Overview

overview

10

Static

static

10

ThunderKit...lt.exe

windows10-2004-x64

7

ThunderKit...lt.exe

windows11-21h2-x64

7

Analysis

  • max time kernel
    92s
  • max time network
    93s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241023-en
  • resource tags

    arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    19/12/2024, 14:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ThunderKitty_Built.exe

  • Size

    9.7MB

  • MD5

    6fac67027fa756d82665d69627f21cd4

  • SHA1

    cd62b5622a58f88c9a62dfa68804b1017d312f6e

  • SHA256

    0da67f4bffe1d30feabc5d784579dd119f131ae2380327d3fc32dd17aedba1f9

  • SHA512

    a5bbb300aaf508165e7da51d64fe54ccd4fc62401c9339444254bf05012b9dc4071c3cd6ed7651d094feced705bc9bbf601d182353d167b1e9be09c27dcedb35

  • SSDEEP

    98304:v9Rjwt5p24UX+fgIhC+XP1chzKEuVSjMAh80q:V/WxP1clXd8D

Score
7/10
credential_accessdiscoveryspywarestealer

Malware Config

Signatures

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Kills process with taskkill 15 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ThunderKitty_Built.exe
    "C:\Users\Admin\AppData\Local\Temp\ThunderKitty_Built.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3264
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM chrome.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4988
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM firefox.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:960
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM brave.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2704
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM opera.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3080
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM kometa.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:956
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM orbitum.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1436
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM centbrowser.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3100
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM 7star.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2036
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM sputnik.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2836
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM vivaldi.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3440
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM epicprivacybrowser.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4044
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM msedge.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4068
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM uran.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1964
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM yandex.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3992
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM iridium.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4780
    • C:\Windows\system32\reagentc.exe
      reagentc.exe /disable
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      PID:4376

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads