Analysis
max time kernel: 24s
max time network: 112s
platform: windows10_x64
resource: win10v20201028
submitted: 30-01-2021 17:06
Static task: static1
Behavioral task: behavioral1
  Sample: 5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5.exe
  Resource: win10v20201028
General
Target: 5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5.exe
Size: 4.8MB
MD5: 013eba0050ebe18e39978e89a56c0fab
SHA1: 85ef7c03d70e2cc7095550ce15f140e78d05f3ad
SHA256: 5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5
SHA512: 159a723e036b86996f715c460756a047436396dc20afd1a62715c734be5ab0fdc6c213fe492201142f695bf33396a49ee34010b3a9c52751b527270a2cd6af05
Malware Config
Signatures

Nirsoft 2 IoCs
resource | yara_rule
C:\Users\Admin\AppData\Roaming\1612029758989.exe | Nirsoft
C:\Users\Admin\AppData\Roaming\1612029758989.exe | Nirsoft
Executes dropped EXE 2 IoCs
pid | process
2008 | 1612029758989.exe
2624 | ThunderFW.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
All six events are from 5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5.exe.
description | ioc
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc
Modifies system certificate store 2 IoCs
The sample writes a certificate (SHA-1 thumbprint 6C0CE2DD0584C47CAC18839F14055F19FA270CDD) into the machine-wide trusted root store. Both events are from 5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5.exe.
description | ioc
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = <blob data omitted>
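The two registry signatures above (SCSI device enumeration and writes to the ROOT certificate store) can be reproduced from raw registry events. The following is an added example, not part of the report or of the sandbox's own signature logic: the event shape (pid, process, op, path), the constructed SAMPLE events modelled on the IoCs above (with the certificate Blob replaced by a placeholder) and the VM_MARKERS list are this example's assumptions.

```python
"""Registry-event triage: SCSI device enumeration (sandbox/VM fingerprinting)
and writes to the machine ROOT certificate store.

Added example, not part of the original report. SAMPLE is constructed to
mirror the queries and writes listed above; the matching rules are this
example's own, not the sandbox's signature logic.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class RegEvent:
    pid: int
    process: str
    op: str    # "Key opened", "Key value queried", "Key created", "Set value (data)"
    path: str  # key path; for value operations the value name is the last component
    data: str = ""


# Device keys under Enum\SCSI; FriendlyName/DeviceDesc carry the vendor and
# product strings that VM-aware samples compare against known hypervisors.
SCSI_ENUM = re.compile(
    r"^\\REGISTRY\\MACHINE\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)\\Enum\\SCSI\\",
    re.IGNORECASE,
)
# <type>&Ven_<vendor>&Prod_<product>\<instance id>
SCSI_ID = re.compile(r"\\Enum\\SCSI\\([^&\\]+)&Ven_([^&\\]*)&Prod_([^\\]*)\\", re.IGNORECASE)
# Machine-wide trusted root store; the last key component is the SHA-1 thumbprint.
ROOT_STORE = re.compile(
    r"^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates"
    r"\\([0-9A-F]{40})(?:\\|$)",
    re.IGNORECASE,
)
WRITE_OPS = {"Key created", "Set value (data)"}
# Substrings a VM check typically looks for in device names (assumed list).
# The sandbox above exposes "HeartDisk" and "Sanu DVD-ROM" instead, so none match.
VM_MARKERS = ("VBOX", "VMWARE", "QEMU", "VIRTUAL", "XEN")


def classify(events: List[RegEvent]) -> Dict[str, list]:
    """Bucket events into the two behaviours; everything else is ignored."""
    out: Dict[str, list] = {"scsi_queries": [], "root_cert_writes": []}
    for ev in events:
        if SCSI_ENUM.match(ev.path):
            out["scsi_queries"].append(ev)
        m = ROOT_STORE.match(ev.path)
        if m and ev.op in WRITE_OPS:
            out["root_cert_writes"].append((ev.pid, m.group(1).upper()))
    return out


def injected_thumbprints(events: List[RegEvent]) -> List[str]:
    """Thumbprints written to the ROOT store: what to hunt for on other hosts."""
    return sorted({tp for _, tp in classify(events)["root_cert_writes"]})


def parse_scsi_id(path: str) -> Tuple[str, str, str]:
    """(device type, vendor, product) from a SCSI enumeration key, upper-cased."""
    m = SCSI_ID.search(path)
    if not m:
        raise ValueError(f"not a SCSI device key: {path}")
    return tuple(part.upper() for part in m.groups())  # type: ignore[return-value]


def scsi_devices(events: List[RegEvent]) -> Set[Tuple[str, str, str]]:
    """Distinct devices whose identity the sample could learn from its queries."""
    return {parse_scsi_id(ev.path) for ev in classify(events)["scsi_queries"]}


def device_looks_virtual(name: str) -> bool:
    """The check a VM-aware sample performs on a FriendlyName/DeviceDesc value."""
    return any(marker in name.upper() for marker in VM_MARKERS)


SAMPLE_EXE = "5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5.exe"
_SCSI = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI"
_ROOT = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates"
# Constructed events, modelled on the report's IoCs.
SAMPLE = [
    RegEvent(640, SAMPLE_EXE, "Key value queried", _SCSI + r"\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName"),
    RegEvent(640, SAMPLE_EXE, "Key opened", _SCSI + r"\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000"),
    RegEvent(640, SAMPLE_EXE, "Key value queried", _SCSI + r"\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc"),
    RegEvent(640, SAMPLE_EXE, "Key value queried", _SCSI + r"\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName"),
    RegEvent(640, SAMPLE_EXE, "Key opened", _SCSI + r"\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000"),
    RegEvent(640, SAMPLE_EXE, "Key value queried", _SCSI + r"\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc"),
    RegEvent(640, SAMPLE_EXE, "Key created", _ROOT + r"\6C0CE2DD0584C47CAC18839F14055F19FA270CDD"),
    RegEvent(640, SAMPLE_EXE, "Set value (data)", _ROOT + r"\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob", "<blob omitted>"),
]

if __name__ == "__main__":
    result = classify(SAMPLE)
    print(f"SCSI queries: {len(result['scsi_queries'])}, devices: {scsi_devices(SAMPLE)}")
    print("ROOT thumbprints written:", injected_thumbprints(SAMPLE))
```

The thumbprint list is the actionable output: a certificate added to the machine ROOT store survives the sample deleting itself, so `injected_thumbprints` is what to sweep other hosts for. `scsi_devices` shows why the sandbox renames its virtual disk and DVD-ROM; the same `device_looks_virtual` check against an unmodified hypervisor would otherwise return true.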
Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | process
2008 | 1612029758989.exe
2008 | 1612029758989.exe
Suspicious use of WriteProcessMemory 12 IoCs
Each write is reported three times. Every source/target pair is a parent writing into a child it has just created (see the process tree below), which is consistent with ordinary process start-up rather than injection into a foreign process.
source pid | source process | target pid | target process | events
640 | 5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5.exe | 2008 | 1612029758989.exe | 3
640 | 5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5.exe | 2624 | ThunderFW.exe | 3
640 | 5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5.exe | 2124 | cmd.exe | 3
2124 | cmd.exe | 4000 | PING.EXE | 3
Processes
C:\Users\Admin\AppData\Local\Temp\5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5.exe"
  - Checks SCSI registry key(s)
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\1612029758989.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\1612029758989.exe" /sjson "C:\Users\Admin\AppData\Roaming\1612029758989.txt"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

  C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
    - Executes dropped EXE

  C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping 127.0.0.1 -n 3
      - Runs ping.exe

Reading the tree: the dropped 1612029758989.exe (matched by the Nirsoft YARA rule above) is run with /sjson, the switch NirSoft command-line tools use to save their output as JSON, here to 1612029758989.txt in the same directory. MiniThunderPlatform.exe is passed to ThunderFW.exe on the command line but does not appear among the dropped files listed under Downloads. The cmd.exe chain is the sample's clean-up: three pings to 127.0.0.1 delay long enough for the parent to exit, then del removes the original executable from Temp.
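The tree above can be rebuilt from process-creation events, and the ping-then-del chain recognised as self-deletion because the path given to del is the image of an ancestor process. The following is an added example, not code from the report or the sandbox: the event shape (pid, ppid, image, cmdline), the use of ppid 0 for the sandbox launcher, the constructed SAMPLE events mirroring the five processes above, and the detection regexes are this example's own assumptions.

```python
"""Rebuild the process tree from process-creation events and flag the
"ping, then del" self-removal chain shown above.

Added example, not part of the original report. SAMPLE is constructed to
mirror the report's tree (PIDs 640, 2008, 2624, 2124, 4000); the detection
rules are this example's own, not the sandbox's.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple


@dataclass
class Proc:
    pid: int
    ppid: int      # 0 marks a process started by the sandbox itself (constructed)
    image: str
    cmdline: str


# "ping 127.0.0.1 -n 3 & del <file>" (timeout/erase variants included): the
# ping loop stalls long enough for the parent to exit, so its image is no
# longer locked when del runs. Group 1 is the deleted path.
DELAY_THEN_DELETE = re.compile(
    r'\b(?:ping|timeout)\b.*?&\s*(?:del|erase)\b\s+(?:/\w\s+)*"?([^"&]+?)"?\s*$',
    re.IGNORECASE,
)
# NirSoft command-line tools share the /s<format> switches for saving their
# report; /sjson writes it as JSON.
NIRSOFT_SAVE = re.compile(r"\s/s(?:text|tab|comma|html|verhtml|xml|json)\b", re.IGNORECASE)


def render(procs: List[Proc], root_ppid: int = 0) -> List[str]:
    """One indented line per process, children under their parent."""
    by_parent: Dict[int, List[Proc]] = {}
    for p in procs:
        by_parent.setdefault(p.ppid, []).append(p)
    lines: List[str] = []

    def walk(ppid: int, depth: int) -> None:
        for p in by_parent.get(ppid, []):
            lines.append("  " * depth + f"[{p.pid}] {p.cmdline}")
            walk(p.pid, depth + 1)

    walk(root_ppid, 0)
    return lines


def ancestors(procs: List[Proc], pid: int) -> Iterator[Proc]:
    """Walk up the tree from pid, yielding each known ancestor."""
    by_pid = {p.pid: p for p in procs}
    p = by_pid.get(pid)
    while p is not None and p.ppid in by_pid:
        p = by_pid[p.ppid]
        yield p


def find_self_delete(procs: List[Proc]) -> List[Tuple[int, int, str]]:
    """(deleting pid, ancestor pid, path) where a delete targets an ancestor's own image."""
    hits = []
    for p in procs:
        m = DELAY_THEN_DELETE.search(p.cmdline)
        if not m:
            continue
        target = m.group(1).strip()
        for anc in ancestors(procs, p.pid):
            if anc.image.casefold() == target.casefold():
                hits.append((p.pid, anc.pid, target))
    return hits


def find_nirsoft_dumps(procs: List[Proc]) -> List[int]:
    """PIDs invoked with a NirSoft save switch, i.e. writing a tool report to disk."""
    return [p.pid for p in procs if NIRSOFT_SAVE.search(p.cmdline)]


_TEMP = r"C:\Users\Admin\AppData\Local\Temp"
_ROAM = r"C:\Users\Admin\AppData\Roaming"
SAMPLE_EXE = _TEMP + r"\5fa60303a0c4fd13ecd69e7c1a17788b72605473c2fb3f93eb758010326c76e5.exe"
# Constructed events modelled on the tree above.
SAMPLE = [
    Proc(640, 0, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    Proc(2008, 640, _ROAM + r"\1612029758989.exe",
         f'"{_ROAM}\\1612029758989.exe" /sjson "{_ROAM}\\1612029758989.txt"'),
    Proc(2624, 640, _TEMP + r"\download\ThunderFW.exe",
         f'{_TEMP}\\download\\ThunderFW.exe ThunderFW "{_TEMP}\\download\\MiniThunderPlatform.exe"'),
    Proc(2124, 640, r"C:\Windows\SysWOW64\cmd.exe",
         f'cmd /c ping 127.0.0.1 -n 3 & del "{SAMPLE_EXE}"'),
    Proc(4000, 2124, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -n 3"),
]

if __name__ == "__main__":
    print("\n".join(render(SAMPLE)))
    print("self-delete:", find_self_delete(SAMPLE))
    print("NirSoft report dumps:", find_nirsoft_dumps(SAMPLE))
```

Matching the deleted path against an ancestor's image, rather than just flagging any `ping & del`, is what separates self-removal from a legitimate script that deletes a temp file after a delay. Because the original executable is gone by the time an analyst arrives, the detection also needs the parent's image path from the creation event, not from the file system.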
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
  MD5: f0372ff8a6148498b19e04203dbb9e69
  SHA1: 27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8
  SHA256: 298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf
  SHA512: 65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865
C:\Users\Admin\AppData\Roaming\1612029758989.exe
  MD5: ef6f72358cb02551caebe720fbc55f95
  SHA1: b5ee276e8d479c270eceb497606bd44ee09ff4b8
  SHA256: 6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5
  SHA512: ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90
Memory dumps
memory/640-2-0x0000000010000000-0x00000000103E9000-memory.dmp (filesize 3.9MB)
memory/2008-3-0x0000000000000000-mapping.dmp
memory/2124-9-0x0000000000000000-mapping.dmp
memory/2624-6-0x0000000000000000-mapping.dmp
memory/4000-10-0x0000000000000000-mapping.dmp