Overview
overview
7Static
static
7attachment-100.js
windows7-x64
3attachment-100.js
windows10-2004-x64
3attachment-101.js
windows7-x64
3attachment-101.js
windows10-2004-x64
3attachment-102.js
windows7-x64
3attachment-102.js
windows10-2004-x64
3attachment-103.js
windows7-x64
3attachment-103.js
windows10-2004-x64
3attachment-95.js
windows7-x64
3attachment-95.js
windows10-2004-x64
3attachment-96.js
windows7-x64
3attachment-96.js
windows10-2004-x64
3attachment-97.js
windows7-x64
3attachment-97.js
windows10-2004-x64
3attachment-98.js
windows7-x64
3attachment-98.js
windows10-2004-x64
3attachment-99.js
windows7-x64
3attachment-99.js
windows10-2004-x64
3norton/Nor....0.exe
windows7-x64
7norton/Nor....0.exe
windows10-2004-x64
7attachment-100.js
windows7-x64
3attachment-100.js
windows10-2004-x64
3attachment-101.js
windows7-x64
3attachment-101.js
windows10-2004-x64
3attachment-102.js
windows7-x64
3attachment-102.js
windows10-2004-x64
3attachment-103.js
windows7-x64
3attachment-103.js
windows10-2004-x64
3attachment-95.js
windows7-x64
3attachment-95.js
windows10-2004-x64
3attachment-96.js
windows7-x64
3attachment-96.js
windows10-2004-x64
3Analysis
-
max time kernel
13s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
22-07-2024 00:35
Behavioral task
behavioral1
Sample
attachment-100.js
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral2
Sample
attachment-100.js
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
attachment-101.js
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral4
Sample
attachment-101.js
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
attachment-102.js
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral6
Sample
attachment-102.js
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
attachment-103.js
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral8
Sample
attachment-103.js
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
attachment-95.js
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral10
Sample
attachment-95.js
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
attachment-96.js
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral12
Sample
attachment-96.js
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
attachment-97.js
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral14
Sample
attachment-97.js
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
attachment-98.js
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral16
Sample
attachment-98.js
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
attachment-99.js
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral18
Sample
attachment-99.js
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
norton/Norton 2011 TrialReset v3.1.0.exe
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral20
Sample
norton/Norton 2011 TrialReset v3.1.0.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
attachment-100.js
Resource
win7-20240705-en
windows7-x64
Behavioral task
behavioral22
Sample
attachment-100.js
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
attachment-101.js
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral24
Sample
attachment-101.js
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
attachment-102.js
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral26
Sample
attachment-102.js
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
attachment-103.js
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral28
Sample
attachment-103.js
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
attachment-95.js
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral30
Sample
attachment-95.js
Resource
win10v2004-20240709-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
attachment-96.js
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral32
Sample
attachment-96.js
Resource
win10v2004-20240709-en
windows10-2004-x64
General
-
Target
norton/Norton 2011 TrialReset v3.1.0.exe
-
Size
2.2MB
-
MD5
86a7610a736a68246a4bd8b7f225f7c7
-
SHA1
a8575f13280e627aa189ecc096ac6ba78ba86e4a
-
SHA256
25b9feac6c3516cbee34a69b5cbbc4ef2a0362f7b3a7c22e12504fbab7813642
-
SHA512
0fdd55e0e7239caf412f54e2c3b40217bab131b16e6e9c159bbb815b610ef509f01604ca397984ae79e4f9fa3aff289158b41a9c5bd0a584d04798ca23cdc152
-
SSDEEP
49152:iD0tM85DJjl/i/jmi2oQ55+ug230U2+QJgxa9OjtFQZFm7N:dKeDBgai2F5/gE0UEJgEMZFQZ0N
Malware Config
Signatures
-
resource yara_rule behavioral19/memory/712-0-0x0000000000400000-0x00000000004C1000-memory.dmp upx behavioral19/memory/712-8-0x0000000000400000-0x00000000004C1000-memory.dmp upx behavioral19/memory/712-9-0x0000000000400000-0x00000000004C1000-memory.dmp upx -
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral19/memory/712-8-0x0000000000400000-0x00000000004C1000-memory.dmp autoit_exe behavioral19/memory/712-9-0x0000000000400000-0x00000000004C1000-memory.dmp autoit_exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 712 Norton 2011 TrialReset v3.1.0.exe 712 Norton 2011 TrialReset v3.1.0.exe 712 Norton 2011 TrialReset v3.1.0.exe -
Suspicious use of SendNotifyMessage 3 IoCs
pid Process 712 Norton 2011 TrialReset v3.1.0.exe 712 Norton 2011 TrialReset v3.1.0.exe 712 Norton 2011 TrialReset v3.1.0.exe -
Suspicious use of WriteProcessMemory 56 IoCs
description pid Process procid_target PID 712 wrote to memory of 2404 712 Norton 2011 TrialReset v3.1.0.exe 30 PID 712 wrote to memory of 2404 712 Norton 2011 TrialReset v3.1.0.exe 30 PID 712 wrote to memory of 2404 712 Norton 2011 TrialReset v3.1.0.exe 30 PID 712 wrote to memory of 2404 712 Norton 2011 TrialReset v3.1.0.exe 30 PID 2404 wrote to memory of 2804 2404 cmd.exe 32 PID 2404 wrote to memory of 2804 2404 cmd.exe 32 PID 2404 wrote to memory of 2804 2404 cmd.exe 32 PID 2404 wrote to memory of 2804 2404 cmd.exe 32 PID 712 wrote to memory of 2944 712 Norton 2011 TrialReset v3.1.0.exe 33 PID 712 wrote to memory of 2944 712 Norton 2011 TrialReset v3.1.0.exe 33 PID 712 wrote to memory of 2944 712 Norton 2011 TrialReset v3.1.0.exe 33 PID 712 wrote to memory of 2944 712 Norton 2011 TrialReset v3.1.0.exe 33 PID 2944 wrote to memory of 2288 2944 cmd.exe 35 PID 2944 wrote to memory of 2288 2944 cmd.exe 35 PID 2944 wrote to memory of 2288 2944 cmd.exe 35 PID 2944 wrote to memory of 2288 2944 cmd.exe 35 PID 712 wrote to memory of 1660 712 Norton 2011 TrialReset v3.1.0.exe 36 PID 712 wrote to memory of 1660 712 Norton 2011 TrialReset v3.1.0.exe 36 PID 712 wrote to memory of 1660 712 Norton 2011 TrialReset v3.1.0.exe 36 PID 712 wrote to memory of 1660 712 Norton 2011 TrialReset v3.1.0.exe 36 PID 1660 wrote to memory of 2824 1660 cmd.exe 38 PID 1660 wrote to memory of 2824 1660 cmd.exe 38 PID 1660 wrote to memory of 2824 1660 cmd.exe 38 PID 1660 wrote to memory of 2824 1660 cmd.exe 38 PID 712 wrote to memory of 2800 712 Norton 2011 TrialReset v3.1.0.exe 39 PID 712 wrote to memory of 2800 712 Norton 2011 TrialReset v3.1.0.exe 39 PID 712 wrote to memory of 2800 712 Norton 2011 TrialReset v3.1.0.exe 39 PID 712 wrote to memory of 2800 712 Norton 2011 TrialReset v3.1.0.exe 39 PID 2800 wrote to memory of 2960 2800 cmd.exe 41 PID 2800 wrote to memory of 2960 2800 cmd.exe 41 PID 2800 wrote to memory of 2960 2800 cmd.exe 41 PID 2800 wrote to memory of 2960 2800 cmd.exe 41 PID 712 wrote to memory of 2836 712 Norton 2011 TrialReset v3.1.0.exe 42 PID 712 wrote to memory of 2836 712 Norton 2011 TrialReset v3.1.0.exe 42 PID 712 wrote to memory of 2836 712 Norton 2011 TrialReset v3.1.0.exe 42 PID 712 wrote to memory of 2836 712 Norton 2011 TrialReset v3.1.0.exe 42 PID 2836 wrote to memory of 2700 2836 cmd.exe 44 PID 2836 wrote to memory of 2700 2836 cmd.exe 44 PID 2836 wrote to memory of 2700 2836 cmd.exe 44 PID 2836 wrote to memory of 2700 2836 cmd.exe 44 PID 712 wrote to memory of 2272 712 Norton 2011 TrialReset v3.1.0.exe 45 PID 712 wrote to memory of 2272 712 Norton 2011 TrialReset v3.1.0.exe 45 PID 712 wrote to memory of 2272 712 Norton 2011 TrialReset v3.1.0.exe 45 PID 712 wrote to memory of 2272 712 Norton 2011 TrialReset v3.1.0.exe 45 PID 2272 wrote to memory of 2392 2272 cmd.exe 47 PID 2272 wrote to memory of 2392 2272 cmd.exe 47 PID 2272 wrote to memory of 2392 2272 cmd.exe 47 PID 2272 wrote to memory of 2392 2272 cmd.exe 47 PID 712 wrote to memory of 2932 712 Norton 2011 TrialReset v3.1.0.exe 48 PID 712 wrote to memory of 2932 712 Norton 2011 TrialReset v3.1.0.exe 48 PID 712 wrote to memory of 2932 712 Norton 2011 TrialReset v3.1.0.exe 48 PID 712 wrote to memory of 2932 712 Norton 2011 TrialReset v3.1.0.exe 48 PID 2932 wrote to memory of 2728 2932 cmd.exe 50 PID 2932 wrote to memory of 2728 2932 cmd.exe 50 PID 2932 wrote to memory of 2728 2932 cmd.exe 50 PID 2932 wrote to memory of 2728 2932 cmd.exe 50
Processes
-
C:\Users\Admin\AppData\Local\Temp\norton\Norton 2011 TrialReset v3.1.0.exe"C:\Users\Admin\AppData\Local\Temp\norton\Norton 2011 TrialReset v3.1.0.exe"1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:712 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MSSYCLM /f2⤵
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\reg.exeREG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MSSYCLM /f3⤵PID:2804
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eeCtrl /f2⤵
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\reg.exeREG DELETE HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eeCtrl /f3⤵PID:2288
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EraserUtilDrv10910 /f2⤵
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\reg.exeREG DELETE HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EraserUtilDrv10910 /f3⤵PID:2824
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG DELETE HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EraserUtilRebootDrv /f2⤵
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\reg.exeREG DELETE HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EraserUtilRebootDrv /f3⤵PID:2960
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Norton /f2⤵
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\reg.exeREG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\Norton /f3⤵PID:2700
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG DELETE HKEY_CURRENT_USER\Software\Norton /f2⤵
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\reg.exeREG DELETE HKEY_CURRENT_USER\Software\Norton /f3⤵PID:2392
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\SymNRT /f2⤵
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\reg.exeREG DELETE HKEY_LOCAL_MACHINE\SOFTWARE\SymNRT /f3⤵PID:2728
-
-