Malware Analysis Report

2025-08-10 21:19

Sample ID 241031-mhfhgswhqn
Target bf5555d6466e3d90234292bf04bdad2c08dc2adc620107c8f4de91f53f2684d3
SHA256 bf5555d6466e3d90234292bf04bdad2c08dc2adc620107c8f4de91f53f2684d3
Tags
discovery evasion trojan
score
6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
6/10

SHA256

bf5555d6466e3d90234292bf04bdad2c08dc2adc620107c8f4de91f53f2684d3

Threat Level: Shows suspicious behavior

The file bf5555d6466e3d90234292bf04bdad2c08dc2adc620107c8f4de91f53f2684d3 was classified as: Shows suspicious behavior.

Malicious Activity Summary

discovery evasion trojan

Checks whether UAC is enabled

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-31 10:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 10:27

Reported

2024-10-31 10:30

Platform

win7-20240903-en

Max time kernel

119s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf5555d6466e3d90234292bf04bdad2c08dc2adc620107c8f4de91f53f2684d3.exe"

Signatures

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\bf5555d6466e3d90234292bf04bdad2c08dc2adc620107c8f4de91f53f2684d3.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bf5555d6466e3d90234292bf04bdad2c08dc2adc620107c8f4de91f53f2684d3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\bf5555d6466e3d90234292bf04bdad2c08dc2adc620107c8f4de91f53f2684d3.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\bf5555d6466e3d90234292bf04bdad2c08dc2adc620107c8f4de91f53f2684d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\bf5555d6466e3d90234292bf04bdad2c08dc2adc620107c8f4de91f53f2684d3.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Users\Admin\AppData\Local\Temp\bf5555d6466e3d90234292bf04bdad2c08dc2adc620107c8f4de91f53f2684d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\bf5555d6466e3d90234292bf04bdad2c08dc2adc620107c8f4de91f53f2684d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\bf5555d6466e3d90234292bf04bdad2c08dc2adc620107c8f4de91f53f2684d3.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 000558a27f2bdb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value omitted] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc50000000000200000000001066000000010000200000001d748fff80501023b6e6ef2db90e15b0ebabae0869355ecd9baf9af42a7b281d000000000e8000000002000020000000c8d09186bebe59adb360a1b3b5eaa7ca003032a3e526937a09ef5497f33b5fd7200000001a4c5e5a5d4cf8f69bde74e847605fac8a78722278a7aab9386cfcfb6aa2a75a4000000022df2d7732aff9e2c71bafae511e964101642ab7ff19f5daa57b1cf274b2366705294c0524ca7e5904e6457bec93f6f73719e5da009a2f12665051b62e4a1308 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436532346" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CC106861-9772-11EF-89F5-527E38F5B48B} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\bf5555d6466e3d90234292bf04bdad2c08dc2adc620107c8f4de91f53f2684d3.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\bf5555d6466e3d90234292bf04bdad2c08dc2adc620107c8f4de91f53f2684d3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bf5555d6466e3d90234292bf04bdad2c08dc2adc620107c8f4de91f53f2684d3.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bf5555d6466e3d90234292bf04bdad2c08dc2adc620107c8f4de91f53f2684d3.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bf5555d6466e3d90234292bf04bdad2c08dc2adc620107c8f4de91f53f2684d3.exe

"C:\Users\Admin\AppData\Local\Temp\bf5555d6466e3d90234292bf04bdad2c08dc2adc620107c8f4de91f53f2684d3.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://buy-download.norton.com/downloads/2024/22.24.7/DSPN360/US/DSP-N360-ESD-22.24.7.8-EN.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2860 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 stats.norton.com udp
US 13.64.142.149:443 stats.norton.com tcp
US 13.64.142.149:443 stats.norton.com tcp
US 8.8.8.8:53 faults.norton.com udp
US 13.93.204.83:443 faults.norton.com tcp
US 8.8.8.8:53 buy-download.norton.com udp
GB 184.26.56.35:443 buy-download.norton.com tcp
GB 184.26.56.35:443 buy-download.norton.com tcp
GB 184.26.56.35:443 buy-download.norton.com tcp
GB 184.26.56.35:443 buy-download.norton.com tcp
GB 184.26.56.35:443 buy-download.norton.com tcp
GB 184.26.56.35:443 buy-download.norton.com tcp
GB 184.26.56.35:443 buy-download.norton.com tcp
GB 184.26.56.35:443 buy-download.norton.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\ProgramData\Norton\{086A63F0-6B13-4F29-9695-134E7A01E963}\LC.INI

MD5 b26f99eff65a32fba60307b7002f7e8a
SHA1 041840a2b183b225444990f753222176b8b9fb76
SHA256 a50e078a05c680421f4da4f7a08ea7ac4f9bec03073ab92d61810c7a1e8746e0
SHA512 48e80810434de2a605193009fbd1510826b8284b0ac1511272103138d768e75d5177801cfced222cae7a30fd1b5ce9d33b73d2b09a0a081d3acd173c7be0b99e

memory/2052-9-0x00000000020C0000-0x00000000020C1000-memory.dmp

C:\ProgramData\Norton\FSDErMgt\ErrMgmt\SQCLIENT.dat

MD5 ea97ca8780a58d320a2435a0196f695b
SHA1 03291fa7f84be7fa5324358d84f29aa3d1689f88
SHA256 4348b273bb8ffb68e0e2cb0c39d730119ae6eb1046522fdce25e37ac429436cc
SHA512 430c9c15cbb8a38da8d57ad65d8bf93e270a299ec233f5833fd30aa02f15947f11b40d4646f6b4bfc3a56c42c18f2ba3878507f5ca48cbf2d11d4c7575d82417

C:\ProgramData\Norton\FSDErMgt\ErrMgmt\SQCLIENT.dat

MD5 b55d5e1c3860337177b9df16cc9d8a64
SHA1 2f9e382a52c9259966cecf375081f18bb80a6ef0
SHA256 f7c699816d8a716f84cbaba14b95d90932b3f97e04d2b80bdb0d701bfa7e6746
SHA512 381987d138e5f299ae4bb0f71ec0da6d7d8212e9772db2de3283eec8ef59dc185acbce0add5147d9e399865be907f9e309014290f04893ed12663912a5ec73a5

C:\ProgramData\Norton\FSDErMgt\ErrorInstances\A67AD9B2\6C8FA706-BFA6-488A-A9C7-284FB14BC5D0.dat

MD5 942846a35294b861c3b75083164cb872
SHA1 2e7e143c8f97b41a3152868197c711a62dea9a5c
SHA256 50ab98102f2b7052cedec47d314298b7d84636cf16286c15721465f565f9e464
SHA512 0af4becaad72a203d2cc8fd96ab7461cfb5ac6767b63d95fba33e716c3e279b792f3c258845bbe7ce5511992bd91818b1f74fd6244d15f46f3b4f5a93d52990e

memory/2052-59-0x00000000020C0000-0x00000000020C1000-memory.dmp

C:\ProgramData\Norton\FSDErMgt\ErrMgmt\SQCLIENT.dat

MD5 00917bdb73c5596e30eb1f7e947afd1b
SHA1 3a63d3fb0cfc5b1db91e7808bcbec08aefa466d7
SHA256 69275802dfadb3a4a7606b171645907bea8d31a06ecb4e01f08da3e89b90a05e
SHA512 658c38cdf7dcee9fce2c91bd183a535e0f8dd2fbf3163cb0eca068966026bc16a8d208aeb3c7b0f2a3bae21c5a63d8a063793409f16715a36b348c8d7c9354b0

C:\Users\Admin\AppData\Local\Temp\Cab1AA5.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar1B44.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7ced428981beae9d1f99f4406dc717a8
SHA1 88b4ef9074e014caf084a0a4ea3b7bf94debd00f
SHA256 301a653183e9a4b0a3619996c92b8efc3520c9ff882aafbc2cef587693226a87
SHA512 7eb3a65d3de31900d71340c6c876240fb965ca39ae03a16bd47856c001e8318f51f43fec6b964ba7a31ed3d94590a5ae233fa295cdb29f8060d980f3a905b07c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c7ae1d138e78b92ec4af0c3f09a36df0
SHA1 bdf3a305c1bdab0684028efc5e011f709f799779
SHA256 aa3403cea684d603e2aa6eb2e6cdf635b82892341899c5557f49594e8abf348c
SHA512 f4c7ac7197eba8a8c54f03e3dfbf598b1a92133d93a7b31d4a1d73beda8a95cd5fbb1d91a24976742be801912d549058ef8b01de4e7bb6538d508872896e9b95

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ee6e62143e734808c4278ea9a8417a5b
SHA1 a7c28d3bcc5690c4a8f30378b87a81a246a03590
SHA256 671ddda5579d1c4a93c656c6c119f4476d439790371f4678f7216dc8423e59e4
SHA512 2a7fe7533591fbcb306054ed7275b393f1c073ff0451d935b52e287fc4e694fb5999aa6f2e47e88ed35ed8231c20a1487eaff7af01c42cea47748be07afc6799

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4b6f7188a1863af2218f24236b4a7623
SHA1 6fdec1ff1a4d4a8d9b7af0e3108ef1543e39e7bf
SHA256 79a818a5ae3358afa5b4d2aa2e632076f40cfd29660749dbd4ad141044d82abe
SHA512 5efad375b38483aa82e7de1302d9afe817cfdfddaa12e5a4281fa31a0b51189071c866083eca5b6040409c759dca07904f486e16f0f2823e2877ea37c3bbcea9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6b9604d940d11ddb7844af48e68d0184
SHA1 948f5c7bf772dac640a7705f3901e7b47e8f067f
SHA256 03b38cace2ebc9ca247201985fb4127de04c8876b66295988eae5f0f88868259
SHA512 91bcc7f758caf37147f911f73343589194d15d92597dee7667095d1321a1eef809cc00a4973962c61a62a19840e94ad0ffb6a25c680183754dbb811f9cc14531

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 64c981801c9f604eef0bf0c50d1e996a
SHA1 ab5c18b932ed099192a83d29681a4501eb71e13c
SHA256 64b85ef33d41f3f769d18c8d959135f009ce5ac64b4c502447ee83b1fc715f3e
SHA512 59642a442570a4b1e58b236f32050403eea2819aef1c0af0229cd60009923d1e2b7635a2caa730c68843a9bba9c6ed967033e2d31862824c9863c9be8c095e5a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0e1c89d03cc9f4e468afd81b2bd787fe
SHA1 a1b1ceb977cb38d4a10e258961ed91eac7953535
SHA256 ffd91f7394386293bf350413eb16e7a9ee2f941f46d22096333af3f2d871c8aa
SHA512 b44113603ece4e43ddc65b6ee73655ab99f23fd4673bcbda040bfa35590ca0d2807c869917b98221595cd4e1dd7f0b014436f34e6363f96861900494b6d97449

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6fc0d57cfa3a52dcd882f7135b3ef13b
SHA1 7bc993c7fc319dbfaa720e4f4a398643e065879e
SHA256 c9ec373e0e716cfc4f6392e03cbdb43268e8a629fb99d3dd2d8b4de9c1c3ba3c
SHA512 b50830f3ae3e455c4fb47a3b926abedf4895854cc5bd23327106fc5856ad2e7be765ceb8e5d50666dd79785a9213226cff81a207a91d93724028578d99c0106a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 49798dcaccb0102dbb7016317a973e83
SHA1 33a4ddaf5012d41e8091c05f53068767abaa105e
SHA256 619d31356f3812057fed56af26722e2b0f9389f7d0a5a765a4dd8df633a77723
SHA512 b120f14d36069d48d2fec84aca282eb368639d0b0081d97c7685df9c34e7b90d1c927560df0a759083ca49d04d007577e06e8d4a0e7cf36f0bc889a9b73b6e91

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7e6a9cd0ba6de6289439e36fabebd58f
SHA1 c6db23fa2a5cbb8aaef3b486ac71ea3071cca870
SHA256 c0b3765ba2231d1f621e93cb24383575128c9f3cb1c2ca1f6555882cbe1ab632
SHA512 7cbbb44cc10dba051599243542407f3a191d0de82456c30aa589c51b78486f213a1b85e48e1e11722e050b4ab612eac30e1fc4b551919993eee2b2736ecc6e5f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 55732de0106213b4eb1c9fd1d20d4205
SHA1 85ee88a194b644ba7706df57e1589d0fe92abb19
SHA256 e18e5ba485ac7ef6944b78f0ea45f0c8f44f5cf435528b32f695ca8934831657
SHA512 20cc96be91bf25a9e83356b9c31fe73bed77a8eeac32218d24271f8886ee5721dd4a1468bc016d36e9d4c0e1dd2851edf9772c6155807fd1216b9b8fc723a667

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dae8c2fc2a74182b324ef83c8f1450bc
SHA1 2d1b2147f3ffa96129ac076716a3b7291ad9e5dd
SHA256 a3b8077a771044d4a95fe3fc87fb4f76f747460b34cee7214aef25b0437ac6fa
SHA512 dbc0789d2d9018d39d84699a4839871ec9a370982f9c752bfebf20c98f8ca61a951be45c3f9ad2c2de0104d318efc441805225cd7f8687747486712dc6d007bf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 339c21b91186fdfc20a5bed3d74f23b0
SHA1 c96e7c9bcdd4565312dbd11841247e19b7a79e87
SHA256 759f8bf93759627c0b86557dedc91c34be4019609b362d32b93db02025156214
SHA512 57afe7400d1bd2ea395bcbedaa081801047deee6a19885cc7cf223a2717c89272e33ebb358ab01ef2fe77e57198ecd4ada3df6a73b041b1828ad4a63c5a6f355

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cb0a08e207ed235ba3903954964647a0
SHA1 6f95c081efca4a4e6afb36aad55b351fd84ca2e3
SHA256 c9eb706ede6bef17cd685f7b304315a2115d607990aa5e6d0a5595e60c29f6bd
SHA512 b9bd9655a2494f6c4f211ce98282bd692a05a83033358d9b3f6eb4edc3db848d2fe50206956f2a61c659414d008d0e4ca32c7eac8c6f2dc527d4658b4543e3e4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1aa06283264b91d14b714b5f879c97b5
SHA1 59f6d9fa9251cb9ca72de53f1d4c9360b00d4eb2
SHA256 de8915ed04c7058674b056cbdc43168bfb07b1543c3de3f2980dbec7ce337b7c
SHA512 0e01120d7f9af0efb301d2af33bb25c65733e960942214b8519b06db9b2b1d91af335c35b7289e0f2f2123f47039043d111da00878bfe119e96bd0232287f297

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 10:27

Reported

2024-10-31 10:30

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf5555d6466e3d90234292bf04bdad2c08dc2adc620107c8f4de91f53f2684d3.exe"

Signatures

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\bf5555d6466e3d90234292bf04bdad2c08dc2adc620107c8f4de91f53f2684d3.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bf5555d6466e3d90234292bf04bdad2c08dc2adc620107c8f4de91f53f2684d3.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\bf5555d6466e3d90234292bf04bdad2c08dc2adc620107c8f4de91f53f2684d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\bf5555d6466e3d90234292bf04bdad2c08dc2adc620107c8f4de91f53f2684d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\bf5555d6466e3d90234292bf04bdad2c08dc2adc620107c8f4de91f53f2684d3.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\bf5555d6466e3d90234292bf04bdad2c08dc2adc620107c8f4de91f53f2684d3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\bf5555d6466e3d90234292bf04bdad2c08dc2adc620107c8f4de91f53f2684d3.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Users\Admin\AppData\Local\Temp\bf5555d6466e3d90234292bf04bdad2c08dc2adc620107c8f4de91f53f2684d3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bf5555d6466e3d90234292bf04bdad2c08dc2adc620107c8f4de91f53f2684d3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bf5555d6466e3d90234292bf04bdad2c08dc2adc620107c8f4de91f53f2684d3.exe

"C:\Users\Admin\AppData\Local\Temp\bf5555d6466e3d90234292bf04bdad2c08dc2adc620107c8f4de91f53f2684d3.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 stats.norton.com udp
US 13.64.142.149:443 stats.norton.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.142.64.13.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 13.64.142.149:443 stats.norton.com tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 faults.norton.com udp
US 13.93.204.83:443 faults.norton.com tcp
US 8.8.8.8:53 83.204.93.13.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

C:\ProgramData\Norton\{086A63F0-6B13-4F29-9695-134E7A01E963}\LC.INI

MD5 d63ac3ce59eb0dc4a1362af3941f94b7
SHA1 ceede13e358827cbec65e6c49567361bca06f784
SHA256 1e7c140a98003fc763aec736d866c215a7415f732522da2599a3fb9f99922ac1
SHA512 e2c2c847d1f998f94e877752ec2b576d6046fd17c9e00f5348cb2adcbfd2da2358e5762ef0b31eca7c08120ad793ae4a064b601f4b84abea2eff0ddc68ffed2e

C:\ProgramData\Norton\FSDErMgt\ErrMgmt\SQCLIENT.dat

MD5 6c320a254ca94f4a2d64088d1eac6677
SHA1 895863a64538dd9db66f6c580b7bcc3b8b99fd0c
SHA256 5a3f4b09f11730be53a9e0b828c8d9168e8dbd3bf29b58666e318efb89f04a22
SHA512 a5145f8aeb6484878eec2e47af457fa9e0a7f598b099004e94e86ae19068d7b2113266b8b5ddd5c6d40d7416d09e40abf322c0ca079b76b561bcddf038cf50f2

C:\ProgramData\Norton\FSDErMgt\ErrMgmt\SQCLIENT.dat

MD5 0bf0f47d1e67a6c42e48b3cc5145b834
SHA1 70f2c976a696e50bf569113a72a1e651fc41609a
SHA256 0de36c3a4ddc4a5cdc7c8bbbf847472a7c517a2aa9ce0cee8c6652811aae2665
SHA512 c3f1575a7eb24b895609bf0e8882e6a3ee7679e327eb855ca0d1dd6f9922d97e2f32bce8fc074a3276655aeb3d2e35630558cc59aa957e6ff56381171254ab0f

C:\ProgramData\Norton\FSDErMgt\ErrorInstances\A67AD9B2\67BA37BE-1FA3-4CEF-B2E8-50A5B1663166.dat

MD5 b0fe2e9c4f32b363c5e5fd0d09e81c27
SHA1 20cb145bc87133e11dedeaa1812ff40a32cbf8f7
SHA256 5794bd1f6c0460576c971aaedea0228f4fdc3410ed19bc619836629517b547b6
SHA512 7d2f4caa74a48a0be7e74362e2af303727ef569d56a83fc2d8a331113d73603c345186ffd42a7ba4416b984bc6aaf717d814a7c3e25707559554d1ff74dda2ec