Analysis

  • max time kernel
    124s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    26-11-2020 08:13

General

  • Target

    SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe

  • Size

    631KB

  • MD5

    cdc8f3a824491953dbc51dbd65c25446

  • SHA1

    7fd96c92dee132e74cbf6a2f0dfef4d0c4fa38ed

  • SHA256

    2889a2beb9447078c976fd8d27e4c0fb4b73542a9a2c13f87a6f122651b59343

  • SHA512

    47a4bd0021d6b1f7f6c166ea6ee0137bbf5dbfd4badd353a02040aae1fbe1c9410119a00e4709172ed23611889664f05c47f7d65c7256244dde8515c8bd81c42

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Disables Task Manager via registry modification
  • Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs

    Enables rebooting of the machine without requiring login credentials.

  • Drops file in Windows directory 2 IoCs
  • Enumerates system info in registry 2 TTPs 32 IoCs
  • Modifies data under HKEY_USERS 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops file in Windows directory
    PID:1632
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:1904
    • C:\Windows\system32\csrss.exe
      %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
      1⤵
      • Enumerates system info in registry
      • Suspicious use of WriteProcessMemory
      PID:636
    • C:\Windows\system32\winlogon.exe
      winlogon.exe
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:1948
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x0
        2⤵
        • Modifies WinLogon to allow AutoLogon
        • Suspicious use of AdjustPrivilegeToken
        PID:1436

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Persistence

    Winlogon Helper DLL

    2
    T1004

    Defense Evasion

    Modify Registry

    2
    T1112

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/636-3-0x00000000008C0000-0x00000000008C2000-memory.dmp
      Filesize

      8KB

    • memory/636-5-0x00000000008C0000-0x00000000008C2000-memory.dmp
      Filesize

      8KB

    • memory/636-6-0x00000000008C0000-0x00000000008C2000-memory.dmp
      Filesize

      8KB

    • memory/636-7-0x00000000008C0000-0x00000000008C2000-memory.dmp
      Filesize

      8KB

    • memory/636-8-0x00000000008C0000-0x00000000008C2000-memory.dmp
      Filesize

      8KB

    • memory/636-9-0x00000000008C0000-0x00000000008C2000-memory.dmp
      Filesize

      8KB

    • memory/1436-2-0x0000000000000000-mapping.dmp
    • memory/1904-0-0x0000000002820000-0x0000000002821000-memory.dmp
      Filesize

      4KB

    • memory/1948-10-0x0000000002030000-0x0000000002031000-memory.dmp
      Filesize

      4KB