2d830ab6e960a0352b557bddd62f0e86f56318387ba712c5502c581805a6262f

General

Target

69d1e288d7a88cca768aaec4cfd0b05d2319c910e1d8a872b40148656d042969.exe
Size

831KB
MD5

cd2747fbc6e7c4caf42d4d863a69792f
SHA1

ff4aa4aa60373f808b62de5fa2bac4deac817644
SHA256

69d1e288d7a88cca768aaec4cfd0b05d2319c910e1d8a872b40148656d042969
SHA512

2240d6d89c1affe45f30d026cc707c53916f19ecf58204d24e3ac5b245da67fb59847dbc0ddad7adba4ea9afe41047a7bd6dd90a2912257ab6c8800dac8186cc
SSDEEP

12288:yN9d1yTGrYZ9bZAMa504xdrDZKb8ZZvzedCRKd/BadIS67pWfir:cPrYZ9A504xdrDZKb8ZZvzeIQ5BadOh

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

Trio.Net.exe

pid process

3960 Trio.Net.exe
Loads dropped DLL 6 IoCs

Processes:

Trio.Net.exe

pid process

3960 Trio.Net.exe
3960 Trio.Net.exe
3960 Trio.Net.exe
3960 Trio.Net.exe
3960 Trio.Net.exe
3960 Trio.Net.exe

pid	process
3960	Trio.Net.exe

pid	process
3960	Trio.Net.exe
3960	Trio.Net.exe
3960	Trio.Net.exe
3960	Trio.Net.exe
3960	Trio.Net.exe
3960	Trio.Net.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Trio.Net.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Trio.WakeNet = "C:\\Users\\Admin\\AppData\\Local\\TrioNet\\Trio.Net.exe"	Trio.Net.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

69d1e288d7a88cca768aaec4cfd0b05d2319c910e1d8a872b40148656d042969.exeTrio.Net.exe

description	pid	process
Token: SeDebugPrivilege	1516	69d1e288d7a88cca768aaec4cfd0b05d2319c910e1d8a872b40148656d042969.exe
Token: SeDebugPrivilege	3960	Trio.Net.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

69d1e288d7a88cca768aaec4cfd0b05d2319c910e1d8a872b40148656d042969.exe

description	pid	process	target process
PID 1516 wrote to memory of 3960	1516	69d1e288d7a88cca768aaec4cfd0b05d2319c910e1d8a872b40148656d042969.exe	Trio.Net.exe
PID 1516 wrote to memory of 3960	1516	69d1e288d7a88cca768aaec4cfd0b05d2319c910e1d8a872b40148656d042969.exe	Trio.Net.exe
PID 1516 wrote to memory of 3960	1516	69d1e288d7a88cca768aaec4cfd0b05d2319c910e1d8a872b40148656d042969.exe	Trio.Net.exe

C:\Users\Admin\AppData\Local\Temp\69d1e288d7a88cca768aaec4cfd0b05d2319c910e1d8a872b40148656d042969.exe
"C:\Users\Admin\AppData\Local\Temp\69d1e288d7a88cca768aaec4cfd0b05d2319c910e1d8a872b40148656d042969.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Local\TrioNet\Trio.Net.exe
"C:\Users\Admin\AppData\Local\TrioNet\Trio.Net.exe" C:\Users\Admin\AppData\Local\TrioNet\Trio.Net.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4456 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
1⤵
PID:2356

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TrioNet\Newtonsoft.Json.dll
Filesize
639KB

MD5
2b770cea3a15c2b0eb36e9061ac5bc64

SHA1
b0c61c2e026fe4ebc2814ada65a6d17e7b0a604f

SHA256
1c245f4c85c2ada130bc59942c90b701c24c06edbe3eb25838ed8de4f852535c

SHA512
b5ce67a8558f37ffc6b85ee911808466aa3bb0f38dbcf6a221f7adb55e112f18aa7128244aa70bb2c0e36ec6082e94c8654d827c76dee71ae39e6bbdbe824bda

Download Submit
C:\Users\Admin\AppData\Local\TrioNet\RestSharp.dll
Filesize
165KB

MD5
54842df150e2cff6c457bc51522a7d00

SHA1
d4252f823034a87f2b27750aeb5d167fc67f4d32

SHA256
0a74d75dfbf2193390969008ec0f6eceb29c8b20363e05192c959b0fac12f231

SHA512
0840ba54b2de6aa7ab865f5b792262c09a74c39cb9b9394a7f1737df7e9ffae767cd908f6a0760755a11c70cd7bd35fd6ee516009489e6225cad72c39ad0dc1c

Download Submit
C:\Users\Admin\AppData\Local\TrioNet\Trio.Net.exe
Filesize
6KB

MD5
e806729db3ae4dc37c042d8f1002a6e2

SHA1
d2c53d95fc6588feaa7ca60e389ed014e3c1490a

SHA256
85f28d66c4b7b400c7c7a39076c5bea56adfeb2e7bedcbcd5bbef9f759b16bd1

SHA512
90041fa3d40b153458d3be9c4e36cdcb36aa294172c7b5d8c875e64b21b4993ceef3611beeac417020dadce408ac5706da26f2f2ac4e7988cf390bfe16241242

Download Submit
C:\Users\Admin\AppData\Local\TrioNet\TrioSdk.Support.dll
Filesize
18KB

MD5
fe88c0800f0decdcb69c4485a278a707

SHA1
0f051a6174cd80b2a8c36885504774b2bb0a460c

SHA256
51d00c20fdbd2ebd37d14519114a9660a435120b28a5acac1d7aca9915e4b2eb

SHA512
0b6bef9f60cfb020b8aedc778f573d4ce9bcb93030ff62a28377b91663b78cf522087949449f15889d795303bc9619b286f7471ab8952ec017310dce639122bc

Download Submit
memory/1516-1-0x0000000000220000-0x00000000002F6000-memory.dmp

Filesize
856KB

Download
memory/1516-2-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/1516-11-0x00000000747D0000-0x0000000074F80000-memory.dmp

Filesize
7.7MB

Download
memory/1516-0-0x00000000747D0000-0x0000000074F80000-memory.dmp

Filesize
7.7MB

Download
memory/1516-13-0x0000000004CA0000-0x0000000004CB0000-memory.dmp

Filesize
64KB

Download
memory/1516-25-0x00000000747D0000-0x0000000074F80000-memory.dmp

Filesize
7.7MB

Download
memory/3960-12-0x00000000747D0000-0x0000000074F80000-memory.dmp

Filesize
7.7MB

Download
memory/3960-23-0x0000000004CA0000-0x0000000004CD0000-memory.dmp

Filesize
192KB

Download
memory/3960-24-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/3960-19-0x0000000002770000-0x000000000277A000-memory.dmp

Filesize
40KB

Download
memory/3960-15-0x00000000004B0000-0x00000000004B8000-memory.dmp

Filesize
32KB

Download
memory/3960-29-0x0000000004DF0000-0x0000000004E96000-memory.dmp

Filesize
664KB

Download
memory/3960-30-0x00000000747D0000-0x0000000074F80000-memory.dmp

Filesize
7.7MB

Download
memory/3960-31-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/3960-32-0x0000000005820000-0x0000000005842000-memory.dmp

Filesize
136KB

Download
memory/3960-33-0x0000000005860000-0x0000000005BB4000-memory.dmp

Filesize
3.3MB

Download
memory/3960-35-0x00000000747D0000-0x0000000074F80000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads