c17f66e015691a55e7dff243d25e8c5753dd0cff125a4b9eddbc3a9811ab6ea1

General

Target

272236b631f5fa4d9db55e111b8f09cc.exe
Size

372KB
MD5

272236b631f5fa4d9db55e111b8f09cc
SHA1

b9d978a9bf0eb664b9d57d07f90a0d176caf147f
SHA256

c17f66e015691a55e7dff243d25e8c5753dd0cff125a4b9eddbc3a9811ab6ea1
SHA512

e5385d1ff6cc86bc7f631739eb5122a1fa6fbac5be36382d0c8f04879b099b1b709524d41e0dfcc382d6758d83fbde307319d119082ece59b1709af6f1a2f558
SSDEEP

6144:lHZA1kbQVjPXhe/qc+FNbHsHTUCzutSEVxCWr3rgNMPeXxEwf5I71I5Bnsz+ey:t/Q1PQIbMHIdtFxCaEN5XxEwxXmzty

Score

8^/10

evasion persistence trojan

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
3004	272236b631f5fa4d9db55e111b8f09cc.exe

Loads dropped DLL 5 IoCs

pid	Process
2892	272236b631f5fa4d9db55e111b8f09cc.exe
2892	272236b631f5fa4d9db55e111b8f09cc.exe
2892	272236b631f5fa4d9db55e111b8f09cc.exe
3004	272236b631f5fa4d9db55e111b8f09cc.exe
3004	272236b631f5fa4d9db55e111b8f09cc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Norton Download Manager{NIS_prod_UPG_1.5.30_18.1.0.37} = "C:\\Users\\Public\\Downloads\\Norton\\{NIS_prod_UPG_1.5.30_18.1.0.37}\\272236b631f5fa4d9db55e111b8f09cc.exe /m"	272236b631f5fa4d9db55e111b8f09cc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Norton Download Manager{NIS_prod_UPG_1.5.30_18.1.0.37} = "C:\\Users\\Public\\Downloads\\Norton\\{NIS_prod_UPG_1.5.30_18.1.0.37}\\272236b631f5fa4d9db55e111b8f09cc.exe /m"	272236b631f5fa4d9db55e111b8f09cc.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	272236b631f5fa4d9db55e111b8f09cc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	272236b631f5fa4d9db55e111b8f09cc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3004	272236b631f5fa4d9db55e111b8f09cc.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3004	272236b631f5fa4d9db55e111b8f09cc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 3004	2892	272236b631f5fa4d9db55e111b8f09cc.exe	28
PID 2892 wrote to memory of 3004	2892	272236b631f5fa4d9db55e111b8f09cc.exe	28
PID 2892 wrote to memory of 3004	2892	272236b631f5fa4d9db55e111b8f09cc.exe	28
PID 2892 wrote to memory of 3004	2892	272236b631f5fa4d9db55e111b8f09cc.exe	28

C:\Users\Admin\AppData\Local\Temp\272236b631f5fa4d9db55e111b8f09cc.exe
"C:\Users\Admin\AppData\Local\Temp\272236b631f5fa4d9db55e111b8f09cc.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Users\Public\Downloads\Norton\{NIS_prod_UPG_1.5.30_18.1.0.37}\272236b631f5fa4d9db55e111b8f09cc.exe
  C:\Users\Public\Downloads\Norton\{NIS_prod_UPG_1.5.30_18.1.0.37}\272236b631f5fa4d9db55e111b8f09cc.exe /r
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Norton\{086A63F0-6B13-4F29-9695-134E7A01E963}\LC.INI

Filesize
157B

MD5
e16d6561c46a425046b50c4632e1fc65

SHA1
5d8836489e607032504aaf68f929774cba65819f

SHA256
f5624948b3bee7f6a406a0784eaff4145d9c19029bae238879e231fff8ca389c

SHA512
2e966c81b605317a41ec39fef38eab5874278d3ac2a4eb5d5e4c3ab44c488bf517ef150f994db3279337bc221eea48aacb0bba584dc35426d86ef11fb9f7a354

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2297530677-1229052932-2803917579-1000\4bd07e1ba952c6aa9bf83a8d98c08949_63be8c66-23f0-4400-84bb-c1a439222555

Filesize
54B

MD5
9499c2f308410e48386f58ca7afccd2e

SHA1
e2ef9dec757aec938d801dd720fddc0c387da7af

SHA256
87e4fc1f82d5a89c7f10ca58cf5de66d184cc3ce02954a13ade3100414a3bc97

SHA512
ff68637e2b3b62cf6ca812bf4d067606edacb353825628048396c45e9be8ca7725c93787b8bcf82e610cf795f69a52b20d4ac48ade5405b114643af6515cf457

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Norton\Norton-installatiebestanden.lnk

Filesize
1KB

MD5
e3aa627206427fec05b530fdfda3653a

SHA1
58b575dcf76ca6b7c38c21667473f7bbf531acf8

SHA256
d746041c088fca18de511b95b9f5181565db44550a81063b35d6d9cbf58baf51

SHA512
575947cef42e44990fbc179d361e83c03901de8546538981906fe484a3aa08f9e16261a4fa898035f75c9a9710ac683810956df800c0ec0ef7614542d69765a5

Download Submit
C:\Users\Admin\Desktop\Norton Download Manager.lnk

Filesize
1KB

MD5
ff0dfd079f11758ba5959297489bd63b

SHA1
a7aea0789668276f95d61789f04e8a55b0567131

SHA256
ea03c0c3ebe6d9dad8698d69d1c3ee6bc9981ff3b43dfeca06f6c8f5bd22e50b

SHA512
436a2235c0f449fcf2223a6295478dba37fcd2c97e2dfa8cf437c5b55cba3c6acbf06a0ab96327067a4edf6726ea7ca1ab6cf9bf58a451927693f936f6cbaf05

Download Submit
C:\Users\Public\Downloads\Norton\{NIS_prod_UPG_1.5.30_18.1.0.37}\272236b631f5fa4d9db55e111b8f09cc.exe

Filesize
372KB

MD5
272236b631f5fa4d9db55e111b8f09cc

SHA1
b9d978a9bf0eb664b9d57d07f90a0d176caf147f

SHA256
c17f66e015691a55e7dff243d25e8c5753dd0cff125a4b9eddbc3a9811ab6ea1

SHA512
e5385d1ff6cc86bc7f631739eb5122a1fa6fbac5be36382d0c8f04879b099b1b709524d41e0dfcc382d6758d83fbde307319d119082ece59b1709af6f1a2f558

Download Submit
memory/2892-18-0x0000000003000000-0x0000000003010000-memory.dmp

Filesize
64KB

Download
memory/2892-29-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2892-22-0x0000000003000000-0x0000000003010000-memory.dmp

Filesize
64KB

Download
memory/2892-0-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/2892-1-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/3004-31-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/3004-30-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/3004-38-0x00000000008E0000-0x00000000008F0000-memory.dmp

Filesize
64KB

Download
memory/3004-46-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/3004-48-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/3004-49-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads