817d9a8b5805b7a06b488db7f43d42529b9814936ced55a66b15687b1c58e94e

General

Target

c7053bdef48425f6bd01b2a33aa63cab.exe
Size

38KB
MD5

c7053bdef48425f6bd01b2a33aa63cab
SHA1

c5b73cdd845cbc94c127c67bb8d6eda75ece2d9c
SHA256

817d9a8b5805b7a06b488db7f43d42529b9814936ced55a66b15687b1c58e94e
SHA512

22bca871fb8ef4976152fab30ec9e79f607a02ec3ed251749ee7a792b6906e860c503f522bd56b40458e31efc3ee9f002a63d745e79eb6da67357da832e4c7dd
SSDEEP

768:cvCsiQNghYML057aeoaMxNTjQsVuZLmFL5FYNwGfowjuWKGz1:cvCQ4057hoaMxNHXVaLmLGAqjLp

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	c7053bdef48425f6bd01b2a33aa63cab.exe

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thunder5.exe	c7053bdef48425f6bd01b2a33aa63cab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thunder5.exe\Debugger = "svchost.exe"	c7053bdef48425f6bd01b2a33aa63cab.exe

Enumerates connected drives 3 TTPs 20 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	c7053bdef48425f6bd01b2a33aa63cab.exe
File opened (read-only)	\??\V:	c7053bdef48425f6bd01b2a33aa63cab.exe
File opened (read-only)	\??\W:	c7053bdef48425f6bd01b2a33aa63cab.exe
File opened (read-only)	\??\G:	c7053bdef48425f6bd01b2a33aa63cab.exe
File opened (read-only)	\??\J:	c7053bdef48425f6bd01b2a33aa63cab.exe
File opened (read-only)	\??\N:	c7053bdef48425f6bd01b2a33aa63cab.exe
File opened (read-only)	\??\P:	c7053bdef48425f6bd01b2a33aa63cab.exe
File opened (read-only)	\??\R:	c7053bdef48425f6bd01b2a33aa63cab.exe
File opened (read-only)	\??\U:	c7053bdef48425f6bd01b2a33aa63cab.exe
File opened (read-only)	\??\E:	c7053bdef48425f6bd01b2a33aa63cab.exe
File opened (read-only)	\??\M:	c7053bdef48425f6bd01b2a33aa63cab.exe
File opened (read-only)	\??\X:	c7053bdef48425f6bd01b2a33aa63cab.exe
File opened (read-only)	\??\L:	c7053bdef48425f6bd01b2a33aa63cab.exe
File opened (read-only)	\??\Q:	c7053bdef48425f6bd01b2a33aa63cab.exe
File opened (read-only)	\??\K:	c7053bdef48425f6bd01b2a33aa63cab.exe
File opened (read-only)	\??\O:	c7053bdef48425f6bd01b2a33aa63cab.exe
File opened (read-only)	\??\S:	c7053bdef48425f6bd01b2a33aa63cab.exe
File opened (read-only)	\??\Y:	c7053bdef48425f6bd01b2a33aa63cab.exe
File opened (read-only)	\??\H:	c7053bdef48425f6bd01b2a33aa63cab.exe
File opened (read-only)	\??\I:	c7053bdef48425f6bd01b2a33aa63cab.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\1	c7053bdef48425f6bd01b2a33aa63cab.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2792	c7053bdef48425f6bd01b2a33aa63cab.exe
2792	c7053bdef48425f6bd01b2a33aa63cab.exe
2792	c7053bdef48425f6bd01b2a33aa63cab.exe
2792	c7053bdef48425f6bd01b2a33aa63cab.exe
2792	c7053bdef48425f6bd01b2a33aa63cab.exe
2792	c7053bdef48425f6bd01b2a33aa63cab.exe
2792	c7053bdef48425f6bd01b2a33aa63cab.exe
2792	c7053bdef48425f6bd01b2a33aa63cab.exe
2792	c7053bdef48425f6bd01b2a33aa63cab.exe
2792	c7053bdef48425f6bd01b2a33aa63cab.exe
2792	c7053bdef48425f6bd01b2a33aa63cab.exe
2792	c7053bdef48425f6bd01b2a33aa63cab.exe
2792	c7053bdef48425f6bd01b2a33aa63cab.exe
2792	c7053bdef48425f6bd01b2a33aa63cab.exe
2792	c7053bdef48425f6bd01b2a33aa63cab.exe
2792	c7053bdef48425f6bd01b2a33aa63cab.exe
2792	c7053bdef48425f6bd01b2a33aa63cab.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
480	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2792	c7053bdef48425f6bd01b2a33aa63cab.exe

C:\Users\Admin\AppData\Local\Temp\c7053bdef48425f6bd01b2a33aa63cab.exe
"C:\Users\Admin\AppData\Local\Temp\c7053bdef48425f6bd01b2a33aa63cab.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Sets file execution options in registry
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2792-3-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2792-12-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads