5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5

General

Target

5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5.exe
Size

4.8MB
MD5

013eba0050ebe18e39978e89a56c0fab
SHA1

85ef7c03d70e2cc7095550ce15f140e78d05f3ad
SHA256

5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5
SHA512

159a723e036b86996f715c460756a047436396dc20afd1a62715c734be5ab0fdc6c213fe492201142f695bf33396a49ee34010b3a9c52751b527270a2cd6af05

Score

9^/10

spyware

Malware Config

Signatures

Nirsoft 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\1612029758989.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\1612029758989.exe	Nirsoft

Executes dropped EXE 2 IoCs

Processes:

1612029758989.exeThunderFW.exe

pid process

2008 1612029758989.exe
2624 ThunderFW.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2008	1612029758989.exe
2624	ThunderFW.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4000 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1612029758989.exe

pid process

2008 1612029758989.exe
2008 1612029758989.exe

pid	process
4000	PING.EXE

pid	process
2008	1612029758989.exe
2008	1612029758989.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5.execmd.exe

description	pid	process	target process
PID 640 wrote to memory of 2008	640	5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5.exe	1612029758989.exe
PID 640 wrote to memory of 2008	640	5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5.exe	1612029758989.exe
PID 640 wrote to memory of 2008	640	5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5.exe	1612029758989.exe
PID 640 wrote to memory of 2624	640	5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5.exe	ThunderFW.exe
PID 640 wrote to memory of 2624	640	5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5.exe	ThunderFW.exe
PID 640 wrote to memory of 2624	640	5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5.exe	ThunderFW.exe
PID 640 wrote to memory of 2124	640	5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5.exe	cmd.exe
PID 640 wrote to memory of 2124	640	5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5.exe	cmd.exe
PID 640 wrote to memory of 2124	640	5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5.exe	cmd.exe
PID 2124 wrote to memory of 4000	2124	cmd.exe	PING.EXE
PID 2124 wrote to memory of 4000	2124	cmd.exe	PING.EXE
PID 2124 wrote to memory of 4000	2124	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5.exe
"C:\Users\Admin\AppData\Local\Temp\5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5.exe"
1⤵
- Checks SCSI registry key(s)
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:640

C:\Users\Admin\AppData\Roaming\1612029758989.exe
"C:\Users\Admin\AppData\Roaming\1612029758989.exe" /sjson "C:\Users\Admin\AppData\Roaming\1612029758989.txt"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2008

C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
2⤵
- Executes dropped EXE
PID:2624

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
3⤵
- Runs ping.exe
PID:4000

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
MD5
f0372ff8a6148498b19e04203dbb9e69

SHA1
27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

SHA256
298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

SHA512
65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
MD5
f0372ff8a6148498b19e04203dbb9e69

SHA1
27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

SHA256
298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

SHA512
65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

Download Submit
C:\Users\Admin\AppData\Roaming\1612029758989.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1612029758989.exe
MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
memory/640-2-0x0000000010000000-0x00000000103E9000-memory.dmp

Filesize
3.9MB

Download
memory/2008-3-0x0000000000000000-mapping.dmp

Download
memory/2124-9-0x0000000000000000-mapping.dmp

Download
memory/2624-6-0x0000000000000000-mapping.dmp

Download
memory/4000-10-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads