Analysis

  • max time kernel
    156s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    22/02/2022, 22:29

General

  • Target

    07f3e2d9c55de226529ac2f9d686f14877b074f58d6183ce5f30324a63fa2a0c.exe

  • Size

    3.4MB

  • MD5

    a823ce034acab9c8e810ca94927b3815

  • SHA1

    fcbe558da3085f502ffe2ee248b955804f5dfc5b

  • SHA256

    07f3e2d9c55de226529ac2f9d686f14877b074f58d6183ce5f30324a63fa2a0c

  • SHA512

    1422b8205a839ed155065ea7555cde3b52cc8d82b1042e3143cd933dc31464f34c6b7fe4cc11cc65979f6f3266734ccd793668da36172b5aea35d812c2947b9d

Score
9/10

Malware Config

Signatures

  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\07f3e2d9c55de226529ac2f9d686f14877b074f58d6183ce5f30324a63fa2a0c.exe
    "C:\Users\Admin\AppData\Local\Temp\07f3e2d9c55de226529ac2f9d686f14877b074f58d6183ce5f30324a63fa2a0c.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1884
    • C:\Users\Admin\AppData\Local\Temp\3.exe
      "C:\Users\Admin\AppData\Local\Temp\3.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2992
      • C:\Windows\system32\fondue.exe
        "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
        3⤵
          PID:1056
      • C:\Users\Admin\AppData\Local\Temp\1.exe
        "C:\Users\Admin\AppData\Local\Temp\1.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2576
        • C:\Windows\SysWOW64\fondue.exe
          "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3380
          • C:\Windows\system32\FonDUE.EXE
            "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
            4⤵
              PID:3460
        • C:\Users\Admin\AppData\Local\Temp\2.exe
          "C:\Users\Admin\AppData\Local\Temp\2.exe"
          2⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1888
          • C:\Windows\SysWOW64\fondue.exe
            "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2240
            • C:\Windows\system32\FonDUE.EXE
              "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
              4⤵
                PID:2884
        • C:\Windows\system32\OpenWith.exe
          C:\Windows\system32\OpenWith.exe -Embedding
          1⤵
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:2612
        • C:\Windows\system32\OpenWith.exe
          C:\Windows\system32\OpenWith.exe -Embedding
          1⤵
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          PID:3032

        Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads