48ff270e95a70781d3713f575ad17f72531b267f7b78605e892a838274f680b2

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
18/11/2023, 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48ff270e95a70781d3713f575ad17f72531b267f7b78605e892a838274f680b2.exe
Size

169KB
MD5

aa250f3849e9648c1638692c2102c162
SHA1

b385df78db5e97d7eadfa15cd0bb43ea23bc0743
SHA256

48ff270e95a70781d3713f575ad17f72531b267f7b78605e892a838274f680b2
SHA512

980633a4041d29b6cb679d94d125a1fb8a77209ad782b59cdba7fc81ca5ead3954a75fd68304b7a99a97764a4bd9f5c80c0ba22bb0bbab4c9920125f4b3c9e24
SSDEEP

3072:AYiTpXEq7ndNiDDdwcwqKSncs4lzBAJ2BM5s4P:AYsrnLiDDKTs4lmJ2BM1

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Thunder Network\Thunder\run.vbs	48ff270e95a70781d3713f575ad17f72531b267f7b78605e892a838274f680b2.exe
File opened for modification	C:\Program Files (x86)\Thunder Network\Thunder\run.vbs	48ff270e95a70781d3713f575ad17f72531b267f7b78605e892a838274f680b2.exe
File created	C:\Program Files (x86)\Thunder Network\Thunder\卸载.bat	48ff270e95a70781d3713f575ad17f72531b267f7b78605e892a838274f680b2.exe
File opened for modification	C:\Program Files (x86)\Thunder Network\Thunder\卸载.bat	48ff270e95a70781d3713f575ad17f72531b267f7b78605e892a838274f680b2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2688	2876	48ff270e95a70781d3713f575ad17f72531b267f7b78605e892a838274f680b2.exe	28
PID 2876 wrote to memory of 2688	2876	48ff270e95a70781d3713f575ad17f72531b267f7b78605e892a838274f680b2.exe	28
PID 2876 wrote to memory of 2688	2876	48ff270e95a70781d3713f575ad17f72531b267f7b78605e892a838274f680b2.exe	28
PID 2876 wrote to memory of 2688	2876	48ff270e95a70781d3713f575ad17f72531b267f7b78605e892a838274f680b2.exe	28

C:\Users\Admin\AppData\Local\Temp\48ff270e95a70781d3713f575ad17f72531b267f7b78605e892a838274f680b2.exe
"C:\Users\Admin\AppData\Local\Temp\48ff270e95a70781d3713f575ad17f72531b267f7b78605e892a838274f680b2.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files (x86)\Thunder Network\Thunder\run.vbs"
  2⤵
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Thunder Network\Thunder\run.vbs

Filesize
160B

MD5
53d942f5744323de892bd5de39e99743

SHA1
8aa68e4e1fdf38ca3a64d13c0981628d1e3c9f12

SHA256
a40cdb9173ec67a90f7464dc1b306f9796fa8526577f65c7f7c12cb4a1cc94b0

SHA512
ae917cf0b1dbbd8c261cbb4ad14edac61260257cb385256e0773e22ebfae2357162ccbdda5ef54e60d7de9db62799d7450c1268b1aa27abdcd886b5b7773dd5a

Download Submit
memory/2876-1-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2876-9-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download