Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 27/01/2024, 04:26
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe
Resource: win10v2004-20231215-en
General
Target: SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe
Size: 2.5MB
MD5: 83ef95311d217e5156a2ac79ebfb9e1d
SHA1: 6e33e3ac6a1d1f0949b1426275b76e7dfe21db72
SHA256: f9ba39cc36ba8dd4cfb3f461e834660d55f12f76c8696dd04244db1e9db87051
SHA512: 5d8395180aa928fda17d193c3958d163e1e310bccb9ee33d5fbedcbf162148b3f1145c025c8962466ca3312c193cd5787276cc15f71b0138b18867c8a81529a7
SSDEEP: 49152:qILEUZJ9W8furgfV3IbrrTbx8HvfGwlEPNIuPK2nVgTJpltBLr:qWW8fuUd3IbZ8HvOwCO2nVgTJplfL
Malware Config
Signatures

Executes dropped EXE (3 IoCs)
  pid   Process
  2640  PostUpdate.exe
  2536  processlasso.exe
  1252  bitsumsessionagent.exe

Loads dropped DLL (7 IoCs)
  pid   Process
  2292  SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe
  2292  SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe
  2292  SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe
  2292  SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe
  2640  PostUpdate.exe
  2640  PostUpdate.exe
  2536  processlasso.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                    PostUpdate.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  PostUpdate.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                    processlasso.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  processlasso.exe

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid   Process
  2536  processlasso.exe
  1252  bitsumsessionagent.exe

Suspicious use of AdjustPrivilegeToken (9 IoCs)
  description                           pid   Process
  Token: SeAssignPrimaryTokenPrivilege  2536  processlasso.exe
  Token: SeDebugPrivilege               2536  processlasso.exe
  Token: SeChangeNotifyPrivilege        2536  processlasso.exe
  Token: SeIncBasePriorityPrivilege     2536  processlasso.exe
  Token: SeIncreaseQuotaPrivilege       2536  processlasso.exe
  Token: SeCreateGlobalPrivilege        2536  processlasso.exe
  Token: SeProfSingleProcessPrivilege   2536  processlasso.exe
  Token: SeBackupPrivilege              2536  processlasso.exe
  Token: SeRestorePrivilege             2536  processlasso.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description                       pid   Process                                                   procid_target
  PID 2292 wrote to memory of 2640  2292  SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe  28
  PID 2292 wrote to memory of 2640  2292  SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe  28
  PID 2292 wrote to memory of 2640  2292  SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe  28
  PID 2292 wrote to memory of 2640  2292  SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe  28
  PID 2292 wrote to memory of 2640  2292  SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe  28
  PID 2292 wrote to memory of 2640  2292  SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe  28
  PID 2292 wrote to memory of 2640  2292  SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe  28
  PID 2640 wrote to memory of 2536  2640  PostUpdate.exe                                            31
  PID 2640 wrote to memory of 2536  2640  PostUpdate.exe                                            31
  PID 2640 wrote to memory of 2536  2640  PostUpdate.exe                                            31
  PID 2640 wrote to memory of 2536  2640  PostUpdate.exe                                            31
  PID 2588 wrote to memory of 1252  2588  taskeng.exe                                               32
  PID 2588 wrote to memory of 1252  2588  taskeng.exe                                               32
  PID 2588 wrote to memory of 1252  2588  taskeng.exe                                               32
  PID 2588 wrote to memory of 1252  2588  taskeng.exe                                               32
Processes

- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe"
  PID: 2292
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe"
    PID: 2640
    Signatures: Executes dropped EXE; Loads dropped DLL; Checks processor information in registry; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\processlasso.exe
      Command line: /postupdate
      PID: 2536
      Signatures: Executes dropped EXE; Loads dropped DLL; Checks processor information in registry; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {111052A7-0308-469B-B683-B96533393FDA} S-1-5-21-3308111660-3636268597-2291490419-1000:JUBFGPHD\Admin:Interactive:[1]
  PID: 2588
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe ----------------------------------------------------------------
    PID: 1252
    Signatures: Executes dropped EXE; Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Downloads