Analysis

  • max time kernel
    150s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    22/02/2022, 20:50

General

  • Target

    0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe

  • Size

    1.6MB

  • MD5

    ff3fe4fe833b4f463bee3ef01057bf3a

  • SHA1

    7eb61441d0d14117c05edbbff96bedf438561b67

  • SHA256

    0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c

  • SHA512

    91d7b35777afd433b250fc1a601a172440270be2e50af55f3e035e503c5f4a61ee2a131bd19c77611beaa7262cc9fa6cef16dea23f68497c833d95c5f6bb523c

Score
9/10

Malware Config

Signatures

  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe
    "C:\Users\Admin\AppData\Local\Temp\0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2492
    • C:\Users\Admin\AppData\Local\Temp\3466\3466.exe
      "C:\Users\Admin\AppData\Local\Temp\3466\3466.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4772
      • C:\Windows\SysWOW64\fondue.exe
        "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4728
        • C:\Windows\system32\FonDUE.EXE
          "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
          4⤵
            PID:2396

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads