Analysis Overview
SHA256
654ec1b0f069965200d518da38e327d7512d4622448860231d61524f18a824fa
Threat Level: Likely malicious
The file 654ec1b0f069965200d518da38e327d7512d4622448860231d61524f18a824fa was found to be: Likely malicious.
Malicious Activity Summary
Modifies Windows Firewall
Loads dropped DLL
Writes to the Master Boot Record (MBR)
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-12 13:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 13:39
Reported
2024-06-12 13:42
Platform
win7-20240508-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\654ec1b0f069965200d518da38e327d7512d4622448860231d61524f18a824fa.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\654ec1b0f069965200d518da38e327d7512d4622448860231d61524f18a824fa.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1232 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\654ec1b0f069965200d518da38e327d7512d4622448860231d61524f18a824fa.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 1232 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\654ec1b0f069965200d518da38e327d7512d4622448860231d61524f18a824fa.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 1232 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\654ec1b0f069965200d518da38e327d7512d4622448860231d61524f18a824fa.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 1232 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\654ec1b0f069965200d518da38e327d7512d4622448860231d61524f18a824fa.exe | C:\Windows\SysWOW64\netsh.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\654ec1b0f069965200d518da38e327d7512d4622448860231d61524f18a824fa.exe
"C:\Users\Admin\AppData\Local\Temp\654ec1b0f069965200d518da38e327d7512d4622448860231d61524f18a824fa.exe"
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="DownloadSDKServer" dir=in action=allow program=C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.7.2104\SDK\DownloadSDKServer.exe enable=yes
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | static-xl9-ssl.xunlei.com | udp |
| US | 8.8.8.8:53 | conf-m-ssl.xunlei.com | udp |
| US | 8.8.8.8:53 | stat.download.xunlei.com | udp |
| US | 8.8.8.8:53 | static-xl9-ssl.xunlei.com | udp |
| US | 8.8.8.8:53 | stat.download.xunlei.com | udp |
Files
\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.7.2104\OnlineResource\InstallEntry.dll
| MD5 | f1a0499d697fc29999887ded4d73674f |
| SHA1 | 53b5ce94b6abe984eaa890a8609eb2e44292fdd8 |
| SHA256 | 9445e6fee25cf21b06e9cbee5745dadc5242dab6632dc3ecf53f00f9e6665961 |
| SHA512 | 7201f9f2fd241ec956cff0fde79dfd12a3df2d4245298c38033e53110cc92359579ced43339974ecc3e331b29b9004e0edc7b32ea7ad926b7b0a2859c9317dfc |
memory/1232-54-0x0000000000190000-0x0000000000191000-memory.dmp
C:\ProgramData\Thunder Network\DownloadLib\pub_store.dat
| MD5 | 8493bdd1a8eeb595733704db4cd89c4e |
| SHA1 | 39368e9b563351ccb587e6f13a120491aad62b30 |
| SHA256 | 46548b81fc896b62a0298ae65120a3a93013d97b0ee597247b361ec6f6a73099 |
| SHA512 | 4f7e126cd80f0023574a2f46616460f9283ce36f067a4b323c8ab1aa73ae65ec8a3b78743297e17c895488af58a639c7b02790dfc17e6b7b83b6717f76ebce87 |
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.7.2104\OnlineResource\resource\[email protected]
| MD5 | cb8dc16b59722999e762558ac0afce45 |
| SHA1 | 17673bbecb6a999073dffab34b73009c13cece24 |
| SHA256 | a92b1cac68378fcaef9d46be0f8e1f4b6d5ca3de30b4ec26bdc30eff3f6b3051 |
| SHA512 | 381df44b51001f1bc213a9c224e1fe3fbe270b80a332a9655e2aafbef3229227c0672a541f405a66c68796f4c8380053b02daf35694115226b178b4641054d81 |
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.7.2104\OnlineResource\resource\[email protected]
| MD5 | f350f4bb9cea348bc42eafdfd7f52182 |
| SHA1 | 02a8fea0deac529d362a31969f7c8fc27bfcce3d |
| SHA256 | 3885706db8c031d804e7eeb87ec8a3826dbb407a103ce15b347bf33ae41f5c52 |
| SHA512 | 708c23c67e00afe4387200efd1a313988546de0b13fd7d757b1d13bd1680ba29e585cdda159c705239e8520a57ecb4bbf35727c9be9e123aad81c76c4299ca70 |
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.7.2104\OnlineResource\resource\[email protected]
| MD5 | 83e7f0808802d4aefaba3ecbb87460b2 |
| SHA1 | f669f175562aae608f2a307d8c4b8a327b56de2a |
| SHA256 | 8d528e66094e298c9542215823363b66516a33a6bf8490b2122e74151b567dab |
| SHA512 | c552181fdf3899336a5d5a2a5541c7c666e3ab0276563007c56a8e878386c6178024d30f7fe8b0bf75ece6ad371c553666e2bd09f935891db5741d23d3fba253 |
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.7.2104\OnlineResource\resource\install_bkg.png
| MD5 | 68a017c094dc1dcd136e6f2677e41848 |
| SHA1 | 3ebba5af4ddeeaea06942bf1ed5e11014ec3994c |
| SHA256 | 6132f8b3d88cc71932332d18778c4bea460f7d0d7a08cd9f25b033300efbc595 |
| SHA512 | 99030b787c9c18ed01a24772633bbcf431171a831cb4e281ac1dfd20845c496922e55877634e7eca7ad303adf8989c571fe8ee2220504dd10074cacd67f0726f |
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.7.2104\OnlineResource\resource\[email protected]
| MD5 | 8df00ad52e2964cf24843502b66d15c2 |
| SHA1 | 06249b51a09df4e2bdaf6bfe27a8474dde105d2a |
| SHA256 | 0880a80a3a8e89092dcc65bff5bf63a044c3a8763f543adea5bf3f027a125716 |
| SHA512 | e09a539e232ba37de09ecfb7e6558354b6d233d790074f291136f7c168d5f58bb77bf6c065a63f87d3732ce3dc1eb526a8e54bd546872c0c0e6a17645e3e5be4 |
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.7.2104\OnlineResource\resource\[email protected]
| MD5 | 043b6f91f1716b40fa718ef0f53d1223 |
| SHA1 | 6ca9eef90f4734484faea2612f8466312e3fc77c |
| SHA256 | 06c8277deafecf8193727acb23636013e6d6dc7cc2e9b3e6ea02ca4f140b01be |
| SHA512 | be8c849374c199462e107c46c213759604b8edd14ecab437acb7387eed3ebc6d44469368f3a77081917fcf4a34d8662ac7e827ec21d9d5aecb5dab1d1ae58503 |
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.7.2104\OnlineResource\resource\[email protected]
| MD5 | e242c73869a1c02d57a46dcd0ac50cbc |
| SHA1 | b332bf954f7e90291416ff30085cb84c3bc3c603 |
| SHA256 | a2fe60fe06ce387f0ae59dff7ddf310818f8c2d58336501987064bbe3afa9893 |
| SHA512 | 4434b63314d1afe911e38632c730ce5d5b618816dded7986e1b61ecafcdad359868586a43284a1cb7f6f58f15219488680b1a69215d21dc98b171d2d4017adc6 |
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.7.2104\OnlineResource\resource\[email protected]
| MD5 | c5e7f2e6b187e5b4e5e4ad304e5f140e |
| SHA1 | 3f3fb5c143af1812e1e169ef4f4f88c95522c76c |
| SHA256 | 4ec810b1c88a36e61b16e9b24853a6c843935ca0d46fc68cbadd79719bf3bf76 |
| SHA512 | 2cc0b0aba250342a2aa048c4b39273618af6145316cd40131415d89cc0ab2ba91a974d5a1ac9f6888bb84cf92b5340ece1c859c4f625eddafdab3b1c39806820 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 13:39
Reported
2024-06-12 13:42
Platform
win10v2004-20240611-en
Max time kernel
125s
Max time network
127s
Command Line
Signatures
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\654ec1b0f069965200d518da38e327d7512d4622448860231d61524f18a824fa.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\654ec1b0f069965200d518da38e327d7512d4622448860231d61524f18a824fa.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4664 wrote to memory of 780 | N/A | C:\Users\Admin\AppData\Local\Temp\654ec1b0f069965200d518da38e327d7512d4622448860231d61524f18a824fa.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 4664 wrote to memory of 780 | N/A | C:\Users\Admin\AppData\Local\Temp\654ec1b0f069965200d518da38e327d7512d4622448860231d61524f18a824fa.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 4664 wrote to memory of 780 | N/A | C:\Users\Admin\AppData\Local\Temp\654ec1b0f069965200d518da38e327d7512d4622448860231d61524f18a824fa.exe | C:\Windows\SysWOW64\netsh.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\654ec1b0f069965200d518da38e327d7512d4622448860231d61524f18a824fa.exe
"C:\Users\Admin\AppData\Local\Temp\654ec1b0f069965200d518da38e327d7512d4622448860231d61524f18a824fa.exe"
C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="DownloadSDKServer" dir=in action=allow program=C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.7.2104\SDK\DownloadSDKServer.exe enable=yes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4132,i,3144109701624127473,12586215149656995128,262144 --variations-seed-version --mojo-platform-channel-handle=2536 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | static-xl9-ssl.xunlei.com | udp |
| US | 8.8.8.8:53 | stat.download.xunlei.com | udp |
| US | 8.8.8.8:53 | conf-m-ssl.xunlei.com | udp |
| CN | 47.103.194.216:443 | conf-m-ssl.xunlei.com | tcp |
| CN | 47.101.179.215:8099 | stat.download.xunlei.com | tcp |
| CN | 111.6.201.218:80 | static-xl9-ssl.xunlei.com | tcp |
| CN | 111.6.201.218:80 | static-xl9-ssl.xunlei.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.235:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.83.221.88.in-addr.arpa | udp |
| CN | 47.101.179.215:8099 | stat.download.xunlei.com | tcp |
| CN | 111.48.108.100:80 | static-xl9-ssl.xunlei.com | tcp |
| NL | 52.111.243.29:443 | N/A | tcp |
| CN | 111.48.138.100:80 | static-xl9-ssl.xunlei.com | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.7.2104\OnlineResource\InstallEntry.dll
| MD5 | f1a0499d697fc29999887ded4d73674f |
| SHA1 | 53b5ce94b6abe984eaa890a8609eb2e44292fdd8 |
| SHA256 | 9445e6fee25cf21b06e9cbee5745dadc5242dab6632dc3ecf53f00f9e6665961 |
| SHA512 | 7201f9f2fd241ec956cff0fde79dfd12a3df2d4245298c38033e53110cc92359579ced43339974ecc3e331b29b9004e0edc7b32ea7ad926b7b0a2859c9317dfc |
C:\ProgramData\Thunder Network\DownloadLib\pub_store.dat
| MD5 | e39ea0426b3af95bfd9f9e8fa131d8a8 |
| SHA1 | b68fb34c82da80d3dd7039be96ef8f89ed975d95 |
| SHA256 | b028e5e9cf6bcb8a7624c2566eb0aee159bdc17b3ff7248d5500fa54c8cb2ef8 |
| SHA512 | 6e58d87208e5bfbe2cd46de024d7832da6bed55184587852f12357f28291c3596f870b2d8ce0d5d0005adb317558596bf4cb3a269857fc7375fcf38c73954d1a |
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.7.2104\OnlineResource\resource\install_bkg.png
| MD5 | 68a017c094dc1dcd136e6f2677e41848 |
| SHA1 | 3ebba5af4ddeeaea06942bf1ed5e11014ec3994c |
| SHA256 | 6132f8b3d88cc71932332d18778c4bea460f7d0d7a08cd9f25b033300efbc595 |
| SHA512 | 99030b787c9c18ed01a24772633bbcf431171a831cb4e281ac1dfd20845c496922e55877634e7eca7ad303adf8989c571fe8ee2220504dd10074cacd67f0726f |
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.7.2104\OnlineResource\resource\[email protected]
| MD5 | c5e7f2e6b187e5b4e5e4ad304e5f140e |
| SHA1 | 3f3fb5c143af1812e1e169ef4f4f88c95522c76c |
| SHA256 | 4ec810b1c88a36e61b16e9b24853a6c843935ca0d46fc68cbadd79719bf3bf76 |
| SHA512 | 2cc0b0aba250342a2aa048c4b39273618af6145316cd40131415d89cc0ab2ba91a974d5a1ac9f6888bb84cf92b5340ece1c859c4f625eddafdab3b1c39806820 |
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.7.2104\OnlineResource\resource\[email protected]
| MD5 | 043b6f91f1716b40fa718ef0f53d1223 |
| SHA1 | 6ca9eef90f4734484faea2612f8466312e3fc77c |
| SHA256 | 06c8277deafecf8193727acb23636013e6d6dc7cc2e9b3e6ea02ca4f140b01be |
| SHA512 | be8c849374c199462e107c46c213759604b8edd14ecab437acb7387eed3ebc6d44469368f3a77081917fcf4a34d8662ac7e827ec21d9d5aecb5dab1d1ae58503 |
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.7.2104\OnlineResource\resource\[email protected]
| MD5 | 8df00ad52e2964cf24843502b66d15c2 |
| SHA1 | 06249b51a09df4e2bdaf6bfe27a8474dde105d2a |
| SHA256 | 0880a80a3a8e89092dcc65bff5bf63a044c3a8763f543adea5bf3f027a125716 |
| SHA512 | e09a539e232ba37de09ecfb7e6558354b6d233d790074f291136f7c168d5f58bb77bf6c065a63f87d3732ce3dc1eb526a8e54bd546872c0c0e6a17645e3e5be4 |
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.7.2104\OnlineResource\resource\[email protected]
| MD5 | cb8dc16b59722999e762558ac0afce45 |
| SHA1 | 17673bbecb6a999073dffab34b73009c13cece24 |
| SHA256 | a92b1cac68378fcaef9d46be0f8e1f4b6d5ca3de30b4ec26bdc30eff3f6b3051 |
| SHA512 | 381df44b51001f1bc213a9c224e1fe3fbe270b80a332a9655e2aafbef3229227c0672a541f405a66c68796f4c8380053b02daf35694115226b178b4641054d81 |
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.7.2104\OnlineResource\resource\[email protected]
| MD5 | e242c73869a1c02d57a46dcd0ac50cbc |
| SHA1 | b332bf954f7e90291416ff30085cb84c3bc3c603 |
| SHA256 | a2fe60fe06ce387f0ae59dff7ddf310818f8c2d58336501987064bbe3afa9893 |
| SHA512 | 4434b63314d1afe911e38632c730ce5d5b618816dded7986e1b61ecafcdad359868586a43284a1cb7f6f58f15219488680b1a69215d21dc98b171d2d4017adc6 |
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.7.2104\OnlineResource\resource\[email protected]
| MD5 | f350f4bb9cea348bc42eafdfd7f52182 |
| SHA1 | 02a8fea0deac529d362a31969f7c8fc27bfcce3d |
| SHA256 | 3885706db8c031d804e7eeb87ec8a3826dbb407a103ce15b347bf33ae41f5c52 |
| SHA512 | 708c23c67e00afe4387200efd1a313988546de0b13fd7d757b1d13bd1680ba29e585cdda159c705239e8520a57ecb4bbf35727c9be9e123aad81c76c4299ca70 |
C:\Users\Admin\AppData\Local\Temp\OnlineInstall\11.4.7.2104\OnlineResource\resource\[email protected]
| MD5 | 83e7f0808802d4aefaba3ecbb87460b2 |
| SHA1 | f669f175562aae608f2a307d8c4b8a327b56de2a |
| SHA256 | 8d528e66094e298c9542215823363b66516a33a6bf8490b2122e74151b567dab |
| SHA512 | c552181fdf3899336a5d5a2a5541c7c666e3ab0276563007c56a8e878386c6178024d30f7fe8b0bf75ece6ad371c553666e2bd09f935891db5741d23d3fba253 |