Analysis
-
max time kernel
145s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
25-11-2022 09:45
Static task
static1
Behavioral task
behavioral1
Sample
7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe
Resource
win7-20220812-en
General
-
Target
7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe
-
Size
4.6MB
-
MD5
0323ae23d7c56924912bc262bfac689b
-
SHA1
c58065b4cdf8871c1f59af94e8241af414ea478e
-
SHA256
7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a
-
SHA512
5633f4075ca82147c641e1db29835a73f4d0312b07ec69e9f58217c873afc57dae006f3c6b726f768cd45d1b0f4d2ca06384a85bcb4d2026e68b428e4ee072d0
-
SSDEEP
98304:nLtkZmzpySsQdbyuvoBYU8XlpTmCoFyCMPYT+Hrj:nLygVK9ieYrX3mCoFl6Mkj
Malware Config
Signatures
-
Nirsoft 4 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\1669394810252.exe Nirsoft C:\Users\Admin\AppData\Roaming\1669394810252.exe Nirsoft C:\Users\Admin\AppData\Roaming\1669394841737.exe Nirsoft C:\Users\Admin\AppData\Roaming\1669394841737.exe Nirsoft -
Executes dropped EXE 5 IoCs
Processes:
057976BDE27DC7F9.exe057976BDE27DC7F9.exe1669394810252.exe1669394841737.exeThunderFW.exepid process 540 057976BDE27DC7F9.exe 3208 057976BDE27DC7F9.exe 3888 1669394810252.exe 4652 1669394841737.exe 2088 ThunderFW.exe -
Loads dropped DLL 1 IoCs
Processes:
MsiExec.exepid process 720 MsiExec.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe057976BDE27DC7F9.exe057976BDE27DC7F9.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 057976BDE27DC7F9.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 057976BDE27DC7F9.exe -
Drops Chrome extension 1 IoCs
Processes:
057976BDE27DC7F9.exedescription ioc process File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\emgplofaccbnimkckgcdecdnlecmkohl\1.0.0.0_0\manifest.json 057976BDE27DC7F9.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Z: msiexec.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe057976BDE27DC7F9.exe057976BDE27DC7F9.exedescription ioc process File opened for modification \??\PhysicalDrive0 7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe File opened for modification \??\PhysicalDrive0 057976BDE27DC7F9.exe File opened for modification \??\PhysicalDrive0 057976BDE27DC7F9.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exepid process 4624 7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
057976BDE27DC7F9.exedescription pid process target process PID 540 set thread context of 4088 540 057976BDE27DC7F9.exe firefox.exe PID 540 set thread context of 4884 540 057976BDE27DC7F9.exe firefox.exe -
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
057976BDE27DC7F9.exe057976BDE27DC7F9.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc 057976BDE27DC7F9.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc 057976BDE27DC7F9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 057976BDE27DC7F9.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc 057976BDE27DC7F9.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName 057976BDE27DC7F9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 057976BDE27DC7F9.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName 057976BDE27DC7F9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 057976BDE27DC7F9.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName 057976BDE27DC7F9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 057976BDE27DC7F9.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc 057976BDE27DC7F9.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName 057976BDE27DC7F9.exe -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 2388 taskkill.exe -
Processes:
7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD 7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576 7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe -
Runs ping.exe 1 TTPs 3 IoCs
Processes:
PING.EXEPING.EXEPING.EXEpid process 1844 PING.EXE 3460 PING.EXE 5048 PING.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
1669394810252.exe1669394841737.exepid process 3888 1669394810252.exe 3888 1669394810252.exe 4652 1669394841737.exe 4652 1669394841737.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
msiexec.exemsiexec.exetaskkill.exedescription pid process Token: SeShutdownPrivilege 4440 msiexec.exe Token: SeIncreaseQuotaPrivilege 4440 msiexec.exe Token: SeSecurityPrivilege 1512 msiexec.exe Token: SeCreateTokenPrivilege 4440 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4440 msiexec.exe Token: SeLockMemoryPrivilege 4440 msiexec.exe Token: SeIncreaseQuotaPrivilege 4440 msiexec.exe Token: SeMachineAccountPrivilege 4440 msiexec.exe Token: SeTcbPrivilege 4440 msiexec.exe Token: SeSecurityPrivilege 4440 msiexec.exe Token: SeTakeOwnershipPrivilege 4440 msiexec.exe Token: SeLoadDriverPrivilege 4440 msiexec.exe Token: SeSystemProfilePrivilege 4440 msiexec.exe Token: SeSystemtimePrivilege 4440 msiexec.exe Token: SeProfSingleProcessPrivilege 4440 msiexec.exe Token: SeIncBasePriorityPrivilege 4440 msiexec.exe Token: SeCreatePagefilePrivilege 4440 msiexec.exe Token: SeCreatePermanentPrivilege 4440 msiexec.exe Token: SeBackupPrivilege 4440 msiexec.exe Token: SeRestorePrivilege 4440 msiexec.exe Token: SeShutdownPrivilege 4440 msiexec.exe Token: SeDebugPrivilege 4440 msiexec.exe Token: SeAuditPrivilege 4440 msiexec.exe Token: SeSystemEnvironmentPrivilege 4440 msiexec.exe Token: SeChangeNotifyPrivilege 4440 msiexec.exe Token: SeRemoteShutdownPrivilege 4440 msiexec.exe Token: SeUndockPrivilege 4440 msiexec.exe Token: SeSyncAgentPrivilege 4440 msiexec.exe Token: SeEnableDelegationPrivilege 4440 msiexec.exe Token: SeManageVolumePrivilege 4440 msiexec.exe Token: SeImpersonatePrivilege 4440 msiexec.exe Token: SeCreateGlobalPrivilege 4440 msiexec.exe Token: SeDebugPrivilege 2388 taskkill.exe Token: SeCreateTokenPrivilege 4440 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4440 msiexec.exe Token: SeLockMemoryPrivilege 4440 msiexec.exe Token: SeIncreaseQuotaPrivilege 4440 msiexec.exe Token: SeMachineAccountPrivilege 4440 msiexec.exe Token: SeTcbPrivilege 4440 msiexec.exe Token: SeSecurityPrivilege 4440 msiexec.exe Token: SeTakeOwnershipPrivilege 4440 msiexec.exe Token: SeLoadDriverPrivilege 4440 msiexec.exe Token: SeSystemProfilePrivilege 4440 msiexec.exe Token: SeSystemtimePrivilege 4440 msiexec.exe Token: SeProfSingleProcessPrivilege 4440 msiexec.exe Token: SeIncBasePriorityPrivilege 4440 msiexec.exe Token: SeCreatePagefilePrivilege 4440 msiexec.exe Token: SeCreatePermanentPrivilege 4440 msiexec.exe Token: SeBackupPrivilege 4440 msiexec.exe Token: SeRestorePrivilege 4440 msiexec.exe Token: SeShutdownPrivilege 4440 msiexec.exe Token: SeDebugPrivilege 4440 msiexec.exe Token: SeAuditPrivilege 4440 msiexec.exe Token: SeSystemEnvironmentPrivilege 4440 msiexec.exe Token: SeChangeNotifyPrivilege 4440 msiexec.exe Token: SeRemoteShutdownPrivilege 4440 msiexec.exe Token: SeUndockPrivilege 4440 msiexec.exe Token: SeSyncAgentPrivilege 4440 msiexec.exe Token: SeEnableDelegationPrivilege 4440 msiexec.exe Token: SeManageVolumePrivilege 4440 msiexec.exe Token: SeImpersonatePrivilege 4440 msiexec.exe Token: SeCreateGlobalPrivilege 4440 msiexec.exe Token: SeCreateTokenPrivilege 4440 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4440 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
msiexec.exepid process 4440 msiexec.exe -
Suspicious use of WriteProcessMemory 57 IoCs
Processes:
7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.execmd.exe057976BDE27DC7F9.exe057976BDE27DC7F9.execmd.exemsiexec.execmd.execmd.exedescription pid process target process PID 4624 wrote to memory of 4440 4624 7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe msiexec.exe PID 4624 wrote to memory of 4440 4624 7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe msiexec.exe PID 4624 wrote to memory of 4440 4624 7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe msiexec.exe PID 4624 wrote to memory of 540 4624 7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe 057976BDE27DC7F9.exe PID 4624 wrote to memory of 540 4624 7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe 057976BDE27DC7F9.exe PID 4624 wrote to memory of 540 4624 7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe 057976BDE27DC7F9.exe PID 4624 wrote to memory of 3208 4624 7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe 057976BDE27DC7F9.exe PID 4624 wrote to memory of 3208 4624 7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe 057976BDE27DC7F9.exe PID 4624 wrote to memory of 3208 4624 7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe 057976BDE27DC7F9.exe PID 4624 wrote to memory of 4276 4624 7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe cmd.exe PID 4624 wrote to memory of 4276 4624 7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe cmd.exe PID 4624 wrote to memory of 4276 4624 7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe cmd.exe PID 4276 wrote to memory of 5048 4276 cmd.exe PING.EXE PID 4276 wrote to memory of 5048 4276 cmd.exe PING.EXE PID 4276 wrote to memory of 5048 4276 cmd.exe PING.EXE PID 3208 wrote to memory of 2008 3208 057976BDE27DC7F9.exe cmd.exe PID 3208 wrote to memory of 2008 3208 057976BDE27DC7F9.exe cmd.exe PID 3208 wrote to memory of 2008 3208 057976BDE27DC7F9.exe cmd.exe PID 540 wrote to memory of 4088 540 057976BDE27DC7F9.exe firefox.exe PID 540 wrote to memory of 4088 540 057976BDE27DC7F9.exe firefox.exe PID 540 wrote to memory of 4088 540 057976BDE27DC7F9.exe firefox.exe PID 540 wrote to memory of 4088 540 057976BDE27DC7F9.exe firefox.exe PID 540 wrote to memory of 4088 540 057976BDE27DC7F9.exe firefox.exe PID 540 wrote to memory of 4088 540 057976BDE27DC7F9.exe firefox.exe PID 2008 wrote to memory of 2388 2008 cmd.exe taskkill.exe PID 2008 wrote to memory of 2388 2008 cmd.exe taskkill.exe PID 2008 wrote to memory of 2388 2008 cmd.exe taskkill.exe PID 540 wrote to memory of 3888 540 057976BDE27DC7F9.exe 1669394810252.exe PID 540 wrote to memory of 3888 540 057976BDE27DC7F9.exe 1669394810252.exe PID 540 wrote to memory of 3888 540 057976BDE27DC7F9.exe 1669394810252.exe PID 1512 wrote to memory of 720 1512 msiexec.exe MsiExec.exe PID 1512 wrote to memory of 720 1512 msiexec.exe MsiExec.exe PID 1512 wrote to memory of 720 1512 msiexec.exe MsiExec.exe PID 3208 wrote to memory of 3668 3208 057976BDE27DC7F9.exe cmd.exe PID 3208 wrote to memory of 3668 3208 057976BDE27DC7F9.exe cmd.exe PID 3208 wrote to memory of 3668 3208 057976BDE27DC7F9.exe cmd.exe PID 3668 wrote to memory of 1844 3668 cmd.exe PING.EXE PID 3668 wrote to memory of 1844 3668 cmd.exe PING.EXE PID 3668 wrote to memory of 1844 3668 cmd.exe PING.EXE PID 540 wrote to memory of 4884 540 057976BDE27DC7F9.exe firefox.exe PID 540 wrote to memory of 4884 540 057976BDE27DC7F9.exe firefox.exe PID 540 wrote to memory of 4884 540 057976BDE27DC7F9.exe firefox.exe PID 540 wrote to memory of 4884 540 057976BDE27DC7F9.exe firefox.exe PID 540 wrote to memory of 4884 540 057976BDE27DC7F9.exe firefox.exe PID 540 wrote to memory of 4884 540 057976BDE27DC7F9.exe firefox.exe PID 540 wrote to memory of 4652 540 057976BDE27DC7F9.exe 1669394841737.exe PID 540 wrote to memory of 4652 540 057976BDE27DC7F9.exe 1669394841737.exe PID 540 wrote to memory of 4652 540 057976BDE27DC7F9.exe 1669394841737.exe PID 540 wrote to memory of 2088 540 057976BDE27DC7F9.exe ThunderFW.exe PID 540 wrote to memory of 2088 540 057976BDE27DC7F9.exe ThunderFW.exe PID 540 wrote to memory of 2088 540 057976BDE27DC7F9.exe ThunderFW.exe PID 540 wrote to memory of 1480 540 057976BDE27DC7F9.exe cmd.exe PID 540 wrote to memory of 1480 540 057976BDE27DC7F9.exe cmd.exe PID 540 wrote to memory of 1480 540 057976BDE27DC7F9.exe cmd.exe PID 1480 wrote to memory of 3460 1480 cmd.exe PING.EXE PID 1480 wrote to memory of 3460 1480 cmd.exe PING.EXE PID 1480 wrote to memory of 3460 1480 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe"C:\Users\Admin\AppData\Local\Temp\7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe"1⤵
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Windows\SysWOW64\msiexec.exemsiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4440 -
C:\Users\Admin\AppData\Local\Temp\057976BDE27DC7F9.exeC:\Users\Admin\AppData\Local\Temp\057976BDE27DC7F9.exe 0011 user052⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"3⤵PID:4088
-
C:\Users\Admin\AppData\Roaming\1669394810252.exe"C:\Users\Admin\AppData\Roaming\1669394810252.exe" /sjson "C:\Users\Admin\AppData\Roaming\1669394810252.txt"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3888 -
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"3⤵PID:4884
-
C:\Users\Admin\AppData\Roaming\1669394841737.exe"C:\Users\Admin\AppData\Roaming\1669394841737.exe" /sjson "C:\Users\Admin\AppData\Roaming\1669394841737.txt"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4652 -
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exeC:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"3⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\057976BDE27DC7F9.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 34⤵
- Runs ping.exe
PID:3460 -
C:\Users\Admin\AppData\Local\Temp\057976BDE27DC7F9.exeC:\Users\Admin\AppData\Local\Temp\057976BDE27DC7F9.exe 200 user052⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops Chrome extension
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:3208 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe3⤵
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2388 -
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\057976BDE27DC7F9.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:3668 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 34⤵
- Runs ping.exe
PID:1844 -
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4276 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 33⤵
- Runs ping.exe
PID:5048
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 8A8D16EB30685FFACEFA466392F332E8 C2⤵
- Loads dropped DLL
PID:720
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\057976BDE27DC7F9.exeFilesize
4.6MB
MD50323ae23d7c56924912bc262bfac689b
SHA1c58065b4cdf8871c1f59af94e8241af414ea478e
SHA2567bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a
SHA5125633f4075ca82147c641e1db29835a73f4d0312b07ec69e9f58217c873afc57dae006f3c6b726f768cd45d1b0f4d2ca06384a85bcb4d2026e68b428e4ee072d0
-
C:\Users\Admin\AppData\Local\Temp\057976BDE27DC7F9.exeFilesize
4.6MB
MD50323ae23d7c56924912bc262bfac689b
SHA1c58065b4cdf8871c1f59af94e8241af414ea478e
SHA2567bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a
SHA5125633f4075ca82147c641e1db29835a73f4d0312b07ec69e9f58217c873afc57dae006f3c6b726f768cd45d1b0f4d2ca06384a85bcb4d2026e68b428e4ee072d0
-
C:\Users\Admin\AppData\Local\Temp\057976BDE27DC7F9.exeFilesize
4.6MB
MD50323ae23d7c56924912bc262bfac689b
SHA1c58065b4cdf8871c1f59af94e8241af414ea478e
SHA2567bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a
SHA5125633f4075ca82147c641e1db29835a73f4d0312b07ec69e9f58217c873afc57dae006f3c6b726f768cd45d1b0f4d2ca06384a85bcb4d2026e68b428e4ee072d0
-
C:\Users\Admin\AppData\Local\Temp\MSI20B7.tmpFilesize
6KB
MD584878b1a26f8544bda4e069320ad8e7d
SHA151c6ee244f5f2fa35b563bffb91e37da848a759c
SHA256809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444
SHA5124742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549
-
C:\Users\Admin\AppData\Local\Temp\MSI20B7.tmpFilesize
6KB
MD584878b1a26f8544bda4e069320ad8e7d
SHA151c6ee244f5f2fa35b563bffb91e37da848a759c
SHA256809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444
SHA5124742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549
-
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exeFilesize
71KB
MD5f0372ff8a6148498b19e04203dbb9e69
SHA127fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8
SHA256298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf
SHA51265d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865
-
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exeFilesize
71KB
MD5f0372ff8a6148498b19e04203dbb9e69
SHA127fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8
SHA256298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf
SHA51265d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865
-
C:\Users\Admin\AppData\Local\Temp\gdiview.msiFilesize
231KB
MD57cc103f6fd70c6f3a2d2b9fca0438182
SHA1699bd8924a27516b405ea9a686604b53b4e23372
SHA256dbd9f2128f0b92b21ef99a1d7a0f93f14ebe475dba436d8b1562677821b918a1
SHA51292ec9590e32a0cf810fc5d15ca9d855c86e5b8cb17cf45dd68bcb972bd78692436535adf9f510259d604e0a8ba2e25c6d2616df242261eb7b09a0ca5c6c2c128
-
C:\Users\Admin\AppData\Roaming\1669394810252.exeFilesize
101KB
MD5ef6f72358cb02551caebe720fbc55f95
SHA1b5ee276e8d479c270eceb497606bd44ee09ff4b8
SHA2566562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5
SHA512ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90
-
C:\Users\Admin\AppData\Roaming\1669394810252.exeFilesize
101KB
MD5ef6f72358cb02551caebe720fbc55f95
SHA1b5ee276e8d479c270eceb497606bd44ee09ff4b8
SHA2566562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5
SHA512ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90
-
C:\Users\Admin\AppData\Roaming\1669394810252.txtFilesize
6KB
MD58e86b0667ff6922dcf0cbdaba5e84c57
SHA1179d987540db7950f6ca1967f0c1f76643307b5a
SHA256238c6eebb5359eaae52a068e28b130f5021a37625089e9de367710703acfc9e7
SHA512343321270ca0c5e786ad5bf77ed756bca510b7798d5c36740ca97a3e478e47fa10dceeda3a2173346e5769fc37a9bff1fde34a45034baa80a02386c6d28a24f8
-
C:\Users\Admin\AppData\Roaming\1669394841737.exeFilesize
101KB
MD5ef6f72358cb02551caebe720fbc55f95
SHA1b5ee276e8d479c270eceb497606bd44ee09ff4b8
SHA2566562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5
SHA512ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90
-
C:\Users\Admin\AppData\Roaming\1669394841737.exeFilesize
101KB
MD5ef6f72358cb02551caebe720fbc55f95
SHA1b5ee276e8d479c270eceb497606bd44ee09ff4b8
SHA2566562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5
SHA512ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90
-
C:\Users\Admin\AppData\Roaming\1669394841737.txtFilesize
6KB
MD58e86b0667ff6922dcf0cbdaba5e84c57
SHA1179d987540db7950f6ca1967f0c1f76643307b5a
SHA256238c6eebb5359eaae52a068e28b130f5021a37625089e9de367710703acfc9e7
SHA512343321270ca0c5e786ad5bf77ed756bca510b7798d5c36740ca97a3e478e47fa10dceeda3a2173346e5769fc37a9bff1fde34a45034baa80a02386c6d28a24f8
-
memory/540-139-0x0000000000000000-mapping.dmp
-
memory/540-156-0x0000000002EF0000-0x000000000339F000-memory.dmpFilesize
4.7MB
-
memory/720-168-0x0000000000000000-mapping.dmp
-
memory/1480-181-0x0000000000000000-mapping.dmp
-
memory/1844-172-0x0000000000000000-mapping.dmp
-
memory/2008-163-0x0000000000000000-mapping.dmp
-
memory/2088-178-0x0000000000000000-mapping.dmp
-
memory/2388-164-0x0000000000000000-mapping.dmp
-
memory/3208-144-0x0000000000400000-0x0000000000570000-memory.dmpFilesize
1.4MB
-
memory/3208-155-0x0000000002ED0000-0x000000000337F000-memory.dmpFilesize
4.7MB
-
memory/3208-141-0x0000000000000000-mapping.dmp
-
memory/3460-182-0x0000000000000000-mapping.dmp
-
memory/3668-171-0x0000000000000000-mapping.dmp
-
memory/3888-165-0x0000000000000000-mapping.dmp
-
memory/4276-145-0x0000000000000000-mapping.dmp
-
memory/4440-137-0x0000000000000000-mapping.dmp
-
memory/4624-133-0x0000000010000000-0x000000001033C000-memory.dmpFilesize
3.2MB
-
memory/4624-132-0x0000000000400000-0x0000000000570000-memory.dmpFilesize
1.4MB
-
memory/4652-174-0x0000000000000000-mapping.dmp
-
memory/5048-147-0x0000000000000000-mapping.dmp