e29f0e8faa91b0bfd62b1819aeb4ae09980e9880daeed0459d019b4c232d7a07

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
26/04/2024, 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

迅雷.exe
Size

6.6MB
MD5

4c1c7a1bd28d01d04f9cfb5b81484c08
SHA1

8eeb5a933ece7bd62e9cdc44b7e225ee4f568ada
SHA256

e29f0e8faa91b0bfd62b1819aeb4ae09980e9880daeed0459d019b4c232d7a07
SHA512

04860f54098940499ffa3469cd31cb9ebb5c21cbbcf91e0530d9296f54bf81fff0e191a5ee48f1b68da88b2e5545320d3c6d01a281f338e9ed87e29178a2fb35
SSDEEP

196608:0dRsVpks/aTD4i5x251EGNBHRWcfbQAIxf9IKP:0ipksST82OPN1RR0AIx9I+

Score

6^/10

bootkit evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2068	netsh.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	迅雷.exe

Loads dropped DLL 1 IoCs

pid	Process
2912	迅雷.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2068	2912	迅雷.exe	28
PID 2912 wrote to memory of 2068	2912	迅雷.exe	28
PID 2912 wrote to memory of 2068	2912	迅雷.exe	28
PID 2912 wrote to memory of 2068	2912	迅雷.exe	28

C:\Users\Admin\AppData\Local\Temp\迅雷.exe
"C:\Users\Admin\AppData\Local\Temp\迅雷.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name="DownloadSDKServer" dir=in action=allow program=C:\Users\Admin\AppData\Local\Temp\OnlineInstall\12.0.8.2392\SDK\DownloadSDKServer.exe enable=yes
  2⤵
  - Modifies Windows Firewall
  PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Thunder Network\DownloadLib\pub_store.dat

Filesize
121B

MD5
90c512ae2fb8b6a8d59f363f9903c547

SHA1
5c5ff1913058b585436a7b53e6a3965255d22930

SHA256
298cd239d92c0e59590ed11fefb9018beee94a3596031c66fd82e18839364cd3

SHA512
b058bb63180ce1908fbffe12da8f5a701129bb35fee5f9d822959103665c7ee716287d77ed26a9e62d48e5fbb75a77da3a9305c9d1e6d61eb025a8145929b4a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\12.0.8.2392\OnlineResource\resource\[email protected]

Filesize
1KB

MD5
7fb51054d1cd663bbf8ffa55021b9249

SHA1
1a2fcef00117e64c3e5de0f523f5cb5aa2e241bf

SHA256
771391eaeea31ab1debc547ce1fa14c52302073794a06bacc548bed427ec568e

SHA512
f715fa781457224bbe8497940c7b14ec2b18ce776f93029a13a9a2a984bb74fd1be543b32c8d9bec4c9d7bf70c739700e10898653a3a96ed581a13dece6f0bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\12.0.8.2392\OnlineResource\resource\[email protected]

Filesize
1KB

MD5
bcd9693086ebdc4b37dd532820133334

SHA1
11c4ce269648a1e4095f570218dcba74730bf8a1

SHA256
f94a832248565569da61bfe475617278b6ae428c2e09b4ae26348ac8ad87df2f

SHA512
240c7398fce2e42ba45c88bbdec8f2c487534f14e1863a05bcc9972e75cf36d499cd160b6ddd99eb27c423ec8801e75f89a70d0ffe0fd9fac7921850dcc01938

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\12.0.8.2392\OnlineResource\resource\install_bkg.png

Filesize
712KB

MD5
7fee676f9eaf162dca4298cf40a971db

SHA1
5e916d76d41a19967a7da5f06e4b5520961eede0

SHA256
7f49606de40353b0133028433c82995653a6d4d47f5deb0355320a37adf14d74

SHA512
5a8224799b9b9772ad2bafd0fba72f7dafb156ad220855dd2185dde94dd6f57122d4d4c9402a95cf8d18935fe48898e6527e1458dd258664b9cd3128aacafe8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\12.0.8.2392\OnlineResource\resource\[email protected]

Filesize
3KB

MD5
0ccd101a1adfe7ca02da3efc092c1268

SHA1
780eb8cfe0fe81458f3b5fe8406979c7ad906206

SHA256
7a5a05255450f34bffd39d76bc7d41b45cba7744cc562becbeb7572b32bc11a1

SHA512
683ff65f5c659d65631d3488cb562de18e5d74eb338622a88a412b72e504473bb85b7f211a13d972754f4e604442c7d6bff4137a05475311197860b0fcfee211

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\12.0.8.2392\OnlineResource\resource\[email protected]

Filesize
57KB

MD5
5e1569f6cd728ed8b180e97de3bc2c28

SHA1
5bbb3b028cdbb5998359fac87521ca494f025576

SHA256
d6be90ee217ce5e04acccbe8d9f3d2d84885614b9a06f7e018961d6a1e876b9e

SHA512
b19c85ebffdf4d1e01dd770a445526d14d643226b86902f6315bc502d91f4aa78ccebe87ba830ddbb82b20643f8bff7fb60bae3f5364716e4d67376881988f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\12.0.8.2392\OnlineResource\resource\[email protected]

Filesize
401B

MD5
e09ed94afcf7c13b7cc4c46dc8a338f7

SHA1
523ccbe8a343e61849421cbc1454c0e4bbf01dee

SHA256
225be85473e09b7d08f8a58ccbe32bd39eb81547bdd703ca371115f9bfbe9c2c

SHA512
c36f5bb553e36699d6817a0a19cc9ab998982b5cbc643918091a5c344d9e3407534fc3e1529c9ec5fd74fdc41d152e5a9d0741ce5877020fbd95c86bf34ae47f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\12.0.8.2392\OnlineResource\resource\[email protected]

Filesize
1KB

MD5
4a3714d2ab6132ec38427c5c979453f9

SHA1
7ea9b918e94025d9582669036158bb10365deecb

SHA256
37cce4c15fcfd9b396db672e6f4f3e76ec38b0475193520b7a0873d9a79a8552

SHA512
4f614c61ff515294bfaa41d0f19f47c94e09b193c8aa01d162ec672d28877e73f93a5c3fc8719f51e340c8e3f8cf406401ecae2e6c91061ff871f95799c60501

Download Submit
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\12.0.8.2392\OnlineResource\resource\[email protected]

Filesize
1KB

MD5
4198fed68f06450799116ae88c2f4f70

SHA1
6132c3b3ee035c228b250da49f4a735dfbab07e1

SHA256
ced1e2b2d1c750d4a50517228f3b5701e8ead8baa7d7b85f218b4c9f7d37c400

SHA512
4ba22b18ceabd369750c45c0584bd9d3857824ffb2fceab8ba6ba3ea83245ddc04f990363fddc781448bfad1c209f5b16c1fbead778732958433970a44fef144

Download Submit
\Users\Admin\AppData\Local\Temp\OnlineInstall\12.0.8.2392\OnlineResource\InstallEntry.dll

Filesize
1.0MB

MD5
22d11575da122967f51f14371b399a60

SHA1
97d73b3a206f3a19d906b7b65fc62418c47cdf7a

SHA256
90a403fb6c7b6afa5531f10875f8a9d50e7d59b5799bcdf6d17a07f966df0bf2

SHA512
a187a469f8f10e1f7176ac6943c0cf1a190064032ee79313fc9f0fdae3a5c1b818390ce4ff0b673f7fb5060455edb6b0b11bb5058552a9321f4ab23905c37e67

Download Submit
memory/2912-50-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2912-156-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads