a82ac7439d8b81cea17c1ddc09f99e606f9baebaca70821acc35bc84b6653829

General

Target

a82ac7439d8b81cea17c1ddc09f99e606f9baebaca70821acc35bc84b6653829.exe
Size

63KB
MD5

a94ee8fae54514eda3b0276453a6fb52
SHA1

bd676c5336f18f94e928868a6824b70d2111193d
SHA256

a82ac7439d8b81cea17c1ddc09f99e606f9baebaca70821acc35bc84b6653829
SHA512

c84f130384b227157f1c36be304dda3cc64c8d8bd41d81a2fef77540ff9ffbf74af15b50b1b6dfd437510993ddf6f973771413e3ae68fd0c33a81ea724bc6d4d
SSDEEP

1536:f3CKsatliGykj2OycDM1GRWFwKJ1OzybJcb/nv06Sh5IM3:/LrlTj2O7gQWKKJ1AyCX0NCc

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a82ac7439d8b81cea17c1ddc09f99e606f9baebaca70821acc35bc84b6653829.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\AAADesktopTips = "{80C71061-F0DD-41E9-9759-0E1582134979}"	a82ac7439d8b81cea17c1ddc09f99e606f9baebaca70821acc35bc84b6653829.exe

Deletes itself 1 IoCs

pid	Process
1932	calc.exe

Loads dropped DLL 4 IoCs

pid	Process
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe
1356	rundll32.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1376 set thread context of 1932	1376	a82ac7439d8b81cea17c1ddc09f99e606f9baebaca70821acc35bc84b6653829.exe	27

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Thunder Network\kankan\xappext.dll	a82ac7439d8b81cea17c1ddc09f99e606f9baebaca70821acc35bc84b6653829.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80C71061-F0DD-41E9-9759-0E1582134979}	a82ac7439d8b81cea17c1ddc09f99e606f9baebaca70821acc35bc84b6653829.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80C71061-F0DD-41E9-9759-0E1582134979}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\Thunder Network\\kankan\\xappext.dll"	a82ac7439d8b81cea17c1ddc09f99e606f9baebaca70821acc35bc84b6653829.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80C71061-F0DD-41E9-9759-0E1582134979}\InprocServer32\ThreadingModel = "Apartment"	a82ac7439d8b81cea17c1ddc09f99e606f9baebaca70821acc35bc84b6653829.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80C71061-F0DD-41E9-9759-0E1582134979}\InprocServer32	a82ac7439d8b81cea17c1ddc09f99e606f9baebaca70821acc35bc84b6653829.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	a82ac7439d8b81cea17c1ddc09f99e606f9baebaca70821acc35bc84b6653829.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	a82ac7439d8b81cea17c1ddc09f99e606f9baebaca70821acc35bc84b6653829.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1376	a82ac7439d8b81cea17c1ddc09f99e606f9baebaca70821acc35bc84b6653829.exe
1376	a82ac7439d8b81cea17c1ddc09f99e606f9baebaca70821acc35bc84b6653829.exe
1356	rundll32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 1356	1376	a82ac7439d8b81cea17c1ddc09f99e606f9baebaca70821acc35bc84b6653829.exe	26
PID 1376 wrote to memory of 1356	1376	a82ac7439d8b81cea17c1ddc09f99e606f9baebaca70821acc35bc84b6653829.exe	26
PID 1376 wrote to memory of 1356	1376	a82ac7439d8b81cea17c1ddc09f99e606f9baebaca70821acc35bc84b6653829.exe	26
PID 1376 wrote to memory of 1356	1376	a82ac7439d8b81cea17c1ddc09f99e606f9baebaca70821acc35bc84b6653829.exe	26
PID 1376 wrote to memory of 1356	1376	a82ac7439d8b81cea17c1ddc09f99e606f9baebaca70821acc35bc84b6653829.exe	26
PID 1376 wrote to memory of 1356	1376	a82ac7439d8b81cea17c1ddc09f99e606f9baebaca70821acc35bc84b6653829.exe	26
PID 1376 wrote to memory of 1356	1376	a82ac7439d8b81cea17c1ddc09f99e606f9baebaca70821acc35bc84b6653829.exe	26
PID 1376 wrote to memory of 1932	1376	a82ac7439d8b81cea17c1ddc09f99e606f9baebaca70821acc35bc84b6653829.exe	27
PID 1376 wrote to memory of 1932	1376	a82ac7439d8b81cea17c1ddc09f99e606f9baebaca70821acc35bc84b6653829.exe	27
PID 1376 wrote to memory of 1932	1376	a82ac7439d8b81cea17c1ddc09f99e606f9baebaca70821acc35bc84b6653829.exe	27
PID 1376 wrote to memory of 1932	1376	a82ac7439d8b81cea17c1ddc09f99e606f9baebaca70821acc35bc84b6653829.exe	27
PID 1376 wrote to memory of 1932	1376	a82ac7439d8b81cea17c1ddc09f99e606f9baebaca70821acc35bc84b6653829.exe	27

C:\Users\Admin\AppData\Local\Temp\a82ac7439d8b81cea17c1ddc09f99e606f9baebaca70821acc35bc84b6653829.exe
"C:\Users\Admin\AppData\Local\Temp\a82ac7439d8b81cea17c1ddc09f99e606f9baebaca70821acc35bc84b6653829.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Program Files (x86)\Common Files\Thunder Network\kankan\xappext.dll",DllPreTranslateMessage
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1356
- C:\Windows\SysWOW64\calc.exe
  "C:\Windows\system32\calc.exe"
  2⤵
  - Deletes itself
  PID:1932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Thunder Network\kankan\xappext.dll

Filesize
59KB

MD5
983141138d37ba3a17315ef357cd05ac

SHA1
758af8c325b54813f545efa884cf6410348cb1fa

SHA256
2f24f7d01e76e5f5dadcdd7aedc04ef74804a5324c70668e4b4e02a4008f375f

SHA512
d401bb59aca454ec6c6137d06469b4687424e37d5d84f457d10286c051242b551e86398373ff8b508fec2ec96dc825f8990fc01d2f4fe5d94166e387e3870dfd

Download Submit
\Program Files (x86)\Common Files\Thunder Network\kankan\xappext.dll

Filesize
59KB

MD5
983141138d37ba3a17315ef357cd05ac

SHA1
758af8c325b54813f545efa884cf6410348cb1fa

SHA256
2f24f7d01e76e5f5dadcdd7aedc04ef74804a5324c70668e4b4e02a4008f375f

SHA512
d401bb59aca454ec6c6137d06469b4687424e37d5d84f457d10286c051242b551e86398373ff8b508fec2ec96dc825f8990fc01d2f4fe5d94166e387e3870dfd

Download Submit
\Program Files (x86)\Common Files\Thunder Network\kankan\xappext.dll

Filesize
59KB

MD5
983141138d37ba3a17315ef357cd05ac

SHA1
758af8c325b54813f545efa884cf6410348cb1fa

SHA256
2f24f7d01e76e5f5dadcdd7aedc04ef74804a5324c70668e4b4e02a4008f375f

SHA512
d401bb59aca454ec6c6137d06469b4687424e37d5d84f457d10286c051242b551e86398373ff8b508fec2ec96dc825f8990fc01d2f4fe5d94166e387e3870dfd

Download Submit
\Program Files (x86)\Common Files\Thunder Network\kankan\xappext.dll

Filesize
59KB

MD5
983141138d37ba3a17315ef357cd05ac

SHA1
758af8c325b54813f545efa884cf6410348cb1fa

SHA256
2f24f7d01e76e5f5dadcdd7aedc04ef74804a5324c70668e4b4e02a4008f375f

SHA512
d401bb59aca454ec6c6137d06469b4687424e37d5d84f457d10286c051242b551e86398373ff8b508fec2ec96dc825f8990fc01d2f4fe5d94166e387e3870dfd

Download Submit
\Program Files (x86)\Common Files\Thunder Network\kankan\xappext.dll

Filesize
59KB

MD5
983141138d37ba3a17315ef357cd05ac

SHA1
758af8c325b54813f545efa884cf6410348cb1fa

SHA256
2f24f7d01e76e5f5dadcdd7aedc04ef74804a5324c70668e4b4e02a4008f375f

SHA512
d401bb59aca454ec6c6137d06469b4687424e37d5d84f457d10286c051242b551e86398373ff8b508fec2ec96dc825f8990fc01d2f4fe5d94166e387e3870dfd

Download Submit
memory/1356-55-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1356-66-0x0000000000250000-0x0000000000265000-memory.dmp

Filesize
84KB

Download
memory/1376-65-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download
memory/1376-58-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1932-56-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing