342b887667d91099f3a2109bb8b2dbb08e4552ea8d6b3aad6dfa57a4eb0e079c

Analysis

max time kernel
93s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25/11/2022, 09:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

342b887667d91099f3a2109bb8b2dbb08e4552ea8d6b3aad6dfa57a4eb0e079c.exe
Size

4.6MB
MD5

78c279426e28a8188c1fc88d43f74061
SHA1

7766849c6497f2d62f69758a2c7ea74c03c46d84
SHA256

342b887667d91099f3a2109bb8b2dbb08e4552ea8d6b3aad6dfa57a4eb0e079c
SHA512

13ef7318605df54c129a8854113c740f59a9b11d0e6083834b9dc2f1aeace4f6bf21dd5d0561c8c74d7486a124f4a0a091cd557203d5da63a604c7b9e9d3792a
SSDEEP

98304:ILtkZmzpySsQdbyuvoBYU8XlpTmCoFyCMPYT+Hrj:ILygVK9ieYrX3mCoFl6Mkj

Score

9^/10

bootkit evasion persistence spyware stealer trojan

Malware Config

Signatures

Nirsoft 4 IoCs

resource	yara_rule
behavioral2/files/0x0006000000022f8a-169.dat	Nirsoft
behavioral2/files/0x0006000000022f8a-170.dat	Nirsoft
behavioral2/files/0x0009000000022f8c-173.dat	Nirsoft
behavioral2/files/0x0009000000022f8c-174.dat	Nirsoft

Executes dropped EXE 5 IoCs

pid	Process
2752	057976BDE27DC7F9.exe
2616	057976BDE27DC7F9.exe
532	1669396000441.exe
3788	1669396005660.exe
2696	ThunderFW.exe

Loads dropped DLL 1 IoCs

pid	Process
756	MsiExec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	342b887667d91099f3a2109bb8b2dbb08e4552ea8d6b3aad6dfa57a4eb0e079c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	057976BDE27DC7F9.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	057976BDE27DC7F9.exe

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndpgmahdnempaefilioegiaddjoaogfl\1.0.0.0_0\manifest.json	057976BDE27DC7F9.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	342b887667d91099f3a2109bb8b2dbb08e4552ea8d6b3aad6dfa57a4eb0e079c.exe
File opened for modification	\??\PhysicalDrive0	057976BDE27DC7F9.exe
File opened for modification	\??\PhysicalDrive0	057976BDE27DC7F9.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4800	342b887667d91099f3a2109bb8b2dbb08e4552ea8d6b3aad6dfa57a4eb0e079c.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2752 set thread context of 4452	2752	057976BDE27DC7F9.exe	91
PID 2752 set thread context of 3156	2752	057976BDE27DC7F9.exe	98

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	057976BDE27DC7F9.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	057976BDE27DC7F9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	057976BDE27DC7F9.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	057976BDE27DC7F9.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	057976BDE27DC7F9.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	057976BDE27DC7F9.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	057976BDE27DC7F9.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	057976BDE27DC7F9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	057976BDE27DC7F9.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	057976BDE27DC7F9.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	057976BDE27DC7F9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	057976BDE27DC7F9.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3760	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	342b887667d91099f3a2109bb8b2dbb08e4552ea8d6b3aad6dfa57a4eb0e079c.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	342b887667d91099f3a2109bb8b2dbb08e4552ea8d6b3aad6dfa57a4eb0e079c.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
4924	PING.EXE
1852	PING.EXE
4708	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
532	1669396000441.exe
532	1669396000441.exe
3788	1669396005660.exe
3788	1669396005660.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4132	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4132	msiexec.exe
Token: SeDebugPrivilege	3760	taskkill.exe
Token: SeSecurityPrivilege	3476	msiexec.exe
Token: SeCreateTokenPrivilege	4132	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4132	msiexec.exe
Token: SeLockMemoryPrivilege	4132	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4132	msiexec.exe
Token: SeMachineAccountPrivilege	4132	msiexec.exe
Token: SeTcbPrivilege	4132	msiexec.exe
Token: SeSecurityPrivilege	4132	msiexec.exe
Token: SeTakeOwnershipPrivilege	4132	msiexec.exe
Token: SeLoadDriverPrivilege	4132	msiexec.exe
Token: SeSystemProfilePrivilege	4132	msiexec.exe
Token: SeSystemtimePrivilege	4132	msiexec.exe
Token: SeProfSingleProcessPrivilege	4132	msiexec.exe
Token: SeIncBasePriorityPrivilege	4132	msiexec.exe
Token: SeCreatePagefilePrivilege	4132	msiexec.exe
Token: SeCreatePermanentPrivilege	4132	msiexec.exe
Token: SeBackupPrivilege	4132	msiexec.exe
Token: SeRestorePrivilege	4132	msiexec.exe
Token: SeShutdownPrivilege	4132	msiexec.exe
Token: SeDebugPrivilege	4132	msiexec.exe
Token: SeAuditPrivilege	4132	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4132	msiexec.exe
Token: SeChangeNotifyPrivilege	4132	msiexec.exe
Token: SeRemoteShutdownPrivilege	4132	msiexec.exe
Token: SeUndockPrivilege	4132	msiexec.exe
Token: SeSyncAgentPrivilege	4132	msiexec.exe
Token: SeEnableDelegationPrivilege	4132	msiexec.exe
Token: SeManageVolumePrivilege	4132	msiexec.exe
Token: SeImpersonatePrivilege	4132	msiexec.exe
Token: SeCreateGlobalPrivilege	4132	msiexec.exe
Token: SeCreateTokenPrivilege	4132	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4132	msiexec.exe
Token: SeLockMemoryPrivilege	4132	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4132	msiexec.exe
Token: SeMachineAccountPrivilege	4132	msiexec.exe
Token: SeTcbPrivilege	4132	msiexec.exe
Token: SeSecurityPrivilege	4132	msiexec.exe
Token: SeTakeOwnershipPrivilege	4132	msiexec.exe
Token: SeLoadDriverPrivilege	4132	msiexec.exe
Token: SeSystemProfilePrivilege	4132	msiexec.exe
Token: SeSystemtimePrivilege	4132	msiexec.exe
Token: SeProfSingleProcessPrivilege	4132	msiexec.exe
Token: SeIncBasePriorityPrivilege	4132	msiexec.exe
Token: SeCreatePagefilePrivilege	4132	msiexec.exe
Token: SeCreatePermanentPrivilege	4132	msiexec.exe
Token: SeBackupPrivilege	4132	msiexec.exe
Token: SeRestorePrivilege	4132	msiexec.exe
Token: SeShutdownPrivilege	4132	msiexec.exe
Token: SeDebugPrivilege	4132	msiexec.exe
Token: SeAuditPrivilege	4132	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4132	msiexec.exe
Token: SeChangeNotifyPrivilege	4132	msiexec.exe
Token: SeRemoteShutdownPrivilege	4132	msiexec.exe
Token: SeUndockPrivilege	4132	msiexec.exe
Token: SeSyncAgentPrivilege	4132	msiexec.exe
Token: SeEnableDelegationPrivilege	4132	msiexec.exe
Token: SeManageVolumePrivilege	4132	msiexec.exe
Token: SeImpersonatePrivilege	4132	msiexec.exe
Token: SeCreateGlobalPrivilege	4132	msiexec.exe
Token: SeCreateTokenPrivilege	4132	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4132	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4132	msiexec.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 4132	4800	342b887667d91099f3a2109bb8b2dbb08e4552ea8d6b3aad6dfa57a4eb0e079c.exe	80
PID 4800 wrote to memory of 4132	4800	342b887667d91099f3a2109bb8b2dbb08e4552ea8d6b3aad6dfa57a4eb0e079c.exe	80
PID 4800 wrote to memory of 4132	4800	342b887667d91099f3a2109bb8b2dbb08e4552ea8d6b3aad6dfa57a4eb0e079c.exe	80
PID 4800 wrote to memory of 2752	4800	342b887667d91099f3a2109bb8b2dbb08e4552ea8d6b3aad6dfa57a4eb0e079c.exe	81
PID 4800 wrote to memory of 2752	4800	342b887667d91099f3a2109bb8b2dbb08e4552ea8d6b3aad6dfa57a4eb0e079c.exe	81
PID 4800 wrote to memory of 2752	4800	342b887667d91099f3a2109bb8b2dbb08e4552ea8d6b3aad6dfa57a4eb0e079c.exe	81
PID 4800 wrote to memory of 2616	4800	342b887667d91099f3a2109bb8b2dbb08e4552ea8d6b3aad6dfa57a4eb0e079c.exe	82
PID 4800 wrote to memory of 2616	4800	342b887667d91099f3a2109bb8b2dbb08e4552ea8d6b3aad6dfa57a4eb0e079c.exe	82
PID 4800 wrote to memory of 2616	4800	342b887667d91099f3a2109bb8b2dbb08e4552ea8d6b3aad6dfa57a4eb0e079c.exe	82
PID 4800 wrote to memory of 1756	4800	342b887667d91099f3a2109bb8b2dbb08e4552ea8d6b3aad6dfa57a4eb0e079c.exe	83
PID 4800 wrote to memory of 1756	4800	342b887667d91099f3a2109bb8b2dbb08e4552ea8d6b3aad6dfa57a4eb0e079c.exe	83
PID 4800 wrote to memory of 1756	4800	342b887667d91099f3a2109bb8b2dbb08e4552ea8d6b3aad6dfa57a4eb0e079c.exe	83
PID 1756 wrote to memory of 4924	1756	cmd.exe	86
PID 1756 wrote to memory of 4924	1756	cmd.exe	86
PID 1756 wrote to memory of 4924	1756	cmd.exe	86
PID 2616 wrote to memory of 376	2616	057976BDE27DC7F9.exe	88
PID 2616 wrote to memory of 376	2616	057976BDE27DC7F9.exe	88
PID 2616 wrote to memory of 376	2616	057976BDE27DC7F9.exe	88
PID 376 wrote to memory of 3760	376	cmd.exe	90
PID 376 wrote to memory of 3760	376	cmd.exe	90
PID 376 wrote to memory of 3760	376	cmd.exe	90
PID 2752 wrote to memory of 4452	2752	057976BDE27DC7F9.exe	91
PID 2752 wrote to memory of 4452	2752	057976BDE27DC7F9.exe	91
PID 2752 wrote to memory of 4452	2752	057976BDE27DC7F9.exe	91
PID 2752 wrote to memory of 4452	2752	057976BDE27DC7F9.exe	91
PID 2752 wrote to memory of 4452	2752	057976BDE27DC7F9.exe	91
PID 2752 wrote to memory of 4452	2752	057976BDE27DC7F9.exe	91
PID 2616 wrote to memory of 4700	2616	057976BDE27DC7F9.exe	94
PID 2616 wrote to memory of 4700	2616	057976BDE27DC7F9.exe	94
PID 2616 wrote to memory of 4700	2616	057976BDE27DC7F9.exe	94
PID 4700 wrote to memory of 1852	4700	cmd.exe	95
PID 4700 wrote to memory of 1852	4700	cmd.exe	95
PID 4700 wrote to memory of 1852	4700	cmd.exe	95
PID 2752 wrote to memory of 532	2752	057976BDE27DC7F9.exe	96
PID 2752 wrote to memory of 532	2752	057976BDE27DC7F9.exe	96
PID 2752 wrote to memory of 532	2752	057976BDE27DC7F9.exe	96
PID 2752 wrote to memory of 3156	2752	057976BDE27DC7F9.exe	98
PID 2752 wrote to memory of 3156	2752	057976BDE27DC7F9.exe	98
PID 2752 wrote to memory of 3156	2752	057976BDE27DC7F9.exe	98
PID 2752 wrote to memory of 3156	2752	057976BDE27DC7F9.exe	98
PID 2752 wrote to memory of 3156	2752	057976BDE27DC7F9.exe	98
PID 2752 wrote to memory of 3156	2752	057976BDE27DC7F9.exe	98
PID 2752 wrote to memory of 3788	2752	057976BDE27DC7F9.exe	99
PID 2752 wrote to memory of 3788	2752	057976BDE27DC7F9.exe	99
PID 2752 wrote to memory of 3788	2752	057976BDE27DC7F9.exe	99
PID 3476 wrote to memory of 756	3476	msiexec.exe	100
PID 3476 wrote to memory of 756	3476	msiexec.exe	100
PID 3476 wrote to memory of 756	3476	msiexec.exe	100
PID 2752 wrote to memory of 2696	2752	057976BDE27DC7F9.exe	107
PID 2752 wrote to memory of 2696	2752	057976BDE27DC7F9.exe	107
PID 2752 wrote to memory of 2696	2752	057976BDE27DC7F9.exe	107
PID 2752 wrote to memory of 4348	2752	057976BDE27DC7F9.exe	108
PID 2752 wrote to memory of 4348	2752	057976BDE27DC7F9.exe	108
PID 2752 wrote to memory of 4348	2752	057976BDE27DC7F9.exe	108
PID 4348 wrote to memory of 4708	4348	cmd.exe	110
PID 4348 wrote to memory of 4708	4348	cmd.exe	110
PID 4348 wrote to memory of 4708	4348	cmd.exe	110

C:\Users\Admin\AppData\Local\Temp\342b887667d91099f3a2109bb8b2dbb08e4552ea8d6b3aad6dfa57a4eb0e079c.exe
"C:\Users\Admin\AppData\Local\Temp\342b887667d91099f3a2109bb8b2dbb08e4552ea8d6b3aad6dfa57a4eb0e079c.exe"
1⤵
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4132
- C:\Users\Admin\AppData\Local\Temp\057976BDE27DC7F9.exe
  C:\Users\Admin\AppData\Local\Temp\057976BDE27DC7F9.exe 0011 user05
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetThreadContext
  - Checks SCSI registry key(s)
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    PID:4452
- - C:\Users\Admin\AppData\Roaming\1669396000441.exe
    "C:\Users\Admin\AppData\Roaming\1669396000441.exe" /sjson "C:\Users\Admin\AppData\Roaming\1669396000441.txt"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:532
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    PID:3156
- - C:\Users\Admin\AppData\Roaming\1669396005660.exe
    "C:\Users\Admin\AppData\Roaming\1669396005660.exe" /sjson "C:\Users\Admin\AppData\Roaming\1669396005660.txt"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3788
- - C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
    C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
    3⤵
    - Executes dropped EXE
    PID:2696
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\057976BDE27DC7F9.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4348
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 3
      4⤵
      Runs ping.exe
      PID:4708
- C:\Users\Admin\AppData\Local\Temp\057976BDE27DC7F9.exe
  C:\Users\Admin\AppData\Local\Temp\057976BDE27DC7F9.exe 200 user05
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops Chrome extension
  - Writes to the Master Boot Record (MBR)
  - Checks SCSI registry key(s)
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /f /im chrome.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:376
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3760
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\057976BDE27DC7F9.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4700
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 3
      4⤵
      Runs ping.exe
      PID:1852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\342b887667d91099f3a2109bb8b2dbb08e4552ea8d6b3aad6dfa57a4eb0e079c.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 3
    3⤵
    - Runs ping.exe
    PID:4924

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3476
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F127A8751282CB0C5A5D6BE6F6D87098 C
  2⤵
  - Loads dropped DLL
  PID:756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\057976BDE27DC7F9.exe

Filesize
4.6MB

MD5
78c279426e28a8188c1fc88d43f74061

SHA1
7766849c6497f2d62f69758a2c7ea74c03c46d84

SHA256
342b887667d91099f3a2109bb8b2dbb08e4552ea8d6b3aad6dfa57a4eb0e079c

SHA512
13ef7318605df54c129a8854113c740f59a9b11d0e6083834b9dc2f1aeace4f6bf21dd5d0561c8c74d7486a124f4a0a091cd557203d5da63a604c7b9e9d3792a

Download Submit
C:\Users\Admin\AppData\Local\Temp\057976BDE27DC7F9.exe

Filesize
4.6MB

MD5
78c279426e28a8188c1fc88d43f74061

SHA1
7766849c6497f2d62f69758a2c7ea74c03c46d84

SHA256
342b887667d91099f3a2109bb8b2dbb08e4552ea8d6b3aad6dfa57a4eb0e079c

SHA512
13ef7318605df54c129a8854113c740f59a9b11d0e6083834b9dc2f1aeace4f6bf21dd5d0561c8c74d7486a124f4a0a091cd557203d5da63a604c7b9e9d3792a

Download Submit
C:\Users\Admin\AppData\Local\Temp\057976BDE27DC7F9.exe

Filesize
4.6MB

MD5
78c279426e28a8188c1fc88d43f74061

SHA1
7766849c6497f2d62f69758a2c7ea74c03c46d84

SHA256
342b887667d91099f3a2109bb8b2dbb08e4552ea8d6b3aad6dfa57a4eb0e079c

SHA512
13ef7318605df54c129a8854113c740f59a9b11d0e6083834b9dc2f1aeace4f6bf21dd5d0561c8c74d7486a124f4a0a091cd557203d5da63a604c7b9e9d3792a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8BF4.tmp

Filesize
6KB

MD5
84878b1a26f8544bda4e069320ad8e7d

SHA1
51c6ee244f5f2fa35b563bffb91e37da848a759c

SHA256
809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444

SHA512
4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8BF4.tmp

Filesize
6KB

MD5
84878b1a26f8544bda4e069320ad8e7d

SHA1
51c6ee244f5f2fa35b563bffb91e37da848a759c

SHA256
809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444

SHA512
4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe

Filesize
71KB

MD5
f0372ff8a6148498b19e04203dbb9e69

SHA1
27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

SHA256
298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

SHA512
65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe

Filesize
71KB

MD5
f0372ff8a6148498b19e04203dbb9e69

SHA1
27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

SHA256
298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

SHA512
65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdiview.msi

Filesize
231KB

MD5
7cc103f6fd70c6f3a2d2b9fca0438182

SHA1
699bd8924a27516b405ea9a686604b53b4e23372

SHA256
dbd9f2128f0b92b21ef99a1d7a0f93f14ebe475dba436d8b1562677821b918a1

SHA512
92ec9590e32a0cf810fc5d15ca9d855c86e5b8cb17cf45dd68bcb972bd78692436535adf9f510259d604e0a8ba2e25c6d2616df242261eb7b09a0ca5c6c2c128

Download Submit
C:\Users\Admin\AppData\Roaming\1669396000441.exe

Filesize
101KB

MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1669396000441.exe

Filesize
101KB

MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1669396000441.txt

Filesize
6KB

MD5
dca2a953965a343affb2fdbddec5b33d

SHA1
f9cd5a1ed8886532bd735037aa35d8c517f71041

SHA256
b80396e15e4072ae120843dd432dcebe313f21659d7dab4a34d3c2288373f0c1

SHA512
d4dd8bd90324fe423785557a906549a4d3ada2b5723bfb3cdc64a3dfb20ad84300ef603c4e7b2d10948a67e147383727589451192c036baf2f5ac363970786d1

Download Submit
C:\Users\Admin\AppData\Roaming\1669396005660.exe

Filesize
101KB

MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1669396005660.exe

Filesize
101KB

MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1669396005660.txt

Filesize
6KB

MD5
dca2a953965a343affb2fdbddec5b33d

SHA1
f9cd5a1ed8886532bd735037aa35d8c517f71041

SHA256
b80396e15e4072ae120843dd432dcebe313f21659d7dab4a34d3c2288373f0c1

SHA512
d4dd8bd90324fe423785557a906549a4d3ada2b5723bfb3cdc64a3dfb20ad84300ef603c4e7b2d10948a67e147383727589451192c036baf2f5ac363970786d1

Download Submit
memory/2616-157-0x0000000002E90000-0x000000000333F000-memory.dmp

Filesize
4.7MB

Download
memory/2616-145-0x0000000000400000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download
memory/2752-144-0x0000000000400000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download
memory/2752-156-0x0000000003720000-0x0000000003BCF000-memory.dmp

Filesize
4.7MB

Download
memory/4800-132-0x0000000000400000-0x0000000000570000-memory.dmp

Filesize
1.4MB

Download
memory/4800-133-0x0000000010000000-0x000000001033C000-memory.dmp

Filesize
3.2MB

Download