Technical Information
Malicious functions
To complicate detection of its presence in the operating system,
adds antivirus exclusion:
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command Add-MpPreference -ExclusionPath '<Full path to file>'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -Enabl...
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command Add-MpPreference -ExclusionPath '%LOCALAPPDATA%\Temp'
Modifies file system
Creates the following files
- %TEMP%\_mei46722\camera
- %TEMP%\_mei46722\pil\_avif.cp314-win_amd64.pyd
- %TEMP%\_mei46722\pil\_imaging.cp314-win_amd64.pyd
- %TEMP%\_mei46722\pil\_imagingcms.cp314-win_amd64.pyd
- %TEMP%\_mei46722\pil\_imagingmath.cp314-win_amd64.pyd
- %TEMP%\_mei46722\pil\_imagingtk.cp314-win_amd64.pyd
- %TEMP%\_mei46722\pil\_webp.cp314-win_amd64.pyd
- %TEMP%\_mei46722\vcruntime140.dll
- %TEMP%\_mei46722\vcruntime140_1.dll
- %TEMP%\_mei46722\_asyncio.pyd
- %TEMP%\_mei46722\_bz2.pyd
- %TEMP%\_mei46722\_ctypes.pyd
- %TEMP%\_mei46722\_decimal.pyd
- %TEMP%\_mei46722\_elementtree.pyd
- %TEMP%\_mei46722\_hashlib.pyd
- %TEMP%\_mei46722\_lzma.pyd
- %TEMP%\_mei46722\_multiprocessing.pyd
- %TEMP%\_mei46722\_overlapped.pyd
- %TEMP%\_mei46722\_queue.pyd
- %TEMP%\_mei46722\_socket.pyd
- %TEMP%\_mei46722\_sqlite3.pyd
- %TEMP%\_mei46722\_ssl.pyd
- %TEMP%\_mei46722\_wmi.pyd
- %TEMP%\_mei46722\_zstd.pyd
- %TEMP%\_mei46722\base_library.zip
- %TEMP%\_mei46722\config.json
- %TEMP%\_mei46722\getpass
- %TEMP%\_mei46722\libcrypto-3.dll
- %TEMP%\_mei46722\libffi-8.dll
- %TEMP%\_mei46722\libssl-3.dll
- %TEMP%\_mei46722\pyexpat.pyd
- %TEMP%\_mei46722\python314.dll
- %TEMP%\_mei46722\pywin32_system32\pywintypes314.dll
- %TEMP%\_mei46722\select.pyd
- %TEMP%\_mei46722\setuptools\_vendor\importlib_metadata-8.7.1.dist-info\installer
- %TEMP%\_mei46722\setuptools\_vendor\importlib_metadata-8.7.1.dist-info\metadata
- %TEMP%\_mei46722\setuptools\_vendor\importlib_metadata-8.7.1.dist-info\record
- %TEMP%\_mei46722\setuptools\_vendor\importlib_metadata-8.7.1.dist-info\wheel
- %TEMP%\_mei46722\setuptools\_vendor\importlib_metadata-8.7.1.dist-info\licenses\license
- %TEMP%\_mei46722\setuptools\_vendor\importlib_metadata-8.7.1.dist-info\top_level.txt
- %TEMP%\_mei46722\setuptools\_vendor\jaraco\text\lorem ipsum.txt
- %TEMP%\_mei46722\sqlite3.dll
- %TEMP%\_mei46722\unicodedata.pyd
- %TEMP%\_mei46722\win32\win32crypt.pyd
Network activity
Connects to
- 'gs##tic.com':443
TCP
Other
- 'gs##tic.com':443
UDP
- DNS ASK gs##tic.com
Miscellaneous
Restarts the analyzed sample
Executes the following
- '<SYSTEM32>\cmd.exe' /c "net session"
- '<SYSTEM32>\cmd.exe' /c "powershell Unblock-File '.\<File name>.exe'"
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Unblock-File '.\<File name>.exe'
- '<SYSTEM32>\net.exe' session
- '<SYSTEM32>\net1.exe' session
- '<SYSTEM32>\cmd.exe' /c "powershell -Command Add-MpPreference -ExclusionPath '<Full path to file>'"
- '<SYSTEM32>\cmd.exe' /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess ...
- '<SYSTEM32>\cmd.exe' /c "powershell -Command Add-MpPreference -ExclusionPath '%LOCALAPPDATA%\Temp'"
- '<SYSTEM32>\cmd.exe' /c "net session"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "powershell Unblock-File '.\<File name>.exe'"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "powershell -Command Add-MpPreference -ExclusionPath '<Full path to file>'"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess ...' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "powershell -Command Add-MpPreference -ExclusionPath '%LOCALAPPDATA%\Temp'"' (with hidden window)
