Trojan.DownLoader35.32782

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce] '{49697869-be8e-427d-81a0-c334d1d14950}' = '"%ALLUSERSPROFILE%\Package Cache\{49697869-be8e-427d-81a0-c334d1d14950}\VC_red...

Modifies file system

Creates the following files

%TEMP%\nsle89a.tmp\modern-header.bmp
%WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\.ba\1049\license.rtf
%WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\.ba\1055\thm.wxl
%WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\.ba\1055\license.rtf
%WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\.ba\2052\thm.wxl
%WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\.ba\2052\license.rtf
%WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\.ba\3082\thm.wxl
%WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\.ba\3082\license.rtf
%WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\.ba\bootstrapperapplicationdata.xml
%TEMP%\dd_vcredist_x86_20201112152337.log
%WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\.ba\1046\license.rtf
%WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\.ba\1049\thm.wxl
%WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\.be\vc_redist.x86.exe
%WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\windows7_msu_x64
%WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\vcruntimeminimum_x86
%WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\vcruntimeadditional_x86
%WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\cab54a5cabbe7274d8a22eb58060aab7623
%WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\cabb3e1576d1fefbb979e13b1a5379e0b16
C:\28acdd5f12821937b2\$dpx$.tmp\72c2e2ad09d2c54991d29627816fc805.tmp
C:\28acdd5f12821937b2\$dpx$.tmp\f4e3401686ce654a9cbc57693dc457c9.tmp
C:\28acdd5f12821937b2\$dpx$.tmp\e0c6b3a5ea40774787f385c56f828657.tmp
C:\28acdd5f12821937b2\$dpx$.tmp\3efbe9e05c9d5f4089ceba1a79568eac.tmp
%ALLUSERSPROFILE%\package cache\{49697869-be8e-427d-81a0-c334d1d14950}\vc_redist.x86.exe
%ALLUSERSPROFILE%\package cache\{49697869-be8e-427d-81a0-c334d1d14950}\state.rsm
%WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\.ba\1046\thm.wxl
%WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\.ba\1045\license.rtf
%WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\.ba\1045\thm.wxl
%TEMP%\nsle89a.tmp\inetc.dll
%ProgramFiles(x86)%\wildix\wiservice\vc_redist_2019.x86.exe
%WINDIR%\temp\{2e881062-ce46-44cf-9c1e-66137f9b597b}\.cr\vc_redist_2019.x86.exe
%WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\.ba\wixstdba.dll
%WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\.ba\thm.xml
%WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\.ba\thm.wxl
%WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\.ba\logo.png
%WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\.ba\license.rtf
%WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\.ba\1028\thm.wxl
%WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\.ba\1028\license.rtf
%TEMP%\nsle89a.tmp\modern-wizard.bmp
%WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\.ba\1029\thm.wxl
%WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\.ba\1031\thm.wxl
%WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\.ba\1031\license.rtf
%WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\.ba\1036\thm.wxl
%WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\.ba\1036\license.rtf
%WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\.ba\1040\thm.wxl
%WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\.ba\1040\license.rtf
%WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\.ba\1041\thm.wxl
%WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\.ba\1041\license.rtf
%WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\.ba\1042\thm.wxl
%WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\.ba\1042\license.rtf
%WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\.ba\1029\license.rtf
%WINDIR%\softwaredistribution\scanfile\38c66c46-ed33-47cb-91b5-8f2617131e9e\source.cab
%WINDIR%\softwaredistribution\scanfile\38c66c46-ed33-47cb-91b5-8f2617131e9e\package.cab

Deletes the following files

%WINDIR%\softwaredistribution\scanfile\38c66c46-ed33-47cb-91b5-8f2617131e9e\source.cab

Moves the following files

from %WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\windows7_msu_x64 to %ALLUSERSPROFILE%\package cache\.unverified\windows7_msu_x64
from %ALLUSERSPROFILE%\package cache\.unverified\windows7_msu_x64 to %ALLUSERSPROFILE%\package cache\54050a5f8ae7f0c56e553f0090146c17a1d2bf8d\packages\patch\x64\windows6.1-kb2999226-x64.msu
from %WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\vcruntimeminimum_x86 to %ALLUSERSPROFILE%\package cache\.unverified\vcruntimeminimum_x86
from %ALLUSERSPROFILE%\package cache\.unverified\vcruntimeminimum_x86 to %ALLUSERSPROFILE%\package cache\{19f7e289-17b8-44ec-a099-927507b6f739}v14.21.27702\packages\vcruntimeminimum_x86\vc_runtimeminimum_x86.msi
from %WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\cab54a5cabbe7274d8a22eb58060aab7623 to %ALLUSERSPROFILE%\package cache\.unverified\cab54a5cabbe7274d8a22eb58060aab7623
from %ALLUSERSPROFILE%\package cache\.unverified\cab54a5cabbe7274d8a22eb58060aab7623 to %ALLUSERSPROFILE%\package cache\{19f7e289-17b8-44ec-a099-927507b6f739}v14.21.27702\packages\vcruntimeminimum_x86\cab1.cab
from %WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\vcruntimeadditional_x86 to %ALLUSERSPROFILE%\package cache\.unverified\vcruntimeadditional_x86
from %ALLUSERSPROFILE%\package cache\.unverified\vcruntimeadditional_x86 to %ALLUSERSPROFILE%\package cache\{213668db-2263-4e2d-abb8-487fd539130e}v14.21.27702\packages\vcruntimeadditional_x86\vc_runtimeadditional_x86.msi
from %WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\cabb3e1576d1fefbb979e13b1a5379e0b16 to %ALLUSERSPROFILE%\package cache\.unverified\cabb3e1576d1fefbb979e13b1a5379e0b16
from %ALLUSERSPROFILE%\package cache\.unverified\cabb3e1576d1fefbb979e13b1a5379e0b16 to %ALLUSERSPROFILE%\package cache\{213668db-2263-4e2d-abb8-487fd539130e}v14.21.27702\packages\vcruntimeadditional_x86\cab1.cab
from C:\28acdd5f12821937b2\$dpx$.tmp\72c2e2ad09d2c54991d29627816fc805.tmp to C:\28acdd5f12821937b2\wsusscan.cab
from C:\28acdd5f12821937b2\$dpx$.tmp\f4e3401686ce654a9cbc57693dc457c9.tmp to C:\28acdd5f12821937b2\windows6.1-kb2999226-x64.cab
from C:\28acdd5f12821937b2\$dpx$.tmp\e0c6b3a5ea40774787f385c56f828657.tmp to C:\28acdd5f12821937b2\windows6.1-kb2999226-x64-pkgproperties.txt
from C:\28acdd5f12821937b2\$dpx$.tmp\3efbe9e05c9d5f4089ceba1a79568eac.tmp to C:\28acdd5f12821937b2\windows6.1-kb2999226-x64.xml

Network activity

TCP

HTTP GET requests

http://fi#####es.wildix.com/app/integrations/vc_redist_2019.x86.exe

UDP

DNS ASK fi#####es.wildix.com

Miscellaneous

Searches for the following windows

ClassName: '#32770' WindowName: ''

Creates and executes the following

'%ProgramFiles(x86)%\wildix\wiservice\vc_redist_2019.x86.exe' /install /quiet /norestart
'%WINDIR%\temp\{2e881062-ce46-44cf-9c1e-66137f9b597b}\.cr\vc_redist_2019.x86.exe' -burn.clean.room="%ProgramFiles(x86)%\Wildix\WIService\vc_redist_2019.x86.exe" -burn.filehandle.attached=192 -burn.filehandle.self=200 /install /quiet /norestart
'%WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\.be\vc_redist.x86.exe' -q -burn.elevated BurnPipe.{910F4AE3-8599-438B-AE59-6BCFC5FCBE2A} {3255A68F-3CCE-407F-B75B-A4FFDC92426A} 2244
'%WINDIR%\temp\{19490542-4596-4079-a785-2e0155aaa43c}\.be\vc_redist.x86.exe' -q -burn.elevated BurnPipe.{910F4AE3-8599-438B-AE59-6BCFC5FCBE2A} {3255A68F-3CCE-407F-B75B-A4FFDC92426A} 2244' (with hidden window)

Executes the following

'<SYSTEM32>\wusa.exe' "%ALLUSERSPROFILE%\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\x64\Windows6.1-KB2999226-x64.msu" /quiet /norestart

Technologies

Begriffe

Schulung und Training

Mythen

Technical Information

Curing recommendations

Free trial