SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067

General

Target: SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe
Filesize: 631KB
Completed: 26-11-2020 08:15
Score: 10/10
MD5: cdc8f3a824491953dbc51dbd65c25446
SHA1: 7fd96c92dee132e74cbf6a2f0dfef4d0c4fa38ed
SHA256: 2889a2beb9447078c976fd8d27e4c0fb4b73542a9a2c13f87a6f122651b59343

Malware Config
Signatures 7

Defense Evasion
Persistence
  • Modifies WinLogon for persistence
    SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe

    TTPs

    Winlogon Helper DLL, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\WINDOWS\\spiderlaunch.exe" | SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe
  • Disables Task Manager via registry modification

  • Modifies WinLogon to allow AutoLogon
    LogonUI.exe

    Description

    Enables rebooting of the machine without requiring login credentials.

    TTPs

    Winlogon Helper DLL, Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked | LogonUI.exe
  • Drops file in Windows directory
    SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe

    Reported IOCs

    description | ioc | process
    File created | C:\WINDOWS\spiderlaunch.exe | SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe
    File created | C:\WINDOWS\spidergame.exe | SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe
  • Modifies data under HKEY_USERS
    LogonUI.exe

    Reported IOCs

    description | ioc | process
    Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" | LogonUI.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
  • Suspicious behavior: LoadsDriver

    Reported IOCs

    pid | process
    2680
    2120
    3596
    2072
    496
    4056
    2728
    508
    3132
    2724
    2504
    2284
    1732
    196
    2136
    3992
    1924
    1012
    2720
    2224
    3764
    2836
    1704
    744
    1372
    1712
    2556
    2608
    2592
    3328
    3660
    768
    3848
    1068
    1500
    3304
    812
    2656
    652
    1000
    3948
    1412
    3628
    1936
    1476
    2040
    3936
    3960
    3732
    3976
    3964
    3768
    3836
    3916
    820
    3760
    3852
    3816
    792
    3740
    3688
    2328
    2752
    1780
  • Suspicious use of SetWindowsHookEx
    LogonUI.exe

    Reported IOCs

    pid | process
    1580 | LogonUI.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe"
    Modifies WinLogon for persistence
    Drops file in Windows directory
    PID:636
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0 /state0:0xa3ac6055 /state1:0x41c64e6d
    Modifies WinLogon to allow AutoLogon
    Modifies data under HKEY_USERS
    Suspicious use of SetWindowsHookEx
    PID:1580
Network
MITRE ATT&CK Matrix
  Collection
  Command and Control
  Credential Access
  Defense Evasion
  Discovery
  Execution
  Exfiltration
  Impact
  Initial Access
  Lateral Movement
  Persistence
  Privilege Escalation