b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1

Analysis

max time kernel
199s
max time network
163s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 08:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1.exe
Size

4.6MB
MD5

482583be2d17b24c0c065c361d6d454c
SHA1

958c9021cbc65261127393179ded8ba1eed5c414
SHA256

b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1
SHA512

32347411e73589d29d957c2f2b36c8baa0f1b53c168cba34e7b17ffe2826b4307d145fcf1dec61e16b41023fe3ee4dd4e5007aec729b2b673f204ff6cc1f73c3
SSDEEP

98304:eLtkZmzpySeQlbyuvoBYU8XlpTmCoFyCMPYT+HrB:eLygV8NieYrX3mCoFl6MkB

Score

8^/10

bootkit persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

057976BDE27DC7F9.exe057976BDE27DC7F9.exeThunderFW.exe

pid process

1068 057976BDE27DC7F9.exe
540 057976BDE27DC7F9.exe
520 ThunderFW.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1860 cmd.exe

pid	process
1068	057976BDE27DC7F9.exe
540	057976BDE27DC7F9.exe
520	ThunderFW.exe

pid	process
1860	cmd.exe

Loads dropped DLL 4 IoCs

Processes:

b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1.exeMsiExec.exe057976BDE27DC7F9.exe

pid	process
520	b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1.exe
520	b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1.exe
996	MsiExec.exe
1068	057976BDE27DC7F9.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops Chrome extension 1 IoCs

Processes:

057976BDE27DC7F9.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\apailppaffmbfbcnkjpikhblkhnknhbg\1.0.0.0_0\manifest.json	057976BDE27DC7F9.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

057976BDE27DC7F9.exeb3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1.exe057976BDE27DC7F9.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	057976BDE27DC7F9.exe
File opened for modification	\??\PhysicalDrive0	b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1.exe
File opened for modification	\??\PhysicalDrive0	057976BDE27DC7F9.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1.exe

pid process

520 b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

057976BDE27DC7F9.exe

description	pid	process	target process
PID 1068 set thread context of 1416	1068	057976BDE27DC7F9.exe	firefox.exe
PID 1068 set thread context of 576	1068	057976BDE27DC7F9.exe	firefox.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2040 taskkill.exe

pid	process
2040	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

1556 PING.EXE
1908 PING.EXE
1956 PING.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

msiexec.exe

pid process

592 msiexec.exe

pid	process
1556	PING.EXE
1908	PING.EXE
1956	PING.EXE

pid	process
592	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	592	msiexec.exe
Token: SeIncreaseQuotaPrivilege	592	msiexec.exe
Token: SeRestorePrivilege	1508	msiexec.exe
Token: SeTakeOwnershipPrivilege	1508	msiexec.exe
Token: SeSecurityPrivilege	1508	msiexec.exe
Token: SeCreateTokenPrivilege	592	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	592	msiexec.exe
Token: SeLockMemoryPrivilege	592	msiexec.exe
Token: SeIncreaseQuotaPrivilege	592	msiexec.exe
Token: SeMachineAccountPrivilege	592	msiexec.exe
Token: SeTcbPrivilege	592	msiexec.exe
Token: SeSecurityPrivilege	592	msiexec.exe
Token: SeTakeOwnershipPrivilege	592	msiexec.exe
Token: SeLoadDriverPrivilege	592	msiexec.exe
Token: SeSystemProfilePrivilege	592	msiexec.exe
Token: SeSystemtimePrivilege	592	msiexec.exe
Token: SeProfSingleProcessPrivilege	592	msiexec.exe
Token: SeIncBasePriorityPrivilege	592	msiexec.exe
Token: SeCreatePagefilePrivilege	592	msiexec.exe
Token: SeCreatePermanentPrivilege	592	msiexec.exe
Token: SeBackupPrivilege	592	msiexec.exe
Token: SeRestorePrivilege	592	msiexec.exe
Token: SeShutdownPrivilege	592	msiexec.exe
Token: SeDebugPrivilege	592	msiexec.exe
Token: SeAuditPrivilege	592	msiexec.exe
Token: SeSystemEnvironmentPrivilege	592	msiexec.exe
Token: SeChangeNotifyPrivilege	592	msiexec.exe
Token: SeRemoteShutdownPrivilege	592	msiexec.exe
Token: SeUndockPrivilege	592	msiexec.exe
Token: SeSyncAgentPrivilege	592	msiexec.exe
Token: SeEnableDelegationPrivilege	592	msiexec.exe
Token: SeManageVolumePrivilege	592	msiexec.exe
Token: SeImpersonatePrivilege	592	msiexec.exe
Token: SeCreateGlobalPrivilege	592	msiexec.exe
Token: SeCreateTokenPrivilege	592	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	592	msiexec.exe
Token: SeLockMemoryPrivilege	592	msiexec.exe
Token: SeIncreaseQuotaPrivilege	592	msiexec.exe
Token: SeMachineAccountPrivilege	592	msiexec.exe
Token: SeTcbPrivilege	592	msiexec.exe
Token: SeSecurityPrivilege	592	msiexec.exe
Token: SeTakeOwnershipPrivilege	592	msiexec.exe
Token: SeLoadDriverPrivilege	592	msiexec.exe
Token: SeSystemProfilePrivilege	592	msiexec.exe
Token: SeSystemtimePrivilege	592	msiexec.exe
Token: SeProfSingleProcessPrivilege	592	msiexec.exe
Token: SeIncBasePriorityPrivilege	592	msiexec.exe
Token: SeCreatePagefilePrivilege	592	msiexec.exe
Token: SeCreatePermanentPrivilege	592	msiexec.exe
Token: SeBackupPrivilege	592	msiexec.exe
Token: SeRestorePrivilege	592	msiexec.exe
Token: SeShutdownPrivilege	592	msiexec.exe
Token: SeDebugPrivilege	592	msiexec.exe
Token: SeAuditPrivilege	592	msiexec.exe
Token: SeSystemEnvironmentPrivilege	592	msiexec.exe
Token: SeChangeNotifyPrivilege	592	msiexec.exe
Token: SeRemoteShutdownPrivilege	592	msiexec.exe
Token: SeUndockPrivilege	592	msiexec.exe
Token: SeSyncAgentPrivilege	592	msiexec.exe
Token: SeEnableDelegationPrivilege	592	msiexec.exe
Token: SeManageVolumePrivilege	592	msiexec.exe
Token: SeImpersonatePrivilege	592	msiexec.exe
Token: SeCreateGlobalPrivilege	592	msiexec.exe
Token: SeCreateTokenPrivilege	592	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

592 msiexec.exe

pid	process
592	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1.execmd.exemsiexec.exe057976BDE27DC7F9.exe057976BDE27DC7F9.execmd.execmd.exe

description	pid	process	target process
PID 520 wrote to memory of 592	520	b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1.exe	msiexec.exe
PID 520 wrote to memory of 592	520	b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1.exe	msiexec.exe
PID 520 wrote to memory of 592	520	b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1.exe	msiexec.exe
PID 520 wrote to memory of 592	520	b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1.exe	msiexec.exe
PID 520 wrote to memory of 592	520	b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1.exe	msiexec.exe
PID 520 wrote to memory of 592	520	b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1.exe	msiexec.exe
PID 520 wrote to memory of 592	520	b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1.exe	msiexec.exe
PID 520 wrote to memory of 1068	520	b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1.exe	057976BDE27DC7F9.exe
PID 520 wrote to memory of 1068	520	b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1.exe	057976BDE27DC7F9.exe
PID 520 wrote to memory of 1068	520	b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1.exe	057976BDE27DC7F9.exe
PID 520 wrote to memory of 1068	520	b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1.exe	057976BDE27DC7F9.exe
PID 520 wrote to memory of 540	520	b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1.exe	057976BDE27DC7F9.exe
PID 520 wrote to memory of 540	520	b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1.exe	057976BDE27DC7F9.exe
PID 520 wrote to memory of 540	520	b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1.exe	057976BDE27DC7F9.exe
PID 520 wrote to memory of 540	520	b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1.exe	057976BDE27DC7F9.exe
PID 520 wrote to memory of 1860	520	b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1.exe	cmd.exe
PID 520 wrote to memory of 1860	520	b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1.exe	cmd.exe
PID 520 wrote to memory of 1860	520	b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1.exe	cmd.exe
PID 520 wrote to memory of 1860	520	b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1.exe	cmd.exe
PID 1860 wrote to memory of 1556	1860	cmd.exe	PING.EXE
PID 1860 wrote to memory of 1556	1860	cmd.exe	PING.EXE
PID 1860 wrote to memory of 1556	1860	cmd.exe	PING.EXE
PID 1860 wrote to memory of 1556	1860	cmd.exe	PING.EXE
PID 1508 wrote to memory of 996	1508	msiexec.exe	MsiExec.exe
PID 1508 wrote to memory of 996	1508	msiexec.exe	MsiExec.exe
PID 1508 wrote to memory of 996	1508	msiexec.exe	MsiExec.exe
PID 1508 wrote to memory of 996	1508	msiexec.exe	MsiExec.exe
PID 1508 wrote to memory of 996	1508	msiexec.exe	MsiExec.exe
PID 1508 wrote to memory of 996	1508	msiexec.exe	MsiExec.exe
PID 1508 wrote to memory of 996	1508	msiexec.exe	MsiExec.exe
PID 540 wrote to memory of 1472	540	057976BDE27DC7F9.exe	cmd.exe
PID 540 wrote to memory of 1472	540	057976BDE27DC7F9.exe	cmd.exe
PID 540 wrote to memory of 1472	540	057976BDE27DC7F9.exe	cmd.exe
PID 540 wrote to memory of 1472	540	057976BDE27DC7F9.exe	cmd.exe
PID 1068 wrote to memory of 1416	1068	057976BDE27DC7F9.exe	firefox.exe
PID 1068 wrote to memory of 1416	1068	057976BDE27DC7F9.exe	firefox.exe
PID 1068 wrote to memory of 1416	1068	057976BDE27DC7F9.exe	firefox.exe
PID 1068 wrote to memory of 1416	1068	057976BDE27DC7F9.exe	firefox.exe
PID 1068 wrote to memory of 1416	1068	057976BDE27DC7F9.exe	firefox.exe
PID 1068 wrote to memory of 1416	1068	057976BDE27DC7F9.exe	firefox.exe
PID 1068 wrote to memory of 1416	1068	057976BDE27DC7F9.exe	firefox.exe
PID 1068 wrote to memory of 1416	1068	057976BDE27DC7F9.exe	firefox.exe
PID 1472 wrote to memory of 2040	1472	cmd.exe	taskkill.exe
PID 1472 wrote to memory of 2040	1472	cmd.exe	taskkill.exe
PID 1472 wrote to memory of 2040	1472	cmd.exe	taskkill.exe
PID 1472 wrote to memory of 2040	1472	cmd.exe	taskkill.exe
PID 1068 wrote to memory of 576	1068	057976BDE27DC7F9.exe	firefox.exe
PID 1068 wrote to memory of 576	1068	057976BDE27DC7F9.exe	firefox.exe
PID 1068 wrote to memory of 576	1068	057976BDE27DC7F9.exe	firefox.exe
PID 1068 wrote to memory of 576	1068	057976BDE27DC7F9.exe	firefox.exe
PID 1068 wrote to memory of 576	1068	057976BDE27DC7F9.exe	firefox.exe
PID 1068 wrote to memory of 576	1068	057976BDE27DC7F9.exe	firefox.exe
PID 1068 wrote to memory of 576	1068	057976BDE27DC7F9.exe	firefox.exe
PID 1068 wrote to memory of 576	1068	057976BDE27DC7F9.exe	firefox.exe
PID 540 wrote to memory of 1804	540	057976BDE27DC7F9.exe	cmd.exe
PID 540 wrote to memory of 1804	540	057976BDE27DC7F9.exe	cmd.exe
PID 540 wrote to memory of 1804	540	057976BDE27DC7F9.exe	cmd.exe
PID 540 wrote to memory of 1804	540	057976BDE27DC7F9.exe	cmd.exe
PID 1804 wrote to memory of 1908	1804	cmd.exe	PING.EXE
PID 1804 wrote to memory of 1908	1804	cmd.exe	PING.EXE
PID 1804 wrote to memory of 1908	1804	cmd.exe	PING.EXE
PID 1804 wrote to memory of 1908	1804	cmd.exe	PING.EXE
PID 1068 wrote to memory of 520	1068	057976BDE27DC7F9.exe	ThunderFW.exe
PID 1068 wrote to memory of 520	1068	057976BDE27DC7F9.exe	ThunderFW.exe

C:\Users\Admin\AppData\Local\Temp\b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1.exe
"C:\Users\Admin\AppData\Local\Temp\b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
2⤵
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:592

C:\Users\Admin\AppData\Local\Temp\057976BDE27DC7F9.exe
C:\Users\Admin\AppData\Local\Temp\057976BDE27DC7F9.exe 0011 user01
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1068

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
3⤵
PID:1416

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
3⤵
PID:576

C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
3⤵
- Executes dropped EXE
PID:520

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\057976BDE27DC7F9.exe"
3⤵
PID:1596

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
4⤵
- Runs ping.exe
PID:1956

C:\Users\Admin\AppData\Local\Temp\057976BDE27DC7F9.exe
C:\Users\Admin\AppData\Local\Temp\057976BDE27DC7F9.exe 200 user01
2⤵
- Executes dropped EXE
- Drops Chrome extension
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1472

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
PID:2040

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\057976BDE27DC7F9.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
4⤵
- Runs ping.exe
PID:1908

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
3⤵
- Runs ping.exe
PID:1556

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 24D986A605FC1C1BBEA8A538917157BB C
2⤵
- Loads dropped DLL
PID:996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\057976BDE27DC7F9.exe
Filesize
4.6MB

MD5
482583be2d17b24c0c065c361d6d454c

SHA1
958c9021cbc65261127393179ded8ba1eed5c414

SHA256
b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1

SHA512
32347411e73589d29d957c2f2b36c8baa0f1b53c168cba34e7b17ffe2826b4307d145fcf1dec61e16b41023fe3ee4dd4e5007aec729b2b673f204ff6cc1f73c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\057976BDE27DC7F9.exe
Filesize
4.6MB

MD5
482583be2d17b24c0c065c361d6d454c

SHA1
958c9021cbc65261127393179ded8ba1eed5c414

SHA256
b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1

SHA512
32347411e73589d29d957c2f2b36c8baa0f1b53c168cba34e7b17ffe2826b4307d145fcf1dec61e16b41023fe3ee4dd4e5007aec729b2b673f204ff6cc1f73c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\057976BDE27DC7F9.exe
Filesize
4.6MB

MD5
482583be2d17b24c0c065c361d6d454c

SHA1
958c9021cbc65261127393179ded8ba1eed5c414

SHA256
b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1

SHA512
32347411e73589d29d957c2f2b36c8baa0f1b53c168cba34e7b17ffe2826b4307d145fcf1dec61e16b41023fe3ee4dd4e5007aec729b2b673f204ff6cc1f73c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF0B6.tmp
Filesize
6KB

MD5
84878b1a26f8544bda4e069320ad8e7d

SHA1
51c6ee244f5f2fa35b563bffb91e37da848a759c

SHA256
809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444

SHA512
4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
Filesize
71KB

MD5
f0372ff8a6148498b19e04203dbb9e69

SHA1
27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

SHA256
298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

SHA512
65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdiview.msi
Filesize
231KB

MD5
7cc103f6fd70c6f3a2d2b9fca0438182

SHA1
699bd8924a27516b405ea9a686604b53b4e23372

SHA256
dbd9f2128f0b92b21ef99a1d7a0f93f14ebe475dba436d8b1562677821b918a1

SHA512
92ec9590e32a0cf810fc5d15ca9d855c86e5b8cb17cf45dd68bcb972bd78692436535adf9f510259d604e0a8ba2e25c6d2616df242261eb7b09a0ca5c6c2c128

Download Submit
\Users\Admin\AppData\Local\Temp\057976BDE27DC7F9.exe
Filesize
4.6MB

MD5
482583be2d17b24c0c065c361d6d454c

SHA1
958c9021cbc65261127393179ded8ba1eed5c414

SHA256
b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1

SHA512
32347411e73589d29d957c2f2b36c8baa0f1b53c168cba34e7b17ffe2826b4307d145fcf1dec61e16b41023fe3ee4dd4e5007aec729b2b673f204ff6cc1f73c3

Download Submit
\Users\Admin\AppData\Local\Temp\057976BDE27DC7F9.exe
Filesize
4.6MB

MD5
482583be2d17b24c0c065c361d6d454c

SHA1
958c9021cbc65261127393179ded8ba1eed5c414

SHA256
b3d47cda8a8e0dbbb4db970f75d6c29a34d03037bcba7c07622ef84e7eca3bf1

SHA512
32347411e73589d29d957c2f2b36c8baa0f1b53c168cba34e7b17ffe2826b4307d145fcf1dec61e16b41023fe3ee4dd4e5007aec729b2b673f204ff6cc1f73c3

Download Submit
\Users\Admin\AppData\Local\Temp\MSIF0B6.tmp
Filesize
6KB

MD5
84878b1a26f8544bda4e069320ad8e7d

SHA1
51c6ee244f5f2fa35b563bffb91e37da848a759c

SHA256
809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444

SHA512
4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549

Download Submit
\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
Filesize
71KB

MD5
f0372ff8a6148498b19e04203dbb9e69

SHA1
27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

SHA256
298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

SHA512
65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

Download Submit
memory/520-73-0x0000000003170000-0x00000000032E0000-memory.dmp

Filesize
1.4MB

Download
memory/520-71-0x0000000003170000-0x00000000032E0000-memory.dmp

Filesize
1.4MB

Download
memory/520-103-0x0000000000000000-mapping.dmp

Download
memory/520-56-0x0000000010000000-0x000000001033C000-memory.dmp

Filesize
3.2MB

Download
memory/520-54-0x0000000075881000-0x0000000075883000-memory.dmp

Filesize
8KB

Download
memory/520-55-0x0000000000400000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download
memory/540-68-0x0000000000000000-mapping.dmp

Download
memory/540-90-0x00000000034B0000-0x000000000395F000-memory.dmp

Filesize
4.7MB

Download
memory/592-60-0x0000000000000000-mapping.dmp

Download
memory/996-86-0x0000000000000000-mapping.dmp

Download
memory/1068-64-0x0000000000000000-mapping.dmp

Download
memory/1068-91-0x00000000035D0000-0x0000000003A7F000-memory.dmp

Filesize
4.7MB

Download
memory/1068-72-0x0000000000400000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download
memory/1472-98-0x0000000000000000-mapping.dmp

Download
memory/1508-85-0x000007FEFBFC1000-0x000007FEFBFC3000-memory.dmp

Filesize
8KB

Download
memory/1556-84-0x0000000000000000-mapping.dmp

Download
memory/1596-105-0x0000000000000000-mapping.dmp

Download
memory/1804-100-0x0000000000000000-mapping.dmp

Download
memory/1860-83-0x0000000000000000-mapping.dmp

Download
memory/1908-101-0x0000000000000000-mapping.dmp

Download
memory/1956-106-0x0000000000000000-mapping.dmp

Download
memory/2040-99-0x0000000000000000-mapping.dmp

Download