Analysis

  • max time kernel
    30s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    15-12-2022 00:00

General

  • Target

    5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe

  • Size

    5.9MB

  • MD5

    0379c89e245918e7b2119e293d507952

  • SHA1

    513493004e3d6dd83aa0515fb299364199889b90

  • SHA256

    5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887

  • SHA512

    22b65b4cdd8a89a3b940acb3b66a57b6f4e48c2bba0a76ef9a5e0046ede826b86a46a58c89252ec00c0cd14321656ee884b8e12616d47b962b89025ccd883dd1

  • SSDEEP

    98304:YGJgK6UDmEz70Dc/uneO5AIcPNC0LFQnQ5H9AD5MGmpxfjI/NEApXSb1xjQjdY1:4UDmEOneOHcPzRQnQ5H98a+VEqCB9wY1

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe
    "C:\Users\Admin\AppData\Local\Temp\5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:1408
    • C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
      C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
      2⤵
      • Executes dropped EXE
      PID:1640
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1560
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 3
        3⤵
        • Runs ping.exe
        PID:1752

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe

    Filesize

    71KB

    MD5

    f0372ff8a6148498b19e04203dbb9e69

    SHA1

    27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

    SHA256

    298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

    SHA512

    65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

  • \Users\Admin\AppData\Local\Temp\download\ThunderFW.exe

    Filesize

    71KB

    MD5

    f0372ff8a6148498b19e04203dbb9e69

    SHA1

    27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

    SHA256

    298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

    SHA512

    65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

  • memory/1408-54-0x0000000000400000-0x00000000005FF000-memory.dmp

    Filesize

    2.0MB

  • memory/1408-55-0x0000000075F21000-0x0000000075F23000-memory.dmp

    Filesize

    8KB

  • memory/1408-56-0x0000000010000000-0x00000000103E9000-memory.dmp

    Filesize

    3.9MB