Analysis
- max time kernel: 150s
- max time network: 105s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 26-11-2020 08:13
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe
  Resource: win10v20201028
General
- Target: SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe
- Size: 631KB
- MD5: cdc8f3a824491953dbc51dbd65c25446
- SHA1: 7fd96c92dee132e74cbf6a2f0dfef4d0c4fa38ed
- SHA256: 2889a2beb9447078c976fd8d27e4c0fb4b73542a9a2c13f87a6f122651b59343
- SHA512: 47a4bd0021d6b1f7f6c166ea6ee0137bbf5dbfd4badd353a02040aae1fbe1c9410119a00e4709172ed23611889664f05c47f7d65c7256244dde8515c8bd81c42
Malware Config
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\WINDOWS\\spiderlaunch.exe" | SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe
- Disables Task Manager via registry modification
- Modifies WinLogon to allow AutoLogon (2 TTPs, 1 IoC)
  Enables rebooting of the machine without requiring login credentials.
  Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked | LogonUI.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
  description | ioc | process
  File created | C:\WINDOWS\spiderlaunch.exe | SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe
  File created | C:\WINDOWS\spidergame.exe | SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe
- Modifies data under HKEY_USERS (15 IoCs)
  Processes:
  description | ioc | process
  Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "1" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
- Suspicious behavior: LoadsDriver (36075 IoCs)
  Processes (pid; process name column is empty in the report):
  2680 2120 3596 2072 496 4056 2728 508 3132 2724 2504 2284 1732 196 2136 3992 1924 1012 2720 2224 3764 2836 1704 744 1372 1712 2556 2608 2592 3328 3660 768 3848 1068 1500 3304 812 2656 652 1000 3948 1412 3628 1936 1476 2040 3936 3960 3732 3976 3964 3768 3836 3916 820 3760 3852 3816 792 3740 3688 2328 2752 1780
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid | process
  1580 | LogonUI.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop15.61633.207.22067.exe"
  - Modifies WinLogon for persistence
  - Drops file in Windows directory
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0 /state0:0xa3ac6055 /state1:0x41c64e6d
  - Modifies WinLogon to allow AutoLogon
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx