149ded86c52aee0bf1dc303181495af988334c9c0c6b81048d8388a7f797dc5b

General

Target

trig_149ded86c52aee0bf1dc30.exe
Size

1.1MB
MD5

882f792ef927f4e8321e082d9a4d85ff
SHA1

0f7989d7ae20d6be6f18c38ae255a5ca1397a8df
SHA256

149ded86c52aee0bf1dc303181495af988334c9c0c6b81048d8388a7f797dc5b
SHA512

350040e5611aa21bc637f465a4c898c7473cd21e2a71c269593196c6866b709cefdf9610b411679cdd1f6b213ee130e058b93f5c2578457450aa4b3dd49a9673
SSDEEP

24576:LYxvmwliqDHWHVjdzuM7Br+e5rA+u7ziSX:evmw3UjnrP9jQis

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

trig_149ded86c52aee0bf1dc30.exetrig_149ded86c52aee0bf1dc30.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\693791EE6037E1718044FACFFF162387 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\trig_149ded86c52aee0bf1dc30.exe"	trig_149ded86c52aee0bf1dc30.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\693791EE6037E1718044FACFFF162387 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\trig_149ded86c52aee0bf1dc30.exe"	trig_149ded86c52aee0bf1dc30.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

Drops desktop.ini file(s) 6 IoCs

Processes:

trig_149ded86c52aee0bf1dc30.exetrig_149ded86c52aee0bf1dc30.exe

description	ioc	process
File opened for modification	\??\c:\program files\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\microsoft office\root\office16\1033\dataservices\DESKTOP.INI	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\$recycle.bin\s-1-5-21-2971393436-602173351-1645505021-1000\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\desktop.ini	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\microsoft office\root\office16\1033\dataservices\DESKTOP.INI	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\$recycle.bin\s-1-5-21-2971393436-602173351-1645505021-1000\desktop.ini	trig_149ded86c52aee0bf1dc30.exe

Drops file in Program Files directory 64 IoCs

Processes:

trig_149ded86c52aee0bf1dc30.exetrig_149ded86c52aee0bf1dc30.exe

description	ioc	process
File opened for modification	\??\c:\program files\microsoft office\root\office16\media\WIND.WAV	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\microsoft office\root\office16\pagesize\PGLBL097.XML	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-nodes.jar	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.ssl_1.0.0.v20140827-1444.jar	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\microsoft office\root\document themes 16\Integral.thmx	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\meta-inf\ECLIPSE_.RSA	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\themes16\arctic\ARCTIC.ELM	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\7-zip\lang\ba.txt	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\en-us\oregres.dll.mui	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\java\jdk1.8.0_66\jre\THIRDPARTYLICENSEREADME.txt	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\microsoft office\root\licenses16\HomeStudentVNextR_Retail-ul-oob.xrm-ms	trig_149ded86c52aee0bf1dc30.exe
File created	\??\c:\program files\google\chrome\application\how_to_decrypt.hta	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\java\jdk1.8.0_66\jre\lib\accessibility.properties	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\1033\osmia32.msi	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\datamodel\cartridges\informix.xsl	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\java\jdk1.8.0_66\jre\bin\server\classes.jsa	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\java\jdk1.8.0_66\lib\visualvm\platform\config\modules\org-netbeans-modules-spi-actions.xml	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\themes16\echo\THMBNAIL.PNG	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\microsoft office\root\licenses16\SkypeforBusinessR_Grace-ppd.xrm-ms	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\microsoft office\root\licenses16\VisioProR_OEM_Perp-pl.xrm-ms	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\themes16\blueprnt\BLUEPRNT.ELM	trig_149ded86c52aee0bf1dc30.exe
File created	\??\c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\themes16\breeze\how_to_decrypt.hta	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.base_4.0.200.v20141007-2301.jar	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\microsoft office\root\office16\addins\microsoft power query for excel integrated\bin\Microsoft.Mashup.Container.exe.config	trig_149ded86c52aee0bf1dc30.exe
File created	\??\c:\program files\microsoft office\root\office16\fpa_f4\how_to_decrypt.hta	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\microsoft office\root\licenses16\HomeBusinessR_OEM_Perp2-ul-phn.xrm-ms	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\microsoft office\root\licenses16\VisioProO365R_SubTest-ul-oob.xrm-ms	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\common files\system\ole db\de-de\sqloledb.rll.mui	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\common files\system\ole db\oledbvbs.inc	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_zh_CN.jar	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-javahelp.xml	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_zh_CN.jar	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\microsoft office\root\licenses16\O365HomePremR_SubTrial5-pl.xrm-ms	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\ink\en-us\TabTip.exe.mui	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-api_zh_CN.jar	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\common files\system\ado\fr-fr\msader15.dll.mui	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\microsoft office\packagemanifests\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml	trig_149ded86c52aee0bf1dc30.exe
File created	\??\c:\program files\microsoft office\root\office16\msipc\pt\how_to_decrypt.hta	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\microsoft office\root\office16\pagesize\PGLBL117.XML	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\java\jdk1.8.0_66\lib\visualvm\platform\config\moduleautodeps\org-openide-explorer.xml	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\microsoft office\root\office16\1033\SETLANG_F_COL.HXK	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\themes16\slate\THMBNAIL.PNG	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.properties	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\microsoft office\root\office16\1033\ClientSub_eula.txt	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.nl_ja_4.4.0.v20140623020002.jar	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\microsoft office\root\licenses16\Personal2019R_OEM_Perp-ul-phn.xrm-ms	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator_2.0.0.v20131217-1203.jar	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\microsoft office\packagemanifests\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml	trig_149ded86c52aee0bf1dc30.exe
File created	\??\c:\program files\microsoft office\root\office16\odbc drivers\salesforce\lib\how_to_decrypt.hta	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\common files\microsoft shared\ink\ja-jp\TipTsf.dll.mui	trig_149ded86c52aee0bf1dc30.exe
File created	\??\c:\program files\java\how_to_decrypt.hta	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\microsoft office\root\licenses16\ExcelVL_KMS_Client-ul.xrm-ms	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\java\jdk1.8.0_66\lib\visualvm\visualvm\config\modules\com-sun-tools-visualvm-threaddump.xml	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\microsoft office\root\licenses16\Access2019R_Grace-ul-oob.xrm-ms	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\microsoft office\root\licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\microsoft office\root\templates\1033\Office Word 2003 Look.dotx	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\meta-inf\ECLIPSE_.RSA	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\microsoft office\root\licenses16\ProjectProR_Retail-pl.xrm-ms	trig_149ded86c52aee0bf1dc30.exe
File opened for modification	\??\c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\themes16\water\THMBNAIL.PNG	trig_149ded86c52aee0bf1dc30.exe

C:\Users\Admin\AppData\Local\Temp\trig_149ded86c52aee0bf1dc30.exe
"C:\Users\Admin\AppData\Local\Temp\trig_149ded86c52aee0bf1dc30.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:2264

C:\Users\Admin\AppData\Local\Temp\trig_149ded86c52aee0bf1dc30.exe
"C:\Users\Admin\AppData\Local\Temp\trig_149ded86c52aee0bf1dc30.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
PID:2264

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Network Service Scanning

1

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2971393436-602173351-1645505021-1000\desktop.ini
Filesize
886B

MD5
adabd397b1a54d6d15a985f733b3964c

SHA1
18e78845b051427c148ce8baecf752b3b9779712

SHA256
c55b2568b810d81bc753620f5da0e6fee99039c810acf89d389ee70fdad94dfb

SHA512
23dd1c52b59a1112914dc7a964dd6d1d27291c11bb057f1df6511b7174c1318809539e481315348e7898706c4a9f997253d119c2dab1ad5aee5fd0159d23e0b1

Download Submit
C:\$Recycle.Bin\S-1-5-21-2971393436-602173351-1645505021-1000\desktop.ini
Filesize
886B

MD5
adabd397b1a54d6d15a985f733b3964c

SHA1
18e78845b051427c148ce8baecf752b3b9779712

SHA256
c55b2568b810d81bc753620f5da0e6fee99039c810acf89d389ee70fdad94dfb

SHA512
23dd1c52b59a1112914dc7a964dd6d1d27291c11bb057f1df6511b7174c1318809539e481315348e7898706c4a9f997253d119c2dab1ad5aee5fd0159d23e0b1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads