SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067

General

Target: SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe
Filesize: 631KB
Completed: 26-11-2020 08:15
Score: 10/10
MD5: cdc8f3a824491953dbc51dbd65c25446
SHA1: 7fd96c92dee132e74cbf6a2f0dfef4d0c4fa38ed
SHA256: 2889a2beb9447078c976fd8d27e4c0fb4b73542a9a2c13f87a6f122651b59343

Malware Config
Signatures (8)

  • Modifies WinLogon for persistence
    SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe

    TTPs

    Winlogon Helper DLL, Modify Registry

    Reported IOCs

    Description | IOC | Process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\WINDOWS\\spiderlaunch.exe" | SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe
  • Disables Task Manager via registry modification

  • Modifies WinLogon to allow AutoLogon
    LogonUI.exe

    Description

    Enables rebooting of the machine without requiring login credentials.

    TTPs

    Winlogon Helper DLL, Modify Registry

    Reported IOCs

    Description | IOC | Process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked | LogonUI.exe
  • Drops file in Windows directory
    SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe

    Reported IOCs

    Description | IOC | Process
    File created | C:\WINDOWS\spiderlaunch.exe | SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe
    File created | C:\WINDOWS\spidergame.exe | SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe
  • Enumerates system info in registry
    csrss.exe

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    Description | IOC | Process
    Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | csrss.exe
    Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | csrss.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier | csrss.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information | csrss.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController | csrss.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data | csrss.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | csrss.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information | csrss.exe
    Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | csrss.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information | csrss.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier | csrss.exe
    Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | csrss.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0 | csrss.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information | csrss.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier | csrss.exe
    Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | csrss.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information | csrss.exe
    Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | csrss.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | csrss.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | csrss.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data | csrss.exe
    Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | csrss.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | csrss.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data | csrss.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier | csrss.exe
    Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | csrss.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | csrss.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier | csrss.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data | csrss.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController | csrss.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data | csrss.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | csrss.exe
  • Modifies data under HKEY_USERS
    winlogon.exe

    Reported IOCs

    Description | IOC | Process
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor" | winlogon.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager | winlogon.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles" | winlogon.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1" | winlogon.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033" | winlogon.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96" | winlogon.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize" | winlogon.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000 | winlogon.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1" | winlogon.exe
  • Suspicious use of AdjustPrivilegeToken
    LogonUI.exe

    Reported IOCs

    Description | PID | Process
    Token: SeShutdownPrivilege | 1436 | LogonUI.exe
    Token: SeShutdownPrivilege | 1436 | LogonUI.exe
  • Suspicious use of WriteProcessMemory
    csrss.exe, winlogon.exe

    Reported IOCs

    Description | PID | Process | Target process
    PID 636 wrote to memory of 1436 | 636 | csrss.exe | LogonUI.exe
    PID 636 wrote to memory of 1436 | 636 | csrss.exe | LogonUI.exe
    PID 1948 wrote to memory of 1436 | 1948 | winlogon.exe | LogonUI.exe
    PID 1948 wrote to memory of 1436 | 1948 | winlogon.exe | LogonUI.exe
    PID 1948 wrote to memory of 1436 | 1948 | winlogon.exe | LogonUI.exe
    PID 636 wrote to memory of 1436 | 636 | csrss.exe | LogonUI.exe
    PID 636 wrote to memory of 1436 | 636 | csrss.exe | LogonUI.exe
    PID 636 wrote to memory of 1436 | 636 | csrss.exe | LogonUI.exe
    PID 636 wrote to memory of 1436 | 636 | csrss.exe | LogonUI.exe
    PID 636 wrote to memory of 1436 | 636 | csrss.exe | LogonUI.exe
    PID 636 wrote to memory of 1436 | 636 | csrss.exe | LogonUI.exe
    PID 636 wrote to memory of 1436 | 636 | csrss.exe | LogonUI.exe
    PID 636 wrote to memory of 1436 | 636 | csrss.exe | LogonUI.exe
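Of the five processes in this report, only PID 1632 is the sample; csrss.exe, winlogon.exe and LogonUI.exe are Windows system processes, and the behaviour the report attributes to the sample itself is the Winlogon\Shell change plus the two files dropped into C:\WINDOWS. The Shell value is the indicator worth turning into a detection. The following is an added example, not part of the sandbox report or of any tool it uses: it takes registry-write events in the shape the report presents them (path, value data, process), normalises the \REGISTRY\MACHINE and HKEY_ hive spellings and the doubled backslashes in REG_SZ data, and flags the logon-related writes a practitioner would alert on. It generalises beyond this report to the Userinit, AutoAdminLogon and DefaultPassword values under the same Winlogon key and to the DisableTaskMgr policy value; the DisableTaskMgr path is assumed from the usual implementation of that technique, since the report names the signature but lists no IOC for it. The sample events are constructed from the report's IOC rows plus one benign baseline.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hive spellings seen in sandbox output, normalised to short names.
_HIVE_ALIASES = {
    r"\registry\machine": "hklm",
    r"\registry\user": "hku",
    "hkey_local_machine": "hklm",
    "hkey_users": "hku",
    "hkey_current_user": "hkcu",
}
WINLOGON = r"software\microsoft\windows nt\currentversion\winlogon"
# Assumed location of the DisableTaskMgr policy value (not listed in the report).
POLICIES_SYSTEM = r"software\microsoft\windows\currentversion\policies\system"
# Default Userinit is "<dir>\userinit.exe," with an optional trailing comma;
# appending ",C:\other.exe" is the classic persistence variant.
_USERINIT_OK = re.compile(r"(?i)[^,]*\\userinit\.exe,?")


@dataclass(frozen=True)
class RegistryEvent:
    """One registry write as a sandbox reports it."""
    path: str      # key path including the value name
    value: str     # value data as text ("" for key-only events)
    process: str   # process that performed the write


def normalise_path(path: str) -> str:
    """Lower-case the path and map \\REGISTRY\\... / HKEY_... prefixes to hklm/hku/hkcu."""
    p = path.strip().lower()
    for alias, hive in _HIVE_ALIASES.items():
        if p.startswith(alias):
            return hive + p[len(alias):]
    return p


def unescape_value(value: str) -> str:
    """Strip quoting and the doubled backslashes sandboxes use for REG_SZ data."""
    return value.strip().strip('"').replace("\\\\", "\\")


def classify(event: RegistryEvent) -> Optional[str]:
    """Return a finding for a suspicious logon-related write, or None if benign."""
    path = normalise_path(event.path)
    key, _, name = path.rpartition("\\")
    value = unescape_value(event.value)

    if key.endswith(WINLOGON):
        if name == "shell" and value.lower() != "explorer.exe":
            return f"T1547.004 Winlogon Shell replaced with {value!r}"
        if name == "userinit" and not _USERINIT_OK.fullmatch(value):
            return f"T1547.004 Winlogon Userinit replaced with {value!r}"
        if name == "autoadminlogon" and value == "1":
            return "AutoAdminLogon enabled (unattended logon)"
        if name == "defaultpassword":
            return "DefaultPassword written in clear text for autologon"
    if key.endswith(POLICIES_SYSTEM) and name == "disabletaskmgr" and value in ("1", "0x1"):
        return "T1562.001 Task Manager disabled via DisableTaskMgr"
    return None


def scan(events: List[RegistryEvent]) -> List[Tuple[str, str]]:
    """(process, finding) for every event that classify() flags."""
    return [(e.process, f) for e in events if (f := classify(e)) is not None]


# Constructed sample: the report's Winlogon\Shell IOC, an assumed DisableTaskMgr
# write (the report names the signature but lists no IOC for it), and one benign
# default that must not alert.
SAMPLE_EVENTS = [
    RegistryEvent(r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
                  r'"C:\\WINDOWS\\spiderlaunch.exe"',
                  "SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe"),
    RegistryEvent(r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
                  "1", "SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe"),
    RegistryEvent(r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
                  "explorer.exe", "setup.exe"),
]

if __name__ == "__main__":
    for process, finding in scan(SAMPLE_EVENTS):
        print(f"{process}: {finding}")
```

The Shell check is an exact-match allowlist rather than a blocklist: any value other than explorer.exe is reported, which is what catches a dropper that writes its own binary there. The Userinit check tolerates the default trailing comma but not an appended second executable, so the common "userinit.exe,C:\payload.exe" form is caught too.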
Processes (5)
  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe"
    Modifies WinLogon for persistence
    Drops file in Windows directory
    PID:1632
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    PID:1904
  • C:\Windows\system32\csrss.exe
    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
    Enumerates system info in registry
    Suspicious use of WriteProcessMemory
    PID:636
  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    Modifies data under HKEY_USERS
    Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x0
      Modifies WinLogon to allow AutoLogon
      Suspicious use of AdjustPrivilegeToken
      PID:1436
Network
MITRE ATT&CK Matrix

Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • memory/636-8-0x00000000008C0000-0x00000000008C2000-memory.dmp
  • memory/636-9-0x00000000008C0000-0x00000000008C2000-memory.dmp
  • memory/636-3-0x00000000008C0000-0x00000000008C2000-memory.dmp
  • memory/636-5-0x00000000008C0000-0x00000000008C2000-memory.dmp
  • memory/636-6-0x00000000008C0000-0x00000000008C2000-memory.dmp
  • memory/636-7-0x00000000008C0000-0x00000000008C2000-memory.dmp
  • memory/1436-2-0x0000000000000000-mapping.dmp
  • memory/1904-0-0x0000000002820000-0x0000000002821000-memory.dmp
  • memory/1948-10-0x0000000002030000-0x0000000002031000-memory.dmp