Trojan.Win64.WDFLOAD.AB
RDN/Generic.glk (McAfee); HEUR:Trojan.Win64.Agent.gen (Kaspersky); Mal/Generic-L (Sophos); Trojan.Win32.Generic!BT (Sunbelt)
Windows
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
188,928 bytes
EXE
Yes
20 Jan 2020
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Other System Modifications
This Trojan deletes the following files:
- %User Temp%\s1oo.0
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)
It adds the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
9132E8B079D080E01D52631690BE18EBC2347C1E
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
AD4C5429E10F4FF6C01840C20ABA344D7401209F
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
DB77E5CFEC34459146748B667C97B185619251BA
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
AB7E760DA2485EA9EF5A6EEE7647748D4BA6B947
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
E513EAB8610CFFD7C87E00BCA15C23AAB407FCEF
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
3D496FA682E65FC122351EC29B55AB94F3BB03FC
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
A1F8DCB086E461E2ABB4B46ADCFA0B48C58B6E99
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
ED841A61C0F76025598421BC1B00E24189E68D54
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
18DEA4EFA93B06AE997D234411F3FD72A677EECE
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
76A9295EF4343E12DFC5FE05DC57227C1AB00D29
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
A5341949ABE1407DD7BF7DFE75460D9608FBC309
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
5240AB5B05D11B37900AC7712A3C6AE42F377C8C
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
872CD334B7E7B3C3D1C6114CD6B221026D505EAB
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
03D22C9C66915D58C88912B64C1F984B8344EF09
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
FFFA650F2CB2ABC0D80527B524DD3F9FC172C138
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
4420C99742DF11DD0795BC15B7B0ABF090DC84DF
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
5DD3D41810F28B2A13E9A004E6412061E28FA48D
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
4C0AF5719009B7C9D85C5EAEDFA3B7F090FE5FFF
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
F83099622B4A9F72CB5081F742164AD1B8D048C9
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
A59CC32724DD07A6FC33F7806945481A2D13CA2F
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
9E3F95577B37C74CA2F70C1E1859E798B7FC6B13
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
1667908C9E22EFBD0590E088715CC74BE4C60884
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
0F684EC1163281085C6AF20528878103ACEFCAAB
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
2026D13756EB0DB753DF26CB3B7EEBE3E70BB2CF
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
42727E052C0C2E1B35AB53E1005FD9EDC9DE8F01
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
7457A3793086DBB58B3858D6476889E3311E550E
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
3850EDD77CC74EC9F4829AE406BBF9C21E0DA87F
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
D3F78D747E7C5D6D3AE8ABFDDA7522BFB4CBD598
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
249BDA38A611CD746A132FA2AF995A2D3C941264
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
B8EBF0E696AF77F51C96DB4D044586E2F4F8FD84
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
775B373B33B9D15B58BC02B184704332B97C3CAF
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
88AD5DFE24126872B33175D1778687B642323ACF
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
FBB42F089AF2D570F2BF6F493D107A3255A9BB1A
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
4243A03DB4C3C15149CEA8B38EEA1DA4F26BD159
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
982D98951CF3C0CA2A02814D474A976CBFF6BDB1
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
373C33726722D3A5D1EDD1F1585D5D25B39BEA1A
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
AD96BB64BA36379D2E354660780C2067B81DA2E0
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
31AC96A6C17C425222C46D55C3CCA6BA12E54DAF
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
E22240E837B52E691C71DF248F12D27F96441C00
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
331E2046A1CCA7BFEF766724394BE6112B4CA3F7
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
CDC37C22FE9272D8F2610206AD397A45040326B8
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
DB303C9B61282DE525DC754A535CA2D6A9BD3D87
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
9C43F665E690AB4D486D4717B456C5554D4BCEB5
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
9A08641F7C5F2CCA0888388BE3E5DBDDAAA3B361
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
SystemCertificates\Disallowed\Certificates\
3353EA609334A9F23A701B9159E30CB6C22D4C59
Blob = "{random characters}"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows Defender
DisableAntiSpyware = "1"
SOLUTION
9.850
15.632.03
20 Jan 2020
15.633.00
21 Jan 2020
Step 1
Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.
Step 2
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\9132E8B079D080E01D52631690BE18EBC2347C1E
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\AD4C5429E10F4FF6C01840C20ABA344D7401209F
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\DB77E5CFEC34459146748B667C97B185619251BA
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\AB7E760DA2485EA9EF5A6EEE7647748D4BA6B947
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\E513EAB8610CFFD7C87E00BCA15C23AAB407FCEF
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\3D496FA682E65FC122351EC29B55AB94F3BB03FC
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\A1F8DCB086E461E2ABB4B46ADCFA0B48C58B6E99
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\ED841A61C0F76025598421BC1B00E24189E68D54
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\18DEA4EFA93B06AE997D234411F3FD72A677EECE
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\76A9295EF4343E12DFC5FE05DC57227C1AB00D29
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\A5341949ABE1407DD7BF7DFE75460D9608FBC309
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\5240AB5B05D11B37900AC7712A3C6AE42F377C8C
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\872CD334B7E7B3C3D1C6114CD6B221026D505EAB
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\03D22C9C66915D58C88912B64C1F984B8344EF09
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\FFFA650F2CB2ABC0D80527B524DD3F9FC172C138
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\4420C99742DF11DD0795BC15B7B0ABF090DC84DF
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\5DD3D41810F28B2A13E9A004E6412061E28FA48D
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\4C0AF5719009B7C9D85C5EAEDFA3B7F090FE5FFF
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\F83099622B4A9F72CB5081F742164AD1B8D048C9
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\A59CC32724DD07A6FC33F7806945481A2D13CA2F
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\9E3F95577B37C74CA2F70C1E1859E798B7FC6B13
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\1667908C9E22EFBD0590E088715CC74BE4C60884
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\0F684EC1163281085C6AF20528878103ACEFCAAB
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\2026D13756EB0DB753DF26CB3B7EEBE3E70BB2CF
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\42727E052C0C2E1B35AB53E1005FD9EDC9DE8F01
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7457A3793086DBB58B3858D6476889E3311E550E
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\3850EDD77CC74EC9F4829AE406BBF9C21E0DA87F
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\D3F78D747E7C5D6D3AE8ABFDDA7522BFB4CBD598
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\249BDA38A611CD746A132FA2AF995A2D3C941264
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\B8EBF0E696AF77F51C96DB4D044586E2F4F8FD84
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\775B373B33B9D15B58BC02B184704332B97C3CAF
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\88AD5DFE24126872B33175D1778687B642323ACF
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\FBB42F089AF2D570F2BF6F493D107A3255A9BB1A
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\4243A03DB4C3C15149CEA8B38EEA1DA4F26BD159
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\982D98951CF3C0CA2A02814D474A976CBFF6BDB1
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\373C33726722D3A5D1EDD1F1585D5D25B39BEA1A
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\AD96BB64BA36379D2E354660780C2067B81DA2E0
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\31AC96A6C17C425222C46D55C3CCA6BA12E54DAF
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\E22240E837B52E691C71DF248F12D27F96441C00
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\331E2046A1CCA7BFEF766724394BE6112B4CA3F7
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\CDC37C22FE9272D8F2610206AD397A45040326B8
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\DB303C9B61282DE525DC754A535CA2D6A9BD3D87
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\9C43F665E690AB4D486D4717B456C5554D4BCEB5
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\9A08641F7C5F2CCA0888388BE3E5DBDDAAA3B361
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\3353EA609334A9F23A701B9159E30CB6C22D4C59
- Blob = {random characters}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
- DisableAntiSpyware = 1
Step 3
Scan your computer with your Trend Micro product to delete files detected as Trojan.Win64.WDFLOAD.AB. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check the following Trend Micro Support pages for more information:
Step 4
Restore this file from backup only Microsoft-related files will be restored. If this malware/grayware also deleted files related to programs that are not from Microsoft, please reinstall those programs on you computer again.
- %User Temp%\s1oo.0
Did this description help? Tell us how we did.