25ff571dee6de94ac44e8b944288e5b2434a3aa2f60245bdfb092ab84536e6ca

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2022 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25ff571dee6de94ac44e8b944288e5b2434a3aa2f60245bdfb092ab84536e6ca.exe
Size

3.4MB
MD5

7c2f18c381ac16f493451ab9af91e090
SHA1

aa9af6617e53c5f2a5dd1064e957d8d7977edc6f
SHA256

25ff571dee6de94ac44e8b944288e5b2434a3aa2f60245bdfb092ab84536e6ca
SHA512

c1a9bbf1500f8bc49ca3a5081c2792b8e53c0563106d1ecc55cd19c38995a3322157cf848621e1298fea52168ecaf073ff6378e17c37591f7ff4030363fec05a
SSDEEP

98304:f3M+tVrpDfnwMn1scL84djB2o0bZx5264AbsZlO8mZ:kIVB31scY4v2DnHwKZ

Score

8^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4920	MiniThunderPlatform.exe

Loads dropped DLL 10 IoCs

pid	Process
496	25ff571dee6de94ac44e8b944288e5b2434a3aa2f60245bdfb092ab84536e6ca.exe
4920	MiniThunderPlatform.exe
4920	MiniThunderPlatform.exe
4920	MiniThunderPlatform.exe
4920	MiniThunderPlatform.exe
4920	MiniThunderPlatform.exe
4920	MiniThunderPlatform.exe
4920	MiniThunderPlatform.exe
4920	MiniThunderPlatform.exe
4920	MiniThunderPlatform.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\l:	25ff571dee6de94ac44e8b944288e5b2434a3aa2f60245bdfb092ab84536e6ca.exe
File opened (read-only)	\??\t:	25ff571dee6de94ac44e8b944288e5b2434a3aa2f60245bdfb092ab84536e6ca.exe
File opened (read-only)	\??\y:	25ff571dee6de94ac44e8b944288e5b2434a3aa2f60245bdfb092ab84536e6ca.exe
File opened (read-only)	\??\x:	25ff571dee6de94ac44e8b944288e5b2434a3aa2f60245bdfb092ab84536e6ca.exe
File opened (read-only)	\??\m:	25ff571dee6de94ac44e8b944288e5b2434a3aa2f60245bdfb092ab84536e6ca.exe
File opened (read-only)	\??\q:	25ff571dee6de94ac44e8b944288e5b2434a3aa2f60245bdfb092ab84536e6ca.exe
File opened (read-only)	\??\w:	25ff571dee6de94ac44e8b944288e5b2434a3aa2f60245bdfb092ab84536e6ca.exe
File opened (read-only)	\??\h:	25ff571dee6de94ac44e8b944288e5b2434a3aa2f60245bdfb092ab84536e6ca.exe
File opened (read-only)	\??\i:	25ff571dee6de94ac44e8b944288e5b2434a3aa2f60245bdfb092ab84536e6ca.exe
File opened (read-only)	\??\j:	25ff571dee6de94ac44e8b944288e5b2434a3aa2f60245bdfb092ab84536e6ca.exe
File opened (read-only)	\??\n:	25ff571dee6de94ac44e8b944288e5b2434a3aa2f60245bdfb092ab84536e6ca.exe
File opened (read-only)	\??\o:	25ff571dee6de94ac44e8b944288e5b2434a3aa2f60245bdfb092ab84536e6ca.exe
File opened (read-only)	\??\a:	25ff571dee6de94ac44e8b944288e5b2434a3aa2f60245bdfb092ab84536e6ca.exe
File opened (read-only)	\??\b:	25ff571dee6de94ac44e8b944288e5b2434a3aa2f60245bdfb092ab84536e6ca.exe
File opened (read-only)	\??\f:	25ff571dee6de94ac44e8b944288e5b2434a3aa2f60245bdfb092ab84536e6ca.exe
File opened (read-only)	\??\s:	25ff571dee6de94ac44e8b944288e5b2434a3aa2f60245bdfb092ab84536e6ca.exe
File opened (read-only)	\??\p:	25ff571dee6de94ac44e8b944288e5b2434a3aa2f60245bdfb092ab84536e6ca.exe
File opened (read-only)	\??\r:	25ff571dee6de94ac44e8b944288e5b2434a3aa2f60245bdfb092ab84536e6ca.exe
File opened (read-only)	\??\u:	25ff571dee6de94ac44e8b944288e5b2434a3aa2f60245bdfb092ab84536e6ca.exe
File opened (read-only)	\??\v:	25ff571dee6de94ac44e8b944288e5b2434a3aa2f60245bdfb092ab84536e6ca.exe
File opened (read-only)	\??\z:	25ff571dee6de94ac44e8b944288e5b2434a3aa2f60245bdfb092ab84536e6ca.exe
File opened (read-only)	\??\e:	25ff571dee6de94ac44e8b944288e5b2434a3aa2f60245bdfb092ab84536e6ca.exe
File opened (read-only)	\??\g:	25ff571dee6de94ac44e8b944288e5b2434a3aa2f60245bdfb092ab84536e6ca.exe
File opened (read-only)	\??\k:	25ff571dee6de94ac44e8b944288e5b2434a3aa2f60245bdfb092ab84536e6ca.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MiniThunderPlatform.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
496	25ff571dee6de94ac44e8b944288e5b2434a3aa2f60245bdfb092ab84536e6ca.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 496 wrote to memory of 4920	496	25ff571dee6de94ac44e8b944288e5b2434a3aa2f60245bdfb092ab84536e6ca.exe	79
PID 496 wrote to memory of 4920	496	25ff571dee6de94ac44e8b944288e5b2434a3aa2f60245bdfb092ab84536e6ca.exe	79
PID 496 wrote to memory of 4920	496	25ff571dee6de94ac44e8b944288e5b2434a3aa2f60245bdfb092ab84536e6ca.exe	79

C:\Users\Admin\AppData\Local\Temp\25ff571dee6de94ac44e8b944288e5b2434a3aa2f60245bdfb092ab84536e6ca.exe
"C:\Users\Admin\AppData\Local\Temp\25ff571dee6de94ac44e8b944288e5b2434a3aa2f60245bdfb092ab84536e6ca.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:496
- C:\Users\Admin\AppData\Local\Temp\Bf~WIN_8\download\MiniThunderPlatform.exe
  "C:\Users\Admin\AppData\Local\Temp\Bf~WIN_8\download\MiniThunderPlatform.exe" -StartTP
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  PID:4920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Bf~WIN_8\download\ATL71.DLL

Filesize
87KB

MD5
79cb6457c81ada9eb7f2087ce799aaa7

SHA1
322ddde439d9254182f5945be8d97e9d897561ae

SHA256
a68e1297fae2bcf854b47ffa444f490353028de1fa2ca713b6cf6cc5aa22b88a

SHA512
eca4b91109d105b2ce8c40710b8e3309c4cc944194843b7930e06daf3d1df6ae85c1b7063036c7e5cd10276e5e5535b33e49930adbad88166228316283d011b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bf~WIN_8\download\MSVCP71.dll

Filesize
492KB

MD5
a94dc60a90efd7a35c36d971e3ee7470

SHA1
f936f612bc779e4ba067f77514b68c329180a380

SHA256
6c483cbe349863c7dcf6f8cb7334e7d28c299e7d5aa063297ea2f62352f6bdd9

SHA512
ff6c41d56337cac074582002d60cbc57263a31480c67ee8999bc02fc473b331eefed93ee938718d297877cf48471c7512741b4aebc0636afc78991cdf6eddfab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bf~WIN_8\download\MSVCR71.dll

Filesize
340KB

MD5
ca2f560921b7b8be1cf555a5a18d54c3

SHA1
432dbcf54b6f1142058b413a9d52668a2bde011d

SHA256
c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb

SHA512
23e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bf~WIN_8\download\MiniThunderPlatform.exe

Filesize
262KB

MD5
9f1d3dfac55080c712c0281fb2eeeb47

SHA1
9109f9457f811d8d0e887469ffc9c2af793e8090

SHA256
a5622e2bf46cc2ec90c4dca70372f051bfb5bf55da3788b5dfca9429529d285b

SHA512
7e2df7f2aff2d95ca1dbe0dfb7c8c9388c7e8c023c8b9af9b6997140cefcca63fe5980a438b70da03ab6672c94033fb4e50d407c54530b5ce0b9169c39c50879

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bf~WIN_8\download\MiniThunderPlatform.exe

Filesize
262KB

MD5
9f1d3dfac55080c712c0281fb2eeeb47

SHA1
9109f9457f811d8d0e887469ffc9c2af793e8090

SHA256
a5622e2bf46cc2ec90c4dca70372f051bfb5bf55da3788b5dfca9429529d285b

SHA512
7e2df7f2aff2d95ca1dbe0dfb7c8c9388c7e8c023c8b9af9b6997140cefcca63fe5980a438b70da03ab6672c94033fb4e50d407c54530b5ce0b9169c39c50879

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bf~WIN_8\download\XLBugHandler.dll

Filesize
98KB

MD5
92154e720998acb6fa0f7bad63309470

SHA1
385817793b9f894ca3dd3bac20b269652df6cbc6

SHA256
1845df41da539bca264f59365bf7453b686b9098cc94cd0e2b9a20c74a561096

SHA512
37ba81f338af7de7ef2ac6bcf67b3aec96f9b748830ee3c0b152029871f7701e917b94a6b51acd7be6f8f02aea2b25f3b14ced1a218bf4868af04f5207bb5fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bf~WIN_8\download\XLBugHandler.dll

Filesize
98KB

MD5
92154e720998acb6fa0f7bad63309470

SHA1
385817793b9f894ca3dd3bac20b269652df6cbc6

SHA256
1845df41da539bca264f59365bf7453b686b9098cc94cd0e2b9a20c74a561096

SHA512
37ba81f338af7de7ef2ac6bcf67b3aec96f9b748830ee3c0b152029871f7701e917b94a6b51acd7be6f8f02aea2b25f3b14ced1a218bf4868af04f5207bb5fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bf~WIN_8\download\XLBugReport.exe

Filesize
242KB

MD5
67c767470d0893c4a2e46be84c9afcbb

SHA1
00291089b13a93f82ee49a11156521f13ea605cd

SHA256
64f8d68cc1cfc5b9cc182df3becf704af93d0f1cc93ee59dbf682c75b6d4ffc0

SHA512
d5d3a96dec616b0ab0cd0586fa0cc5a10ba662e0d5e4de4d849ac62ca5d60ec133f54d109d1d130b5f99ae73e7abfb284ec7d5ba55dca1a4f354c6af73c00e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bf~WIN_8\download\atl71.dll

Filesize
87KB

MD5
79cb6457c81ada9eb7f2087ce799aaa7

SHA1
322ddde439d9254182f5945be8d97e9d897561ae

SHA256
a68e1297fae2bcf854b47ffa444f490353028de1fa2ca713b6cf6cc5aa22b88a

SHA512
eca4b91109d105b2ce8c40710b8e3309c4cc944194843b7930e06daf3d1df6ae85c1b7063036c7e5cd10276e5e5535b33e49930adbad88166228316283d011b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bf~WIN_8\download\dl_peer_id.dll

Filesize
89KB

MD5
dba9a19752b52943a0850a7e19ac600a

SHA1
3485ac30cd7340eccb0457bca37cf4a6dfda583d

SHA256
69a5e2a51094dc8f30788d63243b12a0eb2759a3f3c3a159b85fd422fc00ac26

SHA512
a42c1ec5594c6f6cae10524cdad1f9da2bdc407f46e685e56107de781b9bce8210a8cd1a53edacd61365d37a1c7ceba3b0891343cf2c31d258681e3bf85049d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bf~WIN_8\download\dl_peer_id.dll

Filesize
89KB

MD5
dba9a19752b52943a0850a7e19ac600a

SHA1
3485ac30cd7340eccb0457bca37cf4a6dfda583d

SHA256
69a5e2a51094dc8f30788d63243b12a0eb2759a3f3c3a159b85fd422fc00ac26

SHA512
a42c1ec5594c6f6cae10524cdad1f9da2bdc407f46e685e56107de781b9bce8210a8cd1a53edacd61365d37a1c7ceba3b0891343cf2c31d258681e3bf85049d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bf~WIN_8\download\dl_peer_id.dll

Filesize
89KB

MD5
dba9a19752b52943a0850a7e19ac600a

SHA1
3485ac30cd7340eccb0457bca37cf4a6dfda583d

SHA256
69a5e2a51094dc8f30788d63243b12a0eb2759a3f3c3a159b85fd422fc00ac26

SHA512
a42c1ec5594c6f6cae10524cdad1f9da2bdc407f46e685e56107de781b9bce8210a8cd1a53edacd61365d37a1c7ceba3b0891343cf2c31d258681e3bf85049d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bf~WIN_8\download\download_engine.dll

Filesize
3.3MB

MD5
e164d5cc3d566708caf1aa2c0e842347

SHA1
52346ebc204cedee1f1f45e36da46267fc081ac7

SHA256
3245995a4d7417a8dffff27f416f8c2f8ae15eb9d8a57a6cd371f366f2c9b808

SHA512
08a65b118b791f537ae0d445a484889e57a6ae955917de92de79feef3ba01c52147824b5cc3d298d3413cb2ff140535e51182a63c1e4bef97dde3c0025634e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bf~WIN_8\download\download_engine.dll

Filesize
3.3MB

MD5
e164d5cc3d566708caf1aa2c0e842347

SHA1
52346ebc204cedee1f1f45e36da46267fc081ac7

SHA256
3245995a4d7417a8dffff27f416f8c2f8ae15eb9d8a57a6cd371f366f2c9b808

SHA512
08a65b118b791f537ae0d445a484889e57a6ae955917de92de79feef3ba01c52147824b5cc3d298d3413cb2ff140535e51182a63c1e4bef97dde3c0025634e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bf~WIN_8\download\download_engine.dll

Filesize
3.3MB

MD5
e164d5cc3d566708caf1aa2c0e842347

SHA1
52346ebc204cedee1f1f45e36da46267fc081ac7

SHA256
3245995a4d7417a8dffff27f416f8c2f8ae15eb9d8a57a6cd371f366f2c9b808

SHA512
08a65b118b791f537ae0d445a484889e57a6ae955917de92de79feef3ba01c52147824b5cc3d298d3413cb2ff140535e51182a63c1e4bef97dde3c0025634e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bf~WIN_8\download\id.dat

Filesize
40B

MD5
9975dc00355417396ea066d73d6998f1

SHA1
c7d6ab162d4f84e74fdef263bd56a733af311b89

SHA256
bb8acfb92ca5be89f50f15bfc7e1938cfb995a7b8928a15bc3419d223d13f3f4

SHA512
a40903545d03515ff8ba820d1edae2bcd3abc892ca8cae5a4fb85a93d1470e90ee82879a30b1ef6bb6793f2ce0539cbb84cb14b063f63180a347c3b271835387

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bf~WIN_8\download\msvcp71.dll

Filesize
492KB

MD5
a94dc60a90efd7a35c36d971e3ee7470

SHA1
f936f612bc779e4ba067f77514b68c329180a380

SHA256
6c483cbe349863c7dcf6f8cb7334e7d28c299e7d5aa063297ea2f62352f6bdd9

SHA512
ff6c41d56337cac074582002d60cbc57263a31480c67ee8999bc02fc473b331eefed93ee938718d297877cf48471c7512741b4aebc0636afc78991cdf6eddfab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bf~WIN_8\download\msvcr71.dll

Filesize
340KB

MD5
ca2f560921b7b8be1cf555a5a18d54c3

SHA1
432dbcf54b6f1142058b413a9d52668a2bde011d

SHA256
c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb

SHA512
23e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bf~WIN_8\download\zlib1.dll

Filesize
58KB

MD5
89f6488524eaa3e5a66c5f34f3b92405

SHA1
330f9f6da03ae96dfa77dd92aae9a294ead9c7f7

SHA256
bd29d2b1f930e4b660adf71606d1b9634188b7160a704a8d140cadafb46e1e56

SHA512
cfe72872c89c055d59d4de07a3a14cd84a7e0a12f166e018748b9674045b694793b6a08863e791be4f9095a34471fd6abe76828dc8c653be8c66923a5802b31e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bf~WIN_8\download\zlib1.dll

Filesize
58KB

MD5
89f6488524eaa3e5a66c5f34f3b92405

SHA1
330f9f6da03ae96dfa77dd92aae9a294ead9c7f7

SHA256
bd29d2b1f930e4b660adf71606d1b9634188b7160a704a8d140cadafb46e1e56

SHA512
cfe72872c89c055d59d4de07a3a14cd84a7e0a12f166e018748b9674045b694793b6a08863e791be4f9095a34471fd6abe76828dc8c653be8c66923a5802b31e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bf~WIN_8\xldl.dll

Filesize
282KB

MD5
69fa23f05b7200185eba28f8ee5c5d89

SHA1
247bc859c90175d94d397f96af896168516af861

SHA256
62a7dacc4f1614995c2121e308de94418768571b80b8cdf1f80a2b0050df2567

SHA512
a5b6c8852c0a06d84bde38e4b460df3a8df6c59ad00f0e5926af511af15e12b72e8c2de2695de32b630203ded7ae503c60ae5f567780f58d77dc8e0c16e2ec04

Download Submit
memory/4920-150-0x00000000026C0000-0x0000000002A1C000-memory.dmp

Filesize
3.4MB

Download
memory/4920-146-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4920-141-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4920-133-0x0000000000000000-mapping.dmp

Download
memory/4920-158-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download