Trojan.Inject4.31997

Technical Information

Malicious functions

Injects code into

the following system processes:

<SYSTEM32>\conhost.exe

Modifies file system

Creates the following files

%TEMP%\penumbra launcher.exe
%TEMP%\_mei14882\unicodedata.pyd
%TEMP%\_mei14882\sqlite3.dll
%TEMP%\_mei14882\select.pyd
%TEMP%\_mei14882\pywintypes310.dll
%TEMP%\_mei14882\pythoncom310.dll
%TEMP%\_mei14882\python310.dll
%TEMP%\_mei14882\pyexpat.pyd
%TEMP%\_mei14882\psutil\_psutil_windows.cp310-win_amd64.pyd
%TEMP%\_mei14882\mfc140u.dll
%TEMP%\_mei14882\libssl-1_1.dll
%TEMP%\_mei14882\win32api.cp310-win_amd64.pyd
%TEMP%\_mei14882\libffi-7.dll
%TEMP%\_mei14882\_win32sysloader.cp310-win_amd64.pyd
%TEMP%\_mei14882\_uuid.pyd
%TEMP%\_mei14882\_ssl.pyd
%TEMP%\_mei14882\_sqlite3.pyd
%TEMP%\_mei14882\_socket.pyd
%TEMP%\_mei14882\_queue.pyd
%TEMP%\_mei14882\_overlapped.pyd
%TEMP%\_mei14882\_multiprocessing.pyd
%TEMP%\_mei14882\_lzma.pyd
%TEMP%\_mei14882\_hashlib.pyd
%TEMP%\_mei14882\libcrypto-1_1.dll
%TEMP%\_mei14882\pyinstaller-4.10.dist-info\copying.txt
%TEMP%\_mei14882\setuptools-58.1.0.dist-info\entry_points.txt
%TEMP%\_mei14882\win32trace.cp310-win_amd64.pyd
%TEMP%\_mei14882\setuptools-58.1.0.dist-info\wheel
%TEMP%\_mei14882\setuptools-58.1.0.dist-info\record
%TEMP%\_mei14882\setuptools-58.1.0.dist-info\metadata
%TEMP%\_mei14882\setuptools-58.1.0.dist-info\license
%TEMP%\_mei14882\setuptools-58.1.0.dist-info\installer
%TEMP%\_mei14882\pyinstaller-4.10.dist-info\top_level.txt
%TEMP%\_mei14882\pyinstaller-4.10.dist-info\entry_points.txt
%TEMP%\_mei14882\pyinstaller-4.10.dist-info\wheel
%TEMP%\_mei14882\pyinstaller-4.10.dist-info\record
%TEMP%\_mei14882\pyinstaller-4.10.dist-info\metadata
%TEMP%\_mei14882\_elementtree.pyd
%TEMP%\_mei14882\pyinstaller-4.10.dist-info\installer
%TEMP%\_mei14882\certifi\cacert.pem
%TEMP%\_mei14882\base_library.zip
%TEMP%\_mei14882\altgraph-0.17.2.dist-info\zip-safe
%TEMP%\_mei14882\altgraph-0.17.2.dist-info\top_level.txt
%TEMP%\_mei14882\altgraph-0.17.2.dist-info\wheel
%TEMP%\_mei14882\altgraph-0.17.2.dist-info\record
%TEMP%\_mei14882\altgraph-0.17.2.dist-info\metadata
%TEMP%\_mei14882\altgraph-0.17.2.dist-info\license
%TEMP%\_mei14882\altgraph-0.17.2.dist-info\installer
%TEMP%\_mei14882\win32ui.cp310-win_amd64.pyd
%TEMP%\_mei14882\win32com\shell\shell.cp310-win_amd64.pyd
%TEMP%\_mei14882\win32crypt.cp310-win_amd64.pyd
%TEMP%\_mei14882\_decimal.pyd
%TEMP%\_mei14882\crypto\hash\_ripemd160.pyd
%TEMP%\_mei14882\crypto\hash\_md2.pyd
%TEMP%\_mei14882\crypto\hash\_blake2s.pyd
%TEMP%\_mei14882\crypto\hash\_blake2b.pyd
%TEMP%\_mei14882\crypto\cipher\_raw_ofb.pyd
%TEMP%\_mei14882\crypto\cipher\_raw_ocb.pyd
%TEMP%\_mei14882\crypto\cipher\_raw_eksblowfish.pyd
%TEMP%\_mei14882\crypto\cipher\_raw_ecb.pyd
%TEMP%\_mei14882\crypto\cipher\_raw_des3.pyd
%TEMP%\_mei14882\crypto\cipher\_raw_des.pyd
%TEMP%\_mei14882\crypto\cipher\_raw_ctr.pyd
%TEMP%\_mei14882\crypto\hash\_md4.pyd
%TEMP%\_mei14882\crypto\cipher\_raw_cfb.pyd
%TEMP%\_mei14882\crypto\cipher\_raw_cast.pyd
%TEMP%\_mei14882\crypto\cipher\_raw_blowfish.pyd
%TEMP%\_mei14882\crypto\cipher\_raw_arc2.pyd
%TEMP%\_mei14882\crypto\cipher\_raw_aesni.pyd
%TEMP%\_mei14882\crypto\cipher\_raw_aes.pyd
%TEMP%\_mei14882\crypto\cipher\_pkcs1_decode.pyd
%TEMP%\_mei14882\crypto\cipher\_chacha20.pyd
%TEMP%\_mei14882\crypto\cipher\_salsa20.pyd
%TEMP%\_mei14882\crypto\cipher\_arc4.pyd
%TEMP%\penumbra.exe
%TEMP%\_mei14882\crypto\cipher\_raw_cbc.pyd
%TEMP%\_mei14882\crypto\publickey\_ec_ws.pyd
%TEMP%\_mei14882\_cffi_backend.cp310-win_amd64.pyd
%TEMP%\_mei14882\crypto\hash\_sha1.pyd
%TEMP%\_mei14882\_bz2.pyd
%TEMP%\_mei14882\_asyncio.pyd
%TEMP%\_mei14882\vcruntime140_1.dll
%TEMP%\mc patcher v3.exe
%TEMP%\_mei14882\vcruntime140.dll
%TEMP%\_mei14882\pil\_webp.cp310-win_amd64.pyd
%TEMP%\_mei14882\pil\_imagingtk.cp310-win_amd64.pyd
%TEMP%\_mei14882\pil\_imaging.cp310-win_amd64.pyd
%TEMP%\_mei14882\msvcp140.dll
%TEMP%\_mei14882\crypto\util\_strxor.pyd
%TEMP%\_mei14882\_ctypes.pyd
%TEMP%\_mei14882\crypto\util\_cpuid_c.pyd
%TEMP%\_mei14882\crypto\protocol\_scrypt.pyd
%TEMP%\_mei14882\crypto\math\_modexp.pyd
%TEMP%\_mei14882\crypto\hash\_poly1305.pyd
%TEMP%\_mei14882\crypto\hash\_keccak.pyd
%TEMP%\_mei14882\crypto\hash\_ghash_portable.pyd
%TEMP%\_mei14882\crypto\hash\_ghash_clmul.pyd
%TEMP%\_mei14882\crypto\hash\_sha512.pyd
%TEMP%\_mei14882\crypto\hash\_sha384.pyd
%TEMP%\_mei14882\crypto\hash\_sha256.pyd
%TEMP%\_mei14882\crypto\hash\_sha224.pyd
%TEMP%\_mei14882\crypto\hash\_md5.pyd
%TEMP%\_mei14882\setuptools-58.1.0.dist-info\top_level.txt

Miscellaneous

Creates and executes the following

'%TEMP%\penumbra launcher.exe'
'%TEMP%\penumbra.exe'
'%TEMP%\mc patcher v3.exe'

Executes the following

'%WINDIR%\syswow64\cmd.exe' /c start "" "%TEMP%\Penumbra Launcher.exe"
'%WINDIR%\syswow64\cmd.exe' /c start "" "%TEMP%\Penumbra.exe"
'%WINDIR%\syswow64\cmd.exe' /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreferenc...
'%WINDIR%\syswow64\cmd.exe' /c start "" "%TEMP%\MC PATCHER V3.exe"
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"

Демо бесплатно на 14 дней

Выдаётся при установке

Скачать с сайта

Скачать с Google Play

Скачайте
Dr.Web для Android

Бесплатно на 3 месяца
Все компоненты защиты
Продление демо через
AppGallery/Google Pay

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней