Analysis
-
max time kernel
40s -
max time network
70s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
29-01-2021 16:23
Static task
static1
Behavioral task
behavioral1
Sample
2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe
Resource
win7v20201028
General
-
Target
2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe
-
Size
4.8MB
-
MD5
f7d7c89f3f5cbc925480b46b7b934157
-
SHA1
73e389b70cf3d8975ccbaf7d04f4c45cc80be860
-
SHA256
2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a
-
SHA512
9b972e2954c18f706a6f8012a6b76e1f4ce8e76466eae919b55a6225c4f8574586d9f11838d8d63bdd245b11cfd3e581248e9a578f72ff2dd8b6623bebc525eb
Malware Config
Signatures
-
Nirsoft 4 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\1611941213509.exe Nirsoft C:\Users\Admin\AppData\Roaming\1611941213509.exe Nirsoft C:\Users\Admin\AppData\Roaming\1611941215337.exe Nirsoft C:\Users\Admin\AppData\Roaming\1611941215337.exe Nirsoft -
Executes dropped EXE 5 IoCs
Processes:
6272167835D47591.exe6272167835D47591.exe1611941213509.exe1611941215337.exeThunderFW.exepid process 2764 6272167835D47591.exe 2456 6272167835D47591.exe 2172 1611941213509.exe 2364 1611941215337.exe 3632 ThunderFW.exe -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\gdiview.msi office_xlm_macros -
Loads dropped DLL 1 IoCs
Processes:
MsiExec.exepid process 1192 MsiExec.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe6272167835D47591.exe6272167835D47591.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 6272167835D47591.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 6272167835D47591.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\S: msiexec.exe -
JavaScript code in executable 1 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\gdiview.msi js -
Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe6272167835D47591.exe6272167835D47591.exedescription ioc process File opened for modification \??\PhysicalDrive0 2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe File opened for modification \??\PhysicalDrive0 6272167835D47591.exe File opened for modification \??\PhysicalDrive0 6272167835D47591.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exepid process 832 2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
6272167835D47591.exedescription pid process target process PID 2764 set thread context of 2348 2764 6272167835D47591.exe firefox.exe PID 2764 set thread context of 1368 2764 6272167835D47591.exe firefox.exe -
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
6272167835D47591.exe6272167835D47591.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName 6272167835D47591.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc 6272167835D47591.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName 6272167835D47591.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName 6272167835D47591.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc 6272167835D47591.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc 6272167835D47591.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName 6272167835D47591.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 6272167835D47591.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 6272167835D47591.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc 6272167835D47591.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 6272167835D47591.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 6272167835D47591.exe -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 4040 taskkill.exe -
Processes:
2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD 2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576 2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe -
Runs ping.exe 1 TTPs 3 IoCs
Processes:
PING.EXEPING.EXEPING.EXEpid process 880 PING.EXE 3064 PING.EXE 3968 PING.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
1611941213509.exe1611941215337.exepid process 2172 1611941213509.exe 2172 1611941213509.exe 2364 1611941215337.exe 2364 1611941215337.exe -
Suspicious use of AdjustPrivilegeToken 91 IoCs
Processes:
msiexec.exemsiexec.exedescription pid process Token: SeShutdownPrivilege 4076 msiexec.exe Token: SeIncreaseQuotaPrivilege 4076 msiexec.exe Token: SeSecurityPrivilege 2352 msiexec.exe Token: SeCreateTokenPrivilege 4076 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4076 msiexec.exe Token: SeLockMemoryPrivilege 4076 msiexec.exe Token: SeIncreaseQuotaPrivilege 4076 msiexec.exe Token: SeMachineAccountPrivilege 4076 msiexec.exe Token: SeTcbPrivilege 4076 msiexec.exe Token: SeSecurityPrivilege 4076 msiexec.exe Token: SeTakeOwnershipPrivilege 4076 msiexec.exe Token: SeLoadDriverPrivilege 4076 msiexec.exe Token: SeSystemProfilePrivilege 4076 msiexec.exe Token: SeSystemtimePrivilege 4076 msiexec.exe Token: SeProfSingleProcessPrivilege 4076 msiexec.exe Token: SeIncBasePriorityPrivilege 4076 msiexec.exe Token: SeCreatePagefilePrivilege 4076 msiexec.exe Token: SeCreatePermanentPrivilege 4076 msiexec.exe Token: SeBackupPrivilege 4076 msiexec.exe Token: SeRestorePrivilege 4076 msiexec.exe Token: SeShutdownPrivilege 4076 msiexec.exe Token: SeDebugPrivilege 4076 msiexec.exe Token: SeAuditPrivilege 4076 msiexec.exe Token: SeSystemEnvironmentPrivilege 4076 msiexec.exe Token: SeChangeNotifyPrivilege 4076 msiexec.exe Token: SeRemoteShutdownPrivilege 4076 msiexec.exe Token: SeUndockPrivilege 4076 msiexec.exe Token: SeSyncAgentPrivilege 4076 msiexec.exe Token: SeEnableDelegationPrivilege 4076 msiexec.exe Token: SeManageVolumePrivilege 4076 msiexec.exe Token: SeImpersonatePrivilege 4076 msiexec.exe Token: SeCreateGlobalPrivilege 4076 msiexec.exe Token: SeCreateTokenPrivilege 4076 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4076 msiexec.exe Token: SeLockMemoryPrivilege 4076 msiexec.exe Token: SeIncreaseQuotaPrivilege 4076 msiexec.exe Token: SeMachineAccountPrivilege 4076 msiexec.exe Token: SeTcbPrivilege 4076 msiexec.exe Token: SeSecurityPrivilege 4076 msiexec.exe Token: SeTakeOwnershipPrivilege 4076 msiexec.exe Token: SeLoadDriverPrivilege 4076 msiexec.exe Token: SeSystemProfilePrivilege 4076 msiexec.exe Token: SeSystemtimePrivilege 4076 msiexec.exe Token: SeProfSingleProcessPrivilege 4076 msiexec.exe Token: SeIncBasePriorityPrivilege 4076 msiexec.exe Token: SeCreatePagefilePrivilege 4076 msiexec.exe Token: SeCreatePermanentPrivilege 4076 msiexec.exe Token: SeBackupPrivilege 4076 msiexec.exe Token: SeRestorePrivilege 4076 msiexec.exe Token: SeShutdownPrivilege 4076 msiexec.exe Token: SeDebugPrivilege 4076 msiexec.exe Token: SeAuditPrivilege 4076 msiexec.exe Token: SeSystemEnvironmentPrivilege 4076 msiexec.exe Token: SeChangeNotifyPrivilege 4076 msiexec.exe Token: SeRemoteShutdownPrivilege 4076 msiexec.exe Token: SeUndockPrivilege 4076 msiexec.exe Token: SeSyncAgentPrivilege 4076 msiexec.exe Token: SeEnableDelegationPrivilege 4076 msiexec.exe Token: SeManageVolumePrivilege 4076 msiexec.exe Token: SeImpersonatePrivilege 4076 msiexec.exe Token: SeCreateGlobalPrivilege 4076 msiexec.exe Token: SeCreateTokenPrivilege 4076 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4076 msiexec.exe Token: SeLockMemoryPrivilege 4076 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
msiexec.exepid process 4076 msiexec.exe -
Suspicious use of WriteProcessMemory 57 IoCs
Processes:
2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.execmd.exemsiexec.exe6272167835D47591.exe6272167835D47591.execmd.execmd.execmd.exedescription pid process target process PID 832 wrote to memory of 4076 832 2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe msiexec.exe PID 832 wrote to memory of 4076 832 2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe msiexec.exe PID 832 wrote to memory of 4076 832 2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe msiexec.exe PID 832 wrote to memory of 2764 832 2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe 6272167835D47591.exe PID 832 wrote to memory of 2764 832 2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe 6272167835D47591.exe PID 832 wrote to memory of 2764 832 2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe 6272167835D47591.exe PID 832 wrote to memory of 2456 832 2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe 6272167835D47591.exe PID 832 wrote to memory of 2456 832 2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe 6272167835D47591.exe PID 832 wrote to memory of 2456 832 2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe 6272167835D47591.exe PID 832 wrote to memory of 196 832 2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe cmd.exe PID 832 wrote to memory of 196 832 2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe cmd.exe PID 832 wrote to memory of 196 832 2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe cmd.exe PID 196 wrote to memory of 3064 196 cmd.exe PING.EXE PID 196 wrote to memory of 3064 196 cmd.exe PING.EXE PID 196 wrote to memory of 3064 196 cmd.exe PING.EXE PID 2352 wrote to memory of 1192 2352 msiexec.exe MsiExec.exe PID 2352 wrote to memory of 1192 2352 msiexec.exe MsiExec.exe PID 2352 wrote to memory of 1192 2352 msiexec.exe MsiExec.exe PID 2456 wrote to memory of 384 2456 6272167835D47591.exe cmd.exe PID 2456 wrote to memory of 384 2456 6272167835D47591.exe cmd.exe PID 2456 wrote to memory of 384 2456 6272167835D47591.exe cmd.exe PID 2764 wrote to memory of 2348 2764 6272167835D47591.exe firefox.exe PID 2764 wrote to memory of 2348 2764 6272167835D47591.exe firefox.exe PID 2764 wrote to memory of 2348 2764 6272167835D47591.exe firefox.exe PID 2764 wrote to memory of 2348 2764 6272167835D47591.exe firefox.exe PID 2764 wrote to memory of 2348 2764 6272167835D47591.exe firefox.exe PID 2764 wrote to memory of 2348 2764 6272167835D47591.exe firefox.exe PID 384 wrote to memory of 4040 384 cmd.exe taskkill.exe PID 384 wrote to memory of 4040 384 cmd.exe taskkill.exe PID 384 wrote to memory of 4040 384 cmd.exe taskkill.exe PID 2764 wrote to memory of 2172 2764 6272167835D47591.exe 1611941213509.exe PID 2764 wrote to memory of 2172 2764 6272167835D47591.exe 1611941213509.exe PID 2764 wrote to memory of 2172 2764 6272167835D47591.exe 1611941213509.exe PID 2456 wrote to memory of 2788 2456 6272167835D47591.exe cmd.exe PID 2456 wrote to memory of 2788 2456 6272167835D47591.exe cmd.exe PID 2456 wrote to memory of 2788 2456 6272167835D47591.exe cmd.exe PID 2788 wrote to memory of 3968 2788 cmd.exe PING.EXE PID 2788 wrote to memory of 3968 2788 cmd.exe PING.EXE PID 2788 wrote to memory of 3968 2788 cmd.exe PING.EXE PID 2764 wrote to memory of 1368 2764 6272167835D47591.exe firefox.exe PID 2764 wrote to memory of 1368 2764 6272167835D47591.exe firefox.exe PID 2764 wrote to memory of 1368 2764 6272167835D47591.exe firefox.exe PID 2764 wrote to memory of 1368 2764 6272167835D47591.exe firefox.exe PID 2764 wrote to memory of 1368 2764 6272167835D47591.exe firefox.exe PID 2764 wrote to memory of 1368 2764 6272167835D47591.exe firefox.exe PID 2764 wrote to memory of 2364 2764 6272167835D47591.exe 1611941215337.exe PID 2764 wrote to memory of 2364 2764 6272167835D47591.exe 1611941215337.exe PID 2764 wrote to memory of 2364 2764 6272167835D47591.exe 1611941215337.exe PID 2764 wrote to memory of 3632 2764 6272167835D47591.exe ThunderFW.exe PID 2764 wrote to memory of 3632 2764 6272167835D47591.exe ThunderFW.exe PID 2764 wrote to memory of 3632 2764 6272167835D47591.exe ThunderFW.exe PID 2764 wrote to memory of 764 2764 6272167835D47591.exe cmd.exe PID 2764 wrote to memory of 764 2764 6272167835D47591.exe cmd.exe PID 2764 wrote to memory of 764 2764 6272167835D47591.exe cmd.exe PID 764 wrote to memory of 880 764 cmd.exe PING.EXE PID 764 wrote to memory of 880 764 cmd.exe PING.EXE PID 764 wrote to memory of 880 764 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe"C:\Users\Admin\AppData\Local\Temp\2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe"1⤵
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exemsiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\6272167835D47591.exeC:\Users\Admin\AppData\Local\Temp\6272167835D47591.exe 0011 user012⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\1611941213509.exe"C:\Users\Admin\AppData\Roaming\1611941213509.exe" /sjson "C:\Users\Admin\AppData\Roaming\1611941213509.txt"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"3⤵
-
C:\Users\Admin\AppData\Roaming\1611941215337.exe"C:\Users\Admin\AppData\Roaming\1611941215337.exe" /sjson "C:\Users\Admin\AppData\Roaming\1611941215337.txt"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exeC:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6272167835D47591.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 34⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\6272167835D47591.exeC:\Users\Admin\AppData\Local\Temp\6272167835D47591.exe 200 user012⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe4⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6272167835D47591.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 34⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 33⤵
- Runs ping.exe
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 5E0226864AB29A2AF6A8A58D0E3436CC C2⤵
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\6272167835D47591.exeMD5
f7d7c89f3f5cbc925480b46b7b934157
SHA173e389b70cf3d8975ccbaf7d04f4c45cc80be860
SHA2562870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a
SHA5129b972e2954c18f706a6f8012a6b76e1f4ce8e76466eae919b55a6225c4f8574586d9f11838d8d63bdd245b11cfd3e581248e9a578f72ff2dd8b6623bebc525eb
-
C:\Users\Admin\AppData\Local\Temp\6272167835D47591.exeMD5
f7d7c89f3f5cbc925480b46b7b934157
SHA173e389b70cf3d8975ccbaf7d04f4c45cc80be860
SHA2562870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a
SHA5129b972e2954c18f706a6f8012a6b76e1f4ce8e76466eae919b55a6225c4f8574586d9f11838d8d63bdd245b11cfd3e581248e9a578f72ff2dd8b6623bebc525eb
-
C:\Users\Admin\AppData\Local\Temp\6272167835D47591.exeMD5
f7d7c89f3f5cbc925480b46b7b934157
SHA173e389b70cf3d8975ccbaf7d04f4c45cc80be860
SHA2562870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a
SHA5129b972e2954c18f706a6f8012a6b76e1f4ce8e76466eae919b55a6225c4f8574586d9f11838d8d63bdd245b11cfd3e581248e9a578f72ff2dd8b6623bebc525eb
-
C:\Users\Admin\AppData\Local\Temp\MSIA5EA.tmpMD5
84878b1a26f8544bda4e069320ad8e7d
SHA151c6ee244f5f2fa35b563bffb91e37da848a759c
SHA256809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444
SHA5124742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549
-
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exeMD5
f0372ff8a6148498b19e04203dbb9e69
SHA127fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8
SHA256298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf
SHA51265d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865
-
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exeMD5
f0372ff8a6148498b19e04203dbb9e69
SHA127fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8
SHA256298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf
SHA51265d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865
-
C:\Users\Admin\AppData\Local\Temp\gdiview.msiMD5
7cc103f6fd70c6f3a2d2b9fca0438182
SHA1699bd8924a27516b405ea9a686604b53b4e23372
SHA256dbd9f2128f0b92b21ef99a1d7a0f93f14ebe475dba436d8b1562677821b918a1
SHA51292ec9590e32a0cf810fc5d15ca9d855c86e5b8cb17cf45dd68bcb972bd78692436535adf9f510259d604e0a8ba2e25c6d2616df242261eb7b09a0ca5c6c2c128
-
C:\Users\Admin\AppData\Roaming\1611941213509.exeMD5
ef6f72358cb02551caebe720fbc55f95
SHA1b5ee276e8d479c270eceb497606bd44ee09ff4b8
SHA2566562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5
SHA512ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90
-
C:\Users\Admin\AppData\Roaming\1611941213509.exeMD5
ef6f72358cb02551caebe720fbc55f95
SHA1b5ee276e8d479c270eceb497606bd44ee09ff4b8
SHA2566562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5
SHA512ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90
-
C:\Users\Admin\AppData\Roaming\1611941213509.txtMD5
f3a55ae79aa1a18000ccac4d16761dcd
SHA17e2cf5c2a7147b4b172bd9347bbf45aca6beb0f3
SHA256a77561badbf13eef0e2b0d278d81d7847bfa26c8f3765c2fb798ab4187675575
SHA5125184cb5cc3278cccf387e7e576587fa33c87d62df1249d20542257443fb36ca67a71f63775c241dcb982542abfcb0918d29edc333addb234b0a46db29fd5c168
-
C:\Users\Admin\AppData\Roaming\1611941215337.exeMD5
ef6f72358cb02551caebe720fbc55f95
SHA1b5ee276e8d479c270eceb497606bd44ee09ff4b8
SHA2566562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5
SHA512ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90
-
C:\Users\Admin\AppData\Roaming\1611941215337.exeMD5
ef6f72358cb02551caebe720fbc55f95
SHA1b5ee276e8d479c270eceb497606bd44ee09ff4b8
SHA2566562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5
SHA512ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90
-
C:\Users\Admin\AppData\Roaming\1611941215337.txtMD5
f3a55ae79aa1a18000ccac4d16761dcd
SHA17e2cf5c2a7147b4b172bd9347bbf45aca6beb0f3
SHA256a77561badbf13eef0e2b0d278d81d7847bfa26c8f3765c2fb798ab4187675575
SHA5125184cb5cc3278cccf387e7e576587fa33c87d62df1249d20542257443fb36ca67a71f63775c241dcb982542abfcb0918d29edc333addb234b0a46db29fd5c168
-
\Users\Admin\AppData\Local\Temp\MSIA5EA.tmpMD5
84878b1a26f8544bda4e069320ad8e7d
SHA151c6ee244f5f2fa35b563bffb91e37da848a759c
SHA256809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444
SHA5124742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549
-
memory/196-10-0x0000000000000000-mapping.dmp
-
memory/384-19-0x0000000000000000-mapping.dmp
-
memory/764-40-0x0000000000000000-mapping.dmp
-
memory/832-2-0x0000000010000000-0x000000001033C000-memory.dmpFilesize
3.2MB
-
memory/880-41-0x0000000000000000-mapping.dmp
-
memory/1192-14-0x0000000000000000-mapping.dmp
-
memory/1368-35-0x000002474B270000-0x000002474B271000-memory.dmpFilesize
4KB
-
memory/1368-30-0x00007FF7F13D8270-mapping.dmp
-
memory/2172-24-0x0000000000000000-mapping.dmp
-
memory/2348-20-0x00007FF7F13D8270-mapping.dmp
-
memory/2348-22-0x0000000010000000-0x0000000010057000-memory.dmpFilesize
348KB
-
memory/2348-23-0x00000169166E0000-0x00000169166E1000-memory.dmpFilesize
4KB
-
memory/2364-31-0x0000000000000000-mapping.dmp
-
memory/2456-6-0x0000000000000000-mapping.dmp
-
memory/2456-17-0x0000000003800000-0x0000000003CAF000-memory.dmpFilesize
4.7MB
-
memory/2764-12-0x0000000010000000-0x000000001033C000-memory.dmpFilesize
3.2MB
-
memory/2764-18-0x0000000003740000-0x0000000003BEF000-memory.dmpFilesize
4.7MB
-
memory/2764-5-0x0000000000000000-mapping.dmp
-
memory/2788-27-0x0000000000000000-mapping.dmp
-
memory/3064-11-0x0000000000000000-mapping.dmp
-
memory/3632-37-0x0000000000000000-mapping.dmp
-
memory/3968-28-0x0000000000000000-mapping.dmp
-
memory/4040-21-0x0000000000000000-mapping.dmp
-
memory/4076-3-0x0000000000000000-mapping.dmp