5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887

General

Target

5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe
Size

5.9MB
MD5

0379c89e245918e7b2119e293d507952
SHA1

513493004e3d6dd83aa0515fb299364199889b90
SHA256

5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887
SHA512

22b65b4cdd8a89a3b940acb3b66a57b6f4e48c2bba0a76ef9a5e0046ede826b86a46a58c89252ec00c0cd14321656ee884b8e12616d47b962b89025ccd883dd1
SSDEEP

98304:YGJgK6UDmEz70Dc/uneO5AIcPNC0LFQnQ5H9AD5MGmpxfjI/NEApXSb1xjQjdY1:4UDmEOneOHcPzRQnQ5H98a+VEqCB9wY1

Score

9^/10

Malware Config

Signatures

Nirsoft 2 IoCs

resource	yara_rule
behavioral2/files/0x0005000000022df0-141.dat	Nirsoft
behavioral2/files/0x0005000000022df0-142.dat	Nirsoft

Executes dropped EXE 2 IoCs

pid	Process
3852	1671062498286.exe
32	ThunderFW.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2752	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3852	1671062498286.exe
3852	1671062498286.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 3852	1920	5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe	84
PID 1920 wrote to memory of 3852	1920	5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe	84
PID 1920 wrote to memory of 3852	1920	5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe	84
PID 1920 wrote to memory of 32	1920	5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe	85
PID 1920 wrote to memory of 32	1920	5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe	85
PID 1920 wrote to memory of 32	1920	5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe	85
PID 1920 wrote to memory of 1812	1920	5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe	89
PID 1920 wrote to memory of 1812	1920	5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe	89
PID 1920 wrote to memory of 1812	1920	5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe	89
PID 1812 wrote to memory of 2752	1812	cmd.exe	91
PID 1812 wrote to memory of 2752	1812	cmd.exe	91
PID 1812 wrote to memory of 2752	1812	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe
"C:\Users\Admin\AppData\Local\Temp\5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe"
1⤵
- Checks SCSI registry key(s)
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Users\Admin\AppData\Roaming\1671062498286.exe
  "C:\Users\Admin\AppData\Roaming\1671062498286.exe" /sjson "C:\Users\Admin\AppData\Roaming\1671062498286.txt"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3852
- C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
  C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
  2⤵
  - Executes dropped EXE
  PID:32
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\5630ac19f4074c8781a1cdd1e6c44ccf37e9634e45290e1e9ffa9a0e457cc887.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 3
    3⤵
    - Runs ping.exe
    PID:2752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe

Filesize
71KB

MD5
f0372ff8a6148498b19e04203dbb9e69

SHA1
27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

SHA256
298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

SHA512
65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

Download Submit
C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe

Filesize
71KB

MD5
f0372ff8a6148498b19e04203dbb9e69

SHA1
27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

SHA256
298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

SHA512
65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

Download Submit
C:\Users\Admin\AppData\Roaming\1671062498286.exe

Filesize
101KB

MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1671062498286.exe

Filesize
101KB

MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1671062498286.txt

Filesize
6KB

MD5
dc8f1a9558686ad8b859f728b5ffe347

SHA1
2ed094c27d0ac38fb9d9374b8d1d9fa7a7210cb0

SHA256
9477a5a9a534691e6b73ca76b3f68f61bc3ee4a1d29d754dd8844d9a73ee6e8d

SHA512
ae6227f05a707f7119120f3fa2a984bc6865a736e9dd186a0b6f96f007749b99b72aef2cb666a58da55bfe5916d9378fd34b4a3ad66c14e076e9960a5fb6fa29

Download Submit
memory/1920-135-0x0000000000400000-0x00000000005FF000-memory.dmp

Filesize
2.0MB

Download
memory/1920-136-0x0000000010000000-0x00000000103E9000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing