bdca2298fb4790b0f4495f187f9e40c8ea09d6e5f7ec8268939dbb5f050003a9

Analysis

max time kernel
164s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19/01/2024, 00:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

66705e2f337c1cbfc92b0082bc1d1c0d.exe
Size

84KB
MD5

66705e2f337c1cbfc92b0082bc1d1c0d
SHA1

221f47b853868e0b35694b7650c7220f99e410c2
SHA256

bdca2298fb4790b0f4495f187f9e40c8ea09d6e5f7ec8268939dbb5f050003a9
SHA512

35adf6138984470d8ffdb8a81371d162178e720dd8bccc7058697ff2acfdcd191887f7d376e91aa6d13be215b847f39b2b53b235d5600ab81e67f422cefeaace
SSDEEP

1536:xQQHwnG7UCYnKZcCvMHRAqlhOx+V3fbcyd1:xFQnG7UCMQcCvMlOx+V33d1

Score

8^/10

evasion

Malware Config

Signatures

Sets file to hidden 1 TTPs 32 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1520	attrib.exe
4880	attrib.exe
4216	attrib.exe
4988	attrib.exe
1608	attrib.exe
2040	attrib.exe
4436	attrib.exe
2060	attrib.exe
2404	attrib.exe
1128	attrib.exe
668	attrib.exe
2540	attrib.exe
2808	attrib.exe
2144	attrib.exe
2500	attrib.exe
60	attrib.exe
3608	attrib.exe
3728	attrib.exe
3764	attrib.exe
2512	attrib.exe
452	attrib.exe
1828	attrib.exe
3488	attrib.exe
2844	attrib.exe
3284	attrib.exe
5104	attrib.exe
4024	attrib.exe
3544	attrib.exe
2540	attrib.exe
4872	attrib.exe
2760	attrib.exe
752	attrib.exe

Executes dropped EXE 32 IoCs

pid	Process
3068	MYThunder.exe
4896	MYThunder.exe
2156	MYThunder.exe
4344	MYThunder.exe
1636	MYThunder.exe
1320	MYThunder.exe
544	MYThunder.exe
2628	MYThunder.exe
1172	MYThunder.exe
2224	MYThunder.exe
4616	MYThunder.exe
4604	MYThunder.exe
4876	MYThunder.exe
2392	MYThunder.exe
4528	MYThunder.exe
4264	MYThunder.exe
4084	MYThunder.exe
4856	MYThunder.exe
1568	MYThunder.exe
1536	MYThunder.exe
2136	MYThunder.exe
4876	MYThunder.exe
2392	MYThunder.exe
3156	MYThunder.exe
544	MYThunder.exe
4356	MYThunder.exe
236	MYThunder.exe
3368	MYThunder.exe
3036	MYThunder.exe
2184	MYThunder.exe
1432	MYThunder.exe
4136	MYThunder.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MYThunder.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.dll	MYThunder.exe
File created	C:\Windows\SysWOW64\210.0489.bat	MYThunder.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.dll	MYThunder.exe
File created	C:\Windows\SysWOW64\104.4733.bat	MYThunder.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.dll	MYThunder.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.dll	MYThunder.exe
File created	C:\Windows\SysWOW64\241.0547.bat	MYThunder.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.exe	attrib.exe
File created	C:\Windows\SysWOW64\954.0826.bat	MYThunder.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.dll	MYThunder.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.dll	MYThunder.exe
File created	C:\Windows\SysWOW64\111.1719.bat	MYThunder.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.dll	MYThunder.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.dll	MYThunder.exe
File created	C:\Windows\SysWOW64\280.8496.bat	66705e2f337c1cbfc92b0082bc1d1c0d.exe
File created	C:\Windows\SysWOW64\223.2325.bat	MYThunder.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.dll	MYThunder.exe
File created	C:\Windows\SysWOW64\995.3424.bat	MYThunder.exe
File created	C:\Windows\SysWOW64\782.3145.bat	MYThunder.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.dll	MYThunder.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.dll	MYThunder.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.dll	MYThunder.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.exe	attrib.exe
File created	C:\Windows\SysWOW64\90.80141.bat	MYThunder.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.exe	attrib.exe
File created	C:\Windows\SysWOW64\763.0273.bat	MYThunder.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.dll	MYThunder.exe
File created	C:\Windows\SysWOW64\373.4247.bat	MYThunder.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.dll	MYThunder.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.dll	66705e2f337c1cbfc92b0082bc1d1c0d.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.dll	MYThunder.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.dll	MYThunder.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.dll	MYThunder.exe
File created	C:\Windows\SysWOW64\301.7389.bat	MYThunder.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.exe	cmd.exe
File created	C:\Windows\SysWOW64\420.9864.bat	MYThunder.exe
File created	C:\Windows\SysWOW64\163.5553.bat	MYThunder.exe
File created	C:\Windows\SysWOW64\793.7891.bat	MYThunder.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.dll	MYThunder.exe
File created	C:\Windows\SysWOW64\227.0319.bat	MYThunder.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.dll	MYThunder.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.dll	MYThunder.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MYThunder.dll	MYThunder.exe
File created	C:\Windows\SysWOW64\919.2773.bat	MYThunder.exe
File created	C:\Windows\SysWOW64\322.1094.bat	MYThunder.exe
File created	C:\Windows\SysWOW64\23.41861.bat	MYThunder.exe

Runs ping.exe 1 TTPs 33 IoCs

Remote System Discovery

T1018

pid	Process
3712	PING.EXE
2364	PING.EXE
1392	PING.EXE
456	PING.EXE
2688	PING.EXE
3284	PING.EXE
1640	PING.EXE
4268	PING.EXE
784	PING.EXE
2408	PING.EXE
848	PING.EXE
552	PING.EXE
4204	PING.EXE
4052	PING.EXE
4484	PING.EXE
4812	PING.EXE
3464	PING.EXE
2092	PING.EXE
4132	PING.EXE
4956	PING.EXE
816	PING.EXE
4584	PING.EXE
1460	PING.EXE
2184	PING.EXE
4932	PING.EXE
4964	PING.EXE
4856	PING.EXE
4664	PING.EXE
2184	PING.EXE
488	PING.EXE
4776	PING.EXE
1452	PING.EXE
584	PING.EXE

Suspicious use of SetWindowsHookEx 33 IoCs

pid	Process
4068	66705e2f337c1cbfc92b0082bc1d1c0d.exe
3068	MYThunder.exe
4896	MYThunder.exe
2156	MYThunder.exe
4344	MYThunder.exe
1636	MYThunder.exe
1320	MYThunder.exe
544	MYThunder.exe
2628	MYThunder.exe
1172	MYThunder.exe
2224	MYThunder.exe
4616	MYThunder.exe
4604	MYThunder.exe
4876	MYThunder.exe
2392	MYThunder.exe
4528	MYThunder.exe
4264	MYThunder.exe
4084	MYThunder.exe
4856	MYThunder.exe
1568	MYThunder.exe
1536	MYThunder.exe
2136	MYThunder.exe
4876	MYThunder.exe
2392	MYThunder.exe
3156	MYThunder.exe
544	MYThunder.exe
4356	MYThunder.exe
236	MYThunder.exe
3368	MYThunder.exe
3036	MYThunder.exe
2184	MYThunder.exe
1432	MYThunder.exe
4136	MYThunder.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 4640	4068	66705e2f337c1cbfc92b0082bc1d1c0d.exe	89
PID 4068 wrote to memory of 4640	4068	66705e2f337c1cbfc92b0082bc1d1c0d.exe	89
PID 4068 wrote to memory of 4640	4068	66705e2f337c1cbfc92b0082bc1d1c0d.exe	89
PID 4640 wrote to memory of 2184	4640	cmd.exe	91
PID 4640 wrote to memory of 2184	4640	cmd.exe	91
PID 4640 wrote to memory of 2184	4640	cmd.exe	91
PID 4640 wrote to memory of 4988	4640	cmd.exe	92
PID 4640 wrote to memory of 4988	4640	cmd.exe	92
PID 4640 wrote to memory of 4988	4640	cmd.exe	92
PID 4640 wrote to memory of 3068	4640	cmd.exe	93
PID 4640 wrote to memory of 3068	4640	cmd.exe	93
PID 4640 wrote to memory of 3068	4640	cmd.exe	93
PID 3068 wrote to memory of 3944	3068	MYThunder.exe	94
PID 3068 wrote to memory of 3944	3068	MYThunder.exe	94
PID 3068 wrote to memory of 3944	3068	MYThunder.exe	94
PID 3944 wrote to memory of 4484	3944	cmd.exe	96
PID 3944 wrote to memory of 4484	3944	cmd.exe	96
PID 3944 wrote to memory of 4484	3944	cmd.exe	96
PID 3944 wrote to memory of 1828	3944	cmd.exe	97
PID 3944 wrote to memory of 1828	3944	cmd.exe	97
PID 3944 wrote to memory of 1828	3944	cmd.exe	97
PID 3944 wrote to memory of 4896	3944	cmd.exe	98
PID 3944 wrote to memory of 4896	3944	cmd.exe	98
PID 3944 wrote to memory of 4896	3944	cmd.exe	98
PID 4896 wrote to memory of 1376	4896	MYThunder.exe	99
PID 4896 wrote to memory of 1376	4896	MYThunder.exe	99
PID 4896 wrote to memory of 1376	4896	MYThunder.exe	99
PID 1376 wrote to memory of 4812	1376	cmd.exe	101
PID 1376 wrote to memory of 4812	1376	cmd.exe	101
PID 1376 wrote to memory of 4812	1376	cmd.exe	101
PID 1376 wrote to memory of 60	1376	cmd.exe	102
PID 1376 wrote to memory of 60	1376	cmd.exe	102
PID 1376 wrote to memory of 60	1376	cmd.exe	102
PID 1376 wrote to memory of 2156	1376	cmd.exe	103
PID 1376 wrote to memory of 2156	1376	cmd.exe	103
PID 1376 wrote to memory of 2156	1376	cmd.exe	103
PID 2156 wrote to memory of 3876	2156	MYThunder.exe	104
PID 2156 wrote to memory of 3876	2156	MYThunder.exe	104
PID 2156 wrote to memory of 3876	2156	MYThunder.exe	104
PID 3876 wrote to memory of 3464	3876	cmd.exe	106
PID 3876 wrote to memory of 3464	3876	cmd.exe	106
PID 3876 wrote to memory of 3464	3876	cmd.exe	106
PID 3876 wrote to memory of 3544	3876	cmd.exe	107
PID 3876 wrote to memory of 3544	3876	cmd.exe	107
PID 3876 wrote to memory of 3544	3876	cmd.exe	107
PID 3876 wrote to memory of 4344	3876	cmd.exe	108
PID 3876 wrote to memory of 4344	3876	cmd.exe	108
PID 3876 wrote to memory of 4344	3876	cmd.exe	108
PID 4344 wrote to memory of 1732	4344	MYThunder.exe	109
PID 4344 wrote to memory of 1732	4344	MYThunder.exe	109
PID 4344 wrote to memory of 1732	4344	MYThunder.exe	109
PID 1732 wrote to memory of 2092	1732	cmd.exe	111
PID 1732 wrote to memory of 2092	1732	cmd.exe	111
PID 1732 wrote to memory of 2092	1732	cmd.exe	111
PID 1732 wrote to memory of 2540	1732	cmd.exe	112
PID 1732 wrote to memory of 2540	1732	cmd.exe	112
PID 1732 wrote to memory of 2540	1732	cmd.exe	112
PID 1732 wrote to memory of 1636	1732	cmd.exe	113
PID 1732 wrote to memory of 1636	1732	cmd.exe	113
PID 1732 wrote to memory of 1636	1732	cmd.exe	113
PID 1636 wrote to memory of 1508	1636	MYThunder.exe	114
PID 1636 wrote to memory of 1508	1636	MYThunder.exe	114
PID 1636 wrote to memory of 1508	1636	MYThunder.exe	114
PID 1508 wrote to memory of 784	1508	cmd.exe	116

Views/modifies file attributes 1 TTPs 32 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1128	attrib.exe
5104	attrib.exe
4216	attrib.exe
4988	attrib.exe
3608	attrib.exe
752	attrib.exe
3488	attrib.exe
2060	attrib.exe
4880	attrib.exe
2540	attrib.exe
3728	attrib.exe
2500	attrib.exe
668	attrib.exe
60	attrib.exe
2540	attrib.exe
3284	attrib.exe
2512	attrib.exe
4872	attrib.exe
452	attrib.exe
3764	attrib.exe
2404	attrib.exe
1828	attrib.exe
3544	attrib.exe
2040	attrib.exe
1608	attrib.exe
4024	attrib.exe
2844	attrib.exe
2144	attrib.exe
1520	attrib.exe
4436	attrib.exe
2808	attrib.exe
2760	attrib.exe

C:\Users\Admin\AppData\Local\Temp\66705e2f337c1cbfc92b0082bc1d1c0d.exe
"C:\Users\Admin\AppData\Local\Temp\66705e2f337c1cbfc92b0082bc1d1c0d.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\system32\280.8496.bat
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4640
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.1
    3⤵
    - Runs ping.exe
    PID:2184
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h "C:\Windows\system32\MYThunder.exe"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:4988
- - C:\Windows\SysWOW64\MYThunder.exe
    "C:\Windows\system32\MYThunder.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Windows\system32\373.4247.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3944
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.1
        5⤵
        Runs ping.exe
        
        PID:4484
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\MYThunder.exe"
        5⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:1828
    - - C:\Windows\SysWOW64\MYThunder.exe
        
        "C:\Windows\system32\MYThunder.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4896
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\185.9247.bat
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.1
        7⤵
        Runs ping.exe
        
        PID:4812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\MYThunder.exe"
        7⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:60
        
        C:\Windows\SysWOW64\MYThunder.exe
        
        "C:\Windows\system32\MYThunder.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\617.077.bat
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.1
        9⤵
        Runs ping.exe
        
        PID:3464
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\MYThunder.exe"
        9⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3544
        
        C:\Windows\SysWOW64\MYThunder.exe
        
        "C:\Windows\system32\MYThunder.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\420.9864.bat
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.1
        11⤵
        Runs ping.exe
        
        PID:2092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\MYThunder.exe"
        11⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2540
        
        C:\Windows\SysWOW64\MYThunder.exe
        
        "C:\Windows\system32\MYThunder.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\210.0489.bat
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.1
        13⤵
        Runs ping.exe
        
        PID:784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\MYThunder.exe"
        13⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:1608
        
        C:\Windows\SysWOW64\MYThunder.exe
        
        "C:\Windows\system32\MYThunder.exe"
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\793.7891.bat
        14⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.1
        15⤵
        Runs ping.exe
        
        PID:4956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\MYThunder.exe"
        15⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:2040
        
        C:\Windows\SysWOW64\MYThunder.exe
        
        "C:\Windows\system32\MYThunder.exe"
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\318.9356.bat
        16⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.1
        17⤵
        Runs ping.exe
        
        PID:2408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\MYThunder.exe"
        17⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3284
        
        C:\Windows\SysWOW64\MYThunder.exe
        
        "C:\Windows\system32\MYThunder.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\299.8926.bat
        18⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.1
        19⤵
        Runs ping.exe
        
        PID:848
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\MYThunder.exe"
        19⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:4436
        
        C:\Windows\SysWOW64\MYThunder.exe
        
        "C:\Windows\system32\MYThunder.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\590.4199.bat
        20⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.1
        21⤵
        Runs ping.exe
        
        PID:2688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\MYThunder.exe"
        21⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:2060
        
        C:\Windows\SysWOW64\MYThunder.exe
        
        "C:\Windows\system32\MYThunder.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\379.4825.bat
        22⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.1
        23⤵
        Runs ping.exe
        
        PID:2184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\MYThunder.exe"
        23⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:2512
        
        C:\Windows\SysWOW64\MYThunder.exe
        
        "C:\Windows\system32\MYThunder.exe"
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\919.2773.bat
        24⤵
        
        PID:456
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.1
        25⤵
        Runs ping.exe
        
        PID:552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\MYThunder.exe"
        25⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:3608
        
        C:\Windows\SysWOW64\MYThunder.exe
        
        "C:\Windows\system32\MYThunder.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\643.6426.bat
        26⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.1
        27⤵
        Runs ping.exe
        
        PID:816
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\MYThunder.exe"
        27⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:2808
        
        C:\Windows\SysWOW64\MYThunder.exe
        
        "C:\Windows\system32\MYThunder.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\683.4375.bat
        28⤵
        
        PID:372
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.1
        29⤵
        Runs ping.exe
        
        PID:3712
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\MYThunder.exe"
        29⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:2540
        
        C:\Windows\SysWOW64\MYThunder.exe
        
        "C:\Windows\system32\MYThunder.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\223.2325.bat
        30⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.1
        31⤵
        Runs ping.exe
        
        PID:4204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\MYThunder.exe"
        31⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:4872
        
        C:\Windows\SysWOW64\MYThunder.exe
        
        "C:\Windows\system32\MYThunder.exe"
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\763.0273.bat
        32⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.1
        33⤵
        Runs ping.exe
        
        PID:1392
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\MYThunder.exe"
        33⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:2760
        
        C:\Windows\SysWOW64\MYThunder.exe
        
        "C:\Windows\system32\MYThunder.exe"
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\241.0547.bat
        34⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.1
        35⤵
        Runs ping.exe
        
        PID:3284
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\MYThunder.exe"
        35⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2144
        
        C:\Windows\SysWOW64\MYThunder.exe
        
        "C:\Windows\system32\MYThunder.exe"
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\782.3145.bat
        36⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.1
        37⤵
        Runs ping.exe
        
        PID:2364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\MYThunder.exe"
        37⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:752
        
        C:\Windows\SysWOW64\MYThunder.exe
        
        "C:\Windows\system32\MYThunder.exe"
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\322.1094.bat
        38⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.1
        39⤵
        Runs ping.exe
        
        PID:4932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\MYThunder.exe"
        39⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3728
        
        C:\Windows\SysWOW64\MYThunder.exe
        
        "C:\Windows\system32\MYThunder.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\111.1719.bat
        40⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.1
        41⤵
        Runs ping.exe
        
        PID:4132
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\MYThunder.exe"
        41⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:1128
        
        C:\Windows\SysWOW64\MYThunder.exe
        
        "C:\Windows\system32\MYThunder.exe"
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\477.8711.bat
        42⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.1
        43⤵
        Runs ping.exe
        
        PID:488
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\MYThunder.exe"
        43⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3488
        
        C:\Windows\SysWOW64\MYThunder.exe
        
        "C:\Windows\system32\MYThunder.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\717.9987.bat
        44⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.1
        45⤵
        Runs ping.exe
        
        PID:1640
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\MYThunder.exe"
        45⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:1520
        
        C:\Windows\SysWOW64\MYThunder.exe
        
        "C:\Windows\system32\MYThunder.exe"
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\301.7389.bat
        46⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.1
        47⤵
        Runs ping.exe
        
        PID:4584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\MYThunder.exe"
        47⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:452
        
        C:\Windows\SysWOW64\MYThunder.exe
        
        "C:\Windows\system32\MYThunder.exe"
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\90.80141.bat
        48⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.1
        49⤵
        Runs ping.exe
        
        PID:4776
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\MYThunder.exe"
        49⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2844
        
        C:\Windows\SysWOW64\MYThunder.exe
        
        "C:\Windows\system32\MYThunder.exe"
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\23.41861.bat
        50⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.1
        51⤵
        Runs ping.exe
        
        PID:4268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\MYThunder.exe"
        51⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:4880
        
        C:\Windows\SysWOW64\MYThunder.exe
        
        "C:\Windows\system32\MYThunder.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\64.67837.bat
        52⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.1
        53⤵
        Runs ping.exe
        
        PID:1452
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\MYThunder.exe"
        53⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5104
        
        C:\Windows\SysWOW64\MYThunder.exe
        
        "C:\Windows\system32\MYThunder.exe"
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\104.4733.bat
        54⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.1
        55⤵
        Runs ping.exe
        
        PID:4052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\MYThunder.exe"
        55⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4216
        
        C:\Windows\SysWOW64\MYThunder.exe
        
        "C:\Windows\system32\MYThunder.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\395.0006.bat
        56⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.1
        57⤵
        Runs ping.exe
        
        PID:584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\MYThunder.exe"
        57⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:3764
        
        C:\Windows\SysWOW64\MYThunder.exe
        
        "C:\Windows\system32\MYThunder.exe"
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:3368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\873.028.bat
        58⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.1
        59⤵
        Runs ping.exe
        
        PID:4856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\MYThunder.exe"
        59⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2404
        
        C:\Windows\SysWOW64\MYThunder.exe
        
        "C:\Windows\system32\MYThunder.exe"
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\163.5553.bat
        60⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.1
        61⤵
        Runs ping.exe
        
        PID:4964
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\MYThunder.exe"
        61⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:2500
        
        C:\Windows\SysWOW64\MYThunder.exe
        
        "C:\Windows\system32\MYThunder.exe"
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\954.0826.bat
        62⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.1
        63⤵
        Runs ping.exe
        
        PID:1460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\MYThunder.exe"
        63⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:668
        
        C:\Windows\SysWOW64\MYThunder.exe
        
        "C:\Windows\system32\MYThunder.exe"
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\995.3424.bat
        64⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.1
        65⤵
        Runs ping.exe
        
        PID:4664
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Windows\system32\MYThunder.exe"
        65⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:4024
        
        C:\Windows\SysWOW64\MYThunder.exe
        
        "C:\Windows\system32\MYThunder.exe"
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\227.0319.bat
        66⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.1
        67⤵
        Runs ping.exe
        
        PID:456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\280.8496.bat

Filesize
311B

MD5
1c9048fc7805ab67f69dcfa18bfe912b

SHA1
54c0237af024fc2fbf0b6105a78ab31e3c31244b

SHA256
908add401d7a561fd3ba1c7560631ca084d1206692ae8145dfc0bcc752929368

SHA512
4162300c95b000651d4b3692a0f9f98347e7295304871757b31fa189707a068d9b64c7a2d2f7ac1cf9b0b45d80fdc267078363b727a756c3fa57a73e71bf965d

Download Submit
C:\Windows\SysWOW64\373.4247.bat

Filesize
237B

MD5
c0ea8e4f6bff2b368876aae30e5b9133

SHA1
60752e2339f9595484a633921f6a41ca96851614

SHA256
78a469841695afd4cef2c5656bafe2bc328dbf9c181a31a676daad391e8d2a8d

SHA512
5aaf2b9913f95a5e371c70731e33ee09cb2d874ea2afbba92112481e39b3e58f84017234b3ac4df09d2532a22da8c7eef53045d6c1b24168ef906c1c5edb10fc

Download Submit
C:\Windows\SysWOW64\MYThunder.dll

Filesize
40KB

MD5
d7e2d8bb3274c718d168b871a34c3915

SHA1
46b0119255f6eb229efda2e5509f6e8437bace61

SHA256
7128af1d5903e332900a2ecbe8bc6fa9194968dfc7150d38d7adb7b8bf8a1a34

SHA512
0cc1eca7af98fc9cfd1a73fdd6fd786a595193b647dc6235d86660d5d3088f68eb6cc31a4f0ddb8388525aab3fe167b8bfa25a499aedf145264cdc9730e747cd

Download Submit
C:\Windows\SysWOW64\MYThunder.exe

Filesize
84KB

MD5
66705e2f337c1cbfc92b0082bc1d1c0d

SHA1
221f47b853868e0b35694b7650c7220f99e410c2

SHA256
bdca2298fb4790b0f4495f187f9e40c8ea09d6e5f7ec8268939dbb5f050003a9

SHA512
35adf6138984470d8ffdb8a81371d162178e720dd8bccc7058697ff2acfdcd191887f7d376e91aa6d13be215b847f39b2b53b235d5600ab81e67f422cefeaace

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads