47e2b9d18762b81536a9a236a382302f9fcb3114e3723a2e90277b903448b536

General

Target

SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe
Size

4.9MB
MD5

7b7cfe46454f0f7a9c046636eb66dda0
SHA1

9ef56977d9b96e81e42f94ef29b144698685e5d3
SHA256

47e2b9d18762b81536a9a236a382302f9fcb3114e3723a2e90277b903448b536
SHA512

28e5b8eca9048855829528d8e235e52168588c247e036acae791927b9f703394975c38dedcc01a6bdfcefdd1e580d882d97f6eec3a6983c1b21fb4a04cdd0cfd

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 2 IoCs

Processes:

services64.exesihost32.exe

pid process

280 services64.exe
1464 sihost32.exe

pid	process
280	services64.exe
1464	sihost32.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

services64.exeSecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	services64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	services64.exe

Loads dropped DLL 2 IoCs

Processes:

cmd.exeservices64.exe

pid process

1184 cmd.exe
280 services64.exe

pid	process
1184	cmd.exe
280	services64.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/736-58-0x000000013F360000-0x000000013F361000-memory.dmp	themida
\Users\Admin\AppData\Local\Temp\services64.exe	themida
C:\Users\Admin\AppData\Local\Temp\services64.exe	themida
behavioral1/memory/280-86-0x000000013FEE0000-0x000000013FEE1000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\services64.exe	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exeservices64.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	services64.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exeservices64.exe

pid process

736 SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe
280 services64.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1828 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exepowershell.exepowershell.exeservices64.exe

pid process

736 SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe
596 powershell.exe
1904 powershell.exe
280 services64.exe
280 services64.exe

pid	process
736	SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe
280	services64.exe

pid	process
1828	schtasks.exe

pid	process
736	SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe
596	powershell.exe
1904	powershell.exe
280	services64.exe
280	services64.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exepowershell.exepowershell.exeservices64.exe

description	pid	process
Token: SeDebugPrivilege	736	SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe
Token: SeDebugPrivilege	596	powershell.exe
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	280	services64.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.execmd.execmd.execmd.exeservices64.execmd.exe

description	pid	process	target process
PID 736 wrote to memory of 1008	736	SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe	cmd.exe
PID 736 wrote to memory of 1008	736	SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe	cmd.exe
PID 736 wrote to memory of 1008	736	SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe	cmd.exe
PID 1008 wrote to memory of 596	1008	cmd.exe	powershell.exe
PID 1008 wrote to memory of 596	1008	cmd.exe	powershell.exe
PID 1008 wrote to memory of 596	1008	cmd.exe	powershell.exe
PID 736 wrote to memory of 980	736	SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe	cmd.exe
PID 736 wrote to memory of 980	736	SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe	cmd.exe
PID 736 wrote to memory of 980	736	SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe	cmd.exe
PID 980 wrote to memory of 1828	980	cmd.exe	schtasks.exe
PID 980 wrote to memory of 1828	980	cmd.exe	schtasks.exe
PID 980 wrote to memory of 1828	980	cmd.exe	schtasks.exe
PID 1008 wrote to memory of 1904	1008	cmd.exe	powershell.exe
PID 1008 wrote to memory of 1904	1008	cmd.exe	powershell.exe
PID 1008 wrote to memory of 1904	1008	cmd.exe	powershell.exe
PID 736 wrote to memory of 1184	736	SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe	cmd.exe
PID 736 wrote to memory of 1184	736	SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe	cmd.exe
PID 736 wrote to memory of 1184	736	SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe	cmd.exe
PID 1184 wrote to memory of 280	1184	cmd.exe	services64.exe
PID 1184 wrote to memory of 280	1184	cmd.exe	services64.exe
PID 1184 wrote to memory of 280	1184	cmd.exe	services64.exe
PID 280 wrote to memory of 1728	280	services64.exe	cmd.exe
PID 280 wrote to memory of 1728	280	services64.exe	cmd.exe
PID 280 wrote to memory of 1728	280	services64.exe	cmd.exe
PID 1728 wrote to memory of 892	1728	cmd.exe	powershell.exe
PID 1728 wrote to memory of 892	1728	cmd.exe	powershell.exe
PID 1728 wrote to memory of 892	1728	cmd.exe	powershell.exe
PID 280 wrote to memory of 1464	280	services64.exe	sihost32.exe
PID 280 wrote to memory of 1464	280	services64.exe	sihost32.exe
PID 280 wrote to memory of 1464	280	services64.exe	sihost32.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop19.10258.32603.24964.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\system32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Windows\system32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Local\Temp\services64.exe"
3⤵
- Creates scheduled task(s)
PID:1828

C:\Windows\system32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\services64.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1184

C:\Users\Admin\AppData\Local\Temp\services64.exe
C:\Users\Admin\AppData\Local\Temp\services64.exe
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:280

C:\Windows\system32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
5⤵
PID:892

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"
4⤵
- Executes dropped EXE
PID:1464

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\services64.exe
MD5
7b7cfe46454f0f7a9c046636eb66dda0

SHA1
9ef56977d9b96e81e42f94ef29b144698685e5d3

SHA256
47e2b9d18762b81536a9a236a382302f9fcb3114e3723a2e90277b903448b536

SHA512
28e5b8eca9048855829528d8e235e52168588c247e036acae791927b9f703394975c38dedcc01a6bdfcefdd1e580d882d97f6eec3a6983c1b21fb4a04cdd0cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\services64.exe
MD5
7b7cfe46454f0f7a9c046636eb66dda0

SHA1
9ef56977d9b96e81e42f94ef29b144698685e5d3

SHA256
47e2b9d18762b81536a9a236a382302f9fcb3114e3723a2e90277b903448b536

SHA512
28e5b8eca9048855829528d8e235e52168588c247e036acae791927b9f703394975c38dedcc01a6bdfcefdd1e580d882d97f6eec3a6983c1b21fb4a04cdd0cfd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5
1674dd9c7a7775b73be309ad1c62ffd4

SHA1
44eca69c94e11a4ad6f186e3205d8a96150b228c

SHA256
d223e6e836d93bf5af48c21fe6ec7a9e31dd4b351111cce77f0b3cd0a2679c0a

SHA512
059918fc77df9663ad57879a50e1a2803a5d84c73117d2a991908043899a88cd16f4b1fb45bdfc93e3a446be6ddbe6546b11cc85553c245b810ea226fb93affd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5
1674dd9c7a7775b73be309ad1c62ffd4

SHA1
44eca69c94e11a4ad6f186e3205d8a96150b228c

SHA256
d223e6e836d93bf5af48c21fe6ec7a9e31dd4b351111cce77f0b3cd0a2679c0a

SHA512
059918fc77df9663ad57879a50e1a2803a5d84c73117d2a991908043899a88cd16f4b1fb45bdfc93e3a446be6ddbe6546b11cc85553c245b810ea226fb93affd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
7105da437756662a49da27785b01c756

SHA1
f6dce822ef6eccb95c222c20d543555ef2d96d06

SHA256
3611ca45b6d812868bedbb127b4d33af701e70a89b78b474ff635d6952275ce7

SHA512
ba3e05b2fbc1468e9022ed76b15d5f345d5fc9bc82d3b9250376eb8283f9e8729c97fcb06eb83a12ea6ac9d7d5abf63138515e04f7125dbffb7e14e5368a1331

Download Submit
\Users\Admin\AppData\Local\Temp\services64.exe
MD5
7b7cfe46454f0f7a9c046636eb66dda0

SHA1
9ef56977d9b96e81e42f94ef29b144698685e5d3

SHA256
47e2b9d18762b81536a9a236a382302f9fcb3114e3723a2e90277b903448b536

SHA512
28e5b8eca9048855829528d8e235e52168588c247e036acae791927b9f703394975c38dedcc01a6bdfcefdd1e580d882d97f6eec3a6983c1b21fb4a04cdd0cfd

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
MD5
1674dd9c7a7775b73be309ad1c62ffd4

SHA1
44eca69c94e11a4ad6f186e3205d8a96150b228c

SHA256
d223e6e836d93bf5af48c21fe6ec7a9e31dd4b351111cce77f0b3cd0a2679c0a

SHA512
059918fc77df9663ad57879a50e1a2803a5d84c73117d2a991908043899a88cd16f4b1fb45bdfc93e3a446be6ddbe6546b11cc85553c245b810ea226fb93affd

Download Submit
memory/280-102-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/280-100-0x000000001C240000-0x000000001C242000-memory.dmp

Filesize
8KB

Download
memory/280-86-0x000000013FEE0000-0x000000013FEE1000-memory.dmp

Filesize
4KB

Download
memory/280-99-0x000007FE80010000-0x000007FE80011000-memory.dmp

Filesize
4KB

Download
memory/280-98-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/280-83-0x0000000000000000-mapping.dmp

Download
memory/596-61-0x0000000000000000-mapping.dmp

Download
memory/596-67-0x0000000002120000-0x0000000002122000-memory.dmp

Filesize
8KB

Download
memory/596-68-0x0000000002122000-0x0000000002124000-memory.dmp

Filesize
8KB

Download
memory/596-69-0x0000000002124000-0x0000000002127000-memory.dmp

Filesize
12KB

Download
memory/596-64-0x000007FEEDFB0000-0x000007FEEEB0D000-memory.dmp

Filesize
11.4MB

Download
memory/596-70-0x000000000212B000-0x000000000214A000-memory.dmp

Filesize
124KB

Download
memory/596-62-0x000007FEFBFB1000-0x000007FEFBFB3000-memory.dmp

Filesize
8KB

Download
memory/736-81-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/736-66-0x0000000001FE0000-0x0000000001FE2000-memory.dmp

Filesize
8KB

Download
memory/736-58-0x000000013F360000-0x000000013F361000-memory.dmp

Filesize
4KB

Download
memory/736-57-0x000007FE80010000-0x000007FE80011000-memory.dmp

Filesize
4KB

Download
memory/736-56-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/892-89-0x0000000000000000-mapping.dmp

Download
memory/980-63-0x0000000000000000-mapping.dmp

Download
memory/1008-60-0x0000000000000000-mapping.dmp

Download
memory/1184-80-0x0000000000000000-mapping.dmp

Download
memory/1464-92-0x0000000000000000-mapping.dmp

Download
memory/1464-95-0x000000013FA20000-0x000000013FA21000-memory.dmp

Filesize
4KB

Download
memory/1464-101-0x000000001BFB0000-0x000000001BFB2000-memory.dmp

Filesize
8KB

Download
memory/1728-88-0x0000000000000000-mapping.dmp

Download
memory/1828-65-0x0000000000000000-mapping.dmp

Download
memory/1904-79-0x000000000259B000-0x00000000025BA000-memory.dmp

Filesize
124KB

Download
memory/1904-78-0x000000001B780000-0x000000001BA7F000-memory.dmp

Filesize
3.0MB

Download
memory/1904-75-0x0000000002590000-0x0000000002592000-memory.dmp

Filesize
8KB

Download
memory/1904-76-0x0000000002592000-0x0000000002594000-memory.dmp

Filesize
8KB

Download
memory/1904-77-0x0000000002594000-0x0000000002597000-memory.dmp

Filesize
12KB

Download
memory/1904-74-0x000007FEEDFB0000-0x000007FEEEB0D000-memory.dmp

Filesize
11.4MB

Download
memory/1904-71-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads