0x000400000001b0ea-1226.exe

General
Target

0x000400000001b0ea-1226.exe

Filesize

504MB

Completed

25-11-2020 10:18

Score

8/10
MD5

0f88fd9d557ffbe67a8897fb0fc08ee7

SHA1

61ab5f32d49b08173ee8470f0e332abda0c13471

SHA256

2f1436120017a1b23d27c9adc8ce999ef60080703a0971f183348498809785cf

Malware Config
Signatures 18

  • Executes dropped EXE
    85F91A36E275562F.exe, 85F91A36E275562F.exe, 1606299648547.exe, 1606299653845.exe, 1606299659314.exe, 1606299662111.exe, ThunderFW.exe

    Reported IOCs

    pid | process
    3048 | 85F91A36E275562F.exe
    584 | 85F91A36E275562F.exe
    4420 | 1606299648547.exe
    2984 | 1606299653845.exe
    3964 | 1606299659314.exe
    2648 | 1606299662111.exe
    192 | ThunderFW.exe
  • Suspicious Office macro

    Description

    Office document equipped with Excel 4.0 (XLM) macros.

    Tags

    Reported IOCs

    resource | yara_rule
    behavioral3/files/0x000100000001ab5c-2.dat | office_xlm_macros
  • Loads dropped DLL
    MsiExec.exe

    Reported IOCs

    pid | process
    2808 | MsiExec.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    Tags

    TTPs

    Data from Local System, Credentials in Files
  • Checks whether UAC is enabled
    0x000400000001b0ea-1226.exe, 85F91A36E275562F.exe, 85F91A36E275562F.exe

    TTPs

    System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 0x000400000001b0ea-1226.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 85F91A36E275562F.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 85F91A36E275562F.exe
  • Enumerates connected drives
    msiexec.exe, msiexec.exe

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

    Reported IOCs

    description | ioc | process
    File opened (read-only) | \??\F: | msiexec.exe
    File opened (read-only) | \??\G: | msiexec.exe
    File opened (read-only) | \??\H: | msiexec.exe
    File opened (read-only) | \??\I: | msiexec.exe
    File opened (read-only) | \??\U: | msiexec.exe
    File opened (read-only) | \??\I: | msiexec.exe
    File opened (read-only) | \??\R: | msiexec.exe
    File opened (read-only) | \??\U: | msiexec.exe
    File opened (read-only) | \??\T: | msiexec.exe
    File opened (read-only) | \??\F: | msiexec.exe
    File opened (read-only) | \??\T: | msiexec.exe
    File opened (read-only) | \??\J: | msiexec.exe
    File opened (read-only) | \??\L: | msiexec.exe
    File opened (read-only) | \??\M: | msiexec.exe
    File opened (read-only) | \??\R: | msiexec.exe
    File opened (read-only) | \??\L: | msiexec.exe
    File opened (read-only) | \??\W: | msiexec.exe
    File opened (read-only) | \??\E: | msiexec.exe
    File opened (read-only) | \??\Y: | msiexec.exe
    File opened (read-only) | \??\O: | msiexec.exe
    File opened (read-only) | \??\J: | msiexec.exe
    File opened (read-only) | \??\N: | msiexec.exe
    File opened (read-only) | \??\P: | msiexec.exe
    File opened (read-only) | \??\A: | msiexec.exe
    File opened (read-only) | \??\S: | msiexec.exe
    File opened (read-only) | \??\W: | msiexec.exe
    File opened (read-only) | \??\Z: | msiexec.exe
    File opened (read-only) | \??\A: | msiexec.exe
    File opened (read-only) | \??\B: | msiexec.exe
    File opened (read-only) | \??\X: | msiexec.exe
    File opened (read-only) | \??\N: | msiexec.exe
    File opened (read-only) | \??\Q: | msiexec.exe
    File opened (read-only) | \??\M: | msiexec.exe
    File opened (read-only) | \??\O: | msiexec.exe
    File opened (read-only) | \??\K: | msiexec.exe
    File opened (read-only) | \??\Q: | msiexec.exe
    File opened (read-only) | \??\S: | msiexec.exe
    File opened (read-only) | \??\V: | msiexec.exe
    File opened (read-only) | \??\P: | msiexec.exe
    File opened (read-only) | \??\X: | msiexec.exe
    File opened (read-only) | \??\E: | msiexec.exe
    File opened (read-only) | \??\G: | msiexec.exe
    File opened (read-only) | \??\H: | msiexec.exe
    File opened (read-only) | \??\Y: | msiexec.exe
    File opened (read-only) | \??\V: | msiexec.exe
    File opened (read-only) | \??\K: | msiexec.exe
    File opened (read-only) | \??\Z: | msiexec.exe
    File opened (read-only) | \??\B: | msiexec.exe
  • JavaScript code in executable

    Reported IOCs

    resource | yara_rule
    behavioral3/files/0x000100000001ab5c-2.dat | js
  • Writes to the Master Boot Record (MBR)
    0x000400000001b0ea-1226.exe, 85F91A36E275562F.exe, 85F91A36E275562F.exe

    Description

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    TTPs

    Bootkit

    Reported IOCs

    description | ioc | process
    File opened for modification | \??\PhysicalDrive0 | 0x000400000001b0ea-1226.exe
    File opened for modification | \??\PhysicalDrive0 | 85F91A36E275562F.exe
    File opened for modification | \??\PhysicalDrive0 | 85F91A36E275562F.exe
  • Suspicious use of NtSetInformationThreadHideFromDebugger
    0x000400000001b0ea-1226.exe

    Reported IOCs

    pid | process
    4636 | 0x000400000001b0ea-1226.exe
  • Suspicious use of SetThreadContext
    85F91A36E275562F.exe

    Reported IOCs

    description | pid | process | target process
    PID 3048 set thread context of 3244 | 3048 | 85F91A36E275562F.exe | firefox.exe
    PID 3048 set thread context of 2912 | 3048 | 85F91A36E275562F.exe | firefox.exe
    PID 3048 set thread context of 3864 | 3048 | 85F91A36E275562F.exe | firefox.exe
    PID 3048 set thread context of 4596 | 3048 | 85F91A36E275562F.exe | firefox.exe
  • Checks SCSI registry key(s)
    85F91A36E275562F.exe, 85F91A36E275562F.exe

    Description

    SCSI information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | 85F91A36E275562F.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | 85F91A36E275562F.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName | 85F91A36E275562F.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc | 85F91A36E275562F.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName | 85F91A36E275562F.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | 85F91A36E275562F.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc | 85F91A36E275562F.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName | 85F91A36E275562F.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc | 85F91A36E275562F.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | 85F91A36E275562F.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc | 85F91A36E275562F.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName | 85F91A36E275562F.exe
  • Kills process with taskkill
    taskkill.exe

    Tags

    Reported IOCs

    pid | process
    312 | taskkill.exe
  • Modifies system certificate store
    0x000400000001b0ea-1226.exe

    TTPs

    Install Root Certificate, Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD | 0x000400000001b0ea-1226.exe
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 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 | 0x000400000001b0ea-1226.exe
  • Runs ping.exe
    PING.EXE, PING.EXE

    TTPs

    Remote System Discovery

    Reported IOCs

    pid | process
    1196 | PING.EXE
    2572 | PING.EXE
  • Suspicious behavior: EnumeratesProcesses
    1606299648547.exe, 1606299653845.exe, 1606299659314.exe, 1606299662111.exe

    Reported IOCs

    pid | process
    4420 | 1606299648547.exe
    4420 | 1606299648547.exe
    2984 | 1606299653845.exe
    2984 | 1606299653845.exe
    3964 | 1606299659314.exe
    3964 | 1606299659314.exe
    2648 | 1606299662111.exe
    2648 | 1606299662111.exe
  • Suspicious use of AdjustPrivilegeToken
    msiexec.exe, msiexec.exe

    Reported IOCs

    description | pid | process
    Token: SeShutdownPrivilege | 3704 | msiexec.exe
    Token: SeIncreaseQuotaPrivilege | 3704 | msiexec.exe
    Token: SeSecurityPrivilege | 520 | msiexec.exe
    Token: SeCreateTokenPrivilege | 3704 | msiexec.exe
    Token: SeAssignPrimaryTokenPrivilege | 3704 | msiexec.exe
    Token: SeLockMemoryPrivilege | 3704 | msiexec.exe
    Token: SeIncreaseQuotaPrivilege | 3704 | msiexec.exe
    Token: SeMachineAccountPrivilege | 3704 | msiexec.exe
    Token: SeTcbPrivilege | 3704 | msiexec.exe
    Token: SeSecurityPrivilege | 3704 | msiexec.exe
    Token: SeTakeOwnershipPrivilege | 3704 | msiexec.exe
    Token: SeLoadDriverPrivilege | 3704 | msiexec.exe
    Token: SeSystemProfilePrivilege | 3704 | msiexec.exe
    Token: SeSystemtimePrivilege | 3704 | msiexec.exe
    Token: SeProfSingleProcessPrivilege | 3704 | msiexec.exe
    Token: SeIncBasePriorityPrivilege | 3704 | msiexec.exe
    Token: SeCreatePagefilePrivilege | 3704 | msiexec.exe
    Token: SeCreatePermanentPrivilege | 3704 | msiexec.exe
    Token: SeBackupPrivilege | 3704 | msiexec.exe
    Token: SeRestorePrivilege | 3704 | msiexec.exe
    Token: SeShutdownPrivilege | 3704 | msiexec.exe
    Token: SeDebugPrivilege | 3704 | msiexec.exe
    Token: SeAuditPrivilege | 3704 | msiexec.exe
    Token: SeSystemEnvironmentPrivilege | 3704 | msiexec.exe
    Token: SeChangeNotifyPrivilege | 3704 | msiexec.exe
    Token: SeRemoteShutdownPrivilege | 3704 | msiexec.exe
    Token: SeUndockPrivilege | 3704 | msiexec.exe
    Token: SeSyncAgentPrivilege | 3704 | msiexec.exe
    Token: SeEnableDelegationPrivilege | 3704 | msiexec.exe
    Token: SeManageVolumePrivilege | 3704 | msiexec.exe
    Token: SeImpersonatePrivilege | 3704 | msiexec.exe
    Token: SeCreateGlobalPrivilege | 3704 | msiexec.exe
    Token: SeCreateTokenPrivilege | 3704 | msiexec.exe
    Token: SeAssignPrimaryTokenPrivilege | 3704 | msiexec.exe
    Token: SeLockMemoryPrivilege | 3704 | msiexec.exe
    Token: SeIncreaseQuotaPrivilege | 3704 | msiexec.exe
    Token: SeMachineAccountPrivilege | 3704 | msiexec.exe
    Token: SeTcbPrivilege | 3704 | msiexec.exe
    Token: SeSecurityPrivilege | 3704 | msiexec.exe
    Token: SeTakeOwnershipPrivilege | 3704 | msiexec.exe
    Token: SeLoadDriverPrivilege | 3704 | msiexec.exe
    Token: SeSystemProfilePrivilege | 3704 | msiexec.exe
    Token: SeSystemtimePrivilege | 3704 | msiexec.exe
    Token: SeProfSingleProcessPrivilege | 3704 | msiexec.exe
    Token: SeIncBasePriorityPrivilege | 3704 | msiexec.exe
    Token: SeCreatePagefilePrivilege | 3704 | msiexec.exe
    Token: SeCreatePermanentPrivilege | 3704 | msiexec.exe
    Token: SeBackupPrivilege | 3704 | msiexec.exe
    Token: SeRestorePrivilege | 3704 | msiexec.exe
    Token: SeShutdownPrivilege | 3704 | msiexec.exe
    Token: SeDebugPrivilege | 3704 | msiexec.exe
    Token: SeAuditPrivilege | 3704 | msiexec.exe
    Token: SeSystemEnvironmentPrivilege | 3704 | msiexec.exe
    Token: SeChangeNotifyPrivilege | 3704 | msiexec.exe
    Token: SeRemoteShutdownPrivilege | 3704 | msiexec.exe
    Token: SeUndockPrivilege | 3704 | msiexec.exe
    Token: SeSyncAgentPrivilege | 3704 | msiexec.exe
    Token: SeEnableDelegationPrivilege | 3704 | msiexec.exe
    Token: SeManageVolumePrivilege | 3704 | msiexec.exe
    Token: SeImpersonatePrivilege | 3704 | msiexec.exe
    Token: SeCreateGlobalPrivilege | 3704 | msiexec.exe
    Token: SeCreateTokenPrivilege | 3704 | msiexec.exe
    Token: SeAssignPrimaryTokenPrivilege | 3704 | msiexec.exe
    Token: SeLockMemoryPrivilege | 3704 | msiexec.exe
  • Suspicious use of FindShellTrayWindow
    msiexec.exe

    Reported IOCs

    pid | process
    3704 | msiexec.exe
  • Suspicious use of WriteProcessMemory
    0x000400000001b0ea-1226.exe, msiexec.exe, cmd.exe, 85F91A36E275562F.exe, 85F91A36E275562F.exe, cmd.exe, cmd.exe

    Reported IOCs

    description | pid | process | target process
    PID 4636 wrote to memory of 3704 | 4636 | 0x000400000001b0ea-1226.exe | msiexec.exe
    PID 4636 wrote to memory of 3704 | 4636 | 0x000400000001b0ea-1226.exe | msiexec.exe
    PID 4636 wrote to memory of 3704 | 4636 | 0x000400000001b0ea-1226.exe | msiexec.exe
    PID 520 wrote to memory of 2808 | 520 | msiexec.exe | MsiExec.exe
    PID 520 wrote to memory of 2808 | 520 | msiexec.exe | MsiExec.exe
    PID 520 wrote to memory of 2808 | 520 | msiexec.exe | MsiExec.exe
    PID 4636 wrote to memory of 3048 | 4636 | 0x000400000001b0ea-1226.exe | 85F91A36E275562F.exe
    PID 4636 wrote to memory of 3048 | 4636 | 0x000400000001b0ea-1226.exe | 85F91A36E275562F.exe
    PID 4636 wrote to memory of 3048 | 4636 | 0x000400000001b0ea-1226.exe | 85F91A36E275562F.exe
    PID 4636 wrote to memory of 584 | 4636 | 0x000400000001b0ea-1226.exe | 85F91A36E275562F.exe
    PID 4636 wrote to memory of 584 | 4636 | 0x000400000001b0ea-1226.exe | 85F91A36E275562F.exe
    PID 4636 wrote to memory of 584 | 4636 | 0x000400000001b0ea-1226.exe | 85F91A36E275562F.exe
    PID 4636 wrote to memory of 932 | 4636 | 0x000400000001b0ea-1226.exe | cmd.exe
    PID 4636 wrote to memory of 932 | 4636 | 0x000400000001b0ea-1226.exe | cmd.exe
    PID 4636 wrote to memory of 932 | 4636 | 0x000400000001b0ea-1226.exe | cmd.exe
    PID 932 wrote to memory of 1196 | 932 | cmd.exe | PING.EXE
    PID 932 wrote to memory of 1196 | 932 | cmd.exe | PING.EXE
    PID 932 wrote to memory of 1196 | 932 | cmd.exe | PING.EXE
    PID 584 wrote to memory of 1596 | 584 | 85F91A36E275562F.exe | cmd.exe
    PID 584 wrote to memory of 1596 | 584 | 85F91A36E275562F.exe | cmd.exe
    PID 584 wrote to memory of 1596 | 584 | 85F91A36E275562F.exe | cmd.exe
    PID 3048 wrote to memory of 3244 | 3048 | 85F91A36E275562F.exe | firefox.exe
    PID 3048 wrote to memory of 3244 | 3048 | 85F91A36E275562F.exe | firefox.exe
    PID 3048 wrote to memory of 3244 | 3048 | 85F91A36E275562F.exe | firefox.exe
    PID 3048 wrote to memory of 3244 | 3048 | 85F91A36E275562F.exe | firefox.exe
    PID 3048 wrote to memory of 3244 | 3048 | 85F91A36E275562F.exe | firefox.exe
    PID 3048 wrote to memory of 3244 | 3048 | 85F91A36E275562F.exe | firefox.exe
    PID 1596 wrote to memory of 312 | 1596 | cmd.exe | taskkill.exe
    PID 1596 wrote to memory of 312 | 1596 | cmd.exe | taskkill.exe
    PID 1596 wrote to memory of 312 | 1596 | cmd.exe | taskkill.exe
    PID 3048 wrote to memory of 4420 | 3048 | 85F91A36E275562F.exe | 1606299648547.exe
    PID 3048 wrote to memory of 4420 | 3048 | 85F91A36E275562F.exe | 1606299648547.exe
    PID 3048 wrote to memory of 4420 | 3048 | 85F91A36E275562F.exe | 1606299648547.exe
    PID 584 wrote to memory of 2548 | 584 | 85F91A36E275562F.exe | cmd.exe
    PID 584 wrote to memory of 2548 | 584 | 85F91A36E275562F.exe | cmd.exe
    PID 584 wrote to memory of 2548 | 584 | 85F91A36E275562F.exe | cmd.exe
    PID 2548 wrote to memory of 2572 | 2548 | cmd.exe | PING.EXE
    PID 2548 wrote to memory of 2572 | 2548 | cmd.exe | PING.EXE
    PID 2548 wrote to memory of 2572 | 2548 | cmd.exe | PING.EXE
    PID 3048 wrote to memory of 2912 | 3048 | 85F91A36E275562F.exe | firefox.exe
    PID 3048 wrote to memory of 2912 | 3048 | 85F91A36E275562F.exe | firefox.exe
    PID 3048 wrote to memory of 2912 | 3048 | 85F91A36E275562F.exe | firefox.exe
    PID 3048 wrote to memory of 2912 | 3048 | 85F91A36E275562F.exe | firefox.exe
    PID 3048 wrote to memory of 2912 | 3048 | 85F91A36E275562F.exe | firefox.exe
    PID 3048 wrote to memory of 2912 | 3048 | 85F91A36E275562F.exe | firefox.exe
    PID 3048 wrote to memory of 2984 | 3048 | 85F91A36E275562F.exe | 1606299653845.exe
    PID 3048 wrote to memory of 2984 | 3048 | 85F91A36E275562F.exe | 1606299653845.exe
    PID 3048 wrote to memory of 2984 | 3048 | 85F91A36E275562F.exe | 1606299653845.exe
    PID 3048 wrote to memory of 3864 | 3048 | 85F91A36E275562F.exe | firefox.exe
    PID 3048 wrote to memory of 3864 | 3048 | 85F91A36E275562F.exe | firefox.exe
    PID 3048 wrote to memory of 3864 | 3048 | 85F91A36E275562F.exe | firefox.exe
    PID 3048 wrote to memory of 3864 | 3048 | 85F91A36E275562F.exe | firefox.exe
    PID 3048 wrote to memory of 3864 | 3048 | 85F91A36E275562F.exe | firefox.exe
    PID 3048 wrote to memory of 3864 | 3048 | 85F91A36E275562F.exe | firefox.exe
    PID 3048 wrote to memory of 3964 | 3048 | 85F91A36E275562F.exe | 1606299659314.exe
    PID 3048 wrote to memory of 3964 | 3048 | 85F91A36E275562F.exe | 1606299659314.exe
    PID 3048 wrote to memory of 3964 | 3048 | 85F91A36E275562F.exe | 1606299659314.exe
    PID 3048 wrote to memory of 4596 | 3048 | 85F91A36E275562F.exe | firefox.exe
    PID 3048 wrote to memory of 4596 | 3048 | 85F91A36E275562F.exe | firefox.exe
    PID 3048 wrote to memory of 4596 | 3048 | 85F91A36E275562F.exe | firefox.exe
    PID 3048 wrote to memory of 4596 | 3048 | 85F91A36E275562F.exe | firefox.exe
    PID 3048 wrote to memory of 4596 | 3048 | 85F91A36E275562F.exe | firefox.exe
    PID 3048 wrote to memory of 4596 | 3048 | 85F91A36E275562F.exe | firefox.exe
    PID 3048 wrote to memory of 2648 | 3048 | 85F91A36E275562F.exe | 1606299662111.exe
Processes 22
  • C:\Users\Admin\AppData\Local\Temp\0x000400000001b0ea-1226.exe
    "C:\Users\Admin\AppData\Local\Temp\0x000400000001b0ea-1226.exe"
    Checks whether UAC is enabled
    Writes to the Master Boot Record (MBR)
    Suspicious use of NtSetInformationThreadHideFromDebugger
    Modifies system certificate store
    Suspicious use of WriteProcessMemory
    PID:4636
    • C:\Windows\SysWOW64\msiexec.exe
      msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
      Enumerates connected drives
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:3704
    • C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe
      C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe 0011 installp1
      Executes dropped EXE
      Checks whether UAC is enabled
      Writes to the Master Boot Record (MBR)
      Suspicious use of SetThreadContext
      Checks SCSI registry key(s)
      Suspicious use of WriteProcessMemory
      PID:3048
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        PID:3244
      • C:\Users\Admin\AppData\Roaming\1606299648547.exe
        "C:\Users\Admin\AppData\Roaming\1606299648547.exe" /sjson "C:\Users\Admin\AppData\Roaming\1606299648547.txt"
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        PID:4420
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        PID:2912
      • C:\Users\Admin\AppData\Roaming\1606299653845.exe
        "C:\Users\Admin\AppData\Roaming\1606299653845.exe" /sjson "C:\Users\Admin\AppData\Roaming\1606299653845.txt"
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        PID:2984
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        PID:3864
      • C:\Users\Admin\AppData\Roaming\1606299659314.exe
        "C:\Users\Admin\AppData\Roaming\1606299659314.exe" /sjson "C:\Users\Admin\AppData\Roaming\1606299659314.txt"
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        PID:3964
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        PID:4596
      • C:\Users\Admin\AppData\Roaming\1606299662111.exe
        "C:\Users\Admin\AppData\Roaming\1606299662111.exe" /sjson "C:\Users\Admin\AppData\Roaming\1606299662111.txt"
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        PID:2648
      • C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
        C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
        Executes dropped EXE
        PID:192
    • C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe
      C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe 200 installp1
      Executes dropped EXE
      Checks whether UAC is enabled
      Writes to the Master Boot Record (MBR)
      Checks SCSI registry key(s)
      Suspicious use of WriteProcessMemory
      PID:584
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c taskkill /f /im chrome.exe
        Suspicious use of WriteProcessMemory
        PID:1596
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im chrome.exe
          Kills process with taskkill
          PID:312
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe"
        Suspicious use of WriteProcessMemory
        PID:2548
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 3
          Runs ping.exe
          PID:2572
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\0x000400000001b0ea-1226.exe"
      Suspicious use of WriteProcessMemory
      PID:932
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 3
        Runs ping.exe
        PID:1196
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    Enumerates connected drives
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:520
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding B9E32B1A4C3EBE599301DDA4003C1C58 C
      Loads dropped DLL
      PID:2808
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    PID:1344
Network
MITRE ATT&CK Matrix
Command and Control, Credential Access, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe
  • C:\Users\Admin\AppData\Local\Temp\MSI7804.tmp
  • C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
  • C:\Users\Admin\AppData\Local\Temp\gdiview.msi
  • C:\Users\Admin\AppData\Roaming\1606299648547.exe
  • C:\Users\Admin\AppData\Roaming\1606299648547.txt
  • C:\Users\Admin\AppData\Roaming\1606299653845.exe
  • C:\Users\Admin\AppData\Roaming\1606299653845.txt
  • C:\Users\Admin\AppData\Roaming\1606299659314.exe
  • C:\Users\Admin\AppData\Roaming\1606299659314.txt
  • C:\Users\Admin\AppData\Roaming\1606299662111.exe
  • C:\Users\Admin\AppData\Roaming\1606299662111.txt