Analysis
max time kernel: 86s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 05-02-2022 09:45
Static task: static1
Behavioral task: behavioral1
Sample: HSBC BANK LETTER.exe
Resource: win7-en-20211208 (windows7_x64)
0 signatures, 0 seconds
Behavioral task: behavioral2
Sample: HSBC BANK LETTER.exe
Resource: win10v2004-en-20220113 (windows10-2004_x64)
0 signatures, 0 seconds
General
Target: HSBC BANK LETTER.exe
Size: 722KB
MD5: c9f3af24ebda7a1bcaa94dc81156cf45
SHA1: 14dff67f355616a09733afabff2cf836bf9ebe52
SHA256: 07236ee497bab6187ef9e5ea42f6a184a9bb32030b50d88f251a449b03890305
SHA512: 719cfafe427d48211d4364954ac40bc714409b8b7a1b84cac8c208491daeee47418f25dd18b94800330485ed764539e0c62360913f59a04d44f3f87605f22663
Score: 4/10
Malware Config
Signatures
Drops file in Windows directory (6 IoCs)
Processes: svchost.exe
description | ioc | process
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: svchost.exe
description | pid | process
Token: SeShutdownPrivilege | 612 | svchost.exe
Token: SeCreatePagefilePrivilege | 612 | svchost.exe
Token: SeShutdownPrivilege | 612 | svchost.exe
Token: SeCreatePagefilePrivilege | 612 | svchost.exe
Token: SeShutdownPrivilege | 612 | svchost.exe
Token: SeCreatePagefilePrivilege | 612 | svchost.exe
Suspicious use of WriteProcessMemory (5 IoCs)
Processes: HSBC BANK LETTER.exe, fondue.exe
description | pid | process | target process
PID 4960 wrote to memory of 2240 | 4960 | HSBC BANK LETTER.exe | fondue.exe
PID 4960 wrote to memory of 2240 | 4960 | HSBC BANK LETTER.exe | fondue.exe
PID 4960 wrote to memory of 2240 | 4960 | HSBC BANK LETTER.exe | fondue.exe
PID 2240 wrote to memory of 2812 | 2240 | fondue.exe | FonDUE.EXE
PID 2240 wrote to memory of 2812 | 2240 | fondue.exe | FonDUE.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\HSBC BANK LETTER.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\HSBC BANK LETTER.exe"
  PID: 4960
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\fondue.exe
    Command line: "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    PID: 2240
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\FonDUE.EXE
      Command line: "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      PID: 2812
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 612
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken