caa4826420a5b8b1568a414be006d5cce7d233d02d3f3a5cf38dc71aa8dd107a | Triage

Analysis

max time kernel
350s
max time network
390s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 04:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Thunder.exe
Size

13KB
MD5

9e308c45146d3ea9daca4e559cc5ace6
SHA1

fdf0da64f485533b18a7a4bdcbc2a3b34433d16f
SHA256

7236d5f2583b592b07f2475df31638913277cb08b9a7ca799476f93c81cd4f01
SHA512

733c9b0c58cb24a6513a782cb3df0ecdb5f7e040847df1db425ada0244237dce78b7a058f16c87acaa6ff2589d5d17f8f8b0472363f361141b09996f072bbbdf
SSDEEP

192:8+T0PO0A4zMq/Upbqr3n8Ha/fEIa/R8fzWqWqWuObEbCd+KdG9nnS:8JPbMz0jauLLt7AdGg

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral4/memory/4068-132-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4272	4068	WerFault.exe	80

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 4272	4068	Thunder.exe	85
PID 4068 wrote to memory of 4272	4068	Thunder.exe	85
PID 4068 wrote to memory of 4272	4068	Thunder.exe	85

C:\Users\Admin\AppData\Local\Temp\Thunder.exe
"C:\Users\Admin\AppData\Local\Temp\Thunder.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 228
  2⤵
  - Program crash
  PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4068 -ip 4068
1⤵
PID:4332

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4068-132-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download