81864cbd415a37f260aae2ecefc1f919aae37aa0d2d906fc5ab5f63bbef788f1

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
28/12/2023, 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc821610eefe4ef341e645ee232b99d1.exe
Size

44KB
MD5

fc821610eefe4ef341e645ee232b99d1
SHA1

6807226c73f80eaecfe3af69ea946c58a6e168de
SHA256

81864cbd415a37f260aae2ecefc1f919aae37aa0d2d906fc5ab5f63bbef788f1
SHA512

374670c76464f62cba3d6a312e34310a29f0d4bc10a295fba0b4c267a15a0297a17419844b610f6a292d9dd91c91c818b44fef22a89386d29db349a4b2859503
SSDEEP

768:1vopAPmXWUeXkN3Zg3OXKnHSG69Enlne0C2udLUeJs3Q:dJsTDdWnrrz3Q

Score

10^/10

adware persistence stealer

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ThunderAdvise = "{97421D0D-E07F-40DF-8F07-99597B9585AD}"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\259393642ErrorControl\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\dump_wmimmc.sys"	fc821610eefe4ef341e645ee232b99d1.exe

Deletes itself 1 IoCs

pid	Process
1132	cmd.exe

Loads dropped DLL 4 IoCs

pid	Process
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{97421D0D-E07F-40DF-8F07-99597B9585AD}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{97421D0D-E07F-40DF-8F07-99597B9585AD}\ = "ThunderAdvise"	rundll32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Downloaded Program Files\ThunderAdvise.dll	fc821610eefe4ef341e645ee232b99d1.exe

Modifies registry class 46 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DEEF6582-9927-4CBD-897C-6A1F9E8C47DE}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97421D0D-E07F-40DF-8F07-99597B9585AD}\ProgID	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97421D0D-E07F-40DF-8F07-99597B9585AD}\VersionIndependentProgID\ = "ThunderAdvise.ThunderHlpObj"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97421D0D-E07F-40DF-8F07-99597B9585AD}\TypeLib\ = "{6D4C7E08-E021-414C-A42D-AB15A2302196}"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D4C7E08-E021-414C-A42D-AB15A2302196}\1.0\0\win32\ = "C:\\Windows\\Downloaded Program Files\\ThunderAdvise.dll"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D4C7E08-E021-414C-A42D-AB15A2302196}\1.0\HELPDIR	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D4C7E08-E021-414C-A42D-AB15A2302196}\1.0\HELPDIR\ = "C:\\Windows\\Downloaded Program Files"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97421D0D-E07F-40DF-8F07-99597B9585AD}\ = "ThunderHlpObj Class"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D4C7E08-E021-414C-A42D-AB15A2302196}\1.0\0	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DEEF6582-9927-4CBD-897C-6A1F9E8C47DE}\ = "IThunderHlpObj"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DEEF6582-9927-4CBD-897C-6A1F9E8C47DE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DEEF6582-9927-4CBD-897C-6A1F9E8C47DE}\TypeLib\ = "{6D4C7E08-E021-414C-A42D-AB15A2302196}"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97421D0D-E07F-40DF-8F07-99597B9585AD}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97421D0D-E07F-40DF-8F07-99597B9585AD}\InprocServer32\ = "C:\\Windows\\Downloaded Program Files\\ThunderAdvise.dll"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97421D0D-E07F-40DF-8F07-99597B9585AD}\TypeLib	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DEEF6582-9927-4CBD-897C-6A1F9E8C47DE}\TypeLib	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97421D0D-E07F-40DF-8F07-99597B9585AD}\ProgID\ = "ThunderAdvise.ThunderHlpObj.1"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97421D0D-E07F-40DF-8F07-99597B9585AD}\VersionIndependentProgID	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97421D0D-E07F-40DF-8F07-99597B9585AD}\Programmable	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D4C7E08-E021-414C-A42D-AB15A2302196}\1.0\FLAGS\ = "0"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ThunderAdvise.ThunderHlpObj	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ThunderAdvise.ThunderHlpObj\CurVer\ = "ThunderAdvise.ThunderHlpObj.1"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D4C7E08-E021-414C-A42D-AB15A2302196}\1.0\ = "ThunderAdvise 1.0 Type Library"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D4C7E08-E021-414C-A42D-AB15A2302196}\1.0\0\win32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DEEF6582-9927-4CBD-897C-6A1F9E8C47DE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DEEF6582-9927-4CBD-897C-6A1F9E8C47DE}\TypeLib\ = "{6D4C7E08-E021-414C-A42D-AB15A2302196}"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DEEF6582-9927-4CBD-897C-6A1F9E8C47DE}\ = "IThunderHlpObj"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DEEF6582-9927-4CBD-897C-6A1F9E8C47DE}\TypeLib\Version = "1.0"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ThunderAdvise.ThunderHlpObj.1	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ThunderAdvise.ThunderHlpObj\CLSID	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ThunderAdvise.ThunderHlpObj\CLSID\ = "{97421D0D-E07F-40DF-8F07-99597B9585AD}"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D4C7E08-E021-414C-A42D-AB15A2302196}\1.0	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DEEF6582-9927-4CBD-897C-6A1F9E8C47DE}\ProxyStubClsid32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DEEF6582-9927-4CBD-897C-6A1F9E8C47DE}\TypeLib\Version = "1.0"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ThunderAdvise.ThunderHlpObj.1\CLSID	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ThunderAdvise.ThunderHlpObj.1\CLSID\ = "{97421D0D-E07F-40DF-8F07-99597B9585AD}"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ThunderAdvise.ThunderHlpObj\ = "ThunderHlpObj Class"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97421D0D-E07F-40DF-8F07-99597B9585AD}\InprocServer32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D4C7E08-E021-414C-A42D-AB15A2302196}\1.0\FLAGS	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DEEF6582-9927-4CBD-897C-6A1F9E8C47DE}\TypeLib	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ThunderAdvise.ThunderHlpObj.1\ = "ThunderHlpObj Class"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ThunderAdvise.ThunderHlpObj\CurVer	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97421D0D-E07F-40DF-8F07-99597B9585AD}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6D4C7E08-E021-414C-A42D-AB15A2302196}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DEEF6582-9927-4CBD-897C-6A1F9E8C47DE}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DEEF6582-9927-4CBD-897C-6A1F9E8C47DE}\ProxyStubClsid32	rundll32.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2888	fc821610eefe4ef341e645ee232b99d1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2888	fc821610eefe4ef341e645ee232b99d1.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2084	2888	fc821610eefe4ef341e645ee232b99d1.exe	28
PID 2888 wrote to memory of 2084	2888	fc821610eefe4ef341e645ee232b99d1.exe	28
PID 2888 wrote to memory of 2084	2888	fc821610eefe4ef341e645ee232b99d1.exe	28
PID 2888 wrote to memory of 2084	2888	fc821610eefe4ef341e645ee232b99d1.exe	28
PID 2888 wrote to memory of 2084	2888	fc821610eefe4ef341e645ee232b99d1.exe	28
PID 2888 wrote to memory of 2084	2888	fc821610eefe4ef341e645ee232b99d1.exe	28
PID 2888 wrote to memory of 2084	2888	fc821610eefe4ef341e645ee232b99d1.exe	28
PID 2888 wrote to memory of 1132	2888	fc821610eefe4ef341e645ee232b99d1.exe	29
PID 2888 wrote to memory of 1132	2888	fc821610eefe4ef341e645ee232b99d1.exe	29
PID 2888 wrote to memory of 1132	2888	fc821610eefe4ef341e645ee232b99d1.exe	29
PID 2888 wrote to memory of 1132	2888	fc821610eefe4ef341e645ee232b99d1.exe	29
PID 2888 wrote to memory of 1132	2888	fc821610eefe4ef341e645ee232b99d1.exe	29
PID 2888 wrote to memory of 1132	2888	fc821610eefe4ef341e645ee232b99d1.exe	29
PID 2888 wrote to memory of 1132	2888	fc821610eefe4ef341e645ee232b99d1.exe	29

C:\Users\Admin\AppData\Local\Temp\fc821610eefe4ef341e645ee232b99d1.exe
"C:\Users\Admin\AppData\Local\Temp\fc821610eefe4ef341e645ee232b99d1.exe"
1⤵
- Sets service image path in registry
- Drops file in Windows directory
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 "C:\Windows\Downloaded Program Files\ThunderAdvise.dll",MainProc
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:2084
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\\uninstall.bat"
  2⤵
  - Deletes itself
  PID:1132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\uninstall.bat

Filesize
231B

MD5
5bf5a4b1e8a6d7b9133d09f3fcd63de0

SHA1
90a9f90bec6193b140bfbb7612285ce0b875264e

SHA256
552794b8b5fe929f0ec94cc611fbd69f3b5c27163ec480b4465aba4d0ae82977

SHA512
1be7c58dc6350e46e97205c36f8905e1b6973f383f038fe8b301eab5b59d379845396814da1bab2aa9d16aa894bd60ec6fcb964f50cca14bf3d73f2b4e87a07c

Download Submit
\Windows\Downloaded Program Files\ThunderAdvise.dll

Filesize
44KB

MD5
03f78e67da84f5ca0f8f96003758e921

SHA1
14ad4beead2f87685ccfdc90856ed755bd0ae7cd

SHA256
5f3c9450385956583df4c4194601ad2bbc885325fb08508e629adf455899bf15

SHA512
58b626c6b2f6a921131770d5877a9d127ec39d960e08cae85ec8fa895874a5315ab7a018e2786d6b7a8af6aac67a46a3d938dc737445d99e4ce7a514cc7a561e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads