a8fefe8e1f92a30d1cdd4e2e2afaacf08a02c8961f496ee16e89062417ec5f28

Analysis

max time kernel
150s
max time network
92s
platform
windows7_x64
resource
win7v20201028
submitted
29-01-2021 09:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FileSetup-v17.04.41.exe
Size

4.4MB
MD5

b7234e4a9aaaacefa890535f8117c8fc
SHA1

24c4321111ff004105c14e29662682f16900de29
SHA256

a8fefe8e1f92a30d1cdd4e2e2afaacf08a02c8961f496ee16e89062417ec5f28
SHA512

8590be6433943bec0867a18247e25d9821d39db1d06c6957d3895558eb5568dddff0b97acda222f0a16701c50de43d8ad667d6717add6900ec941e71ca28e513

Score

8^/10

bootkit macro persistence spyware xlm

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

6852B33702F6B3BD.exe6852B33702F6B3BD.exeThunderFW.exe

pid process

820 6852B33702F6B3BD.exe
556 6852B33702F6B3BD.exe
1508 ThunderFW.exe

pid	process
820	6852B33702F6B3BD.exe
556	6852B33702F6B3BD.exe
1508	ThunderFW.exe

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\gdiview.msi	office_xlm_macros

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1696 cmd.exe

pid	process
1696	cmd.exe

Loads dropped DLL 12 IoCs

Processes:

MsiExec.exeFileSetup-v17.04.41.exe6852B33702F6B3BD.exe6852B33702F6B3BD.exeThunderFW.exe

pid	process
768	MsiExec.exe
532	FileSetup-v17.04.41.exe
532	FileSetup-v17.04.41.exe
820	6852B33702F6B3BD.exe
556	6852B33702F6B3BD.exe
556	6852B33702F6B3BD.exe
556	6852B33702F6B3BD.exe
820	6852B33702F6B3BD.exe
820	6852B33702F6B3BD.exe
820	6852B33702F6B3BD.exe
1508	ThunderFW.exe
1508	ThunderFW.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

JavaScript code in executable 12 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\gdiview.msi	js
\Users\Admin\AppData\Local\Temp\6852B33702F6B3BD.exe	js
\Users\Admin\AppData\Local\Temp\6852B33702F6B3BD.exe	js
C:\Users\Admin\AppData\Local\Temp\6852B33702F6B3BD.exe	js
C:\Users\Admin\AppData\Local\Temp\6852B33702F6B3BD.exe	js
\Users\Admin\AppData\Local\Temp\6852B33702F6B3BD.exe	js
\Users\Admin\AppData\Local\Temp\6852B33702F6B3BD.exe	js
\Users\Admin\AppData\Local\Temp\6852B33702F6B3BD.exe	js
\Users\Admin\AppData\Local\Temp\6852B33702F6B3BD.exe	js
\Users\Admin\AppData\Local\Temp\6852B33702F6B3BD.exe	js
\Users\Admin\AppData\Local\Temp\6852B33702F6B3BD.exe	js
C:\Users\Admin\AppData\Local\Temp\6852B33702F6B3BD.exe	js

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

FileSetup-v17.04.41.exe6852B33702F6B3BD.exe6852B33702F6B3BD.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	FileSetup-v17.04.41.exe
File opened for modification	\??\PhysicalDrive0	6852B33702F6B3BD.exe
File opened for modification	\??\PhysicalDrive0	6852B33702F6B3BD.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

FileSetup-v17.04.41.exe

pid process

532 FileSetup-v17.04.41.exe

pid	process
532	FileSetup-v17.04.41.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

6852B33702F6B3BD.exe

description	pid	process	target process
PID 820 set thread context of 1020	820	6852B33702F6B3BD.exe	firefox.exe
PID 820 set thread context of 912	820	6852B33702F6B3BD.exe	firefox.exe
PID 820 set thread context of 1908	820	6852B33702F6B3BD.exe	firefox.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

788 taskkill.exe

pid	process
788	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

FileSetup-v17.04.41.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	FileSetup-v17.04.41.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	FileSetup-v17.04.41.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

1740 PING.EXE
280 PING.EXE
1700 PING.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

msiexec.exe

pid process

1876 msiexec.exe

pid	process
1740	PING.EXE
280	PING.EXE
1700	PING.EXE

pid	process
1876	msiexec.exe

Suspicious use of AdjustPrivilegeToken 93 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1876	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1876	msiexec.exe
Token: SeRestorePrivilege	1428	msiexec.exe
Token: SeTakeOwnershipPrivilege	1428	msiexec.exe
Token: SeSecurityPrivilege	1428	msiexec.exe
Token: SeCreateTokenPrivilege	1876	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1876	msiexec.exe
Token: SeLockMemoryPrivilege	1876	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1876	msiexec.exe
Token: SeMachineAccountPrivilege	1876	msiexec.exe
Token: SeTcbPrivilege	1876	msiexec.exe
Token: SeSecurityPrivilege	1876	msiexec.exe
Token: SeTakeOwnershipPrivilege	1876	msiexec.exe
Token: SeLoadDriverPrivilege	1876	msiexec.exe
Token: SeSystemProfilePrivilege	1876	msiexec.exe
Token: SeSystemtimePrivilege	1876	msiexec.exe
Token: SeProfSingleProcessPrivilege	1876	msiexec.exe
Token: SeIncBasePriorityPrivilege	1876	msiexec.exe
Token: SeCreatePagefilePrivilege	1876	msiexec.exe
Token: SeCreatePermanentPrivilege	1876	msiexec.exe
Token: SeBackupPrivilege	1876	msiexec.exe
Token: SeRestorePrivilege	1876	msiexec.exe
Token: SeShutdownPrivilege	1876	msiexec.exe
Token: SeDebugPrivilege	1876	msiexec.exe
Token: SeAuditPrivilege	1876	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1876	msiexec.exe
Token: SeChangeNotifyPrivilege	1876	msiexec.exe
Token: SeRemoteShutdownPrivilege	1876	msiexec.exe
Token: SeUndockPrivilege	1876	msiexec.exe
Token: SeSyncAgentPrivilege	1876	msiexec.exe
Token: SeEnableDelegationPrivilege	1876	msiexec.exe
Token: SeManageVolumePrivilege	1876	msiexec.exe
Token: SeImpersonatePrivilege	1876	msiexec.exe
Token: SeCreateGlobalPrivilege	1876	msiexec.exe
Token: SeCreateTokenPrivilege	1876	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1876	msiexec.exe
Token: SeLockMemoryPrivilege	1876	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1876	msiexec.exe
Token: SeMachineAccountPrivilege	1876	msiexec.exe
Token: SeTcbPrivilege	1876	msiexec.exe
Token: SeSecurityPrivilege	1876	msiexec.exe
Token: SeTakeOwnershipPrivilege	1876	msiexec.exe
Token: SeLoadDriverPrivilege	1876	msiexec.exe
Token: SeSystemProfilePrivilege	1876	msiexec.exe
Token: SeSystemtimePrivilege	1876	msiexec.exe
Token: SeProfSingleProcessPrivilege	1876	msiexec.exe
Token: SeIncBasePriorityPrivilege	1876	msiexec.exe
Token: SeCreatePagefilePrivilege	1876	msiexec.exe
Token: SeCreatePermanentPrivilege	1876	msiexec.exe
Token: SeBackupPrivilege	1876	msiexec.exe
Token: SeRestorePrivilege	1876	msiexec.exe
Token: SeShutdownPrivilege	1876	msiexec.exe
Token: SeDebugPrivilege	1876	msiexec.exe
Token: SeAuditPrivilege	1876	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1876	msiexec.exe
Token: SeChangeNotifyPrivilege	1876	msiexec.exe
Token: SeRemoteShutdownPrivilege	1876	msiexec.exe
Token: SeUndockPrivilege	1876	msiexec.exe
Token: SeSyncAgentPrivilege	1876	msiexec.exe
Token: SeEnableDelegationPrivilege	1876	msiexec.exe
Token: SeManageVolumePrivilege	1876	msiexec.exe
Token: SeImpersonatePrivilege	1876	msiexec.exe
Token: SeCreateGlobalPrivilege	1876	msiexec.exe
Token: SeCreateTokenPrivilege	1876	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

1876 msiexec.exe

pid	process
1876	msiexec.exe

Suspicious use of WriteProcessMemory 115 IoCs

Processes:

FileSetup-v17.04.41.exemsiexec.execmd.exe6852B33702F6B3BD.execmd.exe6852B33702F6B3BD.exe

description	pid	process	target process
PID 532 wrote to memory of 1876	532	FileSetup-v17.04.41.exe	msiexec.exe
PID 532 wrote to memory of 1876	532	FileSetup-v17.04.41.exe	msiexec.exe
PID 532 wrote to memory of 1876	532	FileSetup-v17.04.41.exe	msiexec.exe
PID 532 wrote to memory of 1876	532	FileSetup-v17.04.41.exe	msiexec.exe
PID 532 wrote to memory of 1876	532	FileSetup-v17.04.41.exe	msiexec.exe
PID 532 wrote to memory of 1876	532	FileSetup-v17.04.41.exe	msiexec.exe
PID 532 wrote to memory of 1876	532	FileSetup-v17.04.41.exe	msiexec.exe
PID 1428 wrote to memory of 768	1428	msiexec.exe	MsiExec.exe
PID 1428 wrote to memory of 768	1428	msiexec.exe	MsiExec.exe
PID 1428 wrote to memory of 768	1428	msiexec.exe	MsiExec.exe
PID 1428 wrote to memory of 768	1428	msiexec.exe	MsiExec.exe
PID 1428 wrote to memory of 768	1428	msiexec.exe	MsiExec.exe
PID 1428 wrote to memory of 768	1428	msiexec.exe	MsiExec.exe
PID 1428 wrote to memory of 768	1428	msiexec.exe	MsiExec.exe
PID 532 wrote to memory of 820	532	FileSetup-v17.04.41.exe	6852B33702F6B3BD.exe
PID 532 wrote to memory of 820	532	FileSetup-v17.04.41.exe	6852B33702F6B3BD.exe
PID 532 wrote to memory of 820	532	FileSetup-v17.04.41.exe	6852B33702F6B3BD.exe
PID 532 wrote to memory of 820	532	FileSetup-v17.04.41.exe	6852B33702F6B3BD.exe
PID 532 wrote to memory of 820	532	FileSetup-v17.04.41.exe	6852B33702F6B3BD.exe
PID 532 wrote to memory of 820	532	FileSetup-v17.04.41.exe	6852B33702F6B3BD.exe
PID 532 wrote to memory of 820	532	FileSetup-v17.04.41.exe	6852B33702F6B3BD.exe
PID 532 wrote to memory of 556	532	FileSetup-v17.04.41.exe	6852B33702F6B3BD.exe
PID 532 wrote to memory of 556	532	FileSetup-v17.04.41.exe	6852B33702F6B3BD.exe
PID 532 wrote to memory of 556	532	FileSetup-v17.04.41.exe	6852B33702F6B3BD.exe
PID 532 wrote to memory of 556	532	FileSetup-v17.04.41.exe	6852B33702F6B3BD.exe
PID 532 wrote to memory of 556	532	FileSetup-v17.04.41.exe	6852B33702F6B3BD.exe
PID 532 wrote to memory of 556	532	FileSetup-v17.04.41.exe	6852B33702F6B3BD.exe
PID 532 wrote to memory of 556	532	FileSetup-v17.04.41.exe	6852B33702F6B3BD.exe
PID 532 wrote to memory of 1696	532	FileSetup-v17.04.41.exe	cmd.exe
PID 532 wrote to memory of 1696	532	FileSetup-v17.04.41.exe	cmd.exe
PID 532 wrote to memory of 1696	532	FileSetup-v17.04.41.exe	cmd.exe
PID 532 wrote to memory of 1696	532	FileSetup-v17.04.41.exe	cmd.exe
PID 532 wrote to memory of 1696	532	FileSetup-v17.04.41.exe	cmd.exe
PID 532 wrote to memory of 1696	532	FileSetup-v17.04.41.exe	cmd.exe
PID 532 wrote to memory of 1696	532	FileSetup-v17.04.41.exe	cmd.exe
PID 1696 wrote to memory of 1740	1696	cmd.exe	PING.EXE
PID 1696 wrote to memory of 1740	1696	cmd.exe	PING.EXE
PID 1696 wrote to memory of 1740	1696	cmd.exe	PING.EXE
PID 1696 wrote to memory of 1740	1696	cmd.exe	PING.EXE
PID 1696 wrote to memory of 1740	1696	cmd.exe	PING.EXE
PID 1696 wrote to memory of 1740	1696	cmd.exe	PING.EXE
PID 1696 wrote to memory of 1740	1696	cmd.exe	PING.EXE
PID 556 wrote to memory of 1896	556	6852B33702F6B3BD.exe	cmd.exe
PID 556 wrote to memory of 1896	556	6852B33702F6B3BD.exe	cmd.exe
PID 556 wrote to memory of 1896	556	6852B33702F6B3BD.exe	cmd.exe
PID 556 wrote to memory of 1896	556	6852B33702F6B3BD.exe	cmd.exe
PID 556 wrote to memory of 1896	556	6852B33702F6B3BD.exe	cmd.exe
PID 556 wrote to memory of 1896	556	6852B33702F6B3BD.exe	cmd.exe
PID 556 wrote to memory of 1896	556	6852B33702F6B3BD.exe	cmd.exe
PID 1896 wrote to memory of 788	1896	cmd.exe	taskkill.exe
PID 1896 wrote to memory of 788	1896	cmd.exe	taskkill.exe
PID 1896 wrote to memory of 788	1896	cmd.exe	taskkill.exe
PID 1896 wrote to memory of 788	1896	cmd.exe	taskkill.exe
PID 1896 wrote to memory of 788	1896	cmd.exe	taskkill.exe
PID 1896 wrote to memory of 788	1896	cmd.exe	taskkill.exe
PID 1896 wrote to memory of 788	1896	cmd.exe	taskkill.exe
PID 820 wrote to memory of 1020	820	6852B33702F6B3BD.exe	firefox.exe
PID 820 wrote to memory of 1020	820	6852B33702F6B3BD.exe	firefox.exe
PID 820 wrote to memory of 1020	820	6852B33702F6B3BD.exe	firefox.exe
PID 820 wrote to memory of 1020	820	6852B33702F6B3BD.exe	firefox.exe
PID 820 wrote to memory of 1020	820	6852B33702F6B3BD.exe	firefox.exe
PID 820 wrote to memory of 1020	820	6852B33702F6B3BD.exe	firefox.exe
PID 820 wrote to memory of 1020	820	6852B33702F6B3BD.exe	firefox.exe
PID 820 wrote to memory of 1020	820	6852B33702F6B3BD.exe	firefox.exe

C:\Users\Admin\AppData\Local\Temp\FileSetup-v17.04.41.exe
"C:\Users\Admin\AppData\Local\Temp\FileSetup-v17.04.41.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:532

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
2⤵
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1876

C:\Users\Admin\AppData\Local\Temp\6852B33702F6B3BD.exe
C:\Users\Admin\AppData\Local\Temp\6852B33702F6B3BD.exe 0011 installp3
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:820

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
3⤵
PID:1020

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
3⤵
PID:912

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
3⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1508

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6852B33702F6B3BD.exe"
3⤵
PID:1020

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
4⤵
- Runs ping.exe
PID:1700

C:\Users\Admin\AppData\Local\Temp\6852B33702F6B3BD.exe
C:\Users\Admin\AppData\Local\Temp\6852B33702F6B3BD.exe 200 installp3
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
PID:788

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6852B33702F6B3BD.exe"
3⤵
PID:1052

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
4⤵
- Runs ping.exe
PID:280

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\FileSetup-v17.04.41.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
3⤵
- Runs ping.exe
PID:1740

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 89ADC471851CB6C9FC5946C0ADA515DE C
2⤵
- Loads dropped DLL
PID:768

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6852B33702F6B3BD.exe
MD5
b7234e4a9aaaacefa890535f8117c8fc

SHA1
24c4321111ff004105c14e29662682f16900de29

SHA256
a8fefe8e1f92a30d1cdd4e2e2afaacf08a02c8961f496ee16e89062417ec5f28

SHA512
8590be6433943bec0867a18247e25d9821d39db1d06c6957d3895558eb5568dddff0b97acda222f0a16701c50de43d8ad667d6717add6900ec941e71ca28e513

Download Submit
C:\Users\Admin\AppData\Local\Temp\6852B33702F6B3BD.exe
MD5
b7234e4a9aaaacefa890535f8117c8fc

SHA1
24c4321111ff004105c14e29662682f16900de29

SHA256
a8fefe8e1f92a30d1cdd4e2e2afaacf08a02c8961f496ee16e89062417ec5f28

SHA512
8590be6433943bec0867a18247e25d9821d39db1d06c6957d3895558eb5568dddff0b97acda222f0a16701c50de43d8ad667d6717add6900ec941e71ca28e513

Download Submit
C:\Users\Admin\AppData\Local\Temp\6852B33702F6B3BD.exe
MD5
b7234e4a9aaaacefa890535f8117c8fc

SHA1
24c4321111ff004105c14e29662682f16900de29

SHA256
a8fefe8e1f92a30d1cdd4e2e2afaacf08a02c8961f496ee16e89062417ec5f28

SHA512
8590be6433943bec0867a18247e25d9821d39db1d06c6957d3895558eb5568dddff0b97acda222f0a16701c50de43d8ad667d6717add6900ec941e71ca28e513

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI78E7.tmp
MD5
84878b1a26f8544bda4e069320ad8e7d

SHA1
51c6ee244f5f2fa35b563bffb91e37da848a759c

SHA256
809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444

SHA512
4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
MD5
f0372ff8a6148498b19e04203dbb9e69

SHA1
27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

SHA256
298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

SHA512
65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
MD5
f0372ff8a6148498b19e04203dbb9e69

SHA1
27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

SHA256
298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

SHA512
65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdiview.msi
MD5
7cc103f6fd70c6f3a2d2b9fca0438182

SHA1
699bd8924a27516b405ea9a686604b53b4e23372

SHA256
dbd9f2128f0b92b21ef99a1d7a0f93f14ebe475dba436d8b1562677821b918a1

SHA512
92ec9590e32a0cf810fc5d15ca9d855c86e5b8cb17cf45dd68bcb972bd78692436535adf9f510259d604e0a8ba2e25c6d2616df242261eb7b09a0ca5c6c2c128

Download Submit
\Users\Admin\AppData\Local\Temp\6852B33702F6B3BD.exe
MD5
b7234e4a9aaaacefa890535f8117c8fc

SHA1
24c4321111ff004105c14e29662682f16900de29

SHA256
a8fefe8e1f92a30d1cdd4e2e2afaacf08a02c8961f496ee16e89062417ec5f28

SHA512
8590be6433943bec0867a18247e25d9821d39db1d06c6957d3895558eb5568dddff0b97acda222f0a16701c50de43d8ad667d6717add6900ec941e71ca28e513

Download Submit
\Users\Admin\AppData\Local\Temp\6852B33702F6B3BD.exe
MD5
b7234e4a9aaaacefa890535f8117c8fc

SHA1
24c4321111ff004105c14e29662682f16900de29

SHA256
a8fefe8e1f92a30d1cdd4e2e2afaacf08a02c8961f496ee16e89062417ec5f28

SHA512
8590be6433943bec0867a18247e25d9821d39db1d06c6957d3895558eb5568dddff0b97acda222f0a16701c50de43d8ad667d6717add6900ec941e71ca28e513

Download Submit
\Users\Admin\AppData\Local\Temp\6852B33702F6B3BD.exe
MD5
b7234e4a9aaaacefa890535f8117c8fc

SHA1
24c4321111ff004105c14e29662682f16900de29

SHA256
a8fefe8e1f92a30d1cdd4e2e2afaacf08a02c8961f496ee16e89062417ec5f28

SHA512
8590be6433943bec0867a18247e25d9821d39db1d06c6957d3895558eb5568dddff0b97acda222f0a16701c50de43d8ad667d6717add6900ec941e71ca28e513

Download Submit
\Users\Admin\AppData\Local\Temp\6852B33702F6B3BD.exe
MD5
b7234e4a9aaaacefa890535f8117c8fc

SHA1
24c4321111ff004105c14e29662682f16900de29

SHA256
a8fefe8e1f92a30d1cdd4e2e2afaacf08a02c8961f496ee16e89062417ec5f28

SHA512
8590be6433943bec0867a18247e25d9821d39db1d06c6957d3895558eb5568dddff0b97acda222f0a16701c50de43d8ad667d6717add6900ec941e71ca28e513

Download Submit
\Users\Admin\AppData\Local\Temp\6852B33702F6B3BD.exe
MD5
b7234e4a9aaaacefa890535f8117c8fc

SHA1
24c4321111ff004105c14e29662682f16900de29

SHA256
a8fefe8e1f92a30d1cdd4e2e2afaacf08a02c8961f496ee16e89062417ec5f28

SHA512
8590be6433943bec0867a18247e25d9821d39db1d06c6957d3895558eb5568dddff0b97acda222f0a16701c50de43d8ad667d6717add6900ec941e71ca28e513

Download Submit
\Users\Admin\AppData\Local\Temp\6852B33702F6B3BD.exe
MD5
b7234e4a9aaaacefa890535f8117c8fc

SHA1
24c4321111ff004105c14e29662682f16900de29

SHA256
a8fefe8e1f92a30d1cdd4e2e2afaacf08a02c8961f496ee16e89062417ec5f28

SHA512
8590be6433943bec0867a18247e25d9821d39db1d06c6957d3895558eb5568dddff0b97acda222f0a16701c50de43d8ad667d6717add6900ec941e71ca28e513

Download Submit
\Users\Admin\AppData\Local\Temp\6852B33702F6B3BD.exe
MD5
b7234e4a9aaaacefa890535f8117c8fc

SHA1
24c4321111ff004105c14e29662682f16900de29

SHA256
a8fefe8e1f92a30d1cdd4e2e2afaacf08a02c8961f496ee16e89062417ec5f28

SHA512
8590be6433943bec0867a18247e25d9821d39db1d06c6957d3895558eb5568dddff0b97acda222f0a16701c50de43d8ad667d6717add6900ec941e71ca28e513

Download Submit
\Users\Admin\AppData\Local\Temp\6852B33702F6B3BD.exe
MD5
b7234e4a9aaaacefa890535f8117c8fc

SHA1
24c4321111ff004105c14e29662682f16900de29

SHA256
a8fefe8e1f92a30d1cdd4e2e2afaacf08a02c8961f496ee16e89062417ec5f28

SHA512
8590be6433943bec0867a18247e25d9821d39db1d06c6957d3895558eb5568dddff0b97acda222f0a16701c50de43d8ad667d6717add6900ec941e71ca28e513

Download Submit
\Users\Admin\AppData\Local\Temp\MSI78E7.tmp
MD5
84878b1a26f8544bda4e069320ad8e7d

SHA1
51c6ee244f5f2fa35b563bffb91e37da848a759c

SHA256
809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444

SHA512
4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549

Download Submit
\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
MD5
f0372ff8a6148498b19e04203dbb9e69

SHA1
27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

SHA256
298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

SHA512
65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

Download Submit
\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
MD5
f0372ff8a6148498b19e04203dbb9e69

SHA1
27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

SHA256
298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

SHA512
65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

Download Submit
\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
MD5
f0372ff8a6148498b19e04203dbb9e69

SHA1
27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

SHA256
298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

SHA512
65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

Download Submit
memory/280-44-0x0000000000000000-mapping.dmp

Download
memory/532-3-0x0000000010000000-0x000000001033C000-memory.dmp

Filesize
3.2MB

Download
memory/532-2-0x0000000075C61000-0x0000000075C63000-memory.dmp

Filesize
8KB

Download
memory/556-33-0x00000000035B0000-0x0000000003A5F000-memory.dmp

Filesize
4.7MB

Download
memory/556-16-0x0000000000000000-mapping.dmp

Download
memory/768-8-0x0000000000000000-mapping.dmp

Download
memory/788-36-0x0000000000000000-mapping.dmp

Download
memory/820-13-0x0000000000000000-mapping.dmp

Download
memory/820-38-0x00000000034E0000-0x000000000398F000-memory.dmp

Filesize
4.7MB

Download
memory/912-47-0x000000013F518270-mapping.dmp

Download
memory/912-49-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1020-40-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/1020-39-0x000000013F218270-mapping.dmp

Download
memory/1020-60-0x0000000000000000-mapping.dmp

Download
memory/1020-41-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/1052-42-0x0000000000000000-mapping.dmp

Download
memory/1428-7-0x000007FEFB6F1000-0x000007FEFB6F3000-memory.dmp

Filesize
8KB

Download
memory/1504-46-0x000007FEF7040000-0x000007FEF72BA000-memory.dmp

Filesize
2.5MB

Download
memory/1508-54-0x0000000000000000-mapping.dmp

Download
memory/1696-27-0x0000000000000000-mapping.dmp

Download
memory/1700-62-0x0000000000000000-mapping.dmp

Download
memory/1740-30-0x0000000000000000-mapping.dmp

Download
memory/1876-4-0x0000000000000000-mapping.dmp

Download
memory/1896-34-0x0000000000000000-mapping.dmp

Download
memory/1908-50-0x000000013FB08270-mapping.dmp

Download