Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 14:19

General

  • Target

    tmp.exe

  • Size

    4MB

  • Sample

    220521-rmz5xahfb9

  • MD5

    5c32a7b913fdf22a2f3d81f7b5234bf6

  • SHA1

    de8c6c01fb843dd56f5d57f8537fa26ecb8f281a

  • SHA256

    d804e36628f5760ecbf0b3559a540d0d65e482094595b6917b51b8c93a1034f6

  • SHA512

    2f350548a3ffcc9c20d008467aaf8f424e198ede49e0f556ec676175f437f2d764b0799686ce4bfe966906b2036bb0efd37e583531022ad0889a1128401abefe

Score
8/10

Malware Config

Signatures 9

  • Executes dropped EXE ⋅ 2 IoCs
  • Loads dropped DLL ⋅ 15 IoCs
  • Writes to the Master Boot Record (MBR) ⋅ 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious behavior: EnumeratesProcesses ⋅ 1 IoCs
  • Suspicious use of AdjustPrivilegeToken ⋅ 4 IoCs
  • Suspicious use of FindShellTrayWindow ⋅ 4 IoCs
  • Suspicious use of SendNotifyMessage ⋅ 4 IoCs
  • Suspicious use of SetWindowsHookEx ⋅ 2 IoCs
  • Suspicious use of WriteProcessMemory ⋅ 8 IoCs

Processes 3

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    Loads dropped DLL
    Writes to the Master Boot Record (MBR)
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of FindShellTrayWindow
    Suspicious use of SendNotifyMessage
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:1276
    • C:\Users\Admin\AppData\Local\Temp\7za.exe
      "C:\Users\Admin\AppData\Local\Temp\\7za.exe" x "C:\Users\Admin\AppData\Local\Temp\\downloader.7z" -o"C:\Users\Admin\AppData\Local\Temp\" -aoa
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2028
    • C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
      "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      PID:1584

Network

MITRE ATT&CK Matrix

Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation


Downloads

  • C:\Users\Admin\AppData\Local\Temp\7za.exe
  • C:\Users\Admin\AppData\Local\Temp\DlMgr.dll
  • C:\Users\Admin\AppData\Local\Temp\download\ATL71.DLL
  • C:\Users\Admin\AppData\Local\Temp\download\MSVCP71.dll
  • C:\Users\Admin\AppData\Local\Temp\download\MSVCR71.dll
  • C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
  • C:\Users\Admin\AppData\Local\Temp\download\XLBugHandler.dll
  • C:\Users\Admin\AppData\Local\Temp\download\XLBugReport.exe
  • C:\Users\Admin\AppData\Local\Temp\download\dl_peer_id.dll
  • C:\Users\Admin\AppData\Local\Temp\download\download_engine.dll
  • C:\Users\Admin\AppData\Local\Temp\download\id.dat
  • C:\Users\Admin\AppData\Local\Temp\download\zlib1.dll
  • C:\Users\Admin\AppData\Local\Temp\downloader.7z
  • C:\Users\Admin\AppData\Local\Temp\xldl.dll