d0fcb3afeca9a0f16c39831bb2f1f6d4cf2b9fa5c26c3dde017b45e2f972ebc4 | Triage

Analysis

max time kernel
86s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
05-02-2022 09:45

Sharing

Report Analysis Logs

General

Target

HSBC BANK LETTER.exe
Size

722KB
MD5

c9f3af24ebda7a1bcaa94dc81156cf45
SHA1

14dff67f355616a09733afabff2cf836bf9ebe52
SHA256

07236ee497bab6187ef9e5ea42f6a184a9bb32030b50d88f251a449b03890305
SHA512

719cfafe427d48211d4364954ac40bc714409b8b7a1b84cac8c208491daeee47418f25dd18b94800330485ed764539e0c62360913f59a04d44f3f87605f22663

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	612	svchost.exe
Token: SeCreatePagefilePrivilege	612	svchost.exe
Token: SeShutdownPrivilege	612	svchost.exe
Token: SeCreatePagefilePrivilege	612	svchost.exe
Token: SeShutdownPrivilege	612	svchost.exe
Token: SeCreatePagefilePrivilege	612	svchost.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

HSBC BANK LETTER.exefondue.exe

description	pid	process	target process
PID 4960 wrote to memory of 2240	4960	HSBC BANK LETTER.exe	fondue.exe
PID 4960 wrote to memory of 2240	4960	HSBC BANK LETTER.exe	fondue.exe
PID 4960 wrote to memory of 2240	4960	HSBC BANK LETTER.exe	fondue.exe
PID 2240 wrote to memory of 2812	2240	fondue.exe	FonDUE.EXE
PID 2240 wrote to memory of 2812	2240	fondue.exe	FonDUE.EXE

C:\Users\Admin\AppData\Local\Temp\HSBC BANK LETTER.exe
"C:\Users\Admin\AppData\Local\Temp\HSBC BANK LETTER.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4960

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
3⤵
PID:2812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:612

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/612-130-0x000001B826B90000-0x000001B826BA0000-memory.dmp

Filesize
64KB

Download
memory/612-137-0x000001B829910000-0x000001B829914000-memory.dmp

Filesize
16KB

Download