Analysis
-
max time kernel
89s -
max time network
88s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
09-11-2020 20:31
General
-
Target
SecuriteInfo.com.Trojan.MulDrop12.44210.25533.6581.exe
-
Size
89KB
-
MD5
d617629cc616053d970ce78ec2df19ec
-
SHA1
778298b7d67c4b10d6ee0025142cbd2656f80452
-
SHA256
c70f085a5bb6b5589088374114bbd7a7e097ad8dce5343aec499cd7bc070f061
-
SHA512
3e15af84c04e70631c5efab857e58b8fb46c968b355bbd91915c2b8098fda6a9c8a32b98591c7d87cec8cc2571e3f40983c893ce7d7970258f101b5e683534e4
Score
10/10
Malware Config
Signatures
-
Contains code to disable Windows Defender 4 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
CoreEntity .NET Packer 1 IoCs
A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
rezer0 1 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Windows security modification 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop12.44210.25533.6581.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop12.44210.25533.6581.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop12.44210.25533.6581.exe"{path}"2⤵
- Windows security modification
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/536-0-0x0000000074360000-0x0000000074A4E000-memory.dmpFilesize
6.9MB
-
memory/536-1-0x0000000001360000-0x0000000001361000-memory.dmpFilesize
4KB
-
memory/536-3-0x00000000005A0000-0x00000000005A2000-memory.dmpFilesize
8KB
-
memory/536-4-0x00000000005D0000-0x00000000005DB000-memory.dmpFilesize
44KB
-
memory/1064-5-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/1064-6-0x0000000000403BEE-mapping.dmp
-
memory/1064-8-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/1064-7-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/1064-9-0x0000000074360000-0x0000000074A4E000-memory.dmpFilesize
6.9MB
-
memory/1896-12-0x0000000000000000-mapping.dmp
-
memory/1896-13-0x0000000074360000-0x0000000074A4E000-memory.dmpFilesize
6.9MB
-
memory/1896-14-0x0000000000800000-0x0000000000801000-memory.dmpFilesize
4KB
-
memory/1896-15-0x00000000047D0000-0x00000000047D1000-memory.dmpFilesize
4KB
-
memory/1896-16-0x0000000002580000-0x0000000002581000-memory.dmpFilesize
4KB
-
memory/1896-17-0x0000000005260000-0x0000000005261000-memory.dmpFilesize
4KB
-
memory/1896-20-0x00000000056B0000-0x00000000056B1000-memory.dmpFilesize
4KB
-
memory/1896-25-0x0000000005710000-0x0000000005711000-memory.dmpFilesize
4KB
-
memory/1896-26-0x00000000061D0000-0x00000000061D1000-memory.dmpFilesize
4KB
-
memory/1896-33-0x00000000062A0000-0x00000000062A1000-memory.dmpFilesize
4KB
-
memory/1896-34-0x0000000006260000-0x0000000006261000-memory.dmpFilesize
4KB
-
memory/1896-48-0x0000000006320000-0x0000000006321000-memory.dmpFilesize
4KB
-
memory/1896-49-0x0000000006330000-0x0000000006331000-memory.dmpFilesize
4KB