Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/01/2024, 04:26
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe
  Resource: win10v2004-20231215-en
General
Target: SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe
Size: 2.5MB
MD5: 83ef95311d217e5156a2ac79ebfb9e1d
SHA1: 6e33e3ac6a1d1f0949b1426275b76e7dfe21db72
SHA256: f9ba39cc36ba8dd4cfb3f461e834660d55f12f76c8696dd04244db1e9db87051
SHA512: 5d8395180aa928fda17d193c3958d163e1e310bccb9ee33d5fbedcbf162148b3f1145c025c8962466ca3312c193cd5787276cc15f71b0138b18867c8a81529a7
SSDEEP: 49152:qILEUZJ9W8furgfV3IbrrTbx8HvfGwlEPNIuPK2nVgTJpltBLr:qWW8fuUd3IbZ8HvOwCO2nVgTJplfL
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe
- Executes dropped EXE (3 IoCs)
  pid | Process
  2984 | PostUpdate.exe
  556 | bitsumsessionagent.exe
  1884 | processlasso.exe
- Loads dropped DLL (4 IoCs)
  pid | Process
  2984 | PostUpdate.exe
  2984 | PostUpdate.exe
  1884 | processlasso.exe
  1884 | processlasso.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | processlasso.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | PostUpdate.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | PostUpdate.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | processlasso.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  556 | bitsumsessionagent.exe
- Suspicious use of AdjustPrivilegeToken (9 IoCs)
  description | pid | Process
  Token: SeAssignPrimaryTokenPrivilege | 1884 | processlasso.exe
  Token: SeDebugPrivilege | 1884 | processlasso.exe
  Token: SeChangeNotifyPrivilege | 1884 | processlasso.exe
  Token: SeIncBasePriorityPrivilege | 1884 | processlasso.exe
  Token: SeIncreaseQuotaPrivilege | 1884 | processlasso.exe
  Token: SeCreateGlobalPrivilege | 1884 | processlasso.exe
  Token: SeProfSingleProcessPrivilege | 1884 | processlasso.exe
  Token: SeBackupPrivilege | 1884 | processlasso.exe
  Token: SeRestorePrivilege | 1884 | processlasso.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 5072 wrote to memory of 2984 | 5072 | SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe | 88
  PID 5072 wrote to memory of 2984 | 5072 | SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe | 88
  PID 5072 wrote to memory of 2984 | 5072 | SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe | 88
  PID 2984 wrote to memory of 1884 | 2984 | PostUpdate.exe | 92
  PID 2984 wrote to memory of 1884 | 2984 | PostUpdate.exe | 92
  PID 2984 wrote to memory of 1884 | 2984 | PostUpdate.exe | 92
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe"
  PID: 5072
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe"
    PID: 2984
    Signatures: Executes dropped EXE; Loads dropped DLL; Checks processor information in registry; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\processlasso.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\processlasso.exe /postupdate
      PID: 1884
      Signatures: Executes dropped EXE; Loads dropped DLL; Checks processor information in registry; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe ----------------------------------------------------------------
  PID: 556
  Signatures: Executes dropped EXE; Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 606KB
  MD5: 06345440adde3dd330adce69ef73baf2
  SHA1: 4658e257fdfd46aa7634a053aabd7f7e18da6752
  SHA256: fb5b8384fafe43423ec4aad769565d3535c3e53687f1277774f332029e927ef9
  SHA512: d46216b8ed3438f2ea792454635c71954861359a663a69b6b35270885750f693437ee3cda6921ddc1f4cd875d1393e5375f70a571dbd4bc3d8419cad471256d9
- Filesize: 1.6MB
  MD5: af5811262cadcb1f01b280352dbd7cfa
  SHA1: 97987f02b1cb756bd3a3e6648cbe20e929ebbd02
  SHA256: 0814e8f9701bb91cf65da44b29e96f64f8945afb1d2173e3326dc8a26da2198f
  SHA512: 18a957ce052e73c1b2cdae9e3552d978e00bb0d2015517eacee9dd36ba8328b9b5f86d6ff562dabeba7ea3df888c84e07de775ed872361ea717738cf31816dd6
- Filesize: 418KB
  MD5: 682d0048f08be81f85e47f092cbd0905
  SHA1: 3a628a0cafba905eca010dd8c1c7cfa9f346d7e5
  SHA256: ca982a5ef3a339d5c33b4113394793e95add1baed500ddb2075f1bd009d0aff2
  SHA512: 5e11ee85c26543ad2884a5117baea2f706658b476b29248e86b27587b01f4edca00822230c1dbfb1e53d0af883ca3be93369387a231c03a311fe7a893dd5bf9a
- Filesize: 140KB
  MD5: d24676e0d66c623fede6908fdebb0e58
  SHA1: ea4a90efa62c46facabc16d457cd5cd0936265c0
  SHA256: a2a47e13896b0674b23dc2ce30726892e040573d087dcf393238e99f5f31551d
  SHA512: b00bfdcf6b7f8785967cccda657f1bbf7aeb65fbb4aed3bd2096e98a9f316c24860965306a33a4b92f311783082404393cb5e0c8c86d995317dd7bd9abbb9a53
- Filesize: 1.3MB
  MD5: ad4e53b4bc4191f842100b38ebd64f3c
  SHA1: 6a964c560c1b85c4412dcc22794ae7abdd63ea16
  SHA256: 09ef34780bb6074337b05529a32b6809b4d97b278825528180bef1a89d0d5316
  SHA512: 88ddb48c353b5b2d36f4a6e38ddd928288e369c95e9c44d72163a742a8391d3dfe2ce9e8e6a067bbac476649029db0a75b1531c103071a7e296d65f5136d72e4
- Filesize: 1.6MB
  MD5: 50a8d8922ce7fca3debe1211188a271f
  SHA1: a4698c1e1a7561401b0ad3e1a4da8af6ecaf8507
  SHA256: bc410c8e2373201951810b3a37f5b0fe430d6062ee35ed04f53a519422d3ab2d
  SHA512: 4e115936a303ea54494a6c5d81cd1bf23dcb6483fa16e14cb2b96eec29d7b0294855ceca969264dffe7d810b4c8d206aecd231a1bb4da284e4179f8ae107cda7
- Filesize: 1.8MB
  MD5: 7a29d1a0259ab6e68125a6eee44a3b8d
  SHA1: ca6b3a9498958f49e11eda6aaadb01907ad6ac11
  SHA256: 6fd36fe4cb18f74361cc6789f72e703455dcf85e532bc7863b3f8bc5a2dee97c
  SHA512: 7f003ff489211d5551acf72769d0f9ead74931ed28c9751ecccbc48c857a77a12fe4513e6daa6a9c95a7c95bf16e2510bef55313cdbe04b30b4b097b436568fe
- Filesize: 1.9MB
  MD5: 4f22d6b8f5fff9bea7ee68d09e2a7f9c
  SHA1: 571f27c470dc61dead51e3f942e8aa7c13441e33
  SHA256: ec0bb9aae6515b3e7b2459f53c7667a89bf1ed476b963952349c26dfb0aa42f4
  SHA512: 84a30cbee3a45b45758735a768dfafd2b727cb69897f7e26fffe565aeace850ad9f9b6cd5f24b94813124a45be91faa019681ce4a1e588f403723a868b512bea