Analysis
max time kernel: 30s
max time network: 33s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 15-12-2022 00:00
Static task: static1
Behavioral task: behavioral1
Sample: 5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe
Resource: win7-20221111-en
General
Target: 5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe
Size: 5.9MB
MD5: 0379c89e245918e7b2119e293d507952
SHA1: 513493004e3d6dd83aa0515fb299364199889b90
SHA256: 5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887
SHA512: 22b65b4cdd8a89a3b940acb3b66a57b6f4e48c2bba0a76ef9a5e0046ede826b86a46a58c89252ec00c0cd14321656ee884b8e12616d47b962b89025ccd883dd1
SSDEEP: 98304:YGJgK6UDmEz70Dc/uneO5AIcPNC0LFQnQ5H9AD5MGmpxfjI/NEApXSb1xjQjdY1:4UDmEOneOHcPzRQnQ5H98a+VEqCB9wY1
Malware Config
Signatures

Executes dropped EXE 1 IoCs
pid | Process
1640 | ThunderFW.exe

Deletes itself 1 IoCs
pid | Process
1560 | cmd.exe

Loads dropped DLL 1 IoCs
pid | Process
1408 | 5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Modifies system certificate store 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD | 5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 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 | 5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe

Runs ping.exe 1 TTPs 1 IoCs
pid | Process
1752 | PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs
description | pid | Process | procid_target
PID 1408 wrote to memory of 1640 | 1408 | 5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe | 29
PID 1408 wrote to memory of 1640 | 1408 | 5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe | 29
PID 1408 wrote to memory of 1640 | 1408 | 5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe | 29
PID 1408 wrote to memory of 1640 | 1408 | 5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe | 29
PID 1408 wrote to memory of 1560 | 1408 | 5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe | 31
PID 1408 wrote to memory of 1560 | 1408 | 5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe | 31
PID 1408 wrote to memory of 1560 | 1408 | 5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe | 31
PID 1408 wrote to memory of 1560 | 1408 | 5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe | 31
PID 1560 wrote to memory of 1752 | 1560 | cmd.exe | 33
PID 1560 wrote to memory of 1752 | 1560 | cmd.exe | 33
PID 1560 wrote to memory of 1752 | 1560 | cmd.exe | 33
PID 1560 wrote to memory of 1752 | 1560 | cmd.exe | 33
Processes

(1) C:\Users\Admin\AppData\Local\Temp\5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe"
    - Loads dropped DLL
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    PID: 1408

    (2) C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
        - Executes dropped EXE
        PID: 1640

    (2) C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe"
        - Deletes itself
        - Suspicious use of WriteProcessMemory
        PID: 1560

        (3) C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1 -n 3
            - Runs ping.exe
            PID: 1752
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 71KB
MD5: f0372ff8a6148498b19e04203dbb9e69
SHA1: 27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8
SHA256: 298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf
SHA512: 65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865