Analysis
- max time kernel: 151s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 14:19

Static task: static1

Behavioral task: behavioral1
  Sample: tmp.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: tmp.exe
  Resource: win10v2004-20220414-en
General
- Target: tmp.exe
- Size: 4.4MB
- MD5: 5c32a7b913fdf22a2f3d81f7b5234bf6
- SHA1: de8c6c01fb843dd56f5d57f8537fa26ecb8f281a
- SHA256: d804e36628f5760ecbf0b3559a540d0d65e482094595b6917b51b8c93a1034f6
- SHA512: 2f350548a3ffcc9c20d008467aaf8f424e198ede49e0f556ec676175f437f2d764b0799686ce4bfe966906b2036bb0efd37e583531022ad0889a1128401abefe
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    2028  7za.exe
    1584  MiniThunderPlatform.exe
- Loads dropped DLL (15 IoCs)
  Processes:
    pid   process
    1276  tmp.exe (7 entries)
    1584  MiniThunderPlatform.exe (8 entries)
- Writes to the Master Boot Record (MBR) (1 TTPs, 2 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes:
    description                   ioc                 process
    File opened for modification  \??\PhysicalDrive0  tmp.exe
    File opened for modification  \??\PhysicalDrive0  MiniThunderPlatform.exe
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes:
    pid   process
    1276  tmp.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    description                 pid   process
    Token: SeRestorePrivilege   2028  7za.exe
    Token: 35                   2028  7za.exe
    Token: SeSecurityPrivilege  2028  7za.exe
    Token: SeSecurityPrivilege  2028  7za.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes:
    pid   process
    1276  tmp.exe (4 entries)
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes:
    pid   process
    1276  tmp.exe (4 entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid   process
    1276  tmp.exe (2 entries)
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                       pid   process  target process
    PID 1276 wrote to memory of 2028  1276  tmp.exe  7za.exe (4 entries)
    PID 1276 wrote to memory of 1584  1276  tmp.exe  MiniThunderPlatform.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7za.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\\7za.exe" x "C:\Users\Admin\AppData\Local\Temp\\downloader.7z" -o"C:\Users\Admin\AppData\Local\Temp\" -aoa
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\7za.exe
  Filesize: 736KB
  MD5: ea1ee87d7eb2d36ba9fdcf24263cd528
  SHA1: ff22c6ac17187c0af8155000d1937cd6f5a5b34d
  SHA256: 9706c2ddd91e24317de3ba2f0c3deddf5424384e32b2cfd39ffd3a74c05f5ff9
  SHA512: 2f31f9c47fbaa97a994e1dcb149921d515ad2408ee0fa0a016e5e173569b96ef27e2cfd5af4e86e622276e509dea3fdff8469284d60a69ee270c35100b7422cc
- C:\Users\Admin\AppData\Local\Temp\DlMgr.dll
  Filesize: 181KB
  MD5: 1341d73573697c6af12d21911f913511
  SHA1: d48fedeea2cc8c60c3518af8741c7c9b0bad4f32
  SHA256: 295dcdb341098c8f1e402845b02d158cfe8543acfe651c06ce5e1845bead7b03
  SHA512: d937cfbbfc2b3252b7c078d7a0ae91a06fe4495dd9ebb116c5c68302f8819d71a3f8d0a017e31ef4447d7aa758f450873ddd3c36237bd3aea470aba68652c0bf
- C:\Users\Admin\AppData\Local\Temp\download\ATL71.DLL
  Filesize: 87KB
  MD5: 79cb6457c81ada9eb7f2087ce799aaa7
  SHA1: 322ddde439d9254182f5945be8d97e9d897561ae
  SHA256: a68e1297fae2bcf854b47ffa444f490353028de1fa2ca713b6cf6cc5aa22b88a
  SHA512: eca4b91109d105b2ce8c40710b8e3309c4cc944194843b7930e06daf3d1df6ae85c1b7063036c7e5cd10276e5e5535b33e49930adbad88166228316283d011b8
- C:\Users\Admin\AppData\Local\Temp\download\MSVCP71.dll
  Filesize: 492KB
  MD5: a94dc60a90efd7a35c36d971e3ee7470
  SHA1: f936f612bc779e4ba067f77514b68c329180a380
  SHA256: 6c483cbe349863c7dcf6f8cb7334e7d28c299e7d5aa063297ea2f62352f6bdd9
  SHA512: ff6c41d56337cac074582002d60cbc57263a31480c67ee8999bc02fc473b331eefed93ee938718d297877cf48471c7512741b4aebc0636afc78991cdf6eddfab
- C:\Users\Admin\AppData\Local\Temp\download\MSVCR71.dll
  Filesize: 340KB
  MD5: ca2f560921b7b8be1cf555a5a18d54c3
  SHA1: 432dbcf54b6f1142058b413a9d52668a2bde011d
  SHA256: c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb
  SHA512: 23e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e
- C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
  Filesize: 258KB
  MD5: a83ef2375ccc10030e64508e1a802ad4
  SHA1: 58f46307be974f0e2ed2e9115bc1243ba6538e3c
  SHA256: e3bf11413cefdcd810f047061e70f06a422e22fb36ee66007336c3b28cb073b3
  SHA512: c6995312041e14b81a63690e2accb7c9e209ecaae092ab8f381d3cfef9be815b0cd07f19a1279ee18b0da96e0fa9ae6efd24ae053215e96d34c4fcd7d8d62f67
- C:\Users\Admin\AppData\Local\Temp\download\XLBugHandler.dll
  Filesize: 98KB
  MD5: 92154e720998acb6fa0f7bad63309470
  SHA1: 385817793b9f894ca3dd3bac20b269652df6cbc6
  SHA256: 1845df41da539bca264f59365bf7453b686b9098cc94cd0e2b9a20c74a561096
  SHA512: 37ba81f338af7de7ef2ac6bcf67b3aec96f9b748830ee3c0b152029871f7701e917b94a6b51acd7be6f8f02aea2b25f3b14ced1a218bf4868af04f5207bb5fff
- C:\Users\Admin\AppData\Local\Temp\download\XLBugReport.exe
  Filesize: 242KB
  MD5: 67c767470d0893c4a2e46be84c9afcbb
  SHA1: 00291089b13a93f82ee49a11156521f13ea605cd
  SHA256: 64f8d68cc1cfc5b9cc182df3becf704af93d0f1cc93ee59dbf682c75b6d4ffc0
  SHA512: d5d3a96dec616b0ab0cd0586fa0cc5a10ba662e0d5e4de4d849ac62ca5d60ec133f54d109d1d130b5f99ae73e7abfb284ec7d5ba55dca1a4f354c6af73c00e35
- C:\Users\Admin\AppData\Local\Temp\download\dl_peer_id.dll
  Filesize: 89KB
  MD5: dba9a19752b52943a0850a7e19ac600a
  SHA1: 3485ac30cd7340eccb0457bca37cf4a6dfda583d
  SHA256: 69a5e2a51094dc8f30788d63243b12a0eb2759a3f3c3a159b85fd422fc00ac26
  SHA512: a42c1ec5594c6f6cae10524cdad1f9da2bdc407f46e685e56107de781b9bce8210a8cd1a53edacd61365d37a1c7ceba3b0891343cf2c31d258681e3bf85049d3
- C:\Users\Admin\AppData\Local\Temp\download\download_engine.dll
  Filesize: 3.2MB
  MD5: 3c2b7b3ff7de18fe47a77b712ff00a00
  SHA1: 6d1768acfdee1efb942ef3c28934e127659125ef
  SHA256: 4360f3b0dc6ae9aa5b7fb6a6e170e09505bf01df3e42846f2e5270d186f9fa06
  SHA512: 6a795af49d14bcd8fb37a2d36788e226f0f4a040a46c7bbb683fc2b8f4eb18d60b992ea414a89f4ed8020c6b2235c1e490e2924b935e24649a81f890ae78cfce
- C:\Users\Admin\AppData\Local\Temp\download\id.dat
  Filesize: 44B
  MD5: 86092aebe0515cc017bc94d41ec484d7
  SHA1: faf2ae219e716bb657a9efe7e110a505a669acc9
  SHA256: f777dbd890ca94566d95d21d0398bff7c52f2d8c8825218322910d7b913687ce
  SHA512: bce95deabef04d2c3ebf85fa8ea9b2a2739bbac89d803316273cfb56dc08b5090d91b20296363b0ccfd427bc7448a717393490f3b11b50420c03c7cf918b0323
- C:\Users\Admin\AppData\Local\Temp\download\zlib1.dll
  Filesize: 58KB
  MD5: 89f6488524eaa3e5a66c5f34f3b92405
  SHA1: 330f9f6da03ae96dfa77dd92aae9a294ead9c7f7
  SHA256: bd29d2b1f930e4b660adf71606d1b9634188b7160a704a8d140cadafb46e1e56
  SHA512: cfe72872c89c055d59d4de07a3a14cd84a7e0a12f166e018748b9674045b694793b6a08863e791be4f9095a34471fd6abe76828dc8c653be8c66923a5802b31e
- C:\Users\Admin\AppData\Local\Temp\downloader.7z
  Filesize: 1.5MB
  MD5: 50a4726d12aed1ccea812c928f625cc6
  SHA1: 7adc625d70adbc685d7363cafcd9781ea7fbbc11
  SHA256: f8efe43c4635d278041d4c41f098827ab79189c16df93203a5f13c31d5019527
  SHA512: f2140c1cd49b56a170aef22267f2621c8d790b3cd95f4d53c5448bf5b029d6b673bbb3ff4477699a59c2405019e63741d16724a655f0c1284c852a0bd0909e61
- C:\Users\Admin\AppData\Local\Temp\xldl.dll
  Filesize: 242KB
  MD5: e914a9df187d217c0a1715eaba4eec2a
  SHA1: db662eab8b2da3bf56821ec23b0c2ed1dc8d9b63
  SHA256: 95934dae479fc68db1e6cc4517ca0bbd5a72b4fc299062cf4033b87f7fe03660
  SHA512: 996e1de053b588b3a8b9e6fb1c8cd3d2fad9c7f26b4a13c486ec95f4fa00aadbba42af2781678aaddbef872fdbb9e7c3d6c02c72b3d8c3833be3e4b007b73818
- \Users\Admin\AppData\Local\Temp\7za.exe
  Filesize: 736KB
  MD5: ea1ee87d7eb2d36ba9fdcf24263cd528
  SHA1: ff22c6ac17187c0af8155000d1937cd6f5a5b34d
  SHA256: 9706c2ddd91e24317de3ba2f0c3deddf5424384e32b2cfd39ffd3a74c05f5ff9
  SHA512: 2f31f9c47fbaa97a994e1dcb149921d515ad2408ee0fa0a016e5e173569b96ef27e2cfd5af4e86e622276e509dea3fdff8469284d60a69ee270c35100b7422cc
- \Users\Admin\AppData\Local\Temp\DlMgr.dll
  Filesize: 181KB
  MD5: 1341d73573697c6af12d21911f913511
  SHA1: d48fedeea2cc8c60c3518af8741c7c9b0bad4f32
  SHA256: 295dcdb341098c8f1e402845b02d158cfe8543acfe651c06ce5e1845bead7b03
  SHA512: d937cfbbfc2b3252b7c078d7a0ae91a06fe4495dd9ebb116c5c68302f8819d71a3f8d0a017e31ef4447d7aa758f450873ddd3c36237bd3aea470aba68652c0bf
- \Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
  Filesize: 258KB
  MD5: a83ef2375ccc10030e64508e1a802ad4
  SHA1: 58f46307be974f0e2ed2e9115bc1243ba6538e3c
  SHA256: e3bf11413cefdcd810f047061e70f06a422e22fb36ee66007336c3b28cb073b3
  SHA512: c6995312041e14b81a63690e2accb7c9e209ecaae092ab8f381d3cfef9be815b0cd07f19a1279ee18b0da96e0fa9ae6efd24ae053215e96d34c4fcd7d8d62f67
- \Users\Admin\AppData\Local\Temp\download\XLBugHandler.dll
  Filesize: 98KB
  MD5: 92154e720998acb6fa0f7bad63309470
  SHA1: 385817793b9f894ca3dd3bac20b269652df6cbc6
  SHA256: 1845df41da539bca264f59365bf7453b686b9098cc94cd0e2b9a20c74a561096
  SHA512: 37ba81f338af7de7ef2ac6bcf67b3aec96f9b748830ee3c0b152029871f7701e917b94a6b51acd7be6f8f02aea2b25f3b14ced1a218bf4868af04f5207bb5fff
- \Users\Admin\AppData\Local\Temp\download\atl71.dll
  Filesize: 87KB
  MD5: 79cb6457c81ada9eb7f2087ce799aaa7
  SHA1: 322ddde439d9254182f5945be8d97e9d897561ae
  SHA256: a68e1297fae2bcf854b47ffa444f490353028de1fa2ca713b6cf6cc5aa22b88a
  SHA512: eca4b91109d105b2ce8c40710b8e3309c4cc944194843b7930e06daf3d1df6ae85c1b7063036c7e5cd10276e5e5535b33e49930adbad88166228316283d011b8
- \Users\Admin\AppData\Local\Temp\download\dl_peer_id.dll
  Filesize: 89KB
  MD5: dba9a19752b52943a0850a7e19ac600a
  SHA1: 3485ac30cd7340eccb0457bca37cf4a6dfda583d
  SHA256: 69a5e2a51094dc8f30788d63243b12a0eb2759a3f3c3a159b85fd422fc00ac26
  SHA512: a42c1ec5594c6f6cae10524cdad1f9da2bdc407f46e685e56107de781b9bce8210a8cd1a53edacd61365d37a1c7ceba3b0891343cf2c31d258681e3bf85049d3
- \Users\Admin\AppData\Local\Temp\download\download_engine.dll
  Filesize: 3.2MB
  MD5: 3c2b7b3ff7de18fe47a77b712ff00a00
  SHA1: 6d1768acfdee1efb942ef3c28934e127659125ef
  SHA256: 4360f3b0dc6ae9aa5b7fb6a6e170e09505bf01df3e42846f2e5270d186f9fa06
  SHA512: 6a795af49d14bcd8fb37a2d36788e226f0f4a040a46c7bbb683fc2b8f4eb18d60b992ea414a89f4ed8020c6b2235c1e490e2924b935e24649a81f890ae78cfce
- \Users\Admin\AppData\Local\Temp\download\msvcp71.dll
  Filesize: 492KB
  MD5: a94dc60a90efd7a35c36d971e3ee7470
  SHA1: f936f612bc779e4ba067f77514b68c329180a380
  SHA256: 6c483cbe349863c7dcf6f8cb7334e7d28c299e7d5aa063297ea2f62352f6bdd9
  SHA512: ff6c41d56337cac074582002d60cbc57263a31480c67ee8999bc02fc473b331eefed93ee938718d297877cf48471c7512741b4aebc0636afc78991cdf6eddfab
- \Users\Admin\AppData\Local\Temp\download\msvcr71.dll
  Filesize: 340KB
  MD5: ca2f560921b7b8be1cf555a5a18d54c3
  SHA1: 432dbcf54b6f1142058b413a9d52668a2bde011d
  SHA256: c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb
  SHA512: 23e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e
- \Users\Admin\AppData\Local\Temp\download\zlib1.dll
  Filesize: 58KB
  MD5: 89f6488524eaa3e5a66c5f34f3b92405
  SHA1: 330f9f6da03ae96dfa77dd92aae9a294ead9c7f7
  SHA256: bd29d2b1f930e4b660adf71606d1b9634188b7160a704a8d140cadafb46e1e56
  SHA512: cfe72872c89c055d59d4de07a3a14cd84a7e0a12f166e018748b9674045b694793b6a08863e791be4f9095a34471fd6abe76828dc8c653be8c66923a5802b31e
- \Users\Admin\AppData\Local\Temp\xldl.dll
  Filesize: 242KB
  MD5: e914a9df187d217c0a1715eaba4eec2a
  SHA1: db662eab8b2da3bf56821ec23b0c2ed1dc8d9b63
  SHA256: 95934dae479fc68db1e6cc4517ca0bbd5a72b4fc299062cf4033b87f7fe03660
  SHA512: 996e1de053b588b3a8b9e6fb1c8cd3d2fad9c7f26b4a13c486ec95f4fa00aadbba42af2781678aaddbef872fdbb9e7c3d6c02c72b3d8c3833be3e4b007b73818
- memory/1276-54-0x0000000076C01000-0x0000000076C03000-memory.dmp
  Filesize: 8KB
- memory/1584-80-0x000000006FFF0000-0x0000000070000000-memory.dmp
  Filesize: 64KB
- memory/1584-68-0x0000000000000000-mapping.dmp
- memory/1584-83-0x0000000002530000-0x000000000286E000-memory.dmp
  Filesize: 3.2MB
- memory/2028-56-0x0000000000000000-mapping.dmp