33668692ad696856f95471e2b2834d75ff6ab285fe1a5d9098d340362e127454

Analysis

max time kernel
5s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 03:10

Target

WinThruster/WinThruster.exe
Size

10.3MB
MD5

89b970cb172b86730c76c3df31551767
SHA1

0ae55b3a41e4fc1c3074dbb738065ac4cd2309e5
SHA256

7e97fe6c675e5842f38514056b2c3c7a928185f4dd2cdd97cd0d0ee4d5d319fd
SHA512

18b0416e3120e1554845153f988a5757e3d03605e729450f93393611566cbc6f904b9acae6ffabafdef673c2d1b4b77fb688f27ab7437eec5428fb48aad246ba
SSDEEP

98304:RDw3Ni9wMMTis0Vu2KKHGAmm3X+A3G8ZyUC3EQED2enKAcOe9z3eH4l40Mffh/b:G3Ni9zzFmmBgUUk9MOe9yObMXh/b

Score

7^/10

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

WinThruster.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WinThruster.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WinThruster.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

4684 schtasks.exe

pid	process
4684	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\WinThruster\WinThruster.exe
"C:\Users\Admin\AppData\Local\Temp\WinThruster\WinThruster.exe"
1⤵
- Checks processor information in registry
PID:3736

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "WinThruster automatic scan and notifications" /TR "\"C:\Users\Admin\AppData\Local\Temp\WinThruster\WTNotifications.exe\"" /SC ONLOGON /RL HIGHEST /F
2⤵
- Scheduled Task/Job: Scheduled Task
PID:4684

C:\Users\Admin\AppData\Local\Temp\WinThruster\WTNotifications.exe
"C:\Users\Admin\AppData\Local\Temp\WinThruster\WTNotifications.exe"
2⤵
PID:4368

C:\Users\Admin\AppData\Roaming\WinThruster\Log\Tasks.log
Filesize
416B

MD5
6b150ba809cce29c574d81de4d043369

SHA1
23f32083131d1db7aa40ed6db065991273e6df59

SHA256
1e2034fc4360e036448df635b9a30763d8423b5fc7cfa13a93c79fda347ca8f2

SHA512
b105c9c56345894e430dc5a5ee38d01795301a44dc0f35840810bccf77705cf0f701056520123bfe8803d11c8431ca990fda347db29d40eb85d8269808489dd1

Download Submit
memory/3736-0-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/3736-31-0x0000000061E00000-0x0000000061EF4000-memory.dmp

Filesize
976KB

Download
memory/3736-30-0x0000000000CE0000-0x000000000173E000-memory.dmp

Filesize
10.4MB

Download
memory/3736-36-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/4368-20-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/4368-32-0x00000000002D0000-0x00000000007D1000-memory.dmp

Filesize
5.0MB

Download
memory/4368-33-0x0000000061E00000-0x0000000061EF4000-memory.dmp

Filesize
976KB

Download
memory/4368-39-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/4368-54-0x00000000002D0000-0x00000000007D1000-memory.dmp

Filesize
5.0MB

Download