4feb056769f2ac7fb07a65bfd3d5ca0fc22e8f3b3cf046fc586c782935ca2445

General

Target

Shipmet_Documents_DHL_AWB #7849402748,pdf.exe
Size

4.6MB
MD5

7130e2694cca996709191b76808eef93
SHA1

b1365ba832f6c4d6e03fc82404b966a8fa851145
SHA256

4feb056769f2ac7fb07a65bfd3d5ca0fc22e8f3b3cf046fc586c782935ca2445
SHA512

a2ce34dcb242d7925e610c88ad7faf8ff4396044c5da4f798bcde88e61f3643e9aff97da91a2b5a939c5007b0774517058729be17dadd45a27c6fa34a68ae024

Score

8^/10

persistence

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Shipmet_Documents_DHL_AWB #7849402748,pdf.exeTriou.exe

description pid process

Token: SeDebugPrivilege 1312 Shipmet_Documents_DHL_AWB #7849402748,pdf.exe
Token: SeDebugPrivilege 568 Triou.exe

description	pid	process
Token: SeDebugPrivilege	1312	Shipmet_Documents_DHL_AWB #7849402748,pdf.exe
Token: SeDebugPrivilege	568	Triou.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Shipmet_Documents_DHL_AWB #7849402748,pdf.exeTriou.exe

pid	process
1312	Shipmet_Documents_DHL_AWB #7849402748,pdf.exe
1312	Shipmet_Documents_DHL_AWB #7849402748,pdf.exe
1312	Shipmet_Documents_DHL_AWB #7849402748,pdf.exe
568	Triou.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Shipmet_Documents_DHL_AWB #7849402748,pdf.execmd.exe

description	pid	process	target process
PID 1312 wrote to memory of 1840	1312	Shipmet_Documents_DHL_AWB #7849402748,pdf.exe	cmd.exe
PID 1312 wrote to memory of 1840	1312	Shipmet_Documents_DHL_AWB #7849402748,pdf.exe	cmd.exe
PID 1312 wrote to memory of 1840	1312	Shipmet_Documents_DHL_AWB #7849402748,pdf.exe	cmd.exe
PID 1312 wrote to memory of 1840	1312	Shipmet_Documents_DHL_AWB #7849402748,pdf.exe	cmd.exe
PID 1840 wrote to memory of 1780	1840	cmd.exe	reg.exe
PID 1840 wrote to memory of 1780	1840	cmd.exe	reg.exe
PID 1840 wrote to memory of 1780	1840	cmd.exe	reg.exe
PID 1840 wrote to memory of 1780	1840	cmd.exe	reg.exe
PID 1312 wrote to memory of 568	1312	Shipmet_Documents_DHL_AWB #7849402748,pdf.exe	Triou.exe
PID 1312 wrote to memory of 568	1312	Shipmet_Documents_DHL_AWB #7849402748,pdf.exe	Triou.exe
PID 1312 wrote to memory of 568	1312	Shipmet_Documents_DHL_AWB #7849402748,pdf.exe	Triou.exe
PID 1312 wrote to memory of 568	1312	Shipmet_Documents_DHL_AWB #7849402748,pdf.exe	Triou.exe

Loads dropped DLL 1 IoCs

Processes:

Shipmet_Documents_DHL_AWB #7849402748,pdf.exe

pid process

1312 Shipmet_Documents_DHL_AWB #7849402748,pdf.exe
Executes dropped EXE 1 IoCs

Processes:

Triou.exe

pid process

568 Triou.exe

pid	process
568	Triou.exe

Adds Run entry to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\Awrade = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\AppData\\Roaming\\Triou.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe

C:\Users\Admin\AppData\Local\Temp\Shipmet_Documents_DHL_AWB #7849402748,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Shipmet_Documents_DHL_AWB #7849402748,pdf.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
PID:1312

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Awrade /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Triou.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\SysWOW64\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v Awrade /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Triou.exe"
3⤵
- Adds Run entry to start application
PID:1780

C:\Users\Admin\AppData\Roaming\Triou.exe
"C:\Users\Admin\AppData\Roaming\Triou.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Executes dropped EXE
PID:568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Triou.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Triou.exe

Download Submit
\Users\Admin\AppData\Roaming\Triou.exe

Download Submit
memory/568-7-0x0000000000000000-mapping.dmp

Download
memory/1312-1-0x0000000000000000-0x0000000000000000-disk.dmp

Download
memory/1780-5-0x0000000000000000-mapping.dmp

Download
memory/1840-4-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads