Trojan.MulDrop36.3949

Technical Information

Malicious functions

Launches a large number of processes

Terminates or attempts to terminate

the following system processes:

<SYSTEM32>\cmd.exe

Modifies file system

Creates the following files

%TEMP%\_mei15802\vcruntime140.dll
%TEMP%\_mei15802\_bz2.pyd
%TEMP%\_mei15802\_ctypes.pyd
%TEMP%\_mei15802\_decimal.pyd
%TEMP%\_mei15802\_hashlib.pyd
%TEMP%\_mei15802\_lzma.pyd
%TEMP%\_mei15802\_multiprocessing.pyd
%TEMP%\_mei15802\_queue.pyd
%TEMP%\_mei15802\_socket.pyd
%TEMP%\_mei15802\_ssl.pyd
%TEMP%\_mei15802\base_library.zip
%TEMP%\_mei15802\libcrypto-1_1.dll
%TEMP%\_mei15802\libffi-7.dll
%TEMP%\_mei15802\libssl-1_1.dll
%TEMP%\_mei15802\pyexpat.pyd
%TEMP%\_mei15802\python38.dll
%TEMP%\_mei15802\select.pyd
%TEMP%\_mei15802\unicodedata.pyd

Miscellaneous

Restarts the analyzed sample

Executes the following

'<SYSTEM32>\cmd.exe' /c "net session"
'<SYSTEM32>\net.exe' session
'<SYSTEM32>\net1.exe' session
'<SYSTEM32>\cmd.exe' /c "wmic cpu get name,numberofcores,numberoflogicalprocessors /format:list"
'<SYSTEM32>\cmd.exe' /c "wmic path win32_VideoController get name,adapterram /format:list"
'<SYSTEM32>\cmd.exe' /c "wmic os get caption,version,buildnumber,osarchitecture /format:list"
'<SYSTEM32>\wbem\wmic.exe' path win32_VideoController get name,adapterram /format:list
'<SYSTEM32>\wbem\wmic.exe' cpu get name,numberofcores,numberoflogicalprocessors /format:list
'<SYSTEM32>\wbem\wmic.exe' os get caption,version,buildnumber,osarchitecture /format:list
'<SYSTEM32>\cmd.exe' /c "wmic bios get version,manufacturer,releasedate,smbiosbiosversion /format:list"
'<SYSTEM32>\cmd.exe' /c "wmic computersystem get model,manufacturer,systemtype /format:list"
'<SYSTEM32>\wbem\wmic.exe' computersystem get model,manufacturer,systemtype /format:list
'<SYSTEM32>\wbem\wmic.exe' bios get version,manufacturer,releasedate,smbiosbiosversion /format:list
'<SYSTEM32>\cmd.exe' /c "sc query FaceItService"
'<SYSTEM32>\cmd.exe' /c "sc query Vgk"
'<SYSTEM32>\cmd.exe' /c "sc query mDNSResponder"
'<SYSTEM32>\cmd.exe' /c "sc query aswMonFlt"
'<SYSTEM32>\cmd.exe' /c "sc query EasyAntiCheat"
'<SYSTEM32>\cmd.exe' /c "sc query AVGService"
'<SYSTEM32>\cmd.exe' /c "sc query ESEAClient"
'<SYSTEM32>\cmd.exe' /c "powershell -Command "if ((Get-CimInstance Win32_USBControllerDevice -ErrorAction SilentlyContinue)) { 'PRESENT' } else { 'NONE' }""
'<SYSTEM32>\cmd.exe' /c "powershell -Command (Get-MpComputerStatus).RealTimeProtectionEnabled"
'<SYSTEM32>\cmd.exe' /c "powershell -Command (Get-NetFirewallProfile).Enabled"
'<SYSTEM32>\cmd.exe' /c "bcdedit /enum"
'<SYSTEM32>\sc.exe' query Vgk
'<SYSTEM32>\sc.exe' query EasyAntiCheat
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "if ((Get-CimInstance Win32_USBControllerDevice -ErrorAction SilentlyContinue)) { 'PRESENT' } else { 'NONE' }"
'<SYSTEM32>\sc.exe' query AVGService
'<SYSTEM32>\sc.exe' query mDNSResponder
'<SYSTEM32>\sc.exe' query FaceItService
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command (Get-MpComputerStatus).RealTimeProtectionEnabled
'<SYSTEM32>\sc.exe' query ESEAClient
'<SYSTEM32>\bcdedit.exe' /enum
'<SYSTEM32>\sc.exe' query aswMonFlt
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command (Get-NetFirewallProfile).Enabled
'<SYSTEM32>\cmd.exe' /c "sc query BEService"
'<SYSTEM32>\cmd.exe' /c "sc query NEACService"
'<SYSTEM32>\cmd.exe' /c "sc query EAAntiCheatService"
'<SYSTEM32>\cmd.exe' /c "sc query VSSERV"
'<SYSTEM32>\cmd.exe' /c "sc query ACE-BASE"
'<SYSTEM32>\cmd.exe' /c "sc query AVG Antivirus"
'<SYSTEM32>\sc.exe' query BEService
'<SYSTEM32>\sc.exe' query NEACService
'<SYSTEM32>\sc.exe' query VSSERV
'<SYSTEM32>\sc.exe' query AVG Antivirus
'<SYSTEM32>\sc.exe' query EAAntiCheatService
'<SYSTEM32>\sc.exe' query ACE-BASE
'<SYSTEM32>\cmd.exe' /c "sc query ACE-GAME"
'<SYSTEM32>\cmd.exe' /c "sc query AVGIDSAgent"
'<SYSTEM32>\cmd.exe' /c "sc query AVP"
'<SYSTEM32>\sc.exe' query AVGIDSAgent
'<SYSTEM32>\sc.exe' query ACE-GAME
'<SYSTEM32>\sc.exe' query AVP
'<SYSTEM32>\cmd.exe' /c "sc query AntiCheatExpert"
'<SYSTEM32>\cmd.exe' /c "sc query AVGSvc"
'<SYSTEM32>\cmd.exe' /c "sc query McShield"
'<SYSTEM32>\sc.exe' query AVGSvc
'<SYSTEM32>\sc.exe' query AntiCheatExpert
'<SYSTEM32>\sc.exe' query McShield
'<SYSTEM32>\cmd.exe' /c "wmic cpu get VirtualizationFirmwareEnabled /format:list"
'<SYSTEM32>\cmd.exe' /c "powershell -Command "Get-Tpm | Select-Object -Property TpmPresent, TpmEnabled | Format-List""
'<SYSTEM32>\cmd.exe' /c "sc query AVG WatchDog"
'<SYSTEM32>\cmd.exe' /c "bcdedit"
'<SYSTEM32>\cmd.exe' /c "sc query NS"
'<SYSTEM32>\bcdedit.exe'
'<SYSTEM32>\wbem\wmic.exe' cpu get VirtualizationFirmwareEnabled /format:list
'<SYSTEM32>\sc.exe' query AVG WatchDog
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -Command "Get-Tpm | Select-Object -Property TpmPresent, TpmEnabled | Format-List"
'<SYSTEM32>\sc.exe' query NS
'<SYSTEM32>\cmd.exe' /c "tasklist /FI "IMAGENAME eq avgui.exe""
'<SYSTEM32>\cmd.exe' /c "sc query ekrn"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq avgui.exe"
'<SYSTEM32>\sc.exe' query ekrn
'<SYSTEM32>\cmd.exe' /c "sc query MBAMService"
'<SYSTEM32>\sc.exe' query MBAMService
'<SYSTEM32>\cmd.exe' /c "sc query MBAMChameleon"
'<SYSTEM32>\cmd.exe' /c "tasklist /FI "IMAGENAME eq avgsvca.exe""
'<SYSTEM32>\sc.exe' query MBAMChameleon
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq avgsvca.exe"
'<SYSTEM32>\cmd.exe' /c "sc query MBAMWebProtection"
'<SYSTEM32>\sc.exe' query MBAMWebProtection
'<SYSTEM32>\cmd.exe' /c "sc query MBEndpointAgent"
'<SYSTEM32>\cmd.exe' /c "tasklist /FI "IMAGENAME eq avgidsagent.exe""
'<SYSTEM32>\sc.exe' query MBEndpointAgent
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq avgidsagent.exe"
'<SYSTEM32>\cmd.exe' /c "tasklist /FI "IMAGENAME eq mbam.exe" /FO CSV"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq mbam.exe" /FO CSV
'<SYSTEM32>\cmd.exe' /c "tasklist /FI "IMAGENAME eq avgwdsvc.exe""
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq avgwdsvc.exe"
'<SYSTEM32>\cmd.exe' /c "wmic product where name like '%Malwarebytes%' get name"
'<SYSTEM32>\wbem\wmic.exe' product where name like '%Malwarebytes%' get name
'<SYSTEM32>\cmd.exe' /c "wmic product where name like '%AVG%' get name"
'<SYSTEM32>\wbem\wmic.exe' product where name like '%AVG%' get name
'<SYSTEM32>\cmd.exe' /c "sc query SophosMCEAgent"
'<SYSTEM32>\sc.exe' query SophosMCEAgent
'<SYSTEM32>\cmd.exe' /c "sc query WRkrn"
'<SYSTEM32>\sc.exe' query WRkrn
'<SYSTEM32>\cmd.exe' /c "sc query a2service"
'<SYSTEM32>\cmd.exe' /c "sc query WinDefend"
'<SYSTEM32>\sc.exe' query a2service
'<SYSTEM32>\sc.exe' query WinDefend
'<SYSTEM32>\cmd.exe' /c "net session"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "wmic cpu get name,numberofcores,numberoflogicalprocessors /format:list"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "wmic path win32_VideoController get name,adapterram /format:list"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "wmic os get caption,version,buildnumber,osarchitecture /format:list"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "wmic bios get version,manufacturer,releasedate,smbiosbiosversion /format:list"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "wmic computersystem get model,manufacturer,systemtype /format:list"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "sc query FaceItService"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "sc query Vgk"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "sc query mDNSResponder"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "sc query aswMonFlt"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "sc query EasyAntiCheat"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "sc query AVGService"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "sc query ESEAClient"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "powershell -Command "if ((Get-CimInstance Win32_USBControllerDevice -ErrorAction SilentlyContinue)) { 'PRESENT' } else { 'NONE' }""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "powershell -Command (Get-MpComputerStatus).RealTimeProtectionEnabled"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "powershell -Command (Get-NetFirewallProfile).Enabled"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "bcdedit /enum"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "sc query BEService"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "sc query NEACService"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "sc query EAAntiCheatService"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "sc query VSSERV"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "sc query ACE-BASE"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "sc query AVG Antivirus"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "sc query ACE-GAME"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "sc query AVGIDSAgent"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "sc query AVP"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "sc query AntiCheatExpert"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "sc query AVGSvc"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "sc query McShield"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "wmic cpu get VirtualizationFirmwareEnabled /format:list"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "powershell -Command "Get-Tpm | Select-Object -Property TpmPresent, TpmEnabled | Format-List""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "sc query AVG WatchDog"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "bcdedit"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "sc query NS"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "tasklist /FI "IMAGENAME eq avgui.exe""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "sc query ekrn"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "sc query MBAMService"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "sc query MBAMChameleon"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "tasklist /FI "IMAGENAME eq avgsvca.exe""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "sc query MBAMWebProtection"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "sc query MBEndpointAgent"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "tasklist /FI "IMAGENAME eq avgidsagent.exe""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "tasklist /FI "IMAGENAME eq mbam.exe" /FO CSV"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "tasklist /FI "IMAGENAME eq avgwdsvc.exe""' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "wmic product where name like '%Malwarebytes%' get name"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "wmic product where name like '%AVG%' get name"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "sc query SophosMCEAgent"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "sc query WRkrn"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "sc query a2service"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c "sc query WinDefend"' (with hidden window)

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial