da51aca27777c2fd13be2e099f6657b7815633bbbfe3240b4d8ed171867786ad | Triage

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2024 12:29

Sharing

Report Analysis Logs

General

Target

True2Scan.exe
Size

2.4MB
MD5

7682a598ae6622ce1fc3b666a9a9dafe
SHA1

cc59865ea7605126764c009cc0be2351daa62197
SHA256

4b988a9aa2f81cc6329bd057f3d8e9144ef83ce95cc7524da1e3a03749d370e1
SHA512

289bc425aaf09787a654f8bb4389198e9c7f3517907cd7889d4d8cc1f31ac0d91a108cbfacf17f724096fb31018c754fd8e2c03768741e9aaca2320a3291b8f9
SSDEEP

49152:pRG2J9c6RA2L+zox3s31Z+Yelyd+zox3s31Z+Yel5:pR79hRAuv3s3X+YCuv3s3X+YC5

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

True2Scan.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\True2Scan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\True2ScanLaunch.exe"	True2Scan.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

True2Scan.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	True2Scan.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	True2Scan.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

True2Scan.exe

pid process

3688 True2Scan.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

True2Scan.exe

pid process

3688 True2Scan.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

True2Scan.exe

pid process

3688 True2Scan.exe
3688 True2Scan.exe

C:\Users\Admin\AppData\Local\Temp\True2Scan.exe
"C:\Users\Admin\AppData\Local\Temp\True2Scan.exe"
1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3688

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3688-0-0x00000000006F0000-0x000000000071D000-memory.dmp

Filesize
180KB

Download