Technical Information
To ensure autorun and distribution
Modifies the following registry keys
- [<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'System32' = '"%LOCALAPPDATA%\Microsoft\System32\System32.exe" 74626d76752174622177622140'
Modifies file system
Creates the following files
- %TEMP%\_mei28082\vcruntime140.dll
- %LOCALAPPDATA%\microsoft\system32\_hashlib.pyd
- %LOCALAPPDATA%\microsoft\system32\_lzma.pyd
- %LOCALAPPDATA%\microsoft\system32\_queue.pyd
- %LOCALAPPDATA%\microsoft\system32\_socket.pyd
- %LOCALAPPDATA%\microsoft\system32\_ssl.pyd
- %LOCALAPPDATA%\microsoft defender.zip
- %LOCALAPPDATA%\microsoft defender\base_library.zip
- %LOCALAPPDATA%\microsoft defender\certifi\cacert.pem
- %LOCALAPPDATA%\microsoft defender\libcrypto-1_1.dll
- %LOCALAPPDATA%\microsoft defender\libssl-1_1.dll
- %LOCALAPPDATA%\microsoft defender\microsoftdefender.exe
- %LOCALAPPDATA%\microsoft defender\microsoftdefender.exe.manifest
- %LOCALAPPDATA%\microsoft defender\psutil\_psutil_windows.cp37-win_amd64.pyd
- %LOCALAPPDATA%\microsoft defender\python37.dll
- <Current directory>\test.txt
- %LOCALAPPDATA%\microsoft defender\select.pyd
- %LOCALAPPDATA%\microsoft defender\unicodedata.pyd
- %LOCALAPPDATA%\microsoft defender\vcruntime140.dll
- %LOCALAPPDATA%\microsoft defender\_bz2.pyd
- %LOCALAPPDATA%\microsoft defender\_ctypes.pyd
- %LOCALAPPDATA%\microsoft defender\_decimal.pyd
- %LOCALAPPDATA%\microsoft defender\_elementtree.pyd
- %LOCALAPPDATA%\microsoft defender\_hashlib.pyd
- %LOCALAPPDATA%\microsoft defender\_lzma.pyd
- %LOCALAPPDATA%\microsoft defender\_multiprocessing.pyd
- %LOCALAPPDATA%\microsoft defender\_queue.pyd
- %LOCALAPPDATA%\microsoft defender\_socket.pyd
- %LOCALAPPDATA%\microsoft defender\_ssl.pyd
- %LOCALAPPDATA%\microsoft\system32\_elementtree.pyd
- %LOCALAPPDATA%\microsoft defender\pyexpat.pyd
- %LOCALAPPDATA%\microsoft\system32\_bz2.pyd
- %TEMP%\_mei28082\select.pyd
- %TEMP%\_mei28082\_bz2.pyd
- %TEMP%\_mei28082\_elementtree.pyd
- %TEMP%\_mei28082\_hashlib.pyd
- %TEMP%\_mei28082\_lzma.pyd
- %TEMP%\_mei28082\_queue.pyd
- %TEMP%\_mei28082\_socket.pyd
- %TEMP%\_mei28082\_ssl.pyd
- %TEMP%\_mei28082\installer.exe.manifest
- %TEMP%\_mei28082\libcrypto-1_1.dll
- %TEMP%\_mei28082\libssl-1_1.dll
- %TEMP%\_mei28082\psutil\_psutil_windows.cp37-win_amd64.pyd
- %TEMP%\_mei28082\pyexpat.pyd
- %TEMP%\_mei28082\python37.dll
- %TEMP%\_mei28082\unicodedata.pyd
- %LOCALAPPDATA%\microsoft\system32\unicodedata.pyd
- %TEMP%\_mei28082\base_library.zip
- %TEMP%\_mei28082\certifi\cacert.pem
- %LOCALAPPDATA%\microsoft\system32.zip
- %LOCALAPPDATA%\microsoft\system32\base_library.zip
- %LOCALAPPDATA%\microsoft\system32\certifi\cacert.pem
- %LOCALAPPDATA%\microsoft\system32\libcrypto-1_1.dll
- %LOCALAPPDATA%\microsoft\system32\libssl-1_1.dll
- %LOCALAPPDATA%\microsoft\system32\psutil\_psutil_windows.cp37-win_amd64.pyd
- %LOCALAPPDATA%\microsoft\system32\pyexpat.pyd
- %LOCALAPPDATA%\microsoft\system32\python37.dll
- %LOCALAPPDATA%\microsoft\system32\select.pyd
- %LOCALAPPDATA%\microsoft\system32\system32.exe
- %LOCALAPPDATA%\microsoft\system32\system32.exe.manifest
- %LOCALAPPDATA%\microsoft\system32\vcruntime140.dll
- %PROGRAMDATA%\microsoft\system32\license.zip
Deletes the following files
- %LOCALAPPDATA%\microsoft\system32.zip
- %TEMP%\_mei28082\_socket.pyd
- %TEMP%\_mei28082\_queue.pyd
- %TEMP%\_mei28082\_lzma.pyd
- %TEMP%\_mei28082\_hashlib.pyd
- %TEMP%\_mei28082\_elementtree.pyd
- %TEMP%\_mei28082\_bz2.pyd
- %TEMP%\_mei28082\vcruntime140.dll
- %TEMP%\_mei28082\unicodedata.pyd
- %TEMP%\_mei28082\select.pyd
- %TEMP%\_mei28082\python37.dll
- %TEMP%\_mei28082\pyexpat.pyd
- %TEMP%\_mei28082\psutil\_psutil_windows.cp37-win_amd64.pyd
- %TEMP%\_mei28082\libssl-1_1.dll
- %TEMP%\_mei28082\libcrypto-1_1.dll
- %TEMP%\_mei28082\installer.exe.manifest
- %TEMP%\_mei28082\certifi\cacert.pem
- %TEMP%\_mei28082\base_library.zip
- %TEMP%\_mei28082\_ssl.pyd
- %LOCALAPPDATA%\microsoft defender.zip
Network activity
TCP
- 'ap#.#ithub.com':443
- 'gi#############on-release-asset-2e65be.s3.amazonaws.com':443
- 'ap#.#yfax.fr':443
UDP
- DNS ASK ap#.#ithub.com
- DNS ASK gi#############on-release-asset-2e65be.s3.amazonaws.com
- DNS ASK ap#.#yfax.fr
Miscellaneous
Creates and executes the following
- '%LOCALAPPDATA%\microsoft\system32\system32.exe' 74626d76752174622177622140
- '%LOCALAPPDATA%\microsoft defender\microsoftdefender.exe' Defender\microsoftDefender.exe" 74626d76752174622177622140
- '<SYSTEM32>\cmd.exe' /c "REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "System32" /t REG_SZ /d "\"%LOCALAPPDATA%\Microsoft\System32\System32.exe\" 74626d76752174622177622140" /f"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "REG QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v System32"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c ""%LOCALAPPDATA%\Microsoft Defender\microsoftDefender.exe 74626d76752174622177622140""' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "%LOCALAPPDATA%\"Microsoft Defender\microsoftDefender.exe" 74626d76752174622177622140"' (with hidden window)
- '<SYSTEM32>\cmd.exe' /c "REG QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v System32"' (with hidden window)
Executes the following
- '<SYSTEM32>\cmd.exe' /c "REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "System32" /t REG_SZ /d "\"%LOCALAPPDATA%\Microsoft\System32\System32.exe\" 74626d76752174622177622140" /f"
- '<SYSTEM32>\reg.exe' ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "System32" /t REG_SZ /d "\"%LOCALAPPDATA%\Microsoft\System32\System32.exe\" 74626d76752174622177622140" /f
- '<SYSTEM32>\cmd.exe' /c "REG QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v System32"
- '<SYSTEM32>\reg.exe' QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run /v System32
- '<SYSTEM32>\cmd.exe' /c ""%LOCALAPPDATA%\Microsoft Defender\microsoftDefender.exe 74626d76752174622177622140""
- '<SYSTEM32>\cmd.exe' /c "%LOCALAPPDATA%\"Microsoft Defender\microsoftDefender.exe" 74626d76752174622177622140"
- '<SYSTEM32>\cmd.exe' /c "REG QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v System32"
- '<SYSTEM32>\reg.exe' QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v System32
