c17f66e015691a55e7dff243d25e8c5753dd0cff125a4b9eddbc3a9811ab6ea1

General

Target

272236b631f5fa4d9db55e111b8f09cc.exe
Size

372KB
MD5

272236b631f5fa4d9db55e111b8f09cc
SHA1

b9d978a9bf0eb664b9d57d07f90a0d176caf147f
SHA256

c17f66e015691a55e7dff243d25e8c5753dd0cff125a4b9eddbc3a9811ab6ea1
SHA512

e5385d1ff6cc86bc7f631739eb5122a1fa6fbac5be36382d0c8f04879b099b1b709524d41e0dfcc382d6758d83fbde307319d119082ece59b1709af6f1a2f558
SSDEEP

6144:lHZA1kbQVjPXhe/qc+FNbHsHTUCzutSEVxCWr3rgNMPeXxEwf5I71I5Bnsz+ey:t/Q1PQIbMHIdtFxCaEN5XxEwxXmzty

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1620	272236b631f5fa4d9db55e111b8f09cc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Norton Download Manager{NIS_prod_UPG_1.5.30_18.1.0.37} = "C:\\Users\\Public\\Downloads\\Norton\\{NIS_prod_UPG_1.5.30_18.1.0.37}\\272236b631f5fa4d9db55e111b8f09cc.exe /m"	272236b631f5fa4d9db55e111b8f09cc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Norton Download Manager{NIS_prod_UPG_1.5.30_18.1.0.37} = "C:\\Users\\Public\\Downloads\\Norton\\{NIS_prod_UPG_1.5.30_18.1.0.37}\\272236b631f5fa4d9db55e111b8f09cc.exe /m"	272236b631f5fa4d9db55e111b8f09cc.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	272236b631f5fa4d9db55e111b8f09cc.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	272236b631f5fa4d9db55e111b8f09cc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2	272236b631f5fa4d9db55e111b8f09cc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob = 5c0000000100000004000000000400007e0000000100000008000000000010c51e92d201620000000100000020000000e7685634efacf69ace939a6b255b7b4fabef42935b50a265acb5cb6027e44e7009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030119000000010000001000000091161b894b117ecdc257628db460cc04030000000100000014000000742c3192e607e424eb4549542be1bbc53e6174e21d000000010000001000000027b3517667331ce2c1e74002b5ff2298140000000100000014000000e27f7bd877d5df9e0a3f9eb4cb0e2ea9efdb69770b000000010000004600000056006500720069005300690067006e00200043006c006100730073002000330020005000750062006c006900630020005000720069006d00610072007900200043004100000004000000010000001000000010fc635df6263e0df325be5f79cd67670f0000000100000010000000d7c63be0837dbabf881d4fbf5f986ad853000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c07a000000010000000e000000300c060a2b0601040182375e010268000000010000000800000000003db65bd9d5012000000001000000400200003082023c308201a5021070bae41d10d92934b638ca7b03ccbabf300d06092a864886f70d0101020500305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479301e170d3936303132393030303030305a170d3238303830313233353935395a305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100c95c599ef21b8a0114b410df0440dbe357af6a45408f840c0bd133d9d911cfee02581f25f72aa84405aaec031f787f9e93b99a00aa237dd6ac85a26345c77227ccf44cc67571d239ef4f42f075df0a90c68e206f980ff8ac235f702936a4c986e7b19a20cb53a585e73dbe7d9afe244533dc7615ed0fa271644c652e816845a70203010001300d06092a864886f70d010102050003818100bb4c122bcf2c26004f1413dda6fbfc0a11848cf3281c67922f7cb6c5fadff0e895bc1d8f6c2ca851cc73d8a4c053f04ed626c076015781925e21f1d1b1ffe7d02158cd6917e3441c9c194439895cdc9c000f568d0299eda290454ce4bb10a43df032030ef1cef8e8c9518ce6629fe69fc07db7729cc9363a6b9f4ea8ff640d64	272236b631f5fa4d9db55e111b8f09cc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1620	272236b631f5fa4d9db55e111b8f09cc.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1620	272236b631f5fa4d9db55e111b8f09cc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 1620	1264	272236b631f5fa4d9db55e111b8f09cc.exe	85
PID 1264 wrote to memory of 1620	1264	272236b631f5fa4d9db55e111b8f09cc.exe	85
PID 1264 wrote to memory of 1620	1264	272236b631f5fa4d9db55e111b8f09cc.exe	85

C:\Users\Admin\AppData\Local\Temp\272236b631f5fa4d9db55e111b8f09cc.exe
"C:\Users\Admin\AppData\Local\Temp\272236b631f5fa4d9db55e111b8f09cc.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Users\Public\Downloads\Norton\{NIS_prod_UPG_1.5.30_18.1.0.37}\272236b631f5fa4d9db55e111b8f09cc.exe
  C:\Users\Public\Downloads\Norton\{NIS_prod_UPG_1.5.30_18.1.0.37}\272236b631f5fa4d9db55e111b8f09cc.exe /r
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Norton\{086A63F0-6B13-4F29-9695-134E7A01E963}\LC.INI

Filesize
157B

MD5
3cb9bd7426a4ca5998a2224b81ba6485

SHA1
b23c049b795fc71c628d970c1b2a5efabf328144

SHA256
b669ba29a5aac082fdca6abdbb982e0b341392ce8d80eeba61db3e7caae74693

SHA512
f4d1e03ad98b5b3a407502888fbdf5fff43374ac79a93bf4bc6591b40b58cf0a58d2d0b66bcdf4f752aa4963a57f1400ce45cbeb5534bdeda18b89a842b3b577

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3642458265-1901903390-453309326-1000\4bd07e1ba952c6aa9bf83a8d98c08949_5bcbec04-14ea-4af4-ad61-da8ce2826342

Filesize
54B

MD5
9499c2f308410e48386f58ca7afccd2e

SHA1
e2ef9dec757aec938d801dd720fddc0c387da7af

SHA256
87e4fc1f82d5a89c7f10ca58cf5de66d184cc3ce02954a13ade3100414a3bc97

SHA512
ff68637e2b3b62cf6ca812bf4d067606edacb353825628048396c45e9be8ca7725c93787b8bcf82e610cf795f69a52b20d4ac48ade5405b114643af6515cf457

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Norton\Norton-installatiebestanden.lnk

Filesize
1KB

MD5
e52cae22fb5c50e9e7593f169b04a5dc

SHA1
ead3608fad905d05b62429dda1e679b1962ba733

SHA256
3f672550eccc33c377ed3b70a4ebb92c5e89e96e12670cf0305fe075aa2b4e24

SHA512
d76147504839a479ba699e17a92a48c31c63aa84c1f6e77f7102d9becb84b9a069678be812d106717c758443e3ea56889da59d8d243835aab3643bfb52a24f0e

Download Submit
C:\Users\Admin\Desktop\Norton Download Manager.lnk

Filesize
1KB

MD5
39074eb413e401a45d143c3240f74661

SHA1
53cc4d6744e23dfc841b647dde2fb6201e6f66cc

SHA256
57bb8850c43349bd4264742a1508e1acdab94121312adeb4327768d8a5a0fce4

SHA512
563037a20a2b386a3c8dc0ae654cedb725c5d82e3ba597d676a29b8ffc60ccb539fe198f8c374406c05af84620d084ada375323d2119b0707fe65ddac8510015

Download Submit
C:\Users\Public\Downloads\Norton\{NIS_prod_UPG_1.5.30_18.1.0.37}\272236b631f5fa4d9db55e111b8f09cc.exe

Filesize
372KB

MD5
272236b631f5fa4d9db55e111b8f09cc

SHA1
b9d978a9bf0eb664b9d57d07f90a0d176caf147f

SHA256
c17f66e015691a55e7dff243d25e8c5753dd0cff125a4b9eddbc3a9811ab6ea1

SHA512
e5385d1ff6cc86bc7f631739eb5122a1fa6fbac5be36382d0c8f04879b099b1b709524d41e0dfcc382d6758d83fbde307319d119082ece59b1709af6f1a2f558

Download Submit
memory/1264-28-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/1264-0-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/1264-1-0x00000000006F0000-0x00000000006F2000-memory.dmp

Filesize
8KB

Download
memory/1620-24-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/1620-25-0x00000000005B0000-0x00000000005B2000-memory.dmp

Filesize
8KB

Download
memory/1620-37-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/1620-38-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/1620-40-0x0000000000400000-0x0000000000543000-memory.dmp

Filesize
1.3MB

Download
memory/1620-41-0x00000000005B0000-0x00000000005B2000-memory.dmp

Filesize
8KB

Download
memory/1620-42-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads