SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067

backendhorse2
featuresanalog, overview
max_time_kernel124160
max_time_network125223
platformwindows7_x64
resourcewin7v20201028
submitted26-11-2020 08:13

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe

Filesize

631KB

Completed

26-11-2020 08:15

Score

10 ^/10

MD5

cdc8f3a824491953dbc51dbd65c25446

SHA1

7fd96c92dee132e74cbf6a2f0dfef4d0c4fa38ed

SHA256

2889a2beb9447078c976fd8d27e4c0fb4b73542a9a2c13f87a6f122651b59343

Defense Evasion

Discovery

Persistence

Modifies WinLogon for persistence

SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe

TTPs

Winlogon Helper DLLModify Registry

Reported IOCs

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\WINDOWS\\spiderlaunch.exe"	SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe

Disables Task Manager via registry modification

Tags

evasion
Modifies WinLogon to allow AutoLogon
LogonUI.exe

Description

Enables rebooting of the machine without requiring login credentials.

Tags

ransomware bootkit

TTPs

Winlogon Helper DLLModify Registry

Reported IOCs

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked LogonUI.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked	LogonUI.exe

Drops file in Windows directory

SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe

Reported IOCs

description	ioc	process
File created	C:\WINDOWS\spiderlaunch.exe	SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe
File created	C:\WINDOWS\spidergame.exe	SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe

Enumerates system info in registry

csrss.exe

TTPs

Query RegistrySystem Information Discovery

Reported IOCs

description	ioc	process
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe

Modifies data under HKEY_USERS

winlogon.exe

Reported IOCs

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor"	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize"	winlogon.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1"	winlogon.exe

Suspicious use of AdjustPrivilegeToken
LogonUI.exe

Reported IOCs

description pid process

Token: SeShutdownPrivilege 1436 LogonUI.exe
Token: SeShutdownPrivilege 1436 LogonUI.exe

description	pid	process
Token: SeShutdownPrivilege	1436	LogonUI.exe
Token: SeShutdownPrivilege	1436	LogonUI.exe

Suspicious use of WriteProcessMemory

csrss.exewinlogon.exe

Reported IOCs

description	pid	process	target process
PID 636 wrote to memory of 1436	636	csrss.exe	LogonUI.exe
PID 636 wrote to memory of 1436	636	csrss.exe	LogonUI.exe
PID 1948 wrote to memory of 1436	1948	winlogon.exe	LogonUI.exe
PID 1948 wrote to memory of 1436	1948	winlogon.exe	LogonUI.exe
PID 1948 wrote to memory of 1436	1948	winlogon.exe	LogonUI.exe
PID 636 wrote to memory of 1436	636	csrss.exe	LogonUI.exe
PID 636 wrote to memory of 1436	636	csrss.exe	LogonUI.exe
PID 636 wrote to memory of 1436	636	csrss.exe	LogonUI.exe
PID 636 wrote to memory of 1436	636	csrss.exe	LogonUI.exe
PID 636 wrote to memory of 1436	636	csrss.exe	LogonUI.exe
PID 636 wrote to memory of 1436	636	csrss.exe	LogonUI.exe
PID 636 wrote to memory of 1436	636	csrss.exe	LogonUI.exe
PID 636 wrote to memory of 1436	636	csrss.exe	LogonUI.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe"

Modifies WinLogon for persistence
Drops file in Windows directory

PID:1632

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

PID:1904

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

Enumerates system info in registry
Suspicious use of WriteProcessMemory

PID:636

C:\Windows\system32\winlogon.exe

winlogon.exe

Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory

PID:1948

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

Modifies WinLogon to allow AutoLogon
Suspicious use of AdjustPrivilegeToken

PID:1436

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Winlogon Helper DLL

Privilege Escalation

00:00 00:00

memory/636-8-0x00000000008C0000-0x00000000008C2000-memory.dmp

Download
memory/636-9-0x00000000008C0000-0x00000000008C2000-memory.dmp

Download
memory/636-3-0x00000000008C0000-0x00000000008C2000-memory.dmp

Download
memory/636-5-0x00000000008C0000-0x00000000008C2000-memory.dmp

Download
memory/636-6-0x00000000008C0000-0x00000000008C2000-memory.dmp

Download
memory/636-7-0x00000000008C0000-0x00000000008C2000-memory.dmp

Download
memory/1436-2-0x0000000000000000-mapping.dmp

Download
memory/1904-0-0x0000000002820000-0x0000000002821000-memory.dmp

Download
memory/1948-10-0x0000000002030000-0x0000000002031000-memory.dmp

Download

SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067

Filter: none

Tags

TTPs

Reported IOCs

Tags

Description

Tags

TTPs

Reported IOCs

Reported IOCs

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title