7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2022 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe
Size

4.6MB
MD5

0323ae23d7c56924912bc262bfac689b
SHA1

c58065b4cdf8871c1f59af94e8241af414ea478e
SHA256

7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a
SHA512

5633f4075ca82147c641e1db29835a73f4d0312b07ec69e9f58217c873afc57dae006f3c6b726f768cd45d1b0f4d2ca06384a85bcb4d2026e68b428e4ee072d0
SSDEEP

98304:nLtkZmzpySsQdbyuvoBYU8XlpTmCoFyCMPYT+Hrj:nLygVK9ieYrX3mCoFl6Mkj

Score

9^/10

bootkit evasion persistence spyware stealer trojan

Malware Config

Signatures

Nirsoft 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\1669394810252.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\1669394810252.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\1669394841737.exe	Nirsoft
C:\Users\Admin\AppData\Roaming\1669394841737.exe	Nirsoft

Executes dropped EXE 5 IoCs

Processes:

057976BDE27DC7F9.exe057976BDE27DC7F9.exe1669394810252.exe1669394841737.exeThunderFW.exe

pid process

540 057976BDE27DC7F9.exe
3208 057976BDE27DC7F9.exe
3888 1669394810252.exe
4652 1669394841737.exe
2088 ThunderFW.exe
Loads dropped DLL 1 IoCs

Processes:

MsiExec.exe

pid process

720 MsiExec.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
540	057976BDE27DC7F9.exe
3208	057976BDE27DC7F9.exe
3888	1669394810252.exe
4652	1669394841737.exe
2088	ThunderFW.exe

pid	process
720	MsiExec.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe057976BDE27DC7F9.exe057976BDE27DC7F9.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	057976BDE27DC7F9.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	057976BDE27DC7F9.exe

Drops Chrome extension 1 IoCs

Processes:

057976BDE27DC7F9.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\emgplofaccbnimkckgcdecdnlecmkohl\1.0.0.0_0\manifest.json	057976BDE27DC7F9.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

Processes:

7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe057976BDE27DC7F9.exe057976BDE27DC7F9.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe
File opened for modification	\??\PhysicalDrive0	057976BDE27DC7F9.exe
File opened for modification	\??\PhysicalDrive0	057976BDE27DC7F9.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe

pid process

4624 7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe

pid	process
4624	7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

057976BDE27DC7F9.exe

description	pid	process	target process
PID 540 set thread context of 4088	540	057976BDE27DC7F9.exe	firefox.exe
PID 540 set thread context of 4884	540	057976BDE27DC7F9.exe	firefox.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

057976BDE27DC7F9.exe057976BDE27DC7F9.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	057976BDE27DC7F9.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	057976BDE27DC7F9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	057976BDE27DC7F9.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	057976BDE27DC7F9.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	057976BDE27DC7F9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	057976BDE27DC7F9.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	057976BDE27DC7F9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	057976BDE27DC7F9.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	057976BDE27DC7F9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	057976BDE27DC7F9.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	057976BDE27DC7F9.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	057976BDE27DC7F9.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2388 taskkill.exe

pid	process
2388	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

1844 PING.EXE
3460 PING.EXE
5048 PING.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

1669394810252.exe1669394841737.exe

pid process

3888 1669394810252.exe
3888 1669394810252.exe
4652 1669394841737.exe
4652 1669394841737.exe

pid	process
1844	PING.EXE
3460	PING.EXE
5048	PING.EXE

pid	process
3888	1669394810252.exe
3888	1669394810252.exe
4652	1669394841737.exe
4652	1669394841737.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exetaskkill.exe

description	pid	process
Token: SeShutdownPrivilege	4440	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4440	msiexec.exe
Token: SeSecurityPrivilege	1512	msiexec.exe
Token: SeCreateTokenPrivilege	4440	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4440	msiexec.exe
Token: SeLockMemoryPrivilege	4440	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4440	msiexec.exe
Token: SeMachineAccountPrivilege	4440	msiexec.exe
Token: SeTcbPrivilege	4440	msiexec.exe
Token: SeSecurityPrivilege	4440	msiexec.exe
Token: SeTakeOwnershipPrivilege	4440	msiexec.exe
Token: SeLoadDriverPrivilege	4440	msiexec.exe
Token: SeSystemProfilePrivilege	4440	msiexec.exe
Token: SeSystemtimePrivilege	4440	msiexec.exe
Token: SeProfSingleProcessPrivilege	4440	msiexec.exe
Token: SeIncBasePriorityPrivilege	4440	msiexec.exe
Token: SeCreatePagefilePrivilege	4440	msiexec.exe
Token: SeCreatePermanentPrivilege	4440	msiexec.exe
Token: SeBackupPrivilege	4440	msiexec.exe
Token: SeRestorePrivilege	4440	msiexec.exe
Token: SeShutdownPrivilege	4440	msiexec.exe
Token: SeDebugPrivilege	4440	msiexec.exe
Token: SeAuditPrivilege	4440	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4440	msiexec.exe
Token: SeChangeNotifyPrivilege	4440	msiexec.exe
Token: SeRemoteShutdownPrivilege	4440	msiexec.exe
Token: SeUndockPrivilege	4440	msiexec.exe
Token: SeSyncAgentPrivilege	4440	msiexec.exe
Token: SeEnableDelegationPrivilege	4440	msiexec.exe
Token: SeManageVolumePrivilege	4440	msiexec.exe
Token: SeImpersonatePrivilege	4440	msiexec.exe
Token: SeCreateGlobalPrivilege	4440	msiexec.exe
Token: SeDebugPrivilege	2388	taskkill.exe
Token: SeCreateTokenPrivilege	4440	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4440	msiexec.exe
Token: SeLockMemoryPrivilege	4440	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4440	msiexec.exe
Token: SeMachineAccountPrivilege	4440	msiexec.exe
Token: SeTcbPrivilege	4440	msiexec.exe
Token: SeSecurityPrivilege	4440	msiexec.exe
Token: SeTakeOwnershipPrivilege	4440	msiexec.exe
Token: SeLoadDriverPrivilege	4440	msiexec.exe
Token: SeSystemProfilePrivilege	4440	msiexec.exe
Token: SeSystemtimePrivilege	4440	msiexec.exe
Token: SeProfSingleProcessPrivilege	4440	msiexec.exe
Token: SeIncBasePriorityPrivilege	4440	msiexec.exe
Token: SeCreatePagefilePrivilege	4440	msiexec.exe
Token: SeCreatePermanentPrivilege	4440	msiexec.exe
Token: SeBackupPrivilege	4440	msiexec.exe
Token: SeRestorePrivilege	4440	msiexec.exe
Token: SeShutdownPrivilege	4440	msiexec.exe
Token: SeDebugPrivilege	4440	msiexec.exe
Token: SeAuditPrivilege	4440	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4440	msiexec.exe
Token: SeChangeNotifyPrivilege	4440	msiexec.exe
Token: SeRemoteShutdownPrivilege	4440	msiexec.exe
Token: SeUndockPrivilege	4440	msiexec.exe
Token: SeSyncAgentPrivilege	4440	msiexec.exe
Token: SeEnableDelegationPrivilege	4440	msiexec.exe
Token: SeManageVolumePrivilege	4440	msiexec.exe
Token: SeImpersonatePrivilege	4440	msiexec.exe
Token: SeCreateGlobalPrivilege	4440	msiexec.exe
Token: SeCreateTokenPrivilege	4440	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4440	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

4440 msiexec.exe

pid	process
4440	msiexec.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.execmd.exe057976BDE27DC7F9.exe057976BDE27DC7F9.execmd.exemsiexec.execmd.execmd.exe

description	pid	process	target process
PID 4624 wrote to memory of 4440	4624	7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe	msiexec.exe
PID 4624 wrote to memory of 4440	4624	7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe	msiexec.exe
PID 4624 wrote to memory of 4440	4624	7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe	msiexec.exe
PID 4624 wrote to memory of 540	4624	7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe	057976BDE27DC7F9.exe
PID 4624 wrote to memory of 540	4624	7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe	057976BDE27DC7F9.exe
PID 4624 wrote to memory of 540	4624	7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe	057976BDE27DC7F9.exe
PID 4624 wrote to memory of 3208	4624	7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe	057976BDE27DC7F9.exe
PID 4624 wrote to memory of 3208	4624	7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe	057976BDE27DC7F9.exe
PID 4624 wrote to memory of 3208	4624	7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe	057976BDE27DC7F9.exe
PID 4624 wrote to memory of 4276	4624	7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe	cmd.exe
PID 4624 wrote to memory of 4276	4624	7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe	cmd.exe
PID 4624 wrote to memory of 4276	4624	7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe	cmd.exe
PID 4276 wrote to memory of 5048	4276	cmd.exe	PING.EXE
PID 4276 wrote to memory of 5048	4276	cmd.exe	PING.EXE
PID 4276 wrote to memory of 5048	4276	cmd.exe	PING.EXE
PID 3208 wrote to memory of 2008	3208	057976BDE27DC7F9.exe	cmd.exe
PID 3208 wrote to memory of 2008	3208	057976BDE27DC7F9.exe	cmd.exe
PID 3208 wrote to memory of 2008	3208	057976BDE27DC7F9.exe	cmd.exe
PID 540 wrote to memory of 4088	540	057976BDE27DC7F9.exe	firefox.exe
PID 540 wrote to memory of 4088	540	057976BDE27DC7F9.exe	firefox.exe
PID 540 wrote to memory of 4088	540	057976BDE27DC7F9.exe	firefox.exe
PID 540 wrote to memory of 4088	540	057976BDE27DC7F9.exe	firefox.exe
PID 540 wrote to memory of 4088	540	057976BDE27DC7F9.exe	firefox.exe
PID 540 wrote to memory of 4088	540	057976BDE27DC7F9.exe	firefox.exe
PID 2008 wrote to memory of 2388	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 2388	2008	cmd.exe	taskkill.exe
PID 2008 wrote to memory of 2388	2008	cmd.exe	taskkill.exe
PID 540 wrote to memory of 3888	540	057976BDE27DC7F9.exe	1669394810252.exe
PID 540 wrote to memory of 3888	540	057976BDE27DC7F9.exe	1669394810252.exe
PID 540 wrote to memory of 3888	540	057976BDE27DC7F9.exe	1669394810252.exe
PID 1512 wrote to memory of 720	1512	msiexec.exe	MsiExec.exe
PID 1512 wrote to memory of 720	1512	msiexec.exe	MsiExec.exe
PID 1512 wrote to memory of 720	1512	msiexec.exe	MsiExec.exe
PID 3208 wrote to memory of 3668	3208	057976BDE27DC7F9.exe	cmd.exe
PID 3208 wrote to memory of 3668	3208	057976BDE27DC7F9.exe	cmd.exe
PID 3208 wrote to memory of 3668	3208	057976BDE27DC7F9.exe	cmd.exe
PID 3668 wrote to memory of 1844	3668	cmd.exe	PING.EXE
PID 3668 wrote to memory of 1844	3668	cmd.exe	PING.EXE
PID 3668 wrote to memory of 1844	3668	cmd.exe	PING.EXE
PID 540 wrote to memory of 4884	540	057976BDE27DC7F9.exe	firefox.exe
PID 540 wrote to memory of 4884	540	057976BDE27DC7F9.exe	firefox.exe
PID 540 wrote to memory of 4884	540	057976BDE27DC7F9.exe	firefox.exe
PID 540 wrote to memory of 4884	540	057976BDE27DC7F9.exe	firefox.exe
PID 540 wrote to memory of 4884	540	057976BDE27DC7F9.exe	firefox.exe
PID 540 wrote to memory of 4884	540	057976BDE27DC7F9.exe	firefox.exe
PID 540 wrote to memory of 4652	540	057976BDE27DC7F9.exe	1669394841737.exe
PID 540 wrote to memory of 4652	540	057976BDE27DC7F9.exe	1669394841737.exe
PID 540 wrote to memory of 4652	540	057976BDE27DC7F9.exe	1669394841737.exe
PID 540 wrote to memory of 2088	540	057976BDE27DC7F9.exe	ThunderFW.exe
PID 540 wrote to memory of 2088	540	057976BDE27DC7F9.exe	ThunderFW.exe
PID 540 wrote to memory of 2088	540	057976BDE27DC7F9.exe	ThunderFW.exe
PID 540 wrote to memory of 1480	540	057976BDE27DC7F9.exe	cmd.exe
PID 540 wrote to memory of 1480	540	057976BDE27DC7F9.exe	cmd.exe
PID 540 wrote to memory of 1480	540	057976BDE27DC7F9.exe	cmd.exe
PID 1480 wrote to memory of 3460	1480	cmd.exe	PING.EXE
PID 1480 wrote to memory of 3460	1480	cmd.exe	PING.EXE
PID 1480 wrote to memory of 3460	1480	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe
"C:\Users\Admin\AppData\Local\Temp\7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe"
1⤵
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4624

C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4440

C:\Users\Admin\AppData\Local\Temp\057976BDE27DC7F9.exe
C:\Users\Admin\AppData\Local\Temp\057976BDE27DC7F9.exe 0011 user05
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:540

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
3⤵
PID:4088

C:\Users\Admin\AppData\Roaming\1669394810252.exe
"C:\Users\Admin\AppData\Roaming\1669394810252.exe" /sjson "C:\Users\Admin\AppData\Roaming\1669394810252.txt"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3888

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
3⤵
PID:4884

C:\Users\Admin\AppData\Roaming\1669394841737.exe
"C:\Users\Admin\AppData\Roaming\1669394841737.exe" /sjson "C:\Users\Admin\AppData\Roaming\1669394841737.txt"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4652

C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
3⤵
- Executes dropped EXE
PID:2088

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\057976BDE27DC7F9.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
4⤵
- Runs ping.exe
PID:3460

C:\Users\Admin\AppData\Local\Temp\057976BDE27DC7F9.exe
C:\Users\Admin\AppData\Local\Temp\057976BDE27DC7F9.exe 200 user05
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops Chrome extension
- Writes to the Master Boot Record (MBR)
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:3208

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\057976BDE27DC7F9.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3668

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
4⤵
- Runs ping.exe
PID:1844

C:\Windows\SysWOW64\cmd.exe
cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4276

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
3⤵
- Runs ping.exe
PID:5048

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 8A8D16EB30685FFACEFA466392F332E8 C
2⤵
- Loads dropped DLL
PID:720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\057976BDE27DC7F9.exe
Filesize
4.6MB

MD5
0323ae23d7c56924912bc262bfac689b

SHA1
c58065b4cdf8871c1f59af94e8241af414ea478e

SHA256
7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a

SHA512
5633f4075ca82147c641e1db29835a73f4d0312b07ec69e9f58217c873afc57dae006f3c6b726f768cd45d1b0f4d2ca06384a85bcb4d2026e68b428e4ee072d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\057976BDE27DC7F9.exe
Filesize
4.6MB

MD5
0323ae23d7c56924912bc262bfac689b

SHA1
c58065b4cdf8871c1f59af94e8241af414ea478e

SHA256
7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a

SHA512
5633f4075ca82147c641e1db29835a73f4d0312b07ec69e9f58217c873afc57dae006f3c6b726f768cd45d1b0f4d2ca06384a85bcb4d2026e68b428e4ee072d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\057976BDE27DC7F9.exe
Filesize
4.6MB

MD5
0323ae23d7c56924912bc262bfac689b

SHA1
c58065b4cdf8871c1f59af94e8241af414ea478e

SHA256
7bdd03378063066b09faaf995de8a0548381afdba5ed742599b7616192c6ca2a

SHA512
5633f4075ca82147c641e1db29835a73f4d0312b07ec69e9f58217c873afc57dae006f3c6b726f768cd45d1b0f4d2ca06384a85bcb4d2026e68b428e4ee072d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI20B7.tmp
Filesize
6KB

MD5
84878b1a26f8544bda4e069320ad8e7d

SHA1
51c6ee244f5f2fa35b563bffb91e37da848a759c

SHA256
809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444

SHA512
4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI20B7.tmp
Filesize
6KB

MD5
84878b1a26f8544bda4e069320ad8e7d

SHA1
51c6ee244f5f2fa35b563bffb91e37da848a759c

SHA256
809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444

SHA512
4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
Filesize
71KB

MD5
f0372ff8a6148498b19e04203dbb9e69

SHA1
27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

SHA256
298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

SHA512
65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
Filesize
71KB

MD5
f0372ff8a6148498b19e04203dbb9e69

SHA1
27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

SHA256
298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

SHA512
65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdiview.msi
Filesize
231KB

MD5
7cc103f6fd70c6f3a2d2b9fca0438182

SHA1
699bd8924a27516b405ea9a686604b53b4e23372

SHA256
dbd9f2128f0b92b21ef99a1d7a0f93f14ebe475dba436d8b1562677821b918a1

SHA512
92ec9590e32a0cf810fc5d15ca9d855c86e5b8cb17cf45dd68bcb972bd78692436535adf9f510259d604e0a8ba2e25c6d2616df242261eb7b09a0ca5c6c2c128

Download Submit
C:\Users\Admin\AppData\Roaming\1669394810252.exe
Filesize
101KB

MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1669394810252.exe
Filesize
101KB

MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1669394810252.txt
Filesize
6KB

MD5
8e86b0667ff6922dcf0cbdaba5e84c57

SHA1
179d987540db7950f6ca1967f0c1f76643307b5a

SHA256
238c6eebb5359eaae52a068e28b130f5021a37625089e9de367710703acfc9e7

SHA512
343321270ca0c5e786ad5bf77ed756bca510b7798d5c36740ca97a3e478e47fa10dceeda3a2173346e5769fc37a9bff1fde34a45034baa80a02386c6d28a24f8

Download Submit
C:\Users\Admin\AppData\Roaming\1669394841737.exe
Filesize
101KB

MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1669394841737.exe
Filesize
101KB

MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1669394841737.txt
Filesize
6KB

MD5
8e86b0667ff6922dcf0cbdaba5e84c57

SHA1
179d987540db7950f6ca1967f0c1f76643307b5a

SHA256
238c6eebb5359eaae52a068e28b130f5021a37625089e9de367710703acfc9e7

SHA512
343321270ca0c5e786ad5bf77ed756bca510b7798d5c36740ca97a3e478e47fa10dceeda3a2173346e5769fc37a9bff1fde34a45034baa80a02386c6d28a24f8

Download Submit
memory/540-139-0x0000000000000000-mapping.dmp

Download
memory/540-156-0x0000000002EF0000-0x000000000339F000-memory.dmp

Filesize
4.7MB

Download
memory/720-168-0x0000000000000000-mapping.dmp

Download
memory/1480-181-0x0000000000000000-mapping.dmp

Download
memory/1844-172-0x0000000000000000-mapping.dmp

Download
memory/2008-163-0x0000000000000000-mapping.dmp

Download
memory/2088-178-0x0000000000000000-mapping.dmp

Download
memory/2388-164-0x0000000000000000-mapping.dmp

Download
memory/3208-144-0x0000000000400000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download
memory/3208-155-0x0000000002ED0000-0x000000000337F000-memory.dmp

Filesize
4.7MB

Download
memory/3208-141-0x0000000000000000-mapping.dmp

Download
memory/3460-182-0x0000000000000000-mapping.dmp

Download
memory/3668-171-0x0000000000000000-mapping.dmp

Download
memory/3888-165-0x0000000000000000-mapping.dmp

Download
memory/4276-145-0x0000000000000000-mapping.dmp

Download
memory/4440-137-0x0000000000000000-mapping.dmp

Download
memory/4624-133-0x0000000010000000-0x000000001033C000-memory.dmp

Filesize
3.2MB

Download
memory/4624-132-0x0000000000400000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download
memory/4652-174-0x0000000000000000-mapping.dmp

Download
memory/5048-147-0x0000000000000000-mapping.dmp

Download