5ea84f8f933017eb51519e628002909ba5dcf81a34830147ff2368a9d430496d

Analysis

max time kernel
93s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2024 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Thunder.exe
Size

2.0MB
MD5

16f50a44d7ff076f87806f5a6710bc13
SHA1

8af1513250078aa085c8cedc3f4d49a833b7d74c
SHA256

a596f3bcf6c8b26a5c407c2c234546f1b0808126037426869865d61b8868f1de
SHA512

36950a4fdc591dcc44fb6a416039b413d96678e52bf3e5e455bcc47742254bb11060689a319304c53396ddef9573e1848446d2c7926799fde5fbebb247cce286
SSDEEP

49152:69UGevOS9BDQMi+Zh3KUFhzhnwx10DOnm52SA6KZHgofvnH:69zeWS9BDQQFhmyOnm5dIgoHH

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4536	ThunderFW.exe

Loads dropped DLL 1 IoCs

pid	Process
3636	Thunder.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msvcr71.dll	Thunder.exe
File created	C:\Windows\SysWOW64\libpng13.dll	Thunder.exe
File created	C:\Windows\SysWOW64\zlib1.dll	Thunder.exe
File created	C:\Windows\SysWOW64\atl71.dll	Thunder.exe
File created	C:\Windows\SysWOW64\msvcp71.dll	Thunder.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ThunderFW.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Thunder.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 4536	3636	Thunder.exe	86
PID 3636 wrote to memory of 4536	3636	Thunder.exe	86
PID 3636 wrote to memory of 4536	3636	Thunder.exe	86

C:\Users\Admin\AppData\Local\Temp\Thunder.exe
"C:\Users\Admin\AppData\Local\Temp\Thunder.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Users\Admin\AppData\Local\Temp\MiniXL\bin\ThunderFW.exe
  "C:\Users\Admin\AppData\Local\Temp\MiniXL\bin\ThunderFW.exe" ThunderMini1.0.1.86 "C:\Users\Admin\AppData\Local\Temp\MiniXL\bin\ThunderMini.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MiniXL\Bin\ThunderFW.exe

Filesize
67KB

MD5
5db78d4e1a2139e566b608d33396ffb3

SHA1
c52fbece711b5a819802983a1a4f3b44f135dab0

SHA256
b378b9c3bfc3fdb32df381d339112cb4244e05ed7dc9e26cb82943e0f758ab42

SHA512
db685c5acabec782f9dff6452b9a6d09942fdd26ff2632623d7968a9f595ffcd22241ffd9e49505da47a45302cfc9de6cb70ada005ec209f44317fe093dbad05

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz91A3.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit