f9ba39cc36ba8dd4cfb3f461e834660d55f12f76c8696dd04244db1e9db87051

General

Target

SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe
Size

2.5MB
MD5

83ef95311d217e5156a2ac79ebfb9e1d
SHA1

6e33e3ac6a1d1f0949b1426275b76e7dfe21db72
SHA256

f9ba39cc36ba8dd4cfb3f461e834660d55f12f76c8696dd04244db1e9db87051
SHA512

5d8395180aa928fda17d193c3958d163e1e310bccb9ee33d5fbedcbf162148b3f1145c025c8962466ca3312c193cd5787276cc15f71b0138b18867c8a81529a7
SSDEEP

49152:qILEUZJ9W8furgfV3IbrrTbx8HvfGwlEPNIuPK2nVgTJpltBLr:qWW8fuUd3IbZ8HvOwCO2nVgTJplfL

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe

Executes dropped EXE 3 IoCs

pid	Process
2984	PostUpdate.exe
556	bitsumsessionagent.exe
1884	processlasso.exe

Loads dropped DLL 4 IoCs

pid	Process
2984	PostUpdate.exe
2984	PostUpdate.exe
1884	processlasso.exe
1884	processlasso.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	processlasso.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PostUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PostUpdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	processlasso.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
556	bitsumsessionagent.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	1884	processlasso.exe
Token: SeDebugPrivilege	1884	processlasso.exe
Token: SeChangeNotifyPrivilege	1884	processlasso.exe
Token: SeIncBasePriorityPrivilege	1884	processlasso.exe
Token: SeIncreaseQuotaPrivilege	1884	processlasso.exe
Token: SeCreateGlobalPrivilege	1884	processlasso.exe
Token: SeProfSingleProcessPrivilege	1884	processlasso.exe
Token: SeBackupPrivilege	1884	processlasso.exe
Token: SeRestorePrivilege	1884	processlasso.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 2984	5072	SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe	88
PID 5072 wrote to memory of 2984	5072	SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe	88
PID 5072 wrote to memory of 2984	5072	SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe	88
PID 2984 wrote to memory of 1884	2984	PostUpdate.exe	92
PID 2984 wrote to memory of 1884	2984	PostUpdate.exe	92
PID 2984 wrote to memory of 1884	2984	PostUpdate.exe	92

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Users\Admin\AppData\Local\Temp\processlasso.exe
    /postupdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:1884

C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe
C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe ----------------------------------------------------------------
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe

Filesize
606KB

MD5
06345440adde3dd330adce69ef73baf2

SHA1
4658e257fdfd46aa7634a053aabd7f7e18da6752

SHA256
fb5b8384fafe43423ec4aad769565d3535c3e53687f1277774f332029e927ef9

SHA512
d46216b8ed3438f2ea792454635c71954861359a663a69b6b35270885750f693437ee3cda6921ddc1f4cd875d1393e5375f70a571dbd4bc3d8419cad471256d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ProcessLasso.exe

Filesize
1.6MB

MD5
af5811262cadcb1f01b280352dbd7cfa

SHA1
97987f02b1cb756bd3a3e6648cbe20e929ebbd02

SHA256
0814e8f9701bb91cf65da44b29e96f64f8945afb1d2173e3326dc8a26da2198f

SHA512
18a957ce052e73c1b2cdae9e3552d978e00bb0d2015517eacee9dd36ba8328b9b5f86d6ff562dabeba7ea3df888c84e07de775ed872361ea717738cf31816dd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\QuickUpgrade.exe.Replacement

Filesize
418KB

MD5
682d0048f08be81f85e47f092cbd0905

SHA1
3a628a0cafba905eca010dd8c1c7cfa9f346d7e5

SHA256
ca982a5ef3a339d5c33b4113394793e95add1baed500ddb2075f1bd009d0aff2

SHA512
5e11ee85c26543ad2884a5117baea2f706658b476b29248e86b27587b01f4edca00822230c1dbfb1e53d0af883ca3be93369387a231c03a311fe7a893dd5bf9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe

Filesize
140KB

MD5
d24676e0d66c623fede6908fdebb0e58

SHA1
ea4a90efa62c46facabc16d457cd5cd0936265c0

SHA256
a2a47e13896b0674b23dc2ce30726892e040573d087dcf393238e99f5f31551d

SHA512
b00bfdcf6b7f8785967cccda657f1bbf7aeb65fbb4aed3bd2096e98a9f316c24860965306a33a4b92f311783082404393cb5e0c8c86d995317dd7bd9abbb9a53

Download Submit
C:\Users\Admin\AppData\Local\Temp\pl_rsrc_english.dll

Filesize
1.3MB

MD5
ad4e53b4bc4191f842100b38ebd64f3c

SHA1
6a964c560c1b85c4412dcc22794ae7abdd63ea16

SHA256
09ef34780bb6074337b05529a32b6809b4d97b278825528180bef1a89d0d5316

SHA512
88ddb48c353b5b2d36f4a6e38ddd928288e369c95e9c44d72163a742a8391d3dfe2ce9e8e6a067bbac476649029db0a75b1531c103071a7e296d65f5136d72e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\pl_rsrc_english.dll

Filesize
1.6MB

MD5
50a8d8922ce7fca3debe1211188a271f

SHA1
a4698c1e1a7561401b0ad3e1a4da8af6ecaf8507

SHA256
bc410c8e2373201951810b3a37f5b0fe430d6062ee35ed04f53a519422d3ab2d

SHA512
4e115936a303ea54494a6c5d81cd1bf23dcb6483fa16e14cb2b96eec29d7b0294855ceca969264dffe7d810b4c8d206aecd231a1bb4da284e4179f8ae107cda7

Download Submit
C:\Users\Admin\AppData\Local\Temp\pl_rsrc_english.dll

Filesize
1.8MB

MD5
7a29d1a0259ab6e68125a6eee44a3b8d

SHA1
ca6b3a9498958f49e11eda6aaadb01907ad6ac11

SHA256
6fd36fe4cb18f74361cc6789f72e703455dcf85e532bc7863b3f8bc5a2dee97c

SHA512
7f003ff489211d5551acf72769d0f9ead74931ed28c9751ecccbc48c857a77a12fe4513e6daa6a9c95a7c95bf16e2510bef55313cdbe04b30b4b097b436568fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\pl_rsrc_english.dll

Filesize
1.9MB

MD5
4f22d6b8f5fff9bea7ee68d09e2a7f9c

SHA1
571f27c470dc61dead51e3f942e8aa7c13441e33

SHA256
ec0bb9aae6515b3e7b2459f53c7667a89bf1ed476b963952349c26dfb0aa42f4

SHA512
84a30cbee3a45b45758735a768dfafd2b727cb69897f7e26fffe565aeace850ad9f9b6cd5f24b94813124a45be91faa019681ce4a1e588f403723a868b512bea

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads