5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887

General

Target

5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe
Size

5.9MB
MD5

0379c89e245918e7b2119e293d507952
SHA1

513493004e3d6dd83aa0515fb299364199889b90
SHA256

5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887
SHA512

22b65b4cdd8a89a3b940acb3b66a57b6f4e48c2bba0a76ef9a5e0046ede826b86a46a58c89252ec00c0cd14321656ee884b8e12616d47b962b89025ccd883dd1
SSDEEP

98304:YGJgK6UDmEz70Dc/uneO5AIcPNC0LFQnQ5H9AD5MGmpxfjI/NEApXSb1xjQjdY1:4UDmEOneOHcPzRQnQ5H98a+VEqCB9wY1

Score

8^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ThunderFW.exe

pid process

1640 ThunderFW.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1560 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe

pid process

1408 5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1640	ThunderFW.exe

pid	process
1560	cmd.exe

pid	process
1408	5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1752 PING.EXE

pid	process
1752	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.execmd.exe

description	pid	process	target process
PID 1408 wrote to memory of 1640	1408	5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe	ThunderFW.exe
PID 1408 wrote to memory of 1640	1408	5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe	ThunderFW.exe
PID 1408 wrote to memory of 1640	1408	5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe	ThunderFW.exe
PID 1408 wrote to memory of 1640	1408	5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe	ThunderFW.exe
PID 1408 wrote to memory of 1560	1408	5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe	cmd.exe
PID 1408 wrote to memory of 1560	1408	5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe	cmd.exe
PID 1408 wrote to memory of 1560	1408	5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe	cmd.exe
PID 1408 wrote to memory of 1560	1408	5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe	cmd.exe
PID 1560 wrote to memory of 1752	1560	cmd.exe	PING.EXE
PID 1560 wrote to memory of 1752	1560	cmd.exe	PING.EXE
PID 1560 wrote to memory of 1752	1560	cmd.exe	PING.EXE
PID 1560 wrote to memory of 1752	1560	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe
"C:\Users\Admin\AppData\Local\Temp\5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
  C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 3
    3⤵
    - Runs ping.exe
    PID:1752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe

Filesize
71KB

MD5
f0372ff8a6148498b19e04203dbb9e69

SHA1
27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

SHA256
298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

SHA512
65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

Download Submit
\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe

Filesize
71KB

MD5
f0372ff8a6148498b19e04203dbb9e69

SHA1
27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

SHA256
298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

SHA512
65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

Download Submit
memory/1408-54-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1408-55-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/1408-56-0x0000000010000000-0x00000000103E9000-memory.dmp

Filesize
3.9MB

Download
memory/1560-63-0x0000000000000000-mapping.dmp

Download
memory/1640-61-0x0000000000000000-mapping.dmp

Download
memory/1752-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing