Analysis
- max time kernel: 156s
- max time network: 161s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 22/02/2022, 22:29
Static task: static1
Behavioral task: behavioral1
- Sample: 07f3e2d9c55de226529ac2f9d686f14877b074f58d6183ce5f30324a63fa2a0c.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 07f3e2d9c55de226529ac2f9d686f14877b074f58d6183ce5f30324a63fa2a0c.exe
- Resource: win10v2004-en-20220113
General
- Target: 07f3e2d9c55de226529ac2f9d686f14877b074f58d6183ce5f30324a63fa2a0c.exe
- Size: 3.4MB
- MD5: a823ce034acab9c8e810ca94927b3815
- SHA1: fcbe558da3085f502ffe2ee248b955804f5dfc5b
- SHA256: 07f3e2d9c55de226529ac2f9d686f14877b074f58d6183ce5f30324a63fa2a0c
- SHA512: 1422b8205a839ed155065ea7555cde3b52cc8d82b1042e3143cd933dc31464f34c6b7fe4cc11cc65979f6f3266734ccd793668da36172b5aea35d812c2947b9d
Malware Config
Signatures
- NirSoft MailPassView (2 IoCs)
  Password recovery tool for various email clients
  resource | yara_rule
  behavioral2/files/0x000600000001e7e1-132.dat | MailPassView
  behavioral2/files/0x000600000001e7e1-133.dat | MailPassView
- NirSoft WebBrowserPassView (2 IoCs)
  Password recovery tool for various web browsers
  resource | yara_rule
  behavioral2/files/0x000600000001e7e1-132.dat | WebBrowserPassView
  behavioral2/files/0x000600000001e7e1-133.dat | WebBrowserPassView
- Nirsoft (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x000600000001e7e1-132.dat | Nirsoft
  behavioral2/files/0x000600000001e7e1-133.dat | Nirsoft
- Executes dropped EXE (3 IoCs)
  pid | Process
  2992 | 3.exe
  2576 | 1.exe
  1888 | 2.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 07f3e2d9c55de226529ac2f9d686f14877b074f58d6183ce5f30324a63fa2a0c.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class (3 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings | 07f3e2d9c55de226529ac2f9d686f14877b074f58d6183ce5f30324a63fa2a0c.exe
  Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings | OpenWith.exe
  Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings | OpenWith.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  2612 | OpenWith.exe
  3032 | OpenWith.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  description | pid | Process | procid_target
  PID 1884 wrote to memory of 2992 | 1884 | 07f3e2d9c55de226529ac2f9d686f14877b074f58d6183ce5f30324a63fa2a0c.exe | 81
  PID 1884 wrote to memory of 2992 | 1884 | 07f3e2d9c55de226529ac2f9d686f14877b074f58d6183ce5f30324a63fa2a0c.exe | 81
  PID 2992 wrote to memory of 1056 | 2992 | 3.exe | 82
  PID 2992 wrote to memory of 1056 | 2992 | 3.exe | 82
  PID 1884 wrote to memory of 2576 | 1884 | 07f3e2d9c55de226529ac2f9d686f14877b074f58d6183ce5f30324a63fa2a0c.exe | 85
  PID 1884 wrote to memory of 2576 | 1884 | 07f3e2d9c55de226529ac2f9d686f14877b074f58d6183ce5f30324a63fa2a0c.exe | 85
  PID 1884 wrote to memory of 2576 | 1884 | 07f3e2d9c55de226529ac2f9d686f14877b074f58d6183ce5f30324a63fa2a0c.exe | 85
  PID 1884 wrote to memory of 1888 | 1884 | 07f3e2d9c55de226529ac2f9d686f14877b074f58d6183ce5f30324a63fa2a0c.exe | 86
  PID 1884 wrote to memory of 1888 | 1884 | 07f3e2d9c55de226529ac2f9d686f14877b074f58d6183ce5f30324a63fa2a0c.exe | 86
  PID 1884 wrote to memory of 1888 | 1884 | 07f3e2d9c55de226529ac2f9d686f14877b074f58d6183ce5f30324a63fa2a0c.exe | 86
  PID 2576 wrote to memory of 3380 | 2576 | 1.exe | 88
  PID 2576 wrote to memory of 3380 | 2576 | 1.exe | 88
  PID 2576 wrote to memory of 3380 | 2576 | 1.exe | 88
  PID 1888 wrote to memory of 2240 | 1888 | 2.exe | 87
  PID 1888 wrote to memory of 2240 | 1888 | 2.exe | 87
  PID 1888 wrote to memory of 2240 | 1888 | 2.exe | 87
  PID 2240 wrote to memory of 2884 | 2240 | fondue.exe | 90
  PID 2240 wrote to memory of 2884 | 2240 | fondue.exe | 90
  PID 3380 wrote to memory of 3460 | 3380 | fondue.exe | 89
  PID 3380 wrote to memory of 3460 | 3380 | fondue.exe | 89
Processes
- C:\Users\Admin\AppData\Local\Temp\07f3e2d9c55de226529ac2f9d686f14877b074f58d6183ce5f30324a63fa2a0c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\07f3e2d9c55de226529ac2f9d686f14877b074f58d6183ce5f30324a63fa2a0c.exe"
  PID: 1884
  Signatures: Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3.exe"
    PID: 2992
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\fondue.exe
      Command line: "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      PID: 1056
  - C:\Users\Admin\AppData\Local\Temp\1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
    PID: 2576
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\fondue.exe
      Command line: "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      PID: 3380
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\FonDUE.EXE
        Command line: "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
        PID: 3460
  - C:\Users\Admin\AppData\Local\Temp\2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2.exe"
    PID: 1888
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\fondue.exe
      Command line: "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      PID: 2240
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\FonDUE.EXE
        Command line: "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
        PID: 2884
- C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 2612
  Signatures: Modifies registry class; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 3032
  Signatures: Modifies registry class; Suspicious use of SetWindowsHookEx