Analysis

  • max time kernel
    61s
  • max time network
    64s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    25-11-2020 10:14

General

  • Target

    0x000400000001b0ea-1226.exe

  • Size

    504MB

  • MD5

    0f88fd9d557ffbe67a8897fb0fc08ee7

  • SHA1

    61ab5f32d49b08173ee8470f0e332abda0c13471

  • SHA256

    2f1436120017a1b23d27c9adc8ce999ef60080703a0971f183348498809785cf

  • SHA512

    f28f9a5a71ecc82f6160a167c12835b44c67d707434265a88f72ab9249d48109a546ef31d968aa0dbcd6513648267221f9998e80250683a06605b007ea2c1a7c

Malware Config

Signatures

  • Executes dropped EXE 7 IoCs
  • Suspicious Office macro 1 IoCs

    Office document equipped with 4.0 macros.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks whether UAC is enabled 1 TTPs 3 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • JavaScript code in executable 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 96 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 69 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0x000400000001b0ea-1226.exe
    "C:\Users\Admin\AppData\Local\Temp\0x000400000001b0ea-1226.exe"
    1⤵
    • Checks whether UAC is enabled
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:4636
    • C:\Windows\SysWOW64\msiexec.exe
      msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
      2⤵
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:3704
    • C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe
      C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe 0011 installp1
      2⤵
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of SetThreadContext
      • Checks SCSI registry key(s)
      • Suspicious use of WriteProcessMemory
      PID:3048
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        3⤵
          PID:3244
        • C:\Users\Admin\AppData\Roaming\1606299648547.exe
          "C:\Users\Admin\AppData\Roaming\1606299648547.exe" /sjson "C:\Users\Admin\AppData\Roaming\1606299648547.txt"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:4420
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe"
          3⤵
            PID:2912
          • C:\Users\Admin\AppData\Roaming\1606299653845.exe
            "C:\Users\Admin\AppData\Roaming\1606299653845.exe" /sjson "C:\Users\Admin\AppData\Roaming\1606299653845.txt"
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:2984
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe"
            3⤵
              PID:3864
            • C:\Users\Admin\AppData\Roaming\1606299659314.exe
              "C:\Users\Admin\AppData\Roaming\1606299659314.exe" /sjson "C:\Users\Admin\AppData\Roaming\1606299659314.txt"
              3⤵
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              PID:3964
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe"
              3⤵
                PID:4596
              • C:\Users\Admin\AppData\Roaming\1606299662111.exe
                "C:\Users\Admin\AppData\Roaming\1606299662111.exe" /sjson "C:\Users\Admin\AppData\Roaming\1606299662111.txt"
                3⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                PID:2648
              • C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
                C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
                3⤵
                • Executes dropped EXE
                PID:192
            • C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe
              C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe 200 installp1
              2⤵
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Writes to the Master Boot Record (MBR)
              • Checks SCSI registry key(s)
              • Suspicious use of WriteProcessMemory
              PID:584
              • C:\Windows\SysWOW64\cmd.exe
                cmd.exe /c taskkill /f /im chrome.exe
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:1596
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im chrome.exe
                  4⤵
                  • Kills process with taskkill
                  PID:312
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe"
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:2548
                • C:\Windows\SysWOW64\PING.EXE
                  ping 127.0.0.1 -n 3
                  4⤵
                  • Runs ping.exe
                  PID:2572
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\0x000400000001b0ea-1226.exe"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:932
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1 -n 3
                3⤵
                • Runs ping.exe
                PID:1196
          • C:\Windows\system32\msiexec.exe
            C:\Windows\system32\msiexec.exe /V
            1⤵
            • Enumerates connected drives
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:520
            • C:\Windows\syswow64\MsiExec.exe
              C:\Windows\syswow64\MsiExec.exe -Embedding B9E32B1A4C3EBE599301DDA4003C1C58 C
              2⤵
              • Loads dropped DLL
              PID:2808
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
              PID:1344

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Persistence

            Bootkit

            1
            T1067

            Defense Evasion

            Install Root Certificate

            1
            T1130

            Modify Registry

            1
            T1112

            Credential Access

            Credentials in Files

            1
            T1081

            Discovery

            System Information Discovery

            3
            T1082

            Query Registry

            2
            T1012

            Peripheral Device Discovery

            2
            T1120

            Remote System Discovery

            1
            T1018

            Collection

            Data from Local System

            1
            T1005

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe
              MD5

              81164d547c58c886824d685fcad156c9

              SHA1

              6e65df34c92ab288d23236f81ac36a9b7f3941e9

              SHA256

              14384142a9ff4d96ff5c131ab86aeb551249dbe7ec4ab49d041cd4fb93ed7c03

              SHA512

              63e327f660187d4c41fa22f7e881a1a210ea77c8c6860dfe57bd96af5a39f8914c9ac27f53938d4c28ae7aac9fc4c59afc8e417f8e7926699a9616b9d1c698d2

            • C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe
              MD5

              37735a5f61da0ef0f5fb31f01a624779

              SHA1

              90fe0a70ec30b167c4791f6e56f72e260afc6495

              SHA256

              c19e0eee7149de4e05a9fcbfb4437905353d11225cfea87e10b4307718a2e157

              SHA512

              195a220a19f5439ffe012da8ddea0a024b8a7ff84290a48c69cb16b0effb9ba380570fe83c4d90abdc4ba048d364ad2a48046f10969c9e6edbe68596aa44602f

            • C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe
              MD5

              332e9e363bbfee656ec62a0d8d71fc23

              SHA1

              a4e64594182d986f0fcea1b4c5c20924e1072028

              SHA256

              d0e14da267bd8fca64ccd6a3f9c2086d456fb7f819820b07fc0a957af5d4d437

              SHA512

              2104bc5dba4c72bebe33973c2330f652260d3147b7bb4d1eacfa5f94fce7508e9d3cff1f64cf358394c22bde21df021f31fa637bec89727a87c736cd914689bd

            • C:\Users\Admin\AppData\Local\Temp\MSI7804.tmp
              MD5

              84878b1a26f8544bda4e069320ad8e7d

              SHA1

              51c6ee244f5f2fa35b563bffb91e37da848a759c

              SHA256

              809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444

              SHA512

              4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549

            • C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
              MD5

              f0372ff8a6148498b19e04203dbb9e69

              SHA1

              27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

              SHA256

              298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

              SHA512

              65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

            • C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
              MD5

              f0372ff8a6148498b19e04203dbb9e69

              SHA1

              27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

              SHA256

              298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

              SHA512

              65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

            • C:\Users\Admin\AppData\Local\Temp\gdiview.msi
              MD5

              7cc103f6fd70c6f3a2d2b9fca0438182

              SHA1

              699bd8924a27516b405ea9a686604b53b4e23372

              SHA256

              dbd9f2128f0b92b21ef99a1d7a0f93f14ebe475dba436d8b1562677821b918a1

              SHA512

              92ec9590e32a0cf810fc5d15ca9d855c86e5b8cb17cf45dd68bcb972bd78692436535adf9f510259d604e0a8ba2e25c6d2616df242261eb7b09a0ca5c6c2c128

            • C:\Users\Admin\AppData\Roaming\1606299648547.exe
              MD5

              ef6f72358cb02551caebe720fbc55f95

              SHA1

              b5ee276e8d479c270eceb497606bd44ee09ff4b8

              SHA256

              6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

              SHA512

              ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

            • C:\Users\Admin\AppData\Roaming\1606299648547.exe
              MD5

              ef6f72358cb02551caebe720fbc55f95

              SHA1

              b5ee276e8d479c270eceb497606bd44ee09ff4b8

              SHA256

              6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

              SHA512

              ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

            • C:\Users\Admin\AppData\Roaming\1606299648547.txt
              MD5

              f3a55ae79aa1a18000ccac4d16761dcd

              SHA1

              7e2cf5c2a7147b4b172bd9347bbf45aca6beb0f3

              SHA256

              a77561badbf13eef0e2b0d278d81d7847bfa26c8f3765c2fb798ab4187675575

              SHA512

              5184cb5cc3278cccf387e7e576587fa33c87d62df1249d20542257443fb36ca67a71f63775c241dcb982542abfcb0918d29edc333addb234b0a46db29fd5c168

            • C:\Users\Admin\AppData\Roaming\1606299653845.exe
              MD5

              ef6f72358cb02551caebe720fbc55f95

              SHA1

              b5ee276e8d479c270eceb497606bd44ee09ff4b8

              SHA256

              6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

              SHA512

              ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

            • C:\Users\Admin\AppData\Roaming\1606299653845.exe
              MD5

              ef6f72358cb02551caebe720fbc55f95

              SHA1

              b5ee276e8d479c270eceb497606bd44ee09ff4b8

              SHA256

              6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

              SHA512

              ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

            • C:\Users\Admin\AppData\Roaming\1606299653845.txt
              MD5

              f3a55ae79aa1a18000ccac4d16761dcd

              SHA1

              7e2cf5c2a7147b4b172bd9347bbf45aca6beb0f3

              SHA256

              a77561badbf13eef0e2b0d278d81d7847bfa26c8f3765c2fb798ab4187675575

              SHA512

              5184cb5cc3278cccf387e7e576587fa33c87d62df1249d20542257443fb36ca67a71f63775c241dcb982542abfcb0918d29edc333addb234b0a46db29fd5c168

            • C:\Users\Admin\AppData\Roaming\1606299659314.exe
              MD5

              ef6f72358cb02551caebe720fbc55f95

              SHA1

              b5ee276e8d479c270eceb497606bd44ee09ff4b8

              SHA256

              6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

              SHA512

              ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

            • C:\Users\Admin\AppData\Roaming\1606299659314.exe
              MD5

              ef6f72358cb02551caebe720fbc55f95

              SHA1

              b5ee276e8d479c270eceb497606bd44ee09ff4b8

              SHA256

              6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

              SHA512

              ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

            • C:\Users\Admin\AppData\Roaming\1606299659314.txt
              MD5

              f3a55ae79aa1a18000ccac4d16761dcd

              SHA1

              7e2cf5c2a7147b4b172bd9347bbf45aca6beb0f3

              SHA256

              a77561badbf13eef0e2b0d278d81d7847bfa26c8f3765c2fb798ab4187675575

              SHA512

              5184cb5cc3278cccf387e7e576587fa33c87d62df1249d20542257443fb36ca67a71f63775c241dcb982542abfcb0918d29edc333addb234b0a46db29fd5c168

            • C:\Users\Admin\AppData\Roaming\1606299662111.exe
              MD5

              ef6f72358cb02551caebe720fbc55f95

              SHA1

              b5ee276e8d479c270eceb497606bd44ee09ff4b8

              SHA256

              6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

              SHA512

              ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

            • C:\Users\Admin\AppData\Roaming\1606299662111.exe
              MD5

              ef6f72358cb02551caebe720fbc55f95

              SHA1

              b5ee276e8d479c270eceb497606bd44ee09ff4b8

              SHA256

              6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

              SHA512

              ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

            • C:\Users\Admin\AppData\Roaming\1606299662111.txt
              MD5

              f3a55ae79aa1a18000ccac4d16761dcd

              SHA1

              7e2cf5c2a7147b4b172bd9347bbf45aca6beb0f3

              SHA256

              a77561badbf13eef0e2b0d278d81d7847bfa26c8f3765c2fb798ab4187675575

              SHA512

              5184cb5cc3278cccf387e7e576587fa33c87d62df1249d20542257443fb36ca67a71f63775c241dcb982542abfcb0918d29edc333addb234b0a46db29fd5c168

            • \Users\Admin\AppData\Local\Temp\MSI7804.tmp
              MD5

              84878b1a26f8544bda4e069320ad8e7d

              SHA1

              51c6ee244f5f2fa35b563bffb91e37da848a759c

              SHA256

              809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444

              SHA512

              4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549

            • memory/192-45-0x0000000000000000-mapping.dmp
            • memory/312-19-0x0000000000000000-mapping.dmp
            • memory/584-8-0x0000000000000000-mapping.dmp
            • memory/584-16-0x00000000041E0000-0x0000000004691000-memory.dmp
              Filesize

              4MB

            • memory/932-11-0x0000000000000000-mapping.dmp
            • memory/1196-14-0x0000000000000000-mapping.dmp
            • memory/1596-17-0x0000000000000000-mapping.dmp
            • memory/2548-25-0x0000000000000000-mapping.dmp
            • memory/2572-26-0x0000000000000000-mapping.dmp
            • memory/2648-41-0x0000000000000000-mapping.dmp
            • memory/2808-3-0x0000000000000000-mapping.dmp
            • memory/2912-27-0x00007FF728B88270-mapping.dmp
            • memory/2984-28-0x0000000000000000-mapping.dmp
            • memory/3048-12-0x0000000010000000-0x000000001033D000-memory.dmp
              Filesize

              3MB

            • memory/3048-6-0x0000000000000000-mapping.dmp
            • memory/3048-15-0x0000000004240000-0x00000000046F1000-memory.dmp
              Filesize

              4MB

            • memory/3244-20-0x0000000010000000-0x0000000010057000-memory.dmp
              Filesize

              348KB

            • memory/3244-18-0x00007FF728B88270-mapping.dmp
            • memory/3704-1-0x0000000000000000-mapping.dmp
            • memory/3864-33-0x00007FF728B88270-mapping.dmp
            • memory/3964-34-0x0000000000000000-mapping.dmp
            • memory/4420-21-0x0000000000000000-mapping.dmp
            • memory/4596-39-0x00007FF728B88270-mapping.dmp
            • memory/4636-0-0x0000000010000000-0x000000001033D000-memory.dmp
              Filesize

              3MB