e41de7a1056c3c9a28ca6d1b40424e4ca07d51607cb5f86e1c65df09fa47c7f5

General

Target

4d90c6e133e8c1c3cf498585e7ec3362.exe
Size

388KB
MD5

4d90c6e133e8c1c3cf498585e7ec3362
SHA1

596840f025a80a26d608e0a35582ef4f6f3d5e6b
SHA256

e41de7a1056c3c9a28ca6d1b40424e4ca07d51607cb5f86e1c65df09fa47c7f5
SHA512

04eb302f56fca1c17d002f405322db1a4268bb4d440dc35c17752ba6d04e9cc2974739972860dcfdd3d3dc2ae0330d6ca2f41e8750ffd7e59fca607a2d9b88db
SSDEEP

6144:wq/+ep82m8Anc7amzdxyQEf5d+vheNaENwg6DutB4aeqq/SDrdmmklBnsz+uYA:wz6MAamJxof5EheN9wg6NaeqUS0pmzoA

Score

6^/10

evasion persistence trojan

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Norton Download Manager{N360S_prod_1.6.18_5.0.0.125} = "C:\\Users\\Public\\Downloads\\Norton\\{N360S_prod_1.6.18_5.0.0.125}\\4d90c6e133e8c1c3cf498585e7ec3362.exe /m"	4d90c6e133e8c1c3cf498585e7ec3362.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4d90c6e133e8c1c3cf498585e7ec3362.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2	4d90c6e133e8c1c3cf498585e7ec3362.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob = 5c0000000100000004000000000400007e0000000100000008000000000010c51e92d201620000000100000020000000e7685634efacf69ace939a6b255b7b4fabef42935b50a265acb5cb6027e44e7009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030119000000010000001000000091161b894b117ecdc257628db460cc04030000000100000014000000742c3192e607e424eb4549542be1bbc53e6174e21d000000010000001000000027b3517667331ce2c1e74002b5ff2298140000000100000014000000e27f7bd877d5df9e0a3f9eb4cb0e2ea9efdb69770b000000010000004600000056006500720069005300690067006e00200043006c006100730073002000330020005000750062006c006900630020005000720069006d00610072007900200043004100000004000000010000001000000010fc635df6263e0df325be5f79cd67670f0000000100000010000000d7c63be0837dbabf881d4fbf5f986ad853000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c07a000000010000000e000000300c060a2b0601040182375e010268000000010000000800000000003db65bd9d5012000000001000000400200003082023c308201a5021070bae41d10d92934b638ca7b03ccbabf300d06092a864886f70d0101020500305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479301e170d3936303132393030303030305a170d3238303830313233353935395a305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100c95c599ef21b8a0114b410df0440dbe357af6a45408f840c0bd133d9d911cfee02581f25f72aa84405aaec031f787f9e93b99a00aa237dd6ac85a26345c77227ccf44cc67571d239ef4f42f075df0a90c68e206f980ff8ac235f702936a4c986e7b19a20cb53a585e73dbe7d9afe244533dc7615ed0fa271644c652e816845a70203010001300d06092a864886f70d010102050003818100bb4c122bcf2c26004f1413dda6fbfc0a11848cf3281c67922f7cb6c5fadff0e895bc1d8f6c2ca851cc73d8a4c053f04ed626c076015781925e21f1d1b1ffe7d02158cd6917e3441c9c194439895cdc9c000f568d0299eda290454ce4bb10a43df032030ef1cef8e8c9518ce6629fe69fc07db7729cc9363a6b9f4ea8ff640d64	4d90c6e133e8c1c3cf498585e7ec3362.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2640	4d90c6e133e8c1c3cf498585e7ec3362.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2640	4d90c6e133e8c1c3cf498585e7ec3362.exe

C:\Users\Admin\AppData\Local\Temp\4d90c6e133e8c1c3cf498585e7ec3362.exe
"C:\Users\Admin\AppData\Local\Temp\4d90c6e133e8c1c3cf498585e7ec3362.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Norton\{086A63F0-6B13-4F29-9695-134E7A01E963}\LC.INI

Filesize
157B

MD5
1e6deb12a530dc08727eaefb68dd87ab

SHA1
84642f43593ce9283a9825482ede72d0b411ff75

SHA256
6eae57a2d58ab2d1d4d5f5e5e7ab99afe311aad9bb565b075e09fb09f991f64c

SHA512
54aed90359e453ca3048978183aeefd089322e0f700af43531036b28f1f22cb5e571e0d8b3f0438097a2aba92cb93c6588078641f8e6903292f2accc9e8eec5d

Download Submit
C:\Users\Public\Downloads\Norton\{N360S_prod_1.6.18_5.0.0.125}\4d90c6e133e8c1c3cf498585e7ec3362.exe

Filesize
388KB

MD5
4d90c6e133e8c1c3cf498585e7ec3362

SHA1
596840f025a80a26d608e0a35582ef4f6f3d5e6b

SHA256
e41de7a1056c3c9a28ca6d1b40424e4ca07d51607cb5f86e1c65df09fa47c7f5

SHA512
04eb302f56fca1c17d002f405322db1a4268bb4d440dc35c17752ba6d04e9cc2974739972860dcfdd3d3dc2ae0330d6ca2f41e8750ffd7e59fca607a2d9b88db

Download Submit
memory/2640-0-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/2640-1-0x00000000005F0000-0x00000000005F2000-memory.dmp

Filesize
8KB

Download
memory/2640-25-0x0000000002E60000-0x0000000002E61000-memory.dmp

Filesize
4KB

Download
memory/2640-27-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/2640-29-0x00000000005F0000-0x00000000005F2000-memory.dmp

Filesize
8KB

Download
memory/2640-30-0x0000000002E60000-0x0000000002E61000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads