f9ba39cc36ba8dd4cfb3f461e834660d55f12f76c8696dd04244db1e9db87051

General

Target

SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe
Size

2.5MB
MD5

83ef95311d217e5156a2ac79ebfb9e1d
SHA1

6e33e3ac6a1d1f0949b1426275b76e7dfe21db72
SHA256

f9ba39cc36ba8dd4cfb3f461e834660d55f12f76c8696dd04244db1e9db87051
SHA512

5d8395180aa928fda17d193c3958d163e1e310bccb9ee33d5fbedcbf162148b3f1145c025c8962466ca3312c193cd5787276cc15f71b0138b18867c8a81529a7
SSDEEP

49152:qILEUZJ9W8furgfV3IbrrTbx8HvfGwlEPNIuPK2nVgTJpltBLr:qWW8fuUd3IbZ8HvOwCO2nVgTJplfL

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2640	PostUpdate.exe
2536	processlasso.exe
1252	bitsumsessionagent.exe

Loads dropped DLL 7 IoCs

pid	Process
2292	SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe
2292	SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe
2292	SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe
2292	SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe
2640	PostUpdate.exe
2640	PostUpdate.exe
2536	processlasso.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PostUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PostUpdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	processlasso.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	processlasso.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2536	processlasso.exe
1252	bitsumsessionagent.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2536	processlasso.exe
Token: SeDebugPrivilege	2536	processlasso.exe
Token: SeChangeNotifyPrivilege	2536	processlasso.exe
Token: SeIncBasePriorityPrivilege	2536	processlasso.exe
Token: SeIncreaseQuotaPrivilege	2536	processlasso.exe
Token: SeCreateGlobalPrivilege	2536	processlasso.exe
Token: SeProfSingleProcessPrivilege	2536	processlasso.exe
Token: SeBackupPrivilege	2536	processlasso.exe
Token: SeRestorePrivilege	2536	processlasso.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2640	2292	SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe	28
PID 2292 wrote to memory of 2640	2292	SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe	28
PID 2292 wrote to memory of 2640	2292	SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe	28
PID 2292 wrote to memory of 2640	2292	SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe	28
PID 2292 wrote to memory of 2640	2292	SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe	28
PID 2292 wrote to memory of 2640	2292	SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe	28
PID 2292 wrote to memory of 2640	2292	SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe	28
PID 2640 wrote to memory of 2536	2640	PostUpdate.exe	31
PID 2640 wrote to memory of 2536	2640	PostUpdate.exe	31
PID 2640 wrote to memory of 2536	2640	PostUpdate.exe	31
PID 2640 wrote to memory of 2536	2640	PostUpdate.exe	31
PID 2588 wrote to memory of 1252	2588	taskeng.exe	32
PID 2588 wrote to memory of 1252	2588	taskeng.exe	32
PID 2588 wrote to memory of 1252	2588	taskeng.exe	32
PID 2588 wrote to memory of 1252	2588	taskeng.exe	32

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Users\Admin\AppData\Local\Temp\processlasso.exe
    /postupdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2536

C:\Windows\system32\taskeng.exe
taskeng.exe {111052A7-0308-469B-B683-B96533393FDA} S-1-5-21-3308111660-3636268597-2291490419-1000:JUBFGPHD\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe
  C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe ----------------------------------------------------------------
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ProcessLasso.exe

Filesize
1.0MB

MD5
663d91ce85077936538e3bb293b3fd26

SHA1
81bf3337e9a223791ba860eea97b2ef61c455125

SHA256
5b553955b11434074d9b8db0c1646426e3e2109be327a801a453e133aa1003be

SHA512
9372312e2f24664a5ce0532fefd8d6e1d21038547d315cd32354dc60ad63087b55cd6c2d162de6438dc2e48bca9d3e30bd194ab2b576fd60f033c9c3231d8e43

Download Submit
C:\Users\Admin\AppData\Local\Temp\ProcessLasso.exe

Filesize
1.1MB

MD5
fe54ab60a5ca0942c7ef10cc353fb9b0

SHA1
457693f61fc72b1ba018d55a92d57e1b205c42bc

SHA256
a1edd6c91ebf3d0f837e445f33575bbacc205ee247010d299b782ca251a8b765

SHA512
c8d14982687c31317b25aa671897178a03508f253caa393fc0de69fc2ab3a4601ff427fa609d095cf82b581ba1de200abbde443d7118201fcfb54390387e8086

Download Submit
C:\Users\Admin\AppData\Local\Temp\QuickUpgrade.exe.Replacement

Filesize
418KB

MD5
682d0048f08be81f85e47f092cbd0905

SHA1
3a628a0cafba905eca010dd8c1c7cfa9f346d7e5

SHA256
ca982a5ef3a339d5c33b4113394793e95add1baed500ddb2075f1bd009d0aff2

SHA512
5e11ee85c26543ad2884a5117baea2f706658b476b29248e86b27587b01f4edca00822230c1dbfb1e53d0af883ca3be93369387a231c03a311fe7a893dd5bf9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe

Filesize
140KB

MD5
d24676e0d66c623fede6908fdebb0e58

SHA1
ea4a90efa62c46facabc16d457cd5cd0936265c0

SHA256
a2a47e13896b0674b23dc2ce30726892e040573d087dcf393238e99f5f31551d

SHA512
b00bfdcf6b7f8785967cccda657f1bbf7aeb65fbb4aed3bd2096e98a9f316c24860965306a33a4b92f311783082404393cb5e0c8c86d995317dd7bd9abbb9a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\pl_rsrc_english.dll

Filesize
1.9MB

MD5
4f22d6b8f5fff9bea7ee68d09e2a7f9c

SHA1
571f27c470dc61dead51e3f942e8aa7c13441e33

SHA256
ec0bb9aae6515b3e7b2459f53c7667a89bf1ed476b963952349c26dfb0aa42f4

SHA512
84a30cbee3a45b45758735a768dfafd2b727cb69897f7e26fffe565aeace850ad9f9b6cd5f24b94813124a45be91faa019681ce4a1e588f403723a868b512bea

Download Submit
\Users\Admin\AppData\Local\Temp\PostUpdate.exe

Filesize
606KB

MD5
06345440adde3dd330adce69ef73baf2

SHA1
4658e257fdfd46aa7634a053aabd7f7e18da6752

SHA256
fb5b8384fafe43423ec4aad769565d3535c3e53687f1277774f332029e927ef9

SHA512
d46216b8ed3438f2ea792454635c71954861359a663a69b6b35270885750f693437ee3cda6921ddc1f4cd875d1393e5375f70a571dbd4bc3d8419cad471256d9

Download Submit
\Users\Admin\AppData\Local\Temp\ProcessLasso.exe

Filesize
960KB

MD5
435e6fe8ce83e3b25ec79f7315593b3a

SHA1
1cc4b7bb85d2a40f6c7be7d30d59e8d9bc28b5bd

SHA256
4b7de2ef87159e6d987ae81ea8054cd76a62d3878628b08525a18ddf8918ccab

SHA512
21c3cfb74f1fc010b6ef6cf048504ea266cd0afdd81cadec3d80dc416f4e10b9da44ee819a1a900e62d407a9c9070b2965dc4ff73d8b4c613ca863a7d0e70fbd

Download Submit
\Users\Admin\AppData\Local\Temp\pl_rsrc_english.dll

Filesize
545KB

MD5
f55b3a9a177c8708b5e1208a146e8088

SHA1
634da2d1ae8428869a743675e7b5680752099a84

SHA256
80c107250d8934760c72f5707a2db9a16364264eab53f13e4c9d7d4cb4253e78

SHA512
ac1fdfcba65e042068c3a3de545f3c563b308c166200cdba2d5486e96c37ccf2f0ee5dab5a61bcd07032580726aaae9d4ccdf72c070509664099eb061398dd4d

Download Submit

Analysis

Sharing