Trojan.MulDrop25.64390

Technical Information

Malicious functions

Creates and executes the following

'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' "$t1 = 'user32.dll';$t = 'using System; using System.Runtime.InteropServices; public class User32 {[DllImport(' + [System.Text.Encoding]::UTF8.GetString(34) + $t1 + [System.Text.Encoding]::UTF8...
'%WINDIR%\microsoft.net\framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\6_urtc1x.cmdline"
'%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5090.tmp" "%TEMP%\CSC508F.tmp"
'%WINDIR%\syswow64\rundll32.exe' <SYSTEM32>\shell32.dll,OpenAs_RunDLL <PATH_SAMPLE>.hwp
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -windowstyle hidden "$stringPath=$env:temp+'\'+'temp.dat';$stringByte = Get-Content -path $stringPath -encoding byte;$string = [System.Text.Encoding]::UTF8.GetString($stringByte);$scriptBlock =...
'%WINDIR%\microsoft.net\framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\-r9aat1b.cmdline"
'%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESAEC6.tmp" "%TEMP%\CSCAEC5.tmp"
'%WINDIR%\microsoft.net\framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\leywqhfl.cmdline"
'%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESB1F1.tmp" "%TEMP%\CSCB1F0.tmp"
'%WINDIR%\microsoft.net\framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\qou0emx1.cmdline"
'%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESB51C.tmp" "%TEMP%\CSCB51B.tmp"
'%WINDIR%\microsoft.net\framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\hl06l5iz.cmdline"
'%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESB7EA.tmp" "%TEMP%\CSCB7E9.tmp"

Modifies file system

Creates the following files

%TEMP%\6_urtc1x.0.cs
%TEMP%\resb1f1.tmp
%TEMP%\leywqhfl.dll
%TEMP%\qou0emx1.0.cs
%TEMP%\qou0emx1.cmdline
%TEMP%\qou0emx1.out
%TEMP%\cscb51b.tmp
%TEMP%\resb51c.tmp
%TEMP%\qou0emx1.dll
%TEMP%\hl06l5iz.0.cs
%TEMP%\hl06l5iz.cmdline
%TEMP%\hl06l5iz.out
%TEMP%\cscb7e9.tmp
%TEMP%\resb7ea.tmp
%TEMP%\hl06l5iz.dll
%WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\metadata\f0accf77cdcbff39f6191887f6d2d357
%TEMP%\cscb1f0.tmp
%WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\content\f0accf77cdcbff39f6191887f6d2d357
%TEMP%\leywqhfl.out
%TEMP%\leywqhfl.0.cs
%TEMP%\6_urtc1x.cmdline
%TEMP%\6_urtc1x.out
%TEMP%\csc508f.tmp
%TEMP%\res5090.tmp
%TEMP%\6_urtc1x.dll
<PATH_SAMPLE>.hwp
C:\users\public\public.dat
%TEMP%\temp.dat
%TEMP%\working.bat
%TEMP%\-r9aat1b.0.cs
%TEMP%\-r9aat1b.cmdline
%TEMP%\-r9aat1b.out
%TEMP%\cscaec5.tmp
%TEMP%\resaec6.tmp
%TEMP%\-r9aat1b.dll
%TEMP%\leywqhfl.cmdline
%TEMP%\189f63b7.tmp

Deletes the following files

%TEMP%\res5090.tmp
%TEMP%\leywqhfl.dll
%TEMP%\leywqhfl.0.cs
%TEMP%\resb51c.tmp
%TEMP%\cscb51b.tmp
%TEMP%\qou0emx1.pdb
%TEMP%\qou0emx1.out
%TEMP%\qou0emx1.0.cs
%TEMP%\hl06l5iz.pdb
%TEMP%\qou0emx1.dll
%TEMP%\resb7ea.tmp
%TEMP%\cscb7e9.tmp
%TEMP%\hl06l5iz.out
%TEMP%\hl06l5iz.dll
%TEMP%\hl06l5iz.cmdline
%TEMP%\leywqhfl.pdb
%TEMP%\qou0emx1.cmdline
%TEMP%\leywqhfl.out
%TEMP%\resaec6.tmp
%TEMP%\csc508f.tmp
%TEMP%\6_urtc1x.out
%TEMP%\6_urtc1x.0.cs
%TEMP%\6_urtc1x.cmdline
%TEMP%\6_urtc1x.pdb
%TEMP%\6_urtc1x.dll
%TEMP%\cscaec5.tmp
%TEMP%\cscb1f0.tmp
%TEMP%\-r9aat1b.pdb
%TEMP%\-r9aat1b.out
%TEMP%\-r9aat1b.cmdline
%TEMP%\-r9aat1b.dll
%TEMP%\-r9aat1b.0.cs
%TEMP%\resb1f1.tmp
%TEMP%\leywqhfl.cmdline
%TEMP%\hl06l5iz.0.cs

Deletes itself.

Network activity

Connects to

'ap#.#cloud.com':443

TCP

Other

'ap#.#cloud.com':443

UDP

DNS ASK ap#.#cloud.com

Miscellaneous

Creates and executes the following

'%WINDIR%\microsoft.net\framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\6_urtc1x.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5090.tmp" "%TEMP%\CSC508F.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\-r9aat1b.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESAEC6.tmp" "%TEMP%\CSCAEC5.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\leywqhfl.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESB1F1.tmp" "%TEMP%\CSCB1F0.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\qou0emx1.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESB51C.tmp" "%TEMP%\CSCB51B.tmp"' (with hidden window)
'%WINDIR%\microsoft.net\framework\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\hl06l5iz.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RESB7EA.tmp" "%TEMP%\CSCB7E9.tmp"' (with hidden window)

Executes the following

'%WINDIR%\syswow64\cmd.exe' /c dir %WINDIR%\SysWow64\WindowsPowerShell\v1.0\*rshell.exe /s /b /od
'%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\working.bat""

Демо бесплатно на 14 дней

Выдаётся при установке

Скачать с сайта

Скачать с Google Play

Завантажте
Dr.Web для Android

Безкоштовно на 3 місяці
Всі компоненти захисту
Подовження демо в
AppGallery/Google Pay

Технології

Терміни

Навчання

Міфи

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней