Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/01/2024, 04:26

General

  • Target

    SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe

  • Size

    2.5MB

  • MD5

    83ef95311d217e5156a2ac79ebfb9e1d

  • SHA1

    6e33e3ac6a1d1f0949b1426275b76e7dfe21db72

  • SHA256

    f9ba39cc36ba8dd4cfb3f461e834660d55f12f76c8696dd04244db1e9db87051

  • SHA512

    5d8395180aa928fda17d193c3958d163e1e310bccb9ee33d5fbedcbf162148b3f1145c025c8962466ca3312c193cd5787276cc15f71b0138b18867c8a81529a7

  • SSDEEP

    49152:qILEUZJ9W8furgfV3IbrrTbx8HvfGwlEPNIuPK2nVgTJpltBLr:qWW8fuUd3IbZ8HvOwCO2nVgTJplfL

Score
5/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop24.57126.22451.19833.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5072
    • C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:2984
      • C:\Users\Admin\AppData\Local\Temp\processlasso.exe
        /postupdate
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        PID:1884
  • C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe
    C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe ----------------------------------------------------------------
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: GetForegroundWindowSpam
    PID:556

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe

    Filesize

    606KB

    MD5

    06345440adde3dd330adce69ef73baf2

    SHA1

    4658e257fdfd46aa7634a053aabd7f7e18da6752

    SHA256

    fb5b8384fafe43423ec4aad769565d3535c3e53687f1277774f332029e927ef9

    SHA512

    d46216b8ed3438f2ea792454635c71954861359a663a69b6b35270885750f693437ee3cda6921ddc1f4cd875d1393e5375f70a571dbd4bc3d8419cad471256d9

  • C:\Users\Admin\AppData\Local\Temp\ProcessLasso.exe

    Filesize

    1.6MB

    MD5

    af5811262cadcb1f01b280352dbd7cfa

    SHA1

    97987f02b1cb756bd3a3e6648cbe20e929ebbd02

    SHA256

    0814e8f9701bb91cf65da44b29e96f64f8945afb1d2173e3326dc8a26da2198f

    SHA512

    18a957ce052e73c1b2cdae9e3552d978e00bb0d2015517eacee9dd36ba8328b9b5f86d6ff562dabeba7ea3df888c84e07de775ed872361ea717738cf31816dd6

  • C:\Users\Admin\AppData\Local\Temp\QuickUpgrade.exe.Replacement

    Filesize

    418KB

    MD5

    682d0048f08be81f85e47f092cbd0905

    SHA1

    3a628a0cafba905eca010dd8c1c7cfa9f346d7e5

    SHA256

    ca982a5ef3a339d5c33b4113394793e95add1baed500ddb2075f1bd009d0aff2

    SHA512

    5e11ee85c26543ad2884a5117baea2f706658b476b29248e86b27587b01f4edca00822230c1dbfb1e53d0af883ca3be93369387a231c03a311fe7a893dd5bf9a

  • C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe

    Filesize

    140KB

    MD5

    d24676e0d66c623fede6908fdebb0e58

    SHA1

    ea4a90efa62c46facabc16d457cd5cd0936265c0

    SHA256

    a2a47e13896b0674b23dc2ce30726892e040573d087dcf393238e99f5f31551d

    SHA512

    b00bfdcf6b7f8785967cccda657f1bbf7aeb65fbb4aed3bd2096e98a9f316c24860965306a33a4b92f311783082404393cb5e0c8c86d995317dd7bd9abbb9a53

  • C:\Users\Admin\AppData\Local\Temp\pl_rsrc_english.dll

    Filesize

    1.3MB

    MD5

    ad4e53b4bc4191f842100b38ebd64f3c

    SHA1

    6a964c560c1b85c4412dcc22794ae7abdd63ea16

    SHA256

    09ef34780bb6074337b05529a32b6809b4d97b278825528180bef1a89d0d5316

    SHA512

    88ddb48c353b5b2d36f4a6e38ddd928288e369c95e9c44d72163a742a8391d3dfe2ce9e8e6a067bbac476649029db0a75b1531c103071a7e296d65f5136d72e4

  • C:\Users\Admin\AppData\Local\Temp\pl_rsrc_english.dll

    Filesize

    1.6MB

    MD5

    50a8d8922ce7fca3debe1211188a271f

    SHA1

    a4698c1e1a7561401b0ad3e1a4da8af6ecaf8507

    SHA256

    bc410c8e2373201951810b3a37f5b0fe430d6062ee35ed04f53a519422d3ab2d

    SHA512

    4e115936a303ea54494a6c5d81cd1bf23dcb6483fa16e14cb2b96eec29d7b0294855ceca969264dffe7d810b4c8d206aecd231a1bb4da284e4179f8ae107cda7

  • C:\Users\Admin\AppData\Local\Temp\pl_rsrc_english.dll

    Filesize

    1.8MB

    MD5

    7a29d1a0259ab6e68125a6eee44a3b8d

    SHA1

    ca6b3a9498958f49e11eda6aaadb01907ad6ac11

    SHA256

    6fd36fe4cb18f74361cc6789f72e703455dcf85e532bc7863b3f8bc5a2dee97c

    SHA512

    7f003ff489211d5551acf72769d0f9ead74931ed28c9751ecccbc48c857a77a12fe4513e6daa6a9c95a7c95bf16e2510bef55313cdbe04b30b4b097b436568fe

  • C:\Users\Admin\AppData\Local\Temp\pl_rsrc_english.dll

    Filesize

    1.9MB

    MD5

    4f22d6b8f5fff9bea7ee68d09e2a7f9c

    SHA1

    571f27c470dc61dead51e3f942e8aa7c13441e33

    SHA256

    ec0bb9aae6515b3e7b2459f53c7667a89bf1ed476b963952349c26dfb0aa42f4

    SHA512

    84a30cbee3a45b45758735a768dfafd2b727cb69897f7e26fffe565aeace850ad9f9b6cd5f24b94813124a45be91faa019681ce4a1e588f403723a868b512bea