e1b75ed8f7a7ea7b6516014a823947fae337c902e9913f96ab849d79b994583e

Analysis

max time kernel
39s
max time network
124s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
18/03/2023, 10:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1b75ed8f7a7ea7b6516014a823947fae337c902e9913f96ab849d79b994583e.exe
Size

5.2MB
MD5

4895fcba3d5327ef60c74358aa8f8ee2
SHA1

18d4981345c20487e9d7187b096f054e2e115c59
SHA256

e1b75ed8f7a7ea7b6516014a823947fae337c902e9913f96ab849d79b994583e
SHA512

d1996dbbbc842adfed4d346d18f5e06a24cc1ce3bbfffce311438d55afa1865ffed67fab685e7cfb8d8abfd55b7d76aec031f1a11456a42258d0530fafbf92e0
SSDEEP

98304:8XWL95fDN2hWVYc0wR5rhRNb0cE+SA8tNmef9ycNBg8RCkR5:8XWLNuWac0sHRWcfbQAIxf9IK

Score

8^/10

bootkit evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1588	netsh.exe

Loads dropped DLL 1 IoCs

pid	Process
1992	e1b75ed8f7a7ea7b6516014a823947fae337c902e9913f96ab849d79b994583e.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	e1b75ed8f7a7ea7b6516014a823947fae337c902e9913f96ab849d79b994583e.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	e1b75ed8f7a7ea7b6516014a823947fae337c902e9913f96ab849d79b994583e.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	e1b75ed8f7a7ea7b6516014a823947fae337c902e9913f96ab849d79b994583e.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 1588	1992	e1b75ed8f7a7ea7b6516014a823947fae337c902e9913f96ab849d79b994583e.exe	28
PID 1992 wrote to memory of 1588	1992	e1b75ed8f7a7ea7b6516014a823947fae337c902e9913f96ab849d79b994583e.exe	28
PID 1992 wrote to memory of 1588	1992	e1b75ed8f7a7ea7b6516014a823947fae337c902e9913f96ab849d79b994583e.exe	28
PID 1992 wrote to memory of 1588	1992	e1b75ed8f7a7ea7b6516014a823947fae337c902e9913f96ab849d79b994583e.exe	28

C:\Users\Admin\AppData\Local\Temp\e1b75ed8f7a7ea7b6516014a823947fae337c902e9913f96ab849d79b994583e.exe
"C:\Users\Admin\AppData\Local\Temp\e1b75ed8f7a7ea7b6516014a823947fae337c902e9913f96ab849d79b994583e.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name="DownloadSDKServer" dir=in action=allow program=C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.3.2054\SDK\DownloadSDKServer.exe enable=yes
  2⤵
  - Modifies Windows Firewall
  PID:1588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Thunder Network\DownloadLib\pub_store.dat

Filesize
121B

MD5
320dcb888093cc265a4bffb5655ed6b5

SHA1
6b6cb25b925908ac5e8eab9b1ec84f255a6ce81c

SHA256
8961e3ee46e3fe673a8c171d91966799e1ce2d8d82b13c0ca63689452fd1c77d

SHA512
b9171d602a4682c01141385d70f1d07defbece1aaf216c960da3266f32dac7813acfc9bb982be5f3880446c865ee2e0ff9be7b6d70eee10e5028a444fe0b52e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.3.2054\OnlineResource\resource\[email protected]

Filesize
2KB

MD5
f350f4bb9cea348bc42eafdfd7f52182

SHA1
02a8fea0deac529d362a31969f7c8fc27bfcce3d

SHA256
3885706db8c031d804e7eeb87ec8a3826dbb407a103ce15b347bf33ae41f5c52

SHA512
708c23c67e00afe4387200efd1a313988546de0b13fd7d757b1d13bd1680ba29e585cdda159c705239e8520a57ecb4bbf35727c9be9e123aad81c76c4299ca70

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.3.2054\OnlineResource\resource\[email protected]

Filesize
2KB

MD5
c5e7f2e6b187e5b4e5e4ad304e5f140e

SHA1
3f3fb5c143af1812e1e169ef4f4f88c95522c76c

SHA256
4ec810b1c88a36e61b16e9b24853a6c843935ca0d46fc68cbadd79719bf3bf76

SHA512
2cc0b0aba250342a2aa048c4b39273618af6145316cd40131415d89cc0ab2ba91a974d5a1ac9f6888bb84cf92b5340ece1c859c4f625eddafdab3b1c39806820

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.3.2054\OnlineResource\resource\install_bkg.png

Filesize
45KB

MD5
68a017c094dc1dcd136e6f2677e41848

SHA1
3ebba5af4ddeeaea06942bf1ed5e11014ec3994c

SHA256
6132f8b3d88cc71932332d18778c4bea460f7d0d7a08cd9f25b033300efbc595

SHA512
99030b787c9c18ed01a24772633bbcf431171a831cb4e281ac1dfd20845c496922e55877634e7eca7ad303adf8989c571fe8ee2220504dd10074cacd67f0726f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.3.2054\OnlineResource\resource\[email protected]

Filesize
2KB

MD5
8df00ad52e2964cf24843502b66d15c2

SHA1
06249b51a09df4e2bdaf6bfe27a8474dde105d2a

SHA256
0880a80a3a8e89092dcc65bff5bf63a044c3a8763f543adea5bf3f027a125716

SHA512
e09a539e232ba37de09ecfb7e6558354b6d233d790074f291136f7c168d5f58bb77bf6c065a63f87d3732ce3dc1eb526a8e54bd546872c0c0e6a17645e3e5be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.3.2054\OnlineResource\resource\[email protected]

Filesize
37KB

MD5
cb8dc16b59722999e762558ac0afce45

SHA1
17673bbecb6a999073dffab34b73009c13cece24

SHA256
a92b1cac68378fcaef9d46be0f8e1f4b6d5ca3de30b4ec26bdc30eff3f6b3051

SHA512
381df44b51001f1bc213a9c224e1fe3fbe270b80a332a9655e2aafbef3229227c0672a541f405a66c68796f4c8380053b02daf35694115226b178b4641054d81

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.3.2054\OnlineResource\resource\[email protected]

Filesize
514B

MD5
83e7f0808802d4aefaba3ecbb87460b2

SHA1
f669f175562aae608f2a307d8c4b8a327b56de2a

SHA256
8d528e66094e298c9542215823363b66516a33a6bf8490b2122e74151b567dab

SHA512
c552181fdf3899336a5d5a2a5541c7c666e3ab0276563007c56a8e878386c6178024d30f7fe8b0bf75ece6ad371c553666e2bd09f935891db5741d23d3fba253

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.3.2054\OnlineResource\resource\[email protected]

Filesize
1KB

MD5
e242c73869a1c02d57a46dcd0ac50cbc

SHA1
b332bf954f7e90291416ff30085cb84c3bc3c603

SHA256
a2fe60fe06ce387f0ae59dff7ddf310818f8c2d58336501987064bbe3afa9893

SHA512
4434b63314d1afe911e38632c730ce5d5b618816dded7986e1b61ecafcdad359868586a43284a1cb7f6f58f15219488680b1a69215d21dc98b171d2d4017adc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.3.2054\OnlineResource\resource\[email protected]

Filesize
1020B

MD5
043b6f91f1716b40fa718ef0f53d1223

SHA1
6ca9eef90f4734484faea2612f8466312e3fc77c

SHA256
06c8277deafecf8193727acb23636013e6d6dc7cc2e9b3e6ea02ca4f140b01be

SHA512
be8c849374c199462e107c46c213759604b8edd14ecab437acb7387eed3ebc6d44469368f3a77081917fcf4a34d8662ac7e827ec21d9d5aecb5dab1d1ae58503

Download Submit
\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.3.2054\OnlineResource\InstallEntry.dll

Filesize
1.0MB

MD5
3e6418f54fceaa7a268a971a4a08ba37

SHA1
67f6a4845c240016d2314ab300adb0dae11d2f56

SHA256
bdf15bcc32ed4522a1fe0dcb4c79882daf5bddbccf053545b4b9560f09cffadc

SHA512
2b0ed54d5e182d2accd67d9f484986e297afc9a0df8807ec4feb274198f924036a9d1e3dc567107bb437279262be8b7611b29dbedeea06530a87edddc2c1768f

Download Submit
memory/1992-108-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download