2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a

Analysis

max time kernel
40s
max time network
70s
platform
windows10_x64
resource
win10v20201028
submitted
29-01-2021 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe
Size

4.8MB
MD5

f7d7c89f3f5cbc925480b46b7b934157
SHA1

73e389b70cf3d8975ccbaf7d04f4c45cc80be860
SHA256

2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a
SHA512

9b972e2954c18f706a6f8012a6b76e1f4ce8e76466eae919b55a6225c4f8574586d9f11838d8d63bdd245b11cfd3e581248e9a578f72ff2dd8b6623bebc525eb

Score

9^/10

bootkit evasion macro persistence spyware trojan xlm

Malware Config

Signatures

Nirsoft 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\1611941213509.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\1611941213509.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\1611941215337.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\1611941215337.exe	Nirsoft

Executes dropped EXE 5 IoCs

Processes:

6272167835D47591.exe6272167835D47591.exe1611941213509.exe1611941215337.exeThunderFW.exe

pid process

2764 6272167835D47591.exe
2456 6272167835D47591.exe
2172 1611941213509.exe
2364 1611941215337.exe
3632 ThunderFW.exe

pid	process
2764	6272167835D47591.exe
2456	6272167835D47591.exe
2172	1611941213509.exe
2364	1611941215337.exe
3632	ThunderFW.exe

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\gdiview.msi	office_xlm_macros

Loads dropped DLL 1 IoCs

Processes:

MsiExec.exe

pid process

1192 MsiExec.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1192	MsiExec.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe6272167835D47591.exe6272167835D47591.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6272167835D47591.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	6272167835D47591.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

JavaScript code in executable 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\gdiview.msi	js

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe6272167835D47591.exe6272167835D47591.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe
File opened for modification	\??\PhysicalDrive0	6272167835D47591.exe
File opened for modification	\??\PhysicalDrive0	6272167835D47591.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe

pid process

832 2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe

pid	process
832	2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

6272167835D47591.exe

description	pid	process	target process
PID 2764 set thread context of 2348	2764	6272167835D47591.exe	firefox.exe
PID 2764 set thread context of 1368	2764	6272167835D47591.exe	firefox.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

6272167835D47591.exe6272167835D47591.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	6272167835D47591.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	6272167835D47591.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	6272167835D47591.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	6272167835D47591.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	6272167835D47591.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	6272167835D47591.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	6272167835D47591.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	6272167835D47591.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	6272167835D47591.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	6272167835D47591.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	6272167835D47591.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	6272167835D47591.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4040 taskkill.exe

pid	process
4040	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

880 PING.EXE
3064 PING.EXE
3968 PING.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

1611941213509.exe1611941215337.exe

pid process

2172 1611941213509.exe
2172 1611941213509.exe
2364 1611941215337.exe
2364 1611941215337.exe

pid	process
880	PING.EXE
3064	PING.EXE
3968	PING.EXE

pid	process
2172	1611941213509.exe
2172	1611941213509.exe
2364	1611941215337.exe
2364	1611941215337.exe

Suspicious use of AdjustPrivilegeToken 91 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	4076	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4076	msiexec.exe
Token: SeSecurityPrivilege	2352	msiexec.exe
Token: SeCreateTokenPrivilege	4076	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4076	msiexec.exe
Token: SeLockMemoryPrivilege	4076	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4076	msiexec.exe
Token: SeMachineAccountPrivilege	4076	msiexec.exe
Token: SeTcbPrivilege	4076	msiexec.exe
Token: SeSecurityPrivilege	4076	msiexec.exe
Token: SeTakeOwnershipPrivilege	4076	msiexec.exe
Token: SeLoadDriverPrivilege	4076	msiexec.exe
Token: SeSystemProfilePrivilege	4076	msiexec.exe
Token: SeSystemtimePrivilege	4076	msiexec.exe
Token: SeProfSingleProcessPrivilege	4076	msiexec.exe
Token: SeIncBasePriorityPrivilege	4076	msiexec.exe
Token: SeCreatePagefilePrivilege	4076	msiexec.exe
Token: SeCreatePermanentPrivilege	4076	msiexec.exe
Token: SeBackupPrivilege	4076	msiexec.exe
Token: SeRestorePrivilege	4076	msiexec.exe
Token: SeShutdownPrivilege	4076	msiexec.exe
Token: SeDebugPrivilege	4076	msiexec.exe
Token: SeAuditPrivilege	4076	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4076	msiexec.exe
Token: SeChangeNotifyPrivilege	4076	msiexec.exe
Token: SeRemoteShutdownPrivilege	4076	msiexec.exe
Token: SeUndockPrivilege	4076	msiexec.exe
Token: SeSyncAgentPrivilege	4076	msiexec.exe
Token: SeEnableDelegationPrivilege	4076	msiexec.exe
Token: SeManageVolumePrivilege	4076	msiexec.exe
Token: SeImpersonatePrivilege	4076	msiexec.exe
Token: SeCreateGlobalPrivilege	4076	msiexec.exe
Token: SeCreateTokenPrivilege	4076	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4076	msiexec.exe
Token: SeLockMemoryPrivilege	4076	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4076	msiexec.exe
Token: SeMachineAccountPrivilege	4076	msiexec.exe
Token: SeTcbPrivilege	4076	msiexec.exe
Token: SeSecurityPrivilege	4076	msiexec.exe
Token: SeTakeOwnershipPrivilege	4076	msiexec.exe
Token: SeLoadDriverPrivilege	4076	msiexec.exe
Token: SeSystemProfilePrivilege	4076	msiexec.exe
Token: SeSystemtimePrivilege	4076	msiexec.exe
Token: SeProfSingleProcessPrivilege	4076	msiexec.exe
Token: SeIncBasePriorityPrivilege	4076	msiexec.exe
Token: SeCreatePagefilePrivilege	4076	msiexec.exe
Token: SeCreatePermanentPrivilege	4076	msiexec.exe
Token: SeBackupPrivilege	4076	msiexec.exe
Token: SeRestorePrivilege	4076	msiexec.exe
Token: SeShutdownPrivilege	4076	msiexec.exe
Token: SeDebugPrivilege	4076	msiexec.exe
Token: SeAuditPrivilege	4076	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4076	msiexec.exe
Token: SeChangeNotifyPrivilege	4076	msiexec.exe
Token: SeRemoteShutdownPrivilege	4076	msiexec.exe
Token: SeUndockPrivilege	4076	msiexec.exe
Token: SeSyncAgentPrivilege	4076	msiexec.exe
Token: SeEnableDelegationPrivilege	4076	msiexec.exe
Token: SeManageVolumePrivilege	4076	msiexec.exe
Token: SeImpersonatePrivilege	4076	msiexec.exe
Token: SeCreateGlobalPrivilege	4076	msiexec.exe
Token: SeCreateTokenPrivilege	4076	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4076	msiexec.exe
Token: SeLockMemoryPrivilege	4076	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

4076 msiexec.exe

pid	process
4076	msiexec.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.execmd.exemsiexec.exe6272167835D47591.exe6272167835D47591.execmd.execmd.execmd.exe

description	pid	process	target process
PID 832 wrote to memory of 4076	832	2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe	msiexec.exe
PID 832 wrote to memory of 4076	832	2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe	msiexec.exe
PID 832 wrote to memory of 4076	832	2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe	msiexec.exe
PID 832 wrote to memory of 2764	832	2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe	6272167835D47591.exe
PID 832 wrote to memory of 2764	832	2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe	6272167835D47591.exe
PID 832 wrote to memory of 2764	832	2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe	6272167835D47591.exe
PID 832 wrote to memory of 2456	832	2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe	6272167835D47591.exe
PID 832 wrote to memory of 2456	832	2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe	6272167835D47591.exe
PID 832 wrote to memory of 2456	832	2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe	6272167835D47591.exe
PID 832 wrote to memory of 196	832	2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe	cmd.exe
PID 832 wrote to memory of 196	832	2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe	cmd.exe
PID 832 wrote to memory of 196	832	2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe	cmd.exe
PID 196 wrote to memory of 3064	196	cmd.exe	PING.EXE
PID 196 wrote to memory of 3064	196	cmd.exe	PING.EXE
PID 196 wrote to memory of 3064	196	cmd.exe	PING.EXE
PID 2352 wrote to memory of 1192	2352	msiexec.exe	MsiExec.exe
PID 2352 wrote to memory of 1192	2352	msiexec.exe	MsiExec.exe
PID 2352 wrote to memory of 1192	2352	msiexec.exe	MsiExec.exe
PID 2456 wrote to memory of 384	2456	6272167835D47591.exe	cmd.exe
PID 2456 wrote to memory of 384	2456	6272167835D47591.exe	cmd.exe
PID 2456 wrote to memory of 384	2456	6272167835D47591.exe	cmd.exe
PID 2764 wrote to memory of 2348	2764	6272167835D47591.exe	firefox.exe
PID 2764 wrote to memory of 2348	2764	6272167835D47591.exe	firefox.exe
PID 2764 wrote to memory of 2348	2764	6272167835D47591.exe	firefox.exe
PID 2764 wrote to memory of 2348	2764	6272167835D47591.exe	firefox.exe
PID 2764 wrote to memory of 2348	2764	6272167835D47591.exe	firefox.exe
PID 2764 wrote to memory of 2348	2764	6272167835D47591.exe	firefox.exe
PID 384 wrote to memory of 4040	384	cmd.exe	taskkill.exe
PID 384 wrote to memory of 4040	384	cmd.exe	taskkill.exe
PID 384 wrote to memory of 4040	384	cmd.exe	taskkill.exe
PID 2764 wrote to memory of 2172	2764	6272167835D47591.exe	1611941213509.exe
PID 2764 wrote to memory of 2172	2764	6272167835D47591.exe	1611941213509.exe
PID 2764 wrote to memory of 2172	2764	6272167835D47591.exe	1611941213509.exe
PID 2456 wrote to memory of 2788	2456	6272167835D47591.exe	cmd.exe
PID 2456 wrote to memory of 2788	2456	6272167835D47591.exe	cmd.exe
PID 2456 wrote to memory of 2788	2456	6272167835D47591.exe	cmd.exe
PID 2788 wrote to memory of 3968	2788	cmd.exe	PING.EXE
PID 2788 wrote to memory of 3968	2788	cmd.exe	PING.EXE
PID 2788 wrote to memory of 3968	2788	cmd.exe	PING.EXE
PID 2764 wrote to memory of 1368	2764	6272167835D47591.exe	firefox.exe
PID 2764 wrote to memory of 1368	2764	6272167835D47591.exe	firefox.exe
PID 2764 wrote to memory of 1368	2764	6272167835D47591.exe	firefox.exe
PID 2764 wrote to memory of 1368	2764	6272167835D47591.exe	firefox.exe
PID 2764 wrote to memory of 1368	2764	6272167835D47591.exe	firefox.exe
PID 2764 wrote to memory of 1368	2764	6272167835D47591.exe	firefox.exe
PID 2764 wrote to memory of 2364	2764	6272167835D47591.exe	1611941215337.exe
PID 2764 wrote to memory of 2364	2764	6272167835D47591.exe	1611941215337.exe
PID 2764 wrote to memory of 2364	2764	6272167835D47591.exe	1611941215337.exe
PID 2764 wrote to memory of 3632	2764	6272167835D47591.exe	ThunderFW.exe
PID 2764 wrote to memory of 3632	2764	6272167835D47591.exe	ThunderFW.exe
PID 2764 wrote to memory of 3632	2764	6272167835D47591.exe	ThunderFW.exe
PID 2764 wrote to memory of 764	2764	6272167835D47591.exe	cmd.exe
PID 2764 wrote to memory of 764	2764	6272167835D47591.exe	cmd.exe
PID 2764 wrote to memory of 764	2764	6272167835D47591.exe	cmd.exe
PID 764 wrote to memory of 880	764	cmd.exe	PING.EXE
PID 764 wrote to memory of 880	764	cmd.exe	PING.EXE
PID 764 wrote to memory of 880	764	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe
"C:\Users\Admin\AppData\Local\Temp\2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe"
1⤵
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4076

C:\Users\Admin\AppData\Local\Temp\6272167835D47591.exe
C:\Users\Admin\AppData\Local\Temp\6272167835D47591.exe 0011 user01
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:2764

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
3⤵
PID:2348

C:\Users\Admin\AppData\Roaming\1611941213509.exe
"C:\Users\Admin\AppData\Roaming\1611941213509.exe" /sjson "C:\Users\Admin\AppData\Roaming\1611941213509.txt"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2172

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
3⤵
PID:1368

C:\Users\Admin\AppData\Roaming\1611941215337.exe
"C:\Users\Admin\AppData\Roaming\1611941215337.exe" /sjson "C:\Users\Admin\AppData\Roaming\1611941215337.txt"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2364

C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
3⤵
- Executes dropped EXE
PID:3632

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6272167835D47591.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
4⤵
- Runs ping.exe
PID:880

C:\Users\Admin\AppData\Local\Temp\6272167835D47591.exe
C:\Users\Admin\AppData\Local\Temp\6272167835D47591.exe 200 user01
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:2456

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:384

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
PID:4040

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\6272167835D47591.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
4⤵
- Runs ping.exe
PID:3968

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:196

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
3⤵
- Runs ping.exe
PID:3064

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 5E0226864AB29A2AF6A8A58D0E3436CC C
2⤵
- Loads dropped DLL
PID:1192

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6272167835D47591.exe
MD5
f7d7c89f3f5cbc925480b46b7b934157

SHA1
73e389b70cf3d8975ccbaf7d04f4c45cc80be860

SHA256
2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a

SHA512
9b972e2954c18f706a6f8012a6b76e1f4ce8e76466eae919b55a6225c4f8574586d9f11838d8d63bdd245b11cfd3e581248e9a578f72ff2dd8b6623bebc525eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\6272167835D47591.exe
MD5
f7d7c89f3f5cbc925480b46b7b934157

SHA1
73e389b70cf3d8975ccbaf7d04f4c45cc80be860

SHA256
2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a

SHA512
9b972e2954c18f706a6f8012a6b76e1f4ce8e76466eae919b55a6225c4f8574586d9f11838d8d63bdd245b11cfd3e581248e9a578f72ff2dd8b6623bebc525eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\6272167835D47591.exe
MD5
f7d7c89f3f5cbc925480b46b7b934157

SHA1
73e389b70cf3d8975ccbaf7d04f4c45cc80be860

SHA256
2870f899f2e9ec540da321f603cfb1a735dcd06df016718e663dc78fefdf5e0a

SHA512
9b972e2954c18f706a6f8012a6b76e1f4ce8e76466eae919b55a6225c4f8574586d9f11838d8d63bdd245b11cfd3e581248e9a578f72ff2dd8b6623bebc525eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA5EA.tmp
MD5
84878b1a26f8544bda4e069320ad8e7d

SHA1
51c6ee244f5f2fa35b563bffb91e37da848a759c

SHA256
809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444

SHA512
4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
MD5
f0372ff8a6148498b19e04203dbb9e69

SHA1
27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

SHA256
298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

SHA512
65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
MD5
f0372ff8a6148498b19e04203dbb9e69

SHA1
27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

SHA256
298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

SHA512
65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdiview.msi
MD5
7cc103f6fd70c6f3a2d2b9fca0438182

SHA1
699bd8924a27516b405ea9a686604b53b4e23372

SHA256
dbd9f2128f0b92b21ef99a1d7a0f93f14ebe475dba436d8b1562677821b918a1

SHA512
92ec9590e32a0cf810fc5d15ca9d855c86e5b8cb17cf45dd68bcb972bd78692436535adf9f510259d604e0a8ba2e25c6d2616df242261eb7b09a0ca5c6c2c128

Download Submit
C:\Users\Admin\AppData\Roaming\1611941213509.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1611941213509.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1611941213509.txt
MD5
f3a55ae79aa1a18000ccac4d16761dcd

SHA1
7e2cf5c2a7147b4b172bd9347bbf45aca6beb0f3

SHA256
a77561badbf13eef0e2b0d278d81d7847bfa26c8f3765c2fb798ab4187675575

SHA512
5184cb5cc3278cccf387e7e576587fa33c87d62df1249d20542257443fb36ca67a71f63775c241dcb982542abfcb0918d29edc333addb234b0a46db29fd5c168

Download Submit
C:\Users\Admin\AppData\Roaming\1611941215337.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1611941215337.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1611941215337.txt
MD5
f3a55ae79aa1a18000ccac4d16761dcd

SHA1
7e2cf5c2a7147b4b172bd9347bbf45aca6beb0f3

SHA256
a77561badbf13eef0e2b0d278d81d7847bfa26c8f3765c2fb798ab4187675575

SHA512
5184cb5cc3278cccf387e7e576587fa33c87d62df1249d20542257443fb36ca67a71f63775c241dcb982542abfcb0918d29edc333addb234b0a46db29fd5c168

Download Submit
\Users\Admin\AppData\Local\Temp\MSIA5EA.tmp
MD5
84878b1a26f8544bda4e069320ad8e7d

SHA1
51c6ee244f5f2fa35b563bffb91e37da848a759c

SHA256
809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444

SHA512
4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549

Download Submit
memory/196-10-0x0000000000000000-mapping.dmp

Download
memory/384-19-0x0000000000000000-mapping.dmp

Download
memory/764-40-0x0000000000000000-mapping.dmp

Download
memory/832-2-0x0000000010000000-0x000000001033C000-memory.dmp

Filesize
3.2MB

Download
memory/880-41-0x0000000000000000-mapping.dmp

Download
memory/1192-14-0x0000000000000000-mapping.dmp

Download
memory/1368-35-0x000002474B270000-0x000002474B271000-memory.dmp

Filesize
4KB

Download
memory/1368-30-0x00007FF7F13D8270-mapping.dmp

Download
memory/2172-24-0x0000000000000000-mapping.dmp

Download
memory/2348-20-0x00007FF7F13D8270-mapping.dmp

Download
memory/2348-22-0x0000000010000000-0x0000000010057000-memory.dmp

Filesize
348KB

Download
memory/2348-23-0x00000169166E0000-0x00000169166E1000-memory.dmp

Filesize
4KB

Download
memory/2364-31-0x0000000000000000-mapping.dmp

Download
memory/2456-6-0x0000000000000000-mapping.dmp

Download
memory/2456-17-0x0000000003800000-0x0000000003CAF000-memory.dmp

Filesize
4.7MB

Download
memory/2764-12-0x0000000010000000-0x000000001033C000-memory.dmp

Filesize
3.2MB

Download
memory/2764-18-0x0000000003740000-0x0000000003BEF000-memory.dmp

Filesize
4.7MB

Download
memory/2764-5-0x0000000000000000-mapping.dmp

Download
memory/2788-27-0x0000000000000000-mapping.dmp

Download
memory/3064-11-0x0000000000000000-mapping.dmp

Download
memory/3632-37-0x0000000000000000-mapping.dmp

Download
memory/3968-28-0x0000000000000000-mapping.dmp

Download
memory/4040-21-0x0000000000000000-mapping.dmp

Download
memory/4076-3-0x0000000000000000-mapping.dmp

Download