1553da4a72f6b317c8b534406aa9e6b22c853ebfe90666a756499e6e7a69d8be

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2022, 20:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

06df8ef67df87ad435d74b7588da0b51.exe
Size

3.0MB
MD5

06df8ef67df87ad435d74b7588da0b51
SHA1

36b3e6595f73f94351597416846dc8079a259524
SHA256

1553da4a72f6b317c8b534406aa9e6b22c853ebfe90666a756499e6e7a69d8be
SHA512

c8644e6f36b6e408ec3e359dc37a2bc766a499ab01978900d3deb923aa42f3b9c07952d12dc6ef63942e6d1d04b29aff698968782dd8e9e65f8b24925510cb49
SSDEEP

49152:9LMz6noAioeblxJkDuPnD5J53kuavUsxy3TteDEc3MXTpGE09tqtGPg8UMe:y/X5lPD5JlDgyTAEbD0/qII8UMe

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4944	7z.exe
3804	MiniThunderPlatform.exe

Loads dropped DLL 12 IoCs

pid	Process
4944	7z.exe
4460	06df8ef67df87ad435d74b7588da0b51.exe
3804	MiniThunderPlatform.exe
3804	MiniThunderPlatform.exe
3804	MiniThunderPlatform.exe
3804	MiniThunderPlatform.exe
3804	MiniThunderPlatform.exe
3804	MiniThunderPlatform.exe
3804	MiniThunderPlatform.exe
3804	MiniThunderPlatform.exe
3804	MiniThunderPlatform.exe
3804	MiniThunderPlatform.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MiniThunderPlatform.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4460-138-0x0000000000400000-0x0000000000620000-memory.dmp	autoit_exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\7z.exe	06df8ef67df87ad435d74b7588da0b51.exe
File created	C:\Windows\7z.dll	06df8ef67df87ad435d74b7588da0b51.exe
File opened for modification	C:\Windows\7z.dll	06df8ef67df87ad435d74b7588da0b51.exe
File created	C:\Windows\7z.exe	06df8ef67df87ad435d74b7588da0b51.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4460	06df8ef67df87ad435d74b7588da0b51.exe
4460	06df8ef67df87ad435d74b7588da0b51.exe
4460	06df8ef67df87ad435d74b7588da0b51.exe
4460	06df8ef67df87ad435d74b7588da0b51.exe
4460	06df8ef67df87ad435d74b7588da0b51.exe
4460	06df8ef67df87ad435d74b7588da0b51.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4460	06df8ef67df87ad435d74b7588da0b51.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4460	06df8ef67df87ad435d74b7588da0b51.exe
4460	06df8ef67df87ad435d74b7588da0b51.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4460 wrote to memory of 4944	4460	06df8ef67df87ad435d74b7588da0b51.exe	84
PID 4460 wrote to memory of 4944	4460	06df8ef67df87ad435d74b7588da0b51.exe	84
PID 4460 wrote to memory of 4944	4460	06df8ef67df87ad435d74b7588da0b51.exe	84
PID 4460 wrote to memory of 3804	4460	06df8ef67df87ad435d74b7588da0b51.exe	93
PID 4460 wrote to memory of 3804	4460	06df8ef67df87ad435d74b7588da0b51.exe	93
PID 4460 wrote to memory of 3804	4460	06df8ef67df87ad435d74b7588da0b51.exe	93

C:\Users\Admin\AppData\Local\Temp\06df8ef67df87ad435d74b7588da0b51.exe
"C:\Users\Admin\AppData\Local\Temp\06df8ef67df87ad435d74b7588da0b51.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Windows\7z.exe
  C:\Windows\7z.exe x "C:\Users\Admin\AppData\Local\Temp\06df8ef67df87ad435d74b7588da0b51.exe" -o"C:\Users\Admin\AppData\Local\Temp\~xpesydt.tmp" -r -y-p142857
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4944
- C:\Users\Admin\AppData\Local\Temp\~xpesydt.tmp\download\MiniThunderPlatform.exe
  "C:\Users\Admin\AppData\Local\Temp\~xpesydt.tmp\download\MiniThunderPlatform.exe" -StartTP
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  PID:3804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~xpesydt.tmp\Download\MiniThunderPlatform.exe

Filesize
262KB

MD5
9f1d3dfac55080c712c0281fb2eeeb47

SHA1
9109f9457f811d8d0e887469ffc9c2af793e8090

SHA256
a5622e2bf46cc2ec90c4dca70372f051bfb5bf55da3788b5dfca9429529d285b

SHA512
7e2df7f2aff2d95ca1dbe0dfb7c8c9388c7e8c023c8b9af9b6997140cefcca63fe5980a438b70da03ab6672c94033fb4e50d407c54530b5ce0b9169c39c50879

Download Submit
C:\Users\Admin\AppData\Local\Temp\~xpesydt.tmp\Download\XLBugHandler.dll

Filesize
98KB

MD5
92154e720998acb6fa0f7bad63309470

SHA1
385817793b9f894ca3dd3bac20b269652df6cbc6

SHA256
1845df41da539bca264f59365bf7453b686b9098cc94cd0e2b9a20c74a561096

SHA512
37ba81f338af7de7ef2ac6bcf67b3aec96f9b748830ee3c0b152029871f7701e917b94a6b51acd7be6f8f02aea2b25f3b14ced1a218bf4868af04f5207bb5fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\~xpesydt.tmp\Download\atl71.dll

Filesize
87KB

MD5
79cb6457c81ada9eb7f2087ce799aaa7

SHA1
322ddde439d9254182f5945be8d97e9d897561ae

SHA256
a68e1297fae2bcf854b47ffa444f490353028de1fa2ca713b6cf6cc5aa22b88a

SHA512
eca4b91109d105b2ce8c40710b8e3309c4cc944194843b7930e06daf3d1df6ae85c1b7063036c7e5cd10276e5e5535b33e49930adbad88166228316283d011b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\~xpesydt.tmp\Download\dl_peer_id.dll

Filesize
89KB

MD5
dba9a19752b52943a0850a7e19ac600a

SHA1
3485ac30cd7340eccb0457bca37cf4a6dfda583d

SHA256
69a5e2a51094dc8f30788d63243b12a0eb2759a3f3c3a159b85fd422fc00ac26

SHA512
a42c1ec5594c6f6cae10524cdad1f9da2bdc407f46e685e56107de781b9bce8210a8cd1a53edacd61365d37a1c7ceba3b0891343cf2c31d258681e3bf85049d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\~xpesydt.tmp\Download\dl_peer_id.dll

Filesize
89KB

MD5
dba9a19752b52943a0850a7e19ac600a

SHA1
3485ac30cd7340eccb0457bca37cf4a6dfda583d

SHA256
69a5e2a51094dc8f30788d63243b12a0eb2759a3f3c3a159b85fd422fc00ac26

SHA512
a42c1ec5594c6f6cae10524cdad1f9da2bdc407f46e685e56107de781b9bce8210a8cd1a53edacd61365d37a1c7ceba3b0891343cf2c31d258681e3bf85049d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\~xpesydt.tmp\Download\download_engine.dll

Filesize
3.3MB

MD5
e164d5cc3d566708caf1aa2c0e842347

SHA1
52346ebc204cedee1f1f45e36da46267fc081ac7

SHA256
3245995a4d7417a8dffff27f416f8c2f8ae15eb9d8a57a6cd371f366f2c9b808

SHA512
08a65b118b791f537ae0d445a484889e57a6ae955917de92de79feef3ba01c52147824b5cc3d298d3413cb2ff140535e51182a63c1e4bef97dde3c0025634e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\~xpesydt.tmp\Download\download_engine.dll

Filesize
3.3MB

MD5
e164d5cc3d566708caf1aa2c0e842347

SHA1
52346ebc204cedee1f1f45e36da46267fc081ac7

SHA256
3245995a4d7417a8dffff27f416f8c2f8ae15eb9d8a57a6cd371f366f2c9b808

SHA512
08a65b118b791f537ae0d445a484889e57a6ae955917de92de79feef3ba01c52147824b5cc3d298d3413cb2ff140535e51182a63c1e4bef97dde3c0025634e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\~xpesydt.tmp\Download\msvcp71.dll

Filesize
492KB

MD5
a94dc60a90efd7a35c36d971e3ee7470

SHA1
f936f612bc779e4ba067f77514b68c329180a380

SHA256
6c483cbe349863c7dcf6f8cb7334e7d28c299e7d5aa063297ea2f62352f6bdd9

SHA512
ff6c41d56337cac074582002d60cbc57263a31480c67ee8999bc02fc473b331eefed93ee938718d297877cf48471c7512741b4aebc0636afc78991cdf6eddfab

Download Submit
C:\Users\Admin\AppData\Local\Temp\~xpesydt.tmp\Download\msvcr71.dll

Filesize
340KB

MD5
ca2f560921b7b8be1cf555a5a18d54c3

SHA1
432dbcf54b6f1142058b413a9d52668a2bde011d

SHA256
c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb

SHA512
23e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~xpesydt.tmp\Download\msvcr71.dll

Filesize
340KB

MD5
ca2f560921b7b8be1cf555a5a18d54c3

SHA1
432dbcf54b6f1142058b413a9d52668a2bde011d

SHA256
c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb

SHA512
23e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~xpesydt.tmp\Download\zlib1.dll

Filesize
58KB

MD5
89f6488524eaa3e5a66c5f34f3b92405

SHA1
330f9f6da03ae96dfa77dd92aae9a294ead9c7f7

SHA256
bd29d2b1f930e4b660adf71606d1b9634188b7160a704a8d140cadafb46e1e56

SHA512
cfe72872c89c055d59d4de07a3a14cd84a7e0a12f166e018748b9674045b694793b6a08863e791be4f9095a34471fd6abe76828dc8c653be8c66923a5802b31e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~xpesydt.tmp\download\ATL71.DLL

Filesize
87KB

MD5
79cb6457c81ada9eb7f2087ce799aaa7

SHA1
322ddde439d9254182f5945be8d97e9d897561ae

SHA256
a68e1297fae2bcf854b47ffa444f490353028de1fa2ca713b6cf6cc5aa22b88a

SHA512
eca4b91109d105b2ce8c40710b8e3309c4cc944194843b7930e06daf3d1df6ae85c1b7063036c7e5cd10276e5e5535b33e49930adbad88166228316283d011b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\~xpesydt.tmp\download\MSVCP71.dll

Filesize
492KB

MD5
a94dc60a90efd7a35c36d971e3ee7470

SHA1
f936f612bc779e4ba067f77514b68c329180a380

SHA256
6c483cbe349863c7dcf6f8cb7334e7d28c299e7d5aa063297ea2f62352f6bdd9

SHA512
ff6c41d56337cac074582002d60cbc57263a31480c67ee8999bc02fc473b331eefed93ee938718d297877cf48471c7512741b4aebc0636afc78991cdf6eddfab

Download Submit
C:\Users\Admin\AppData\Local\Temp\~xpesydt.tmp\download\MSVCR71.dll

Filesize
340KB

MD5
ca2f560921b7b8be1cf555a5a18d54c3

SHA1
432dbcf54b6f1142058b413a9d52668a2bde011d

SHA256
c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb

SHA512
23e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~xpesydt.tmp\download\MiniThunderPlatform.exe

Filesize
262KB

MD5
9f1d3dfac55080c712c0281fb2eeeb47

SHA1
9109f9457f811d8d0e887469ffc9c2af793e8090

SHA256
a5622e2bf46cc2ec90c4dca70372f051bfb5bf55da3788b5dfca9429529d285b

SHA512
7e2df7f2aff2d95ca1dbe0dfb7c8c9388c7e8c023c8b9af9b6997140cefcca63fe5980a438b70da03ab6672c94033fb4e50d407c54530b5ce0b9169c39c50879

Download Submit
C:\Users\Admin\AppData\Local\Temp\~xpesydt.tmp\download\XLBugHandler.dll

Filesize
98KB

MD5
92154e720998acb6fa0f7bad63309470

SHA1
385817793b9f894ca3dd3bac20b269652df6cbc6

SHA256
1845df41da539bca264f59365bf7453b686b9098cc94cd0e2b9a20c74a561096

SHA512
37ba81f338af7de7ef2ac6bcf67b3aec96f9b748830ee3c0b152029871f7701e917b94a6b51acd7be6f8f02aea2b25f3b14ced1a218bf4868af04f5207bb5fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\~xpesydt.tmp\download\XLBugReport.exe

Filesize
242KB

MD5
67c767470d0893c4a2e46be84c9afcbb

SHA1
00291089b13a93f82ee49a11156521f13ea605cd

SHA256
64f8d68cc1cfc5b9cc182df3becf704af93d0f1cc93ee59dbf682c75b6d4ffc0

SHA512
d5d3a96dec616b0ab0cd0586fa0cc5a10ba662e0d5e4de4d849ac62ca5d60ec133f54d109d1d130b5f99ae73e7abfb284ec7d5ba55dca1a4f354c6af73c00e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\~xpesydt.tmp\download\dl_peer_id.dll

Filesize
89KB

MD5
dba9a19752b52943a0850a7e19ac600a

SHA1
3485ac30cd7340eccb0457bca37cf4a6dfda583d

SHA256
69a5e2a51094dc8f30788d63243b12a0eb2759a3f3c3a159b85fd422fc00ac26

SHA512
a42c1ec5594c6f6cae10524cdad1f9da2bdc407f46e685e56107de781b9bce8210a8cd1a53edacd61365d37a1c7ceba3b0891343cf2c31d258681e3bf85049d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\~xpesydt.tmp\download\download_engine.dll

Filesize
3.3MB

MD5
e164d5cc3d566708caf1aa2c0e842347

SHA1
52346ebc204cedee1f1f45e36da46267fc081ac7

SHA256
3245995a4d7417a8dffff27f416f8c2f8ae15eb9d8a57a6cd371f366f2c9b808

SHA512
08a65b118b791f537ae0d445a484889e57a6ae955917de92de79feef3ba01c52147824b5cc3d298d3413cb2ff140535e51182a63c1e4bef97dde3c0025634e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\~xpesydt.tmp\download\id.dat

Filesize
40B

MD5
9975dc00355417396ea066d73d6998f1

SHA1
c7d6ab162d4f84e74fdef263bd56a733af311b89

SHA256
bb8acfb92ca5be89f50f15bfc7e1938cfb995a7b8928a15bc3419d223d13f3f4

SHA512
a40903545d03515ff8ba820d1edae2bcd3abc892ca8cae5a4fb85a93d1470e90ee82879a30b1ef6bb6793f2ce0539cbb84cb14b063f63180a347c3b271835387

Download Submit
C:\Users\Admin\AppData\Local\Temp\~xpesydt.tmp\download\zlib1.dll

Filesize
58KB

MD5
89f6488524eaa3e5a66c5f34f3b92405

SHA1
330f9f6da03ae96dfa77dd92aae9a294ead9c7f7

SHA256
bd29d2b1f930e4b660adf71606d1b9634188b7160a704a8d140cadafb46e1e56

SHA512
cfe72872c89c055d59d4de07a3a14cd84a7e0a12f166e018748b9674045b694793b6a08863e791be4f9095a34471fd6abe76828dc8c653be8c66923a5802b31e

Download Submit
C:\Users\Admin\AppData\Local\Temp\~xpesydt.tmp\xldl.dll

Filesize
282KB

MD5
69fa23f05b7200185eba28f8ee5c5d89

SHA1
247bc859c90175d94d397f96af896168516af861

SHA256
62a7dacc4f1614995c2121e308de94418768571b80b8cdf1f80a2b0050df2567

SHA512
a5b6c8852c0a06d84bde38e4b460df3a8df6c59ad00f0e5926af511af15e12b72e8c2de2695de32b630203ded7ae503c60ae5f567780f58d77dc8e0c16e2ec04

Download Submit
C:\Users\Admin\AppData\Local\Temp\~xpesydt.tmp\xldl.dll

Filesize
282KB

MD5
69fa23f05b7200185eba28f8ee5c5d89

SHA1
247bc859c90175d94d397f96af896168516af861

SHA256
62a7dacc4f1614995c2121e308de94418768571b80b8cdf1f80a2b0050df2567

SHA512
a5b6c8852c0a06d84bde38e4b460df3a8df6c59ad00f0e5926af511af15e12b72e8c2de2695de32b630203ded7ae503c60ae5f567780f58d77dc8e0c16e2ec04

Download Submit
C:\Windows\7z.dll

Filesize
893KB

MD5
04ad4b80880b32c94be8d0886482c774

SHA1
344faf61c3eb76f4a2fb6452e83ed16c9cce73e0

SHA256
a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338

SHA512
3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb

Download Submit
C:\Windows\7z.dll

Filesize
893KB

MD5
04ad4b80880b32c94be8d0886482c774

SHA1
344faf61c3eb76f4a2fb6452e83ed16c9cce73e0

SHA256
a1e1d1f0fff4fcccfbdfa313f3bdfea4d3dfe2c2d9174a615bbc39a0a6929338

SHA512
3e3aaf01b769471b18126e443a721c9e9a0269e9f5e48d0a10251bc1ee309855bd71ede266caa6828b007359b21ba562c2a5a3469078760f564fb7bd43acabfb

Download Submit
C:\Windows\7z.exe

Filesize
160KB

MD5
a51d90f2f9394f5ea0a3acae3bd2b219

SHA1
20fea1314dbed552d5fedee096e2050369172ee1

SHA256
ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f

SHA512
c11f981136db7d9bde01046b1953fd924ff29447d41257da09dd762451e27390cea9b69e43206a8fff825ebcd4ddec5a6247bb502aefbd6e8285622caa985bf6

Download Submit
C:\Windows\7z.exe

Filesize
160KB

MD5
a51d90f2f9394f5ea0a3acae3bd2b219

SHA1
20fea1314dbed552d5fedee096e2050369172ee1

SHA256
ac9674feb8f2fad20c1e046de67f899419276ae79a60e8cc021a4bf472ae044f

SHA512
c11f981136db7d9bde01046b1953fd924ff29447d41257da09dd762451e27390cea9b69e43206a8fff825ebcd4ddec5a6247bb502aefbd6e8285622caa985bf6

Download Submit
memory/3804-159-0x00000000026E0000-0x0000000002A3C000-memory.dmp

Filesize
3.4MB

Download
memory/3804-158-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3804-154-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/3804-167-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4460-138-0x0000000000400000-0x0000000000620000-memory.dmp

Filesize
2.1MB

Download
memory/4460-132-0x0000000000400000-0x0000000000620000-memory.dmp

Filesize
2.1MB

Download