Overview

overview

8

Static

static

1

trojan-rem...82.exe

windows7-x64

4

trojan-rem...82.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    63s
  • max time network
    57s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/06/2023, 05:02

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    trojan-remover-6-9-5-build-2982.exe

  • Size

    14.7MB

  • MD5

    9ea5babf6100f16074566aef293b41fa

  • SHA1

    e640da514782aa7e10534eb94e7292d6ef9b7f7c

  • SHA256

    09bb73b82c2c50e3de03fc1f00e703d2a4fabcb777ef51bade09e0f142b24bb2

  • SHA512

    7cef8cd181313bb1cf58edf3c15444dfc28f520013f93fe4a27818e8c3542bb7adcb155031aa9039dbf6c38db3decc3c5a31eb8453ecfdaa1487b06621fc7a0d

  • SSDEEP

    393216:gML27lzHSgAsU7WWBIia6iZuXiCSOefVytt6o0LHAm6:NulzygAsguiYkAtyPqgm6

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Sets file execution options in registry 2 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 18 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Modifies system executable filetype association 2 TTPs 5 IoCs
    persistence
  • Registers COM server for autorun 1 TTPs 3 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\trojan-remover-6-9-5-build-2982.exe
    "C:\Users\Admin\AppData\Local\Temp\trojan-remover-6-9-5-build-2982.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1560
    • C:\Users\Admin\AppData\Local\Temp\is-KQQ6E.tmp\trojan-remover-6-9-5-build-2982.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-KQQ6E.tmp\trojan-remover-6-9-5-build-2982.tmp" /SL5="$C005E,14611967,499712,C:\Users\Admin\AppData\Local\Temp\trojan-remover-6-9-5-build-2982.exe"
      2⤵
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4768
      • C:\Windows\system32\regsvr32.exe
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Trojan Remover\Trshlex64.dll"
        3⤵
        • Loads dropped DLL
        • Modifies system executable filetype association
        • Registers COM server for autorun
        • Modifies registry class
        PID:840
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Trojan Remover\TRElevationHelper.dll"
        3⤵
        • Loads dropped DLL
        • Modifies registry class
        PID:672
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Trojan Remover\TRElevationHelper32.dll"
        3⤵
        • Loads dropped DLL
        • Modifies registry class
        PID:4564
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Set-ProcessMitigation -Name rmvtrjan.exe -Disable ForceRelocateImages
        3⤵
        • Sets file execution options in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3892
      • C:\Users\Admin\AppData\Local\Temp\is-KEHHM.tmp\TaskInst.exe
        "C:\Users\Admin\AppData\Local\Temp\is-KEHHM.tmp\TaskInst.exe"
        3⤵
        • Executes dropped EXE
        PID:5112
      • C:\Program Files (x86)\Trojan Remover\trupd.exe
        "C:\Program Files (x86)\Trojan Remover\trupd.exe" /dbinstall
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:4108

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Trojan Remover\TRElevationHelper.dll
          Filesize

          1.0MB

          MD5

          4af801176ac79f0a2a32b2d71d6ef691

          SHA1

          e4ad5d68fbd01d31d13e3737879c5adfaa05518b

          SHA256

          f0cd8bcd09a72de3bd900776fb129416877df869f27e8b2a1bb86d04ca8856f1

          SHA512

          dffb0ad4ea97fdfd58642eeeec6c2138de8cf5f2562e72d4503fe8da40b020595aa3e3cd5c4d1522335b9d64e8b83871f8c54365dbc2b6d2ee50e11df78d42c4

          Download Submit

        • C:\Program Files (x86)\Trojan Remover\TRElevationHelper.dll
          Filesize

          1.0MB

          MD5

          4af801176ac79f0a2a32b2d71d6ef691

          SHA1

          e4ad5d68fbd01d31d13e3737879c5adfaa05518b

          SHA256

          f0cd8bcd09a72de3bd900776fb129416877df869f27e8b2a1bb86d04ca8856f1

          SHA512

          dffb0ad4ea97fdfd58642eeeec6c2138de8cf5f2562e72d4503fe8da40b020595aa3e3cd5c4d1522335b9d64e8b83871f8c54365dbc2b6d2ee50e11df78d42c4

          Download Submit

        • C:\Program Files (x86)\Trojan Remover\TRElevationHelper32.dll
          Filesize

          2.2MB

          MD5

          4214adca95cec26e3cf661678a6c3705

          SHA1

          57604b65ef8ca91927dcfe2b4cf8ca0b4e0f1286

          SHA256

          03c6998fc83a8b89deb233e571e0ae1a5c07905578304440a06b5a912cc20700

          SHA512

          c0e980dab170caa2cad8b04bb34d12a65378e4d925efe2a3d3b9eb8a66ae487c573c6d6ba2d6565005f90defcf93e93273b1e6650b049ad3f250af5d3a14e084

          Download Submit

        • C:\Program Files (x86)\Trojan Remover\TRElevationHelper32.dll
          Filesize

          2.2MB

          MD5

          4214adca95cec26e3cf661678a6c3705

          SHA1

          57604b65ef8ca91927dcfe2b4cf8ca0b4e0f1286

          SHA256

          03c6998fc83a8b89deb233e571e0ae1a5c07905578304440a06b5a912cc20700

          SHA512

          c0e980dab170caa2cad8b04bb34d12a65378e4d925efe2a3d3b9eb8a66ae487c573c6d6ba2d6565005f90defcf93e93273b1e6650b049ad3f250af5d3a14e084

          Download Submit

        • C:\Program Files (x86)\Trojan Remover\Trshlex64.dll
          Filesize

          3.4MB

          MD5

          bc168257a6d847002c942f725e6c4d45

          SHA1

          252e52be7982fd7cf69ed1ae0d7b9d5246b76cae

          SHA256

          8332bd218920b6bec2a043ca6409d672335c0269b2d437cd7c1b00456e6f1726

          SHA512

          3ebad8455a440eb5bb87503fea557e3e30f136a461199bf66aa4ad11307d4dd52914469c59f0c8627310221f80c6048beada8275358c4db5c89eb4de26e16732

          Download Submit

        • C:\Program Files (x86)\Trojan Remover\Trshlex64.dll
          Filesize

          3.4MB

          MD5

          bc168257a6d847002c942f725e6c4d45

          SHA1

          252e52be7982fd7cf69ed1ae0d7b9d5246b76cae

          SHA256

          8332bd218920b6bec2a043ca6409d672335c0269b2d437cd7c1b00456e6f1726

          SHA512

          3ebad8455a440eb5bb87503fea557e3e30f136a461199bf66aa4ad11307d4dd52914469c59f0c8627310221f80c6048beada8275358c4db5c89eb4de26e16732

          Download Submit

        • C:\Program Files (x86)\Trojan Remover\Win32\libeay32.dll
          Filesize

          1.3MB

          MD5

          de66601165d003a7dbe444b128461694

          SHA1

          b6daca91c628bfeac760fb41f22ac591a6bb98e3

          SHA256

          ed98fc88dfe77719474dbe680cafdb1ec1ff6311513ac4e2cf233f7520ec59ef

          SHA512

          21812241e34ff8b3cc98add32df719aa4947d6d7250dbaec9c4135b51c8e017f0d108da22ece878d0a59289433fb286d9ae9dc82ae34f4f5af2b1e8f8f27378f

          Download Submit

        • C:\Program Files (x86)\Trojan Remover\Win32\libeay32.dll
          Filesize

          1.3MB

          MD5

          de66601165d003a7dbe444b128461694

          SHA1

          b6daca91c628bfeac760fb41f22ac591a6bb98e3

          SHA256

          ed98fc88dfe77719474dbe680cafdb1ec1ff6311513ac4e2cf233f7520ec59ef

          SHA512

          21812241e34ff8b3cc98add32df719aa4947d6d7250dbaec9c4135b51c8e017f0d108da22ece878d0a59289433fb286d9ae9dc82ae34f4f5af2b1e8f8f27378f

          Download Submit

        • C:\Program Files (x86)\Trojan Remover\Win32\ssleay32.dll
          Filesize

          350KB

          MD5

          9f487404116e9718f3b62bad39891488

          SHA1

          efedbce65290163364db72796ea38331c605b063

          SHA256

          e04f10dc724496de19c5201d045e7951e5d508e71c13139523cdc42ed96707cc

          SHA512

          f56bf9df702a37dd625f5732bf8a0d24c8259d2ba4cbfb3b1ee9d48aeaed27eb485032b3bd4ba28e8d51b102daa5e14712aca40af43d1141b160968303e52d53

          Download Submit

        • C:\Program Files (x86)\Trojan Remover\Win32\ssleay32.dll
          Filesize

          350KB

          MD5

          9f487404116e9718f3b62bad39891488

          SHA1

          efedbce65290163364db72796ea38331c605b063

          SHA256

          e04f10dc724496de19c5201d045e7951e5d508e71c13139523cdc42ed96707cc

          SHA512

          f56bf9df702a37dd625f5732bf8a0d24c8259d2ba4cbfb3b1ee9d48aeaed27eb485032b3bd4ba28e8d51b102daa5e14712aca40af43d1141b160968303e52d53

          Download Submit

        • C:\Program Files (x86)\Trojan Remover\trupd.exe
          Filesize

          6.4MB

          MD5

          259c6fc84a6095e4a1d4e2242e2ceda1

          SHA1

          3992009312d8650ba787251c28b1fe6616304e19

          SHA256

          389f0fd6b713d894b624e114728c3a4dba971bbe2af0cee16d237f9ae5451bf0

          SHA512

          ef2843818922e16ffc55e2265416ac4669b1f198b961ec46c2f9f32e73263fd7a5aae7494a642a95a1ecedf447a75e2f48e335cafddde90bd40375066029b8c7

          Download Submit

        • C:\Program Files (x86)\Trojan Remover\trupd.exe
          Filesize

          6.4MB

          MD5

          259c6fc84a6095e4a1d4e2242e2ceda1

          SHA1

          3992009312d8650ba787251c28b1fe6616304e19

          SHA256

          389f0fd6b713d894b624e114728c3a4dba971bbe2af0cee16d237f9ae5451bf0

          SHA512

          ef2843818922e16ffc55e2265416ac4669b1f198b961ec46c2f9f32e73263fd7a5aae7494a642a95a1ecedf447a75e2f48e335cafddde90bd40375066029b8c7

          Download Submit

        • C:\ProgramData\Simply Super Software\Trojan Remover\Data\dlservers.dta
          Filesize

          522B

          MD5

          11da9dbdee7dd02901cddaed4841802b

          SHA1

          a53152510c5f81e423355deda4502abc29ea8af7

          SHA256

          11956755580ed92378df8fb11cccf980ec134943c6a2e08581dcbf6b770411f9

          SHA512

          137985e2dde65c70056ac618fcb617ead6d9ce75bfadb25310ca45c5c6670663b8ecd8218b7ce2beb8022c7847a48a607f5725df48e05b56282ecc5d2e8992aa

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_npepqqg5.2gb.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\is-KEHHM.tmp\TaskInst.exe
          Filesize

          2.3MB

          MD5

          0ea8f3f88f2433777d6d950978d71e3e

          SHA1

          7dfeecbb71a8a6fd65735e9b967692de09d67d2a

          SHA256

          b53fad3e0294a5b364b2aa85de3e651c9b39b290b6545698374435982def5bb1

          SHA512

          ca367d10ea7c94e110958b3f1c6a1cd939acce4c7f4ccfe4212e704534a667abf376cdd45f9610bb39cf9bc042fb23781073a67146fdf86ff55b3669264e284a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\is-KQQ6E.tmp\trojan-remover-6-9-5-build-2982.tmp
          Filesize

          1.5MB

          MD5

          4aaacbe93ee7ad2d86fe3533068ade70

          SHA1

          01c3403b90d4c43fa07a13c89035a9a78c2b62c1

          SHA256

          1e10e564609c79febd65d446fd40f865413d7d82e92836e5ca6c6c0d4ba08d7d

          SHA512

          ca132148954d30b76a1652e9cce63d7a15adfb3017d25c5acec97d4b59a591e9ee592f0938adb5a6d62bbf7a38865807eb9cfbbc6dbaed3707b937822162ab75

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\is-KQQ6E.tmp\trojan-remover-6-9-5-build-2982.tmp
          Filesize

          1.5MB

          MD5

          4aaacbe93ee7ad2d86fe3533068ade70

          SHA1

          01c3403b90d4c43fa07a13c89035a9a78c2b62c1

          SHA256

          1e10e564609c79febd65d446fd40f865413d7d82e92836e5ca6c6c0d4ba08d7d

          SHA512

          ca132148954d30b76a1652e9cce63d7a15adfb3017d25c5acec97d4b59a591e9ee592f0938adb5a6d62bbf7a38865807eb9cfbbc6dbaed3707b937822162ab75

          Download Submit

        • memory/1560-133-0x0000000000400000-0x0000000000484000-memory.dmp

          Filesize

          528KB

          Download

        • memory/1560-140-0x0000000000400000-0x0000000000484000-memory.dmp

          Filesize

          528KB

          Download

        • memory/3892-216-0x000002442EA30000-0x000002442EA40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3892-217-0x000002442EA30000-0x000002442EA40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3892-218-0x000002442EA30000-0x000002442EA40000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3892-215-0x0000024416560000-0x000002441657E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/3892-207-0x00000244163A0000-0x00000244163C2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/4108-228-0x00000000029C0000-0x00000000029C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4108-229-0x00000000030F0000-0x00000000033FA000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/4768-187-0x0000000000400000-0x000000000058A000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/4768-142-0x0000000000840000-0x0000000000841000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4768-141-0x0000000000400000-0x000000000058A000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/4768-138-0x0000000000840000-0x0000000000841000-memory.dmp

          Filesize

          4KB

          Download

        • memory/5112-223-0x0000000000400000-0x000000000066E000-memory.dmp

          Filesize

          2.4MB

          Download