d53bf41616a88bda36fcc57594529271ac4abf4a568cac98af802592145d0396

General

Target

SecuriteInfo.com.Trojan.MulDrop27.1047.540.14781.exe
Size

2.5MB
MD5

8a886bf8b3fe0dcb20aeca62ee005310
SHA1

486ee4ab017093d6e5916242fc1850c88d3f0bfa
SHA256

d53bf41616a88bda36fcc57594529271ac4abf4a568cac98af802592145d0396
SHA512

9cf5e0ead443915617db8fac7839032116e9ce12664d0556b41bd318e01820522f042c1c11382948e8ff30c1299d5f0cca9a9a68782f767962643063f2135e29
SSDEEP

49152:eILChUWDtNbT8Ad8GLLG+c1V3FDfm1VPtiQnGgyQ9OvdC:eZUIPH58iy+WvjmXPRnGgyQ9J

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2436	PostUpdate.exe
2452	processlasso.exe
628	bitsumsessionagent.exe

Loads dropped DLL 7 IoCs

pid	Process
2936	SecuriteInfo.com.Trojan.MulDrop27.1047.540.14781.exe
2936	SecuriteInfo.com.Trojan.MulDrop27.1047.540.14781.exe
2936	SecuriteInfo.com.Trojan.MulDrop27.1047.540.14781.exe
2936	SecuriteInfo.com.Trojan.MulDrop27.1047.540.14781.exe
2436	PostUpdate.exe
2436	PostUpdate.exe
2452	processlasso.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	processlasso.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	PostUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	PostUpdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	processlasso.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2452	processlasso.exe
628	bitsumsessionagent.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeAssignPrimaryTokenPrivilege	2452	processlasso.exe
Token: SeDebugPrivilege	2452	processlasso.exe
Token: SeChangeNotifyPrivilege	2452	processlasso.exe
Token: SeIncBasePriorityPrivilege	2452	processlasso.exe
Token: SeIncreaseQuotaPrivilege	2452	processlasso.exe
Token: SeCreateGlobalPrivilege	2452	processlasso.exe
Token: SeProfSingleProcessPrivilege	2452	processlasso.exe
Token: SeBackupPrivilege	2452	processlasso.exe
Token: SeRestorePrivilege	2452	processlasso.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2436	2936	SecuriteInfo.com.Trojan.MulDrop27.1047.540.14781.exe	28
PID 2936 wrote to memory of 2436	2936	SecuriteInfo.com.Trojan.MulDrop27.1047.540.14781.exe	28
PID 2936 wrote to memory of 2436	2936	SecuriteInfo.com.Trojan.MulDrop27.1047.540.14781.exe	28
PID 2936 wrote to memory of 2436	2936	SecuriteInfo.com.Trojan.MulDrop27.1047.540.14781.exe	28
PID 2936 wrote to memory of 2436	2936	SecuriteInfo.com.Trojan.MulDrop27.1047.540.14781.exe	28
PID 2936 wrote to memory of 2436	2936	SecuriteInfo.com.Trojan.MulDrop27.1047.540.14781.exe	28
PID 2936 wrote to memory of 2436	2936	SecuriteInfo.com.Trojan.MulDrop27.1047.540.14781.exe	28
PID 2436 wrote to memory of 2452	2436	PostUpdate.exe	31
PID 2436 wrote to memory of 2452	2436	PostUpdate.exe	31
PID 2436 wrote to memory of 2452	2436	PostUpdate.exe	31
PID 2436 wrote to memory of 2452	2436	PostUpdate.exe	31
PID 1852 wrote to memory of 628	1852	taskeng.exe	32
PID 1852 wrote to memory of 628	1852	taskeng.exe	32
PID 1852 wrote to memory of 628	1852	taskeng.exe	32
PID 1852 wrote to memory of 628	1852	taskeng.exe	32

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop27.1047.540.14781.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop27.1047.540.14781.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\PostUpdate.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Users\Admin\AppData\Local\Temp\processlasso.exe
    /postupdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2452

C:\Windows\system32\taskeng.exe
taskeng.exe {9AB80BF6-E308-43A1-8EEC-983806CB7E24} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe
  C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe ----------------------------------------------------------------
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ProcessLasso.exe

Filesize
1.5MB

MD5
2c877432fd4d19795bbcad79c3d530b7

SHA1
8cc9e843b3194563f58306deb60176ca5aa0cb3b

SHA256
fac77702d0ebec24d6b4c643313ca45372b42aa01e500097c51b136b05fab828

SHA512
29754c768301121a672fbb925be3cb8a6788ddfc596f6e00d1fdf04ee7ba3a88226cb142fd9545ad14a065ab31099022d1c938ceca8fcc1a81eef90c434ca75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QuickUpgrade.exe.Replacement

Filesize
433KB

MD5
dbd0b4b638ee503a27f2976a08a526d3

SHA1
ab8baf33800fe6debd579ccc9d1c5ea4edb7e488

SHA256
c6a21c179e486dbafbeade2f678f1c700349707cea379a43de4bdb5e57aeca90

SHA512
53c1fdb7f737177c8354f0950c108958208b461118aaa3c0ead0773d73a63e9d7b9d81d555ee927506b090695b9a446d67ed9ffd42d97ecd9251f405ae2d4a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\bitsumsessionagent.exe

Filesize
140KB

MD5
e1b1c11fb2e24b06bffd3a9e088dfd52

SHA1
1d38a2343c4a579f9c1260a3a12880a421d9663c

SHA256
134b446717377b11705248ef9b33d46aae0180a4d64b4fcf5ad8685232510f6b

SHA512
a5bf511918a938573958bcc5df37af3db39b25636bfe3d33f39b516f47c133c16fb639a6df6801401223f6b4da80e47e866a9f0e5f7af8cf4280f8833495ded9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pl_rsrc_english.dll

Filesize
1.9MB

MD5
e95579ec573e6b348066fb5df321c46e

SHA1
a1c9712b5841b32d312a510c268834f2203958e9

SHA256
dbbd50bb8aeac0bdcb2fecdd6835c26c7d879ab3dc82dda9e27a8061e33d6c9b

SHA512
c076d1e5cb5acbe5be7d024ca3967a16da21bd27510f87895f098cbef425d4651e05a60aa11319e636f437aa163d6327b1b0cae3b2fd404c9d4dcd78190daca2

Download Submit
\Users\Admin\AppData\Local\Temp\PostUpdate.exe

Filesize
614KB

MD5
6cee594062f859ecf16b7a6f061b8ba0

SHA1
ff021920c66b845a5d7f2d6379d40c8e0f1c9787

SHA256
dae058eeaf16c55be97bb87d70c1d32f2ddc241585fe29e9743f4b45e340573f

SHA512
a57e1c9f7b930ae77ebaa1a2905ac279c182f7c3b94b84e1363c13cd4b385790642fbbf8e7f83cbe014c7ed61417fdbe3eae5ffd4b76b97cebd4cd62f243ddde

Download Submit

Analysis

Sharing