109ca116c41d294401cc8e42762345e8142d507ddbd811f9964d4689654968e9

Analysis

max time kernel
55s
max time network
79s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2024, 01:23

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.MulDrop6.20495.25795.10208.exe
Size

918KB
MD5

6471ca1fff20cba037debfb9a30c0cb4
SHA1

e6416093f18940d1851be733a86a8425a1e9219c
SHA256

109ca116c41d294401cc8e42762345e8142d507ddbd811f9964d4689654968e9
SHA512

d984c648de27045e3e25ee3a45bf8a66f49684f6313ccab82958899cfa1d76001942ecefe5dfff2dd2279e84df6f9de53372fb171394a54bbd42236bc1397b51
SSDEEP

24576:tcSxLTUxroZyli6OHnVi235/wZRtTjqUibLSgT2Hd:2eErvTAnwE/wf5qUiXSgT2Hd

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
4692	Eaccleaner.exe

Executes dropped EXE 3 IoCs

pid	Process
3964	setup.exe
3196	Eaccleaner.exe
4692	Eaccleaner.exe

Loads dropped DLL 2 IoCs

pid	Process
3196	Eaccleaner.exe
4692	Eaccleaner.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\PROGRA~2\ACCELE~1\ANTI-V~1\CUSTOM~1\stops_dlg_header_tl.gif	setup.exe
File created	C:\PROGRA~2\ACCELE~1\ANTI-V~1\CUSTOM~1\kully12CustomCure.cnr	setup.exe
File created	C:\PROGRA~2\ACCELE~1\ANTI-V~1\CUSTOM~1\eac_install00.dat	setup.exe
File created	C:\PROGRA~2\ACCELE~1\ANTI-V~1\CUSTOM~1\EacCleaner.exe	setup.exe
File opened for modification	C:\PROGRA~2\ACCELE~1\ANTI-V~1\CUSTOM~1\EacCleaner.exe	setup.exe
File opened for modification	C:\PROGRA~2\ACCELE~1\ANTI-V~1\CUSTOM~1\vclnr.dll	setup.exe
File opened for modification	C:\PROGRA~2\ACCELE~1\ANTI-V~1\CUSTOM~1\stops_dlg_header_tl.gif	setup.exe
File opened for modification	C:\PROGRA~2\ACCELE~1\ANTI-V~1\CUSTOM~1\kully12CustomCure.cnr	setup.exe
File created	C:\PROGRA~2\ACCELE~1\ANTI-V~1\CUSTOM~1\vclnr.dll	setup.exe
File opened for modification	C:\PROGRA~2\ACCELE~1\ANTI-V~1\CUSTOM~1\setup.ini	setup.exe
File created	C:\PROGRA~2\ACCELE~1\ANTI-V~1\CUSTOM~1\setup.exe	setup.exe
File created	C:\PROGRA~2\ACCELE~1\ANTI-V~1\CUSTOM~1\stops_dlg_header_tm.gif	setup.exe
File created	C:\PROGRA~2\ACCELE~1\ANTI-V~1\CUSTOM~1\setup.ini	setup.exe
File opened for modification	C:\PROGRA~2\ACCELE~1\ANTI-V~1\CUSTOM~1\setup.exe	setup.exe
File created	C:\PROGRA~2\ACCELE~1\ANTI-V~1\CUSTOM~1\sfx.exe	setup.exe
File opened for modification	C:\PROGRA~2\ACCELE~1\ANTI-V~1\CUSTOM~1\sfx.exe	setup.exe
File opened for modification	C:\PROGRA~2\ACCELE~1\ANTI-V~1\CUSTOM~1\stops_dlg_header_tm.gif	setup.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4692	Eaccleaner.exe
4692	Eaccleaner.exe
4692	Eaccleaner.exe
4692	Eaccleaner.exe
4692	Eaccleaner.exe
4692	Eaccleaner.exe
4692	Eaccleaner.exe
4692	Eaccleaner.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeDebugPrivilege	4692	Eaccleaner.exe
Token: SeDebugPrivilege	4692	Eaccleaner.exe
Token: SeDebugPrivilege	4692	Eaccleaner.exe
Token: SeDebugPrivilege	4692	Eaccleaner.exe
Token: SeBackupPrivilege	4692	Eaccleaner.exe
Token: SeTakeOwnershipPrivilege	4692	Eaccleaner.exe
Token: SeTakeOwnershipPrivilege	4692	Eaccleaner.exe
Token: SeRestorePrivilege	4692	Eaccleaner.exe
Token: SeTakeOwnershipPrivilege	4692	Eaccleaner.exe
Token: SeRestorePrivilege	4692	Eaccleaner.exe
Token: SeBackupPrivilege	4692	Eaccleaner.exe
Token: SeTakeOwnershipPrivilege	4692	Eaccleaner.exe
Token: SeTakeOwnershipPrivilege	4692	Eaccleaner.exe
Token: SeRestorePrivilege	4692	Eaccleaner.exe
Token: SeBackupPrivilege	4692	Eaccleaner.exe
Token: SeTakeOwnershipPrivilege	4692	Eaccleaner.exe
Token: SeTakeOwnershipPrivilege	4692	Eaccleaner.exe
Token: SeRestorePrivilege	4692	Eaccleaner.exe
Token: SeBackupPrivilege	4692	Eaccleaner.exe
Token: SeTakeOwnershipPrivilege	4692	Eaccleaner.exe
Token: SeTakeOwnershipPrivilege	4692	Eaccleaner.exe
Token: SeRestorePrivilege	4692	Eaccleaner.exe
Token: SeTakeOwnershipPrivilege	4692	Eaccleaner.exe
Token: SeRestorePrivilege	4692	Eaccleaner.exe
Token: SeBackupPrivilege	4692	Eaccleaner.exe
Token: SeTakeOwnershipPrivilege	4692	Eaccleaner.exe
Token: SeTakeOwnershipPrivilege	4692	Eaccleaner.exe
Token: SeRestorePrivilege	4692	Eaccleaner.exe
Token: SeBackupPrivilege	4692	Eaccleaner.exe
Token: SeTakeOwnershipPrivilege	4692	Eaccleaner.exe
Token: SeTakeOwnershipPrivilege	4692	Eaccleaner.exe
Token: SeRestorePrivilege	4692	Eaccleaner.exe
Token: SeBackupPrivilege	4692	Eaccleaner.exe
Token: SeTakeOwnershipPrivilege	4692	Eaccleaner.exe
Token: SeTakeOwnershipPrivilege	4692	Eaccleaner.exe
Token: SeRestorePrivilege	4692	Eaccleaner.exe
Token: SeTakeOwnershipPrivilege	4692	Eaccleaner.exe
Token: SeRestorePrivilege	4692	Eaccleaner.exe
Token: SeBackupPrivilege	4692	Eaccleaner.exe
Token: SeTakeOwnershipPrivilege	4692	Eaccleaner.exe
Token: SeTakeOwnershipPrivilege	4692	Eaccleaner.exe
Token: SeRestorePrivilege	4692	Eaccleaner.exe
Token: SeBackupPrivilege	4692	Eaccleaner.exe
Token: SeTakeOwnershipPrivilege	4692	Eaccleaner.exe
Token: SeTakeOwnershipPrivilege	4692	Eaccleaner.exe
Token: SeRestorePrivilege	4692	Eaccleaner.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 3964	4124	SecuriteInfo.com.Trojan.MulDrop6.20495.25795.10208.exe	89
PID 4124 wrote to memory of 3964	4124	SecuriteInfo.com.Trojan.MulDrop6.20495.25795.10208.exe	89
PID 4124 wrote to memory of 3964	4124	SecuriteInfo.com.Trojan.MulDrop6.20495.25795.10208.exe	89
PID 3964 wrote to memory of 3196	3964	setup.exe	90
PID 3964 wrote to memory of 3196	3964	setup.exe	90
PID 3964 wrote to memory of 3196	3964	setup.exe	90
PID 3964 wrote to memory of 4692	3964	setup.exe	91
PID 3964 wrote to memory of 4692	3964	setup.exe	91
PID 3964 wrote to memory of 4692	3964	setup.exe	91

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop6.20495.25795.10208.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop6.20495.25795.10208.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Users\Admin\AppData\Local\Temp\EAC1673555749_00000000\setup.exe
  C:\Users\Admin\AppData\Local\Temp\EAC1673555749_00000000\setup.exe /Cmd C:\Users\Admin\AppData\Local\Temp\SECURI~1.EXE "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop6.20495.25795.10208.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:3964
- - C:\Users\Admin\AppData\Local\Temp\EAC167~1\Eaccleaner.exe
    C:\Users\Admin\AppData\Local\Temp\EAC167~1\Eaccleaner.exe -d
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3196
- - C:\PROGRA~2\ACCELE~1\ANTI-V~1\CUSTOM~1\Eaccleaner.exe
    C:\PROGRA~2\ACCELE~1\ANTI-V~1\CUSTOM~1\Eaccleaner.exe
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4692

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39aa855 /state1:0x41c64e6d
1⤵
PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EAC1673555749_00000000\EacCleaner.exe

Filesize
261KB

MD5
e59296fbd02590c3b596c45e4f0fb1c6

SHA1
9a3cccdc250cd7a901f4069a97ba3a096f3bd9a7

SHA256
1e9574f3e8c5013f971d8fa9dba0dfa56466f1a06d44e95c83d149b9041ee380

SHA512
34b3a380105c194235de539cbebc6152c488abf75fed6254b6ca24c52e42762e365b23200b50997c61fd8b13ad6983ca1d7707837b111c56a1cf91cade4aaeac

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAC1673555749_00000000\setup.exe

Filesize
177KB

MD5
3b81d4123064a71453e6cb120a695c8e

SHA1
0afec0c1f1ad3bfd3847f0a8aba9fda0aa8a8669

SHA256
320ec75aad0ed0c77a9eb13442f97fa38847230f33bc7fe6352075ccc0c524e1

SHA512
382ec9882be6ff9e9ca0359d0c17ef832ae8b2b76bf987cc14da0860d2b881401826eaddcf716a87bd853ed2e0189e6d682b2f7534899bdba220376e2cc78cf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAC167~1\kully12CustomCure.cnr

Filesize
48KB

MD5
f6395e2127c5bf2f8a93675e6e7e264d

SHA1
4adf792c874319792491af0ad57459a3b5c7fb82

SHA256
eeda5aa43bff1eec971eef7b00f8bd02e799a5847f01a4ebc2da7e92f088136d

SHA512
7482943368d248f663a0877ba8cc9daa5a4a6a07a4da869f17419eecb1b6fca7550677e9a6bc6a569b4aeec5d99ee27c20e29c5f9f464b6745ec8a2da6096d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAC167~1\setup.ini

Filesize
602B

MD5
29deffb038b23260b96cadbdb76f19b3

SHA1
4bcf748ca0952ea568c7e9880d8dd563382f53da

SHA256
3433236c627b01eed767dfa4d21e400fce027840e72b11c1170ae7389789b950

SHA512
4b46bef71edba4306acd04a357a6ae8fcc22b424732ba996a5733a97fd268b94e60f8796dc342c526a25f59bc58d39895957e3d3c52ba2ef744e31d18e99e964

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAC167~1\sfx.exe

Filesize
145KB

MD5
83dc8617494a971af3569c0076b62061

SHA1
adf365112f7fbf8a0668fe1691584ec34bb36de1

SHA256
99a2d819c3f159d23b622e9c27e502d41ac9dcaf772bbab6dc33db0632938699

SHA512
d451d278b47302bd8b8d8731fa993823dfea1f461e66f36f898b00149d3a050475d76fe58bc3388d28da73516e868aa8dae07ea3701870ac4f0b225e4132849a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAC167~1\stops_dlg_header_tl.gif

Filesize
6KB

MD5
addd5db15abab9efe2426177913c175c

SHA1
38a9d26a8379083cfe3b6e1a95d77e6f66cef498

SHA256
81d2f3ac9a5024ab72f71c6c4dd6d39a8d87e7383249fd63287108cee9668220

SHA512
438c95af0ddecc1ae96dc40c7334790bcfe7ae6b5fd7e8ff6577edf5629fed5cb329b2449d71149d0da087f13eee07489f4b408c4798e629f85c734988aaaefb

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAC167~1\stops_dlg_header_tm.gif

Filesize
1KB

MD5
c415dba8f9a7fc0939e50460da171ac1

SHA1
703bbe66038705e0a410f5506810e3777ebe5f05

SHA256
300b17e374d0170f7d4b8afefe09d57aeaa4354b952026305e7fcfdfa5a17ff3

SHA512
5faba12c954b9f77d80c22e0fe7ad4d7ba9727d714aa63dccebe9acb5123fa4fcd324d9775c02b3ff8372c05230d7f866eb7c9fca1e1121fef9a8db13e27cc5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EAC167~1\vclnr.dll

Filesize
1.1MB

MD5
93ed06bfe1454a396824a638c2bb89f1

SHA1
d952977dfefe77fc068e3263a13f0427ca237cec

SHA256
433368db62ed5320c639fbf39106ba6c7c262211c2d9cdb845c86b56a985e6f4

SHA512
7cf6ee0fd09deacd515571068d6c8765731fe24fcae8c34b1f83e01a16afbbbd52151231fefb5ec17a161096a7e7d24ab0b1762b4bb6273f1f3396b31dc9a814

Download Submit
memory/4692-52-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/4692-56-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download