General

Target     tmp.exe
Filesize   4MB
Completed  21-05-2022 14:28
Task       behavioral1
Score      8/10
MD5        dff5313b59c0e94087e4bc9240cfc6f9
SHA1       c838c95ed8f85f3169800b7f3bd3bb50d0541f86
SHA256     f8e35ada103eae2edb782f046feb0557b6c2c0ea0d36459f549916e0ba12b708
SHA512     a2a922e341b50c7a019f5f5758e8644f013933a5ffc17acfbbbe33b02cd06e07d94b57b4cd9b0e248e5300f4baea99a0108b87d731c311ead87d63947300eacc

Signatures 9

Persistence
  • Executes dropped EXE
    7za.exe, MiniThunderPlatform.exe

    Reported IOCs

    pid   process
    1364  7za.exe
    1700  MiniThunderPlatform.exe
  • Loads dropped DLL
    tmp.exe, MiniThunderPlatform.exe

    Reported IOCs

    pid   process
    1096  tmp.exe                  (reported 7 times)
    1700  MiniThunderPlatform.exe  (reported 8 times)
  • Writes to the Master Boot Record (MBR)
    tmp.exe, MiniThunderPlatform.exe

    Description

    Bootkits write to the MBR to gain persistence at a level below the operating system. The signature fires when a handle to the raw physical disk is opened with write access; the report records the open, not the bytes written, so confirm an actual change by reading sector 0 back and comparing it with a known-good copy before treating the sample as a bootkit. Legitimate partitioning, imaging and installer tooling also opens PhysicalDrive0 for modification.

    TTPs

    Bootkit

    Reported IOCs

    description                   ioc                  process
    File opened for modification  \??\PhysicalDrive0   tmp.exe
    File opened for modification  \??\PhysicalDrive0   MiniThunderPlatform.exe
  • Suspicious behavior: EnumeratesProcesses
    tmp.exe

    Reported IOCs

    pid   process
    1096  tmp.exe
  • Suspicious use of AdjustPrivilegeToken
    7za.exe

    Reported IOCs

    description                pid   process
    Token: SeRestorePrivilege  1364  7za.exe
    Token: 35                  1364  7za.exe
    Token: SeSecurityPrivilege 1364  7za.exe
    Token: SeSecurityPrivilege 1364  7za.exe

    "Token: 35" is a privilege the report could only name by its LUID; LUID 35 is SeCreateSymbolicLinkPrivilege. Enabling SeRestorePrivilege, SeSecurityPrivilege and SeCreateSymbolicLinkPrivilege is consistent with 7-Zip's normal extraction behaviour (restoring security descriptors and symbolic links from the archive), which matches the 7za.exe extraction command under Processes rather than an escalation attempt.
  • Suspicious use of FindShellTrayWindow
    tmp.exe

    Reported IOCs

    pid   process
    1096  tmp.exe  (reported 4 times)
  • Suspicious use of SendNotifyMessage
    tmp.exe

    Reported IOCs

    pid   process
    1096  tmp.exe  (reported 4 times)
  • Suspicious use of SetWindowsHookEx
    tmp.exe

    Reported IOCs

    pid   process
    1096  tmp.exe  (reported 2 times)
  • Suspicious use of WriteProcessMemory
    tmp.exe

    Reported IOCs

    description                       pid   process  target process
    PID 1096 wrote to memory of 1364  1096  tmp.exe  7za.exe                  (reported 4 times)
    PID 1096 wrote to memory of 1700  1096  tmp.exe  MiniThunderPlatform.exe  (reported 4 times)

    The only targets are the two child processes tmp.exe itself created (see Processes); parent-to-child writes made while a process is being started also trigger this signature, and the report shows no write to any other PID, so on its own this is not evidence of injection into an unrelated process.
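The MBR signature above records only that \??\PhysicalDrive0 was opened for modification. The Python below is an added example, not part of the sandbox report or of the analysed sample, showing how an analyst confirms whether sector 0 actually changed: it parses the partition table, checks the 0x55AA boot signature and diffs the boot-code, disk-signature and partition-table regions against a known-good copy. Both sectors are constructed for the example (the byte patterns are placeholders, not real boot code); read_sector0() is where a live read would plug in and needs an elevated prompt on Windows.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"      # bytes 510-511 of a valid MBR
DISK_SIG_OFFSET = 440             # 4-byte NT disk signature
PARTITION_TABLE_OFFSET = 446      # 4 x 16-byte entries
PARTITION_ENTRY_SIZE = 16
# status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
PARTITION_ENTRY_FMT = "<B3xB3xII"


@dataclass
class PartitionEntry:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def has_boot_signature(sector: bytes) -> bool:
    return len(sector) == SECTOR_SIZE and sector[510:512] == BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> List[PartitionEntry]:
    """Return the non-empty partition entries of a 512-byte MBR."""
    if not has_boot_signature(sector):
        raise ValueError("not a 512-byte sector with a 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, ptype, lba, count = struct.unpack_from(PARTITION_ENTRY_FMT, sector, off)
        if ptype == 0:            # empty slot
            continue
        entries.append(PartitionEntry(status == 0x80, ptype, lba, count))
    return entries


def sector_sha256(sector: bytes) -> str:
    """Hash to record as the baseline when the disk is known to be clean."""
    return hashlib.sha256(sector).hexdigest()


def compare_to_baseline(sector: bytes, baseline: bytes) -> List[str]:
    """Report which MBR regions differ from a known-good copy.

    A bootkit typically replaces the boot code and leaves the partition table
    alone so the machine still boots; a repartitioning tool does the opposite.
    Checking the regions separately tells the two apart.
    """
    findings = []
    if sector[0:DISK_SIG_OFFSET] != baseline[0:DISK_SIG_OFFSET]:
        findings.append("boot code (bytes 0-439) differs from baseline")
    if sector[DISK_SIG_OFFSET:444] != baseline[DISK_SIG_OFFSET:444]:
        findings.append("disk signature (bytes 440-443) differs from baseline")
    if sector[PARTITION_TABLE_OFFSET:510] != baseline[PARTITION_TABLE_OFFSET:510]:
        findings.append("partition table (bytes 446-509) differs from baseline")
    if not has_boot_signature(sector):
        findings.append("boot signature 0x55AA missing")
    return findings


def read_sector0(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read the live MBR (elevated prompt on Windows; on Linux pass e.g. /dev/sda)."""
    with open(device, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_sector(boot_code: bytes, disk_sig: bytes, partitions) -> bytes:
    """Assemble a test sector; used only to construct the samples below."""
    buf = bytearray(SECTOR_SIZE)
    buf[: len(boot_code)] = boot_code
    buf[DISK_SIG_OFFSET:444] = disk_sig
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        struct.pack_into(PARTITION_ENTRY_FMT, buf, off, 0x80 if bootable else 0, ptype, lba, count)
    buf[510:512] = BOOT_SIGNATURE
    return bytes(buf)


# Constructed samples: a "known-good" sector with one bootable NTFS (0x07)
# partition, and the same sector with only its boot code overwritten.
BASELINE_MBR = build_sector(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 16,
                            b"\x12\x34\x56\x78", [(True, 0x07, 2048, 204800)])
TAMPERED_MBR = build_sector(b"\xeb\xfe" + b"\x00" * 21,
                            b"\x12\x34\x56\x78", [(True, 0x07, 2048, 204800)])

if __name__ == "__main__":
    print("baseline sha256:", sector_sha256(BASELINE_MBR))
    for p in parse_mbr(TAMPERED_MBR):
        print(p)
    print(compare_to_baseline(TAMPERED_MBR, BASELINE_MBR))
```

On a suspect host the workflow is: record sector_sha256() of sector 0 from a clean image or an identical build, then after detonation (or on the live machine) feed read_sector0() to compare_to_baseline(); an unchanged partition table with changed boot code is the bootkit pattern, while a changed disk signature alone is usually a disk-management tool.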
Processes 3
  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    Loads dropped DLL
    Writes to the Master Boot Record (MBR)
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of FindShellTrayWindow
    Suspicious use of SendNotifyMessage
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Users\Admin\AppData\Local\Temp\7za.exe
      "C:\Users\Admin\AppData\Local\Temp\\7za.exe" x "C:\Users\Admin\AppData\Local\Temp\\downloader.7z" -o"C:\Users\Admin\AppData\Local\Temp\" -aoa
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1364
    • C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
      "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      PID:1700
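The process tree above is the chain a detection should key on: an executable running from the user's Temp directory launches 7za.exe to extract an archive into Temp (overwriting existing files with -aoa) and then runs a binary from the extraction directory. The Python below is an added example, not code from the report or from the sample: it applies that logic to Sysmon-style process-creation records constructed to mirror the tree (PIDs, images and command lines follow the report; the parent PID 600, the timestamps and the benign 7z.exe control event are made up for the example) and ignores an ordinary extraction outside Temp.

```python
import re
from typing import Dict, List, Optional

# Constructed process-creation records in the shape of Sysmon Event ID 1,
# trimmed to the fields the rule needs.
EVENTS = [
    {"utc": "2022-05-21 14:28:01", "pid": 1096, "ppid": 600,
     "image": r"C:\Users\Admin\AppData\Local\Temp\tmp.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\tmp.exe"'},
    {"utc": "2022-05-21 14:28:02", "pid": 1364, "ppid": 1096,
     "image": r"C:\Users\Admin\AppData\Local\Temp\7za.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\\7za.exe" x "C:\Users\Admin\AppData\Local\Temp\\downloader.7z" -o"C:\Users\Admin\AppData\Local\Temp\" -aoa'},
    {"utc": "2022-05-21 14:28:04", "pid": 1700, "ppid": 1096,
     "image": r"C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe" -StartTP'},
    # Benign control (made up): a user runs the installed 7-Zip on a download, outside Temp.
    {"utc": "2022-05-21 14:30:00", "pid": 2200, "ppid": 900,
     "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r'"C:\Program Files\7-Zip\7z.exe" x "C:\Users\Admin\Downloads\tools.7z" -o"C:\Users\Admin\Documents\tools"'},
]

USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
SEVENZIP_NAMES = ("\\7za.exe", "\\7z.exe", "\\7zr.exe")


def norm_path(p: str) -> str:
    """Lower-case and collapse doubled backslashes (the sample's command line has them)."""
    return re.sub(r"\\+", r"\\", p).lower()


def extract_outdir(cmdline: str) -> Optional[str]:
    """Return the 7-Zip -o<dir> target, normalised and with a trailing backslash."""
    m = re.search(r'-o"([^"]+)"|-o(\S+)', cmdline)
    if not m:
        return None
    d = norm_path(m.group(1) or m.group(2))
    return d if d.endswith("\\") else d + "\\"


def in_user_temp(path: str) -> bool:
    return bool(USER_TEMP_RE.match(norm_path(path)))


def detect_temp_extract_and_execute(events: List[Dict]) -> List[Dict]:
    """Flag: Temp-resident parent -> 7-Zip extracts into Temp -> parent runs a file from there."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        if not norm_path(ev["image"]).endswith(SEVENZIP_NAMES):
            continue
        if " x " not in ev["cmdline"]:          # 7-Zip "extract with full paths" verb
            continue
        outdir = extract_outdir(ev["cmdline"])
        if outdir is None or not in_user_temp(outdir):
            continue
        parent = by_pid.get(ev["ppid"])
        if parent is None or not in_user_temp(parent["image"]):
            continue
        # Third stage: a later child of the same parent whose image sits under the extraction dir.
        for child in events:
            if (child["ppid"] == parent["pid"] and child["pid"] != ev["pid"]
                    and child["utc"] > ev["utc"]
                    and norm_path(child["image"]).startswith(outdir)):
                findings.append({
                    "parent_pid": parent["pid"],
                    "extractor_pid": ev["pid"],
                    "executed_pid": child["pid"],
                    "executed_image": child["image"],
                    "overwrite_all": "-aoa" in ev["cmdline"],
                })
    return findings


if __name__ == "__main__":
    for f in detect_temp_extract_and_execute(EVENTS):
        print(f)
```

The rule deliberately requires all three stages (parent in Temp, extraction into Temp, execution from the extraction directory) so that a user unpacking an archive with the installed 7-Zip does not fire it; the doubled backslashes in the sample's command line are normalised rather than matched literally, since a different build of the dropper may not produce them.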
Network
                        Downloads
Dropped files, one entry per file. The report recorded several of these again under a drive-less \Users\... path or with different filename case (ATL71.DLL / atl71.dll, MSVCP71.dll / msvcp71.dll, MSVCR71.dll / msvcr71.dll); the hashes were identical on every occurrence.

  • C:\Users\Admin\AppData\Local\Temp\7za.exe
    MD5     ea1ee87d7eb2d36ba9fdcf24263cd528
    SHA1    ff22c6ac17187c0af8155000d1937cd6f5a5b34d
    SHA256  9706c2ddd91e24317de3ba2f0c3deddf5424384e32b2cfd39ffd3a74c05f5ff9
    SHA512  2f31f9c47fbaa97a994e1dcb149921d515ad2408ee0fa0a016e5e173569b96ef27e2cfd5af4e86e622276e509dea3fdff8469284d60a69ee270c35100b7422cc

  • C:\Users\Admin\AppData\Local\Temp\DlMgr.dll
    MD5     1341d73573697c6af12d21911f913511
    SHA1    d48fedeea2cc8c60c3518af8741c7c9b0bad4f32
    SHA256  295dcdb341098c8f1e402845b02d158cfe8543acfe651c06ce5e1845bead7b03
    SHA512  d937cfbbfc2b3252b7c078d7a0ae91a06fe4495dd9ebb116c5c68302f8819d71a3f8d0a017e31ef4447d7aa758f450873ddd3c36237bd3aea470aba68652c0bf

  • C:\Users\Admin\AppData\Local\Temp\download\ATL71.DLL
    MD5     79cb6457c81ada9eb7f2087ce799aaa7
    SHA1    322ddde439d9254182f5945be8d97e9d897561ae
    SHA256  a68e1297fae2bcf854b47ffa444f490353028de1fa2ca713b6cf6cc5aa22b88a
    SHA512  eca4b91109d105b2ce8c40710b8e3309c4cc944194843b7930e06daf3d1df6ae85c1b7063036c7e5cd10276e5e5535b33e49930adbad88166228316283d011b8

  • C:\Users\Admin\AppData\Local\Temp\download\MSVCP71.dll
    MD5     a94dc60a90efd7a35c36d971e3ee7470
    SHA1    f936f612bc779e4ba067f77514b68c329180a380
    SHA256  6c483cbe349863c7dcf6f8cb7334e7d28c299e7d5aa063297ea2f62352f6bdd9
    SHA512  ff6c41d56337cac074582002d60cbc57263a31480c67ee8999bc02fc473b331eefed93ee938718d297877cf48471c7512741b4aebc0636afc78991cdf6eddfab

  • C:\Users\Admin\AppData\Local\Temp\download\MSVCR71.dll
    MD5     ca2f560921b7b8be1cf555a5a18d54c3
    SHA1    432dbcf54b6f1142058b413a9d52668a2bde011d
    SHA256  c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb
    SHA512  23e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e

  • C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe
    MD5     a83ef2375ccc10030e64508e1a802ad4
    SHA1    58f46307be974f0e2ed2e9115bc1243ba6538e3c
    SHA256  e3bf11413cefdcd810f047061e70f06a422e22fb36ee66007336c3b28cb073b3
    SHA512  c6995312041e14b81a63690e2accb7c9e209ecaae092ab8f381d3cfef9be815b0cd07f19a1279ee18b0da96e0fa9ae6efd24ae053215e96d34c4fcd7d8d62f67

  • C:\Users\Admin\AppData\Local\Temp\download\XLBugHandler.dll
    MD5     92154e720998acb6fa0f7bad63309470
    SHA1    385817793b9f894ca3dd3bac20b269652df6cbc6
    SHA256  1845df41da539bca264f59365bf7453b686b9098cc94cd0e2b9a20c74a561096
    SHA512  37ba81f338af7de7ef2ac6bcf67b3aec96f9b748830ee3c0b152029871f7701e917b94a6b51acd7be6f8f02aea2b25f3b14ced1a218bf4868af04f5207bb5fff

  • C:\Users\Admin\AppData\Local\Temp\download\XLBugReport.exe
    MD5     67c767470d0893c4a2e46be84c9afcbb
    SHA1    00291089b13a93f82ee49a11156521f13ea605cd
    SHA256  64f8d68cc1cfc5b9cc182df3becf704af93d0f1cc93ee59dbf682c75b6d4ffc0
    SHA512  d5d3a96dec616b0ab0cd0586fa0cc5a10ba662e0d5e4de4d849ac62ca5d60ec133f54d109d1d130b5f99ae73e7abfb284ec7d5ba55dca1a4f354c6af73c00e35

  • C:\Users\Admin\AppData\Local\Temp\download\dl_peer_id.dll
    MD5     dba9a19752b52943a0850a7e19ac600a
    SHA1    3485ac30cd7340eccb0457bca37cf4a6dfda583d
    SHA256  69a5e2a51094dc8f30788d63243b12a0eb2759a3f3c3a159b85fd422fc00ac26
    SHA512  a42c1ec5594c6f6cae10524cdad1f9da2bdc407f46e685e56107de781b9bce8210a8cd1a53edacd61365d37a1c7ceba3b0891343cf2c31d258681e3bf85049d3

  • C:\Users\Admin\AppData\Local\Temp\download\download_engine.dll
    MD5     3c2b7b3ff7de18fe47a77b712ff00a00
    SHA1    6d1768acfdee1efb942ef3c28934e127659125ef
    SHA256  4360f3b0dc6ae9aa5b7fb6a6e170e09505bf01df3e42846f2e5270d186f9fa06
    SHA512  6a795af49d14bcd8fb37a2d36788e226f0f4a040a46c7bbb683fc2b8f4eb18d60b992ea414a89f4ed8020c6b2235c1e490e2924b935e24649a81f890ae78cfce

  • C:\Users\Admin\AppData\Local\Temp\download\id.dat
    MD5     86092aebe0515cc017bc94d41ec484d7
    SHA1    faf2ae219e716bb657a9efe7e110a505a669acc9
    SHA256  f777dbd890ca94566d95d21d0398bff7c52f2d8c8825218322910d7b913687ce
    SHA512  bce95deabef04d2c3ebf85fa8ea9b2a2739bbac89d803316273cfb56dc08b5090d91b20296363b0ccfd427bc7448a717393490f3b11b50420c03c7cf918b0323

  • C:\Users\Admin\AppData\Local\Temp\download\zlib1.dll
    MD5     89f6488524eaa3e5a66c5f34f3b92405
    SHA1    330f9f6da03ae96dfa77dd92aae9a294ead9c7f7
    SHA256  bd29d2b1f930e4b660adf71606d1b9634188b7160a704a8d140cadafb46e1e56
    SHA512  cfe72872c89c055d59d4de07a3a14cd84a7e0a12f166e018748b9674045b694793b6a08863e791be4f9095a34471fd6abe76828dc8c653be8c66923a5802b31e

  • C:\Users\Admin\AppData\Local\Temp\downloader.7z
    MD5     50a4726d12aed1ccea812c928f625cc6
    SHA1    7adc625d70adbc685d7363cafcd9781ea7fbbc11
    SHA256  f8efe43c4635d278041d4c41f098827ab79189c16df93203a5f13c31d5019527
    SHA512  f2140c1cd49b56a170aef22267f2621c8d790b3cd95f4d53c5448bf5b029d6b673bbb3ff4477699a59c2405019e63741d16724a655f0c1284c852a0bd0909e61

  • C:\Users\Admin\AppData\Local\Temp\xldl.dll
    MD5     e914a9df187d217c0a1715eaba4eec2a
    SHA1    db662eab8b2da3bf56821ec23b0c2ed1dc8d9b63
    SHA256  95934dae479fc68db1e6cc4517ca0bbd5a72b4fc299062cf4033b87f7fe03660
    SHA512  996e1de053b588b3a8b9e6fb1c8cd3d2fad9c7f26b4a13c486ec95f4fa00aadbba42af2781678aaddbef872fdbb9e7c3d6c02c72b3d8c3833be3e4b007b73818

Memory dumps

  • memory/1096-54-0x0000000076191000-0x0000000076193000-memory.dmp
  • memory/1364-56-0x0000000000000000-mapping.dmp
  • memory/1700-68-0x0000000000000000-mapping.dmp
  • memory/1700-80-0x000000006FFF0000-0x0000000070000000-memory.dmp
  • memory/1700-83-0x0000000002500000-0x000000000283E000-memory.dmp