Overview

overview

8

Static

static

3

SecuriteIn...54.exe

windows7-x64

8

SecuriteIn...54.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    141s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/04/2024, 17:33

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Trojan.MulDrop26.46211.13516.19754.exe

  • Size

    4.3MB

  • MD5

    ca3ac4dfe395961c7b9f1dae6e3e48e5

  • SHA1

    e96a107ba62c7229b7d0f9bd37f08719cfea8156

  • SHA256

    cc95aa91015b7193036acb6354420c2008d95cb4685c7a68a66826c71b631954

  • SHA512

    c0cd4548f1ec13ffc2bbe2c486a96aefc43dd4089a363fa870896f84290262ac2553f0c8f9b4fa63fe5cdd19bea4edeb723b31e97fa7c1c94a10ba3252502ea3

  • SSDEEP

    98304:dkL3u62LxixFn+p5OdbmbCdwKl08sQkkay2TzpRtrcm9kSkr96:u3v2Lsc8bILe08sZkay2Tzrtom9kZw

Score
8/10
evasion

Malware Config

Signatures

  • Stops running service(s) 3 TTPs
    evasion
  • Executes dropped EXE 1 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Kills process with taskkill 1 IoCs
    evasion
  • Runs net.exe
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop26.46211.13516.19754.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop26.46211.13516.19754.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2356
    • C:\Users\Admin\AppData\Local\Temp\is-3IA5O.tmp\SecuriteInfo.com.Trojan.MulDrop26.46211.13516.19754.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-3IA5O.tmp\SecuriteInfo.com.Trojan.MulDrop26.46211.13516.19754.tmp" /SL5="$3023A,3651722,825344,C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop26.46211.13516.19754.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1604
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrpc
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2312
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 2
          4⤵
          • Runs ping.exe
          PID:412
        • C:\Windows\SysWOW64\net.exe
          net stop tacticalrpc
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:740
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop tacticalrpc
            5⤵
              PID:1448
        • C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /c net stop tacticalagent
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2716
          • C:\Windows\SysWOW64\net.exe
            net stop tacticalagent
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2484
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop tacticalagent
              5⤵
                PID:1740
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /c ping 127.0.0.1 -n 2 && net stop tacticalrmm
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2008
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1 -n 2
              4⤵
              • Runs ping.exe
              PID:3080
            • C:\Windows\SysWOW64\net.exe
              net stop tacticalrmm
              4⤵
              • Suspicious use of WriteProcessMemory
              PID:4412
              • C:\Windows\SysWOW64\net1.exe
                C:\Windows\system32\net1 stop tacticalrmm
                5⤵
                  PID:4768
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /c taskkill /F /IM tacticalrmm.exe
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:4892
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /F /IM tacticalrmm.exe
                4⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3492
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /c sc delete tacticalagent
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:3644
              • C:\Windows\SysWOW64\sc.exe
                sc delete tacticalagent
                4⤵
                • Launches sc.exe
                PID:3076
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /c sc delete tacticalrpc
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:4452
              • C:\Windows\SysWOW64\sc.exe
                sc delete tacticalrpc
                4⤵
                • Launches sc.exe
                PID:1476

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\is-3IA5O.tmp\SecuriteInfo.com.Trojan.MulDrop26.46211.13516.19754.tmp
                Filesize

                3.0MB

                MD5

                98a6f8a5951e0cd9165797e1d3e076f7

                SHA1

                ed4258de26752f4fa26c5dbd4c6586563bb8ba93

                SHA256

                0017f703e8fd9af50ac081c0e34a059fee81fc9593db4cba0e113aa5069f34b6

                SHA512

                7294b8b5113a24df4e538bf294d133b8fd50c89a3ca0102312c0ab80030c70d87745cfc36bca9f7538682d2ad26468f4e4e3adecb921744bb0b2d54844d0ab54

                Download Submit

              • memory/1604-5-0x0000000000910000-0x0000000000911000-memory.dmp

                Filesize

                4KB

                Download

              • memory/1604-8-0x0000000000400000-0x0000000000712000-memory.dmp

                Filesize

                3.1MB

                Download

              • memory/1604-11-0x0000000000910000-0x0000000000911000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2356-0-0x0000000000400000-0x00000000004D7000-memory.dmp

                Filesize

                860KB

                Download

              • memory/2356-7-0x0000000000400000-0x00000000004D7000-memory.dmp

                Filesize

                860KB

                Download