Trojan.MulDrop24.9020

Technical Information

Malicious functions

Executes the following

'<SYSTEM32>\taskkill.exe' /F /IM firefox.exe
'<SYSTEM32>\taskkill.exe' /F /IM idaq.exe
'<SYSTEM32>\taskkill.exe' /F /IM idaq64.exe
'<SYSTEM32>\taskkill.exe' /F /IM WinDbg.exe
'<SYSTEM32>\taskkill.exe' /F /IM Procmon.exe
'<SYSTEM32>\taskkill.exe' /F /IM vmware.exe
'<SYSTEM32>\taskkill.exe' /F /IM vmware-tray.exe
'<SYSTEM32>\taskkill.exe' /F /IM vmware-vmx.exe
'<SYSTEM32>\taskkill.exe' /F /IM vmware-authd.exe
'<SYSTEM32>\taskkill.exe' /F /IM VirtualBox.exe
'<SYSTEM32>\taskkill.exe' /F /IM VBoxSVC.exe
'<SYSTEM32>\taskkill.exe' /F /IM VBoxNetDHCP.exe
'<SYSTEM32>\taskkill.exe' /F /IM VBoxNetNAT.exe
'<SYSTEM32>\taskkill.exe' /F /IM VBoxHeadless.exe
'<SYSTEM32>\taskkill.exe' /F /IM qemu-system-arm.exe
'<SYSTEM32>\taskkill.exe' /F /IM Cuckoo.exe
'<SYSTEM32>\taskkill.exe' /F /IM python.exe
'<SYSTEM32>\taskkill.exe' /F /IM pythonw.exe
'<SYSTEM32>\taskkill.exe' /F /IM python3.exe
'<SYSTEM32>\taskkill.exe' /F /IM python3w.exe
'<SYSTEM32>\taskkill.exe' /F /IM msconfig.exe
'<SYSTEM32>\taskkill.exe' /F /IM x64dbg.exe
'<SYSTEM32>\taskkill.exe' /F /IM radare2.exe
'<SYSTEM32>\taskkill.exe' /F /IM r2.exe
'<SYSTEM32>\taskkill.exe' /F /IM Ghidra.exe
'<SYSTEM32>\taskkill.exe' /F /IM ImmunityDebugger.exe
'<SYSTEM32>\taskkill.exe' /F /IM tcpview.exe
'<SYSTEM32>\taskkill.exe' /F /IM Sysmon.exe
'<SYSTEM32>\taskkill.exe' /F /IM ApateDNS.exe
'<SYSTEM32>\taskkill.exe' /F /IM joeboxserver.exe
'<SYSTEM32>\taskkill.exe' /F /IM qemu-system-x86_64.exe
'<SYSTEM32>\taskkill.exe' /F /IM ksdumper.exe
'<SYSTEM32>\taskkill.exe' /F /IM vmwaretray.exe
'<SYSTEM32>\taskkill.exe' /F /IM chrome.exe
'<SYSTEM32>\taskkill.exe' /F /IM edge.exe
'<SYSTEM32>\taskkill.exe' /F /IM brave.exe
'<SYSTEM32>\taskkill.exe' /F /IM httpdebuggerui.exe
'<SYSTEM32>\taskkill.exe' /F /IM wireshark.exe
'<SYSTEM32>\taskkill.exe' /F /IM fiddler.exe
'<SYSTEM32>\taskkill.exe' /F /IM regedit.exe
'<SYSTEM32>\taskkill.exe' /F /IM taskmgr.exe
'<SYSTEM32>\taskkill.exe' /F /IM vboxservice.exe
'<SYSTEM32>\taskkill.exe' /F /IM df5serv.exe
'<SYSTEM32>\taskkill.exe' /F /IM processhacker.exe
'<SYSTEM32>\taskkill.exe' /F /IM vboxtray.exe
'<SYSTEM32>\taskkill.exe' /F /IM vmtoolsd.exe
'<SYSTEM32>\taskkill.exe' /F /IM ida64.exe
'<SYSTEM32>\taskkill.exe' /F /IM joeboxcontrol.exe
'<SYSTEM32>\taskkill.exe' /F /IM ollydbg.exe
'<SYSTEM32>\taskkill.exe' /F /IM pestudio.exe
'<SYSTEM32>\taskkill.exe' /F /IM vmwareuser.exe
'<SYSTEM32>\taskkill.exe' /F /IM vgauthservice.exe
'<SYSTEM32>\taskkill.exe' /F /IM vmacthlp.exe
'<SYSTEM32>\taskkill.exe' /F /IM x96dbg.exe
'<SYSTEM32>\taskkill.exe' /F /IM vmsrvc.exe
'<SYSTEM32>\taskkill.exe' /F /IM x32dbg.exe
'<SYSTEM32>\taskkill.exe' /F /IM vmusrvc.exe
'<SYSTEM32>\taskkill.exe' /F /IM prl_cc.exe
'<SYSTEM32>\taskkill.exe' /F /IM prl_tools.exe
'<SYSTEM32>\taskkill.exe' /F /IM xenservice.exe
'<SYSTEM32>\taskkill.exe' /F /IM qemu-ga.exe
'<SYSTEM32>\taskkill.exe' /F /IM ksdumperclient.exe
'<SYSTEM32>\taskkill.exe' /F /IM "CFF Explorer.exe"

Launches a large number of processes

Terminates or attempts to terminate

the following user processes:

firefox.exe

Modifies file system

Creates the following files

Network activity

Connects to

'ip##fo.io':443

TCP

Other

'ip##fo.io':443

UDP

DNS ASK ip##fo.io

Miscellaneous

Searches for the following windows

ClassName: '' WindowName: ''

Creates and executes the following

'<SYSTEM32>\cmd.exe' /c' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq Procmon.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq vmware.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq vmware-tray.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq vmware-vmx.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq vmware-authd.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq VirtualBox.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq VBoxSVC.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq VBoxNetDHCP.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq VBoxNetNAT.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq VBoxHeadless.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq qemu-system-x86_64.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq idaq64.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq WinDbg.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq qemu-system-arm.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq python3.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq python3w.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq msconfig.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq x64dbg.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq radare2.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq r2.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq Ghidra.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq ImmunityDebugger.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq tcpview.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq Sysmon.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq ApateDNS.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq python.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq pythonw.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq idaq.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq joeboxserver.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq ksdumper.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq wireshark.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq fiddler.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq regedit.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq taskmgr.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq vboxservice.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq df5serv.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq processhacker.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq vboxtray.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq vmtoolsd.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq vmwaretray.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq ida64.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq ollydbg.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq httpdebuggerui.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq pestudio.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq vgauthservice.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq vmacthlp.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq x96dbg.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq vmsrvc.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq x32dbg.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq vmusrvc.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq prl_cc.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq prl_tools.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq xenservice.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq qemu-ga.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq joeboxcontrol.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq ksdumperclient.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq vmwareuser.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq Cuckoo.exe"' (with hidden window)
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq CFF Explorer.exe"' (with hidden window)

Executes the following

'<SYSTEM32>\cmd.exe' /c
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq idaq64.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq WinDbg.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq Procmon.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq vmware.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq vmware-tray.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq vmware-vmx.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq vmware-authd.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq VirtualBox.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq VBoxSVC.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq VBoxNetDHCP.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq VBoxNetNAT.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq VBoxHeadless.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq qemu-system-x86_64.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq qemu-system-arm.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq python.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq pythonw.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq python3.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq python3w.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq msconfig.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq x64dbg.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq radare2.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq r2.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq Ghidra.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq ImmunityDebugger.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq tcpview.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq Sysmon.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq ApateDNS.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq idaq.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq Cuckoo.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq joeboxserver.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq ksdumperclient.exe"
'<SYSTEM32>\runas.exe' /user:Administrator <Full path to file>
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq httpdebuggerui.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq wireshark.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq fiddler.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq regedit.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq taskmgr.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq vboxservice.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq df5serv.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq processhacker.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq vboxtray.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq vmtoolsd.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq vmwaretray.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq ida64.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq ollydbg.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq pestudio.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq vmwareuser.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq vgauthservice.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq vmacthlp.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq x96dbg.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq vmsrvc.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq x32dbg.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq vmusrvc.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq prl_cc.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq prl_tools.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq xenservice.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq qemu-ga.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq joeboxcontrol.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq ksdumper.exe"
'<SYSTEM32>\tasklist.exe' /FI "IMAGENAME eq CFF Explorer.exe"

Tecnologie

Termini

Formazione ed informazione

Falsi miti

Technical Information

Curing recommendations

Free trial