Analysis
- max time kernel: 151s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/02/2024, 12:46
Tasks
- Static task static1
- Behavioral task behavioral1: sample SecuriteInfo.com.Trojan.MulDrop3.26100.10656.22623.dll, resource win7-20231215-en
- Behavioral task behavioral2: sample SecuriteInfo.com.Trojan.MulDrop3.26100.10656.22623.dll, resource win10v2004-20231215-en
General
- Target: SecuriteInfo.com.Trojan.MulDrop3.26100.10656.22623.dll
- Size: 1.8MB
- MD5: ff9f837f2e437d55dab3110bfc17b0a2
- SHA1: bf3a403e81a5db31e8ea3d34f01408ba47d1fab6
- SHA256: 6ac207559706d6f6e7f95d6cb3754f75e9f0b3b962cadb2a3f85a46a1aff3422
- SHA512: d1a161567514bba1e20d53334e23bf654416d91261ec3981dde65a846f584b03a90abee534fe93973b28389a83e2293c7619ba58f1a0b35a5b4a899143362947
- SSDEEP: 24576:203bWVWrpjTfAVkpy+WH1/Q0cisbEqwV47AaZbTaA3ssy3ll43I5xMVsbOOOjygs:5bEQj4m9nIFVsL/Tc5lGsiojtqIbb
Malware Config
Signatures
- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Key opened: \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Wine (process: rundll32.exe)
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  File opened for modification: \??\PhysicalDrive0 (process: rundll32.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  PID 4936, rundll32.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 4936, rundll32.exe (4 identical occurrences)
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 1408 (rundll32.exe) wrote to memory of PID 4936 (procid_target 84), 3 identical occurrences
Processes
- C:\Windows\system32\rundll32.exe (PID 1408)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop3.26100.10656.22623.dll,#1
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\rundll32.exe (PID 4936)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop3.26100.10656.22623.dll,#1
    - Identifies Wine through registry keys
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses