2889a2beb9447078c976fd8d27e4c0fb4b73542a9a2c13f87a6f122651b59343

General

Target

SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe
Size

631KB
MD5

cdc8f3a824491953dbc51dbd65c25446
SHA1

7fd96c92dee132e74cbf6a2f0dfef4d0c4fa38ed
SHA256

2889a2beb9447078c976fd8d27e4c0fb4b73542a9a2c13f87a6f122651b59343
SHA512

47a4bd0021d6b1f7f6c166ea6ee0137bbf5dbfd4badd353a02040aae1fbe1c9410119a00e4709172ed23611889664f05c47f7d65c7256244dde8515c8bd81c42

Score

10^/10

bootkit evasion persistence ransomware

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\WINDOWS\\spiderlaunch.exe"	SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe

Disables Task Manager via registry modification
evasion
Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs
Enables rebooting of the machine without requiring login credentials.
ransomware bootkit

Winlogon Helper DLL
T1004

Modify Registry
T1112

Processes:

LogonUI.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked LogonUI.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked	LogonUI.exe

Drops file in Windows directory 2 IoCs

Processes:

SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe

description	ioc	process
File created	C:\WINDOWS\spiderlaunch.exe	SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe
File created	C:\WINDOWS\spidergame.exe	SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe

Suspicious behavior: LoadsDriver 36075 IoCs

Processes:

pid	process
2680
2120
3596
2072
496
4056
2728
508
3132
2724
2504
2284
1732
196
2136
3992
1924
1012
2720
2224
3764
2836
1704
744
1372
1712
2556
2608
2592
3328
3660
768
3848
1068
1500
3304
812
2656
652
1000
3948
1412
3628
1936
1476
2040
3936
3960
3732
3976
3964
3768
3836
3916
820
3760
3852
3816
792
3740
3688
2328
2752
1780

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

1580 LogonUI.exe

pid	process
1580	LogonUI.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Windows directory
PID:636

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3ac6055 /state1:0x41c64e6d
1⤵
- Modifies WinLogon to allow AutoLogon
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1580

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

2

T1004

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads