Analysis

max time kernel: 156s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 22/02/2022, 21:15

Static task: static1
Behavioral task: behavioral1
Sample: 0a6122f38d670eec50dfb91aeb8791c7ce24928480e4a32793d71e472a55c1f7.exe
Resource: win7-en-20211208
General

Target: 0a6122f38d670eec50dfb91aeb8791c7ce24928480e4a32793d71e472a55c1f7.exe
Size: 2.2MB
MD5: 7274a59e5c87187d46207585fc7e9f14
SHA1: 4dd4feb0a99f3e67ca075572f2a4e8007b5e87fe
SHA256: 0a6122f38d670eec50dfb91aeb8791c7ce24928480e4a32793d71e472a55c1f7
SHA512: 5e82120d85131b684e75e66b8d63b3816a0c08cf678df4f4447d15f11ef66d04ca62f146865164483d0d5ba665e9f3452816226675fdcf85644cbeb8258696d6
Malware Config

Signatures

NirSoft MailPassView (3 IoCs)
Password recovery tool for various email clients
resource                                                                      yara_rule
behavioral2/memory/3540-131-0x00000000003A0000-0x00000000005D4000-memory.dmp  MailPassView
behavioral2/files/0x000400000000072b-132.dat                                  MailPassView
behavioral2/files/0x000400000000072b-134.dat                                  MailPassView

NirSoft WebBrowserPassView (3 IoCs)
Password recovery tool for various web browsers
resource                                                                      yara_rule
behavioral2/memory/3540-131-0x00000000003A0000-0x00000000005D4000-memory.dmp  WebBrowserPassView
behavioral2/files/0x000400000000072b-132.dat                                  WebBrowserPassView
behavioral2/files/0x000400000000072b-134.dat                                  WebBrowserPassView

Nirsoft (3 IoCs)
resource                                                                      yara_rule
behavioral2/memory/3540-131-0x00000000003A0000-0x00000000005D4000-memory.dmp  Nirsoft
behavioral2/files/0x000400000000072b-132.dat                                  Nirsoft
behavioral2/files/0x000400000000072b-134.dat                                  Nirsoft
Executes dropped EXE (1 IoC)
pid   Process
2848  Synapse.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description        ioc                                                                                                          Process
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  0a6122f38d670eec50dfb91aeb8791c7ce24928480e4a32793d71e472a55c1f7.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (1 IoC)
description              pid   Process
Token: SeDebugPrivilege  3540  0a6122f38d670eec50dfb91aeb8791c7ce24928480e4a32793d71e472a55c1f7.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description                         pid   Process                                                                procid_target
PID 3540 wrote to memory of 2848    3540  0a6122f38d670eec50dfb91aeb8791c7ce24928480e4a32793d71e472a55c1f7.exe  83
PID 3540 wrote to memory of 2848    3540  0a6122f38d670eec50dfb91aeb8791c7ce24928480e4a32793d71e472a55c1f7.exe  83
PID 3540 wrote to memory of 2848    3540  0a6122f38d670eec50dfb91aeb8791c7ce24928480e4a32793d71e472a55c1f7.exe  83
PID 2848 wrote to memory of 3596    2848  Synapse.exe                                                            84
PID 2848 wrote to memory of 3596    2848  Synapse.exe                                                            84
PID 2848 wrote to memory of 3596    2848  Synapse.exe                                                            84
PID 3596 wrote to memory of 4800    3596  fondue.exe                                                             85
PID 3596 wrote to memory of 4800    3596  fondue.exe                                                             85
Processes

C:\Users\Admin\AppData\Local\Temp\0a6122f38d670eec50dfb91aeb8791c7ce24928480e4a32793d71e472a55c1f7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0a6122f38d670eec50dfb91aeb8791c7ce24928480e4a32793d71e472a55c1f7.exe"  (depth 1)
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3540

  C:\Users\Admin\AppData\Local\Temp\Synapse.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Synapse.exe"  (depth 2)
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2848

    C:\Windows\SysWOW64\fondue.exe
      Command line: "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll  (depth 3)
      - Suspicious use of WriteProcessMemory
      PID: 3596

      C:\Windows\system32\FonDUE.EXE
        Command line: "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll  (depth 4)
        PID: 4800