Analysis
- max time kernel: 150s
- max time network: 168s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 22/02/2022, 20:50

Static task: static1

Behavioral task: behavioral1
- Sample: 0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe
- Resource: win10v2004-en-20220113
General
- Target: 0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe
- Size: 1.6MB
- MD5: ff3fe4fe833b4f463bee3ef01057bf3a
- SHA1: 7eb61441d0d14117c05edbbff96bedf438561b67
- SHA256: 0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c
- SHA512: 91d7b35777afd433b250fc1a601a172440270be2e50af55f3e035e503c5f4a61ee2a131bd19c77611beaa7262cc9fa6cef16dea23f68497c833d95c5f6bb523c
Malware Config
Signatures
The YARA hits below are on files from the behavioral2 run (Windows 10 2004); this excerpt records no artifacts from the Windows 7 run.

- NirSoft MailPassView (2 IoCs)
  Password recovery tool for various email clients.
  resource | yara_rule
  behavioral2/files/0x000400000001e7cb-130.dat | MailPassView
  behavioral2/files/0x000400000001e7cb-131.dat | MailPassView

- NirSoft WebBrowserPassView (2 IoCs)
  Password recovery tool for various web browsers.
  resource | yara_rule
  behavioral2/files/0x000400000001e7cb-130.dat | WebBrowserPassView
  behavioral2/files/0x000400000001e7cb-131.dat | WebBrowserPassView

- Nirsoft (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x000400000001e7cb-130.dat | Nirsoft
  behavioral2/files/0x000400000001e7cb-131.dat | Nirsoft

  All three NirSoft rules hit the same two dropped files (0x000400000001e7cb-130.dat and -131.dat), so they describe one dropped password-recovery component matched by three overlapping rules, not three separate tools. The report does not tie these files to any process in the tree below; the only dropped executable it records running is 3466.exe.
- Executes dropped EXE (1 IoC)
  pid | Process
  4772 | 3466.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check: the Geo\Nation value holds the user's Windows GeoID, which malware reads to skip execution on hosts in selected countries. The query is made by the original sample (PID 2492), not by the dropped 3466.exe.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox labels this "likely ransomware behaviour", but it is a generic heuristic: no IoC is recorded for it in this run, and nothing else in the report (no file encryption, no ransom note) corroborates ransomware activity.
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2492 wrote to memory of 4772 | 2492 | 0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe | 84
  PID 2492 wrote to memory of 4772 | 2492 | 0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe | 84
  PID 2492 wrote to memory of 4772 | 2492 | 0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe | 84
  PID 4772 wrote to memory of 4728 | 4772 | 3466.exe | 87
  PID 4772 wrote to memory of 4728 | 4772 | 3466.exe | 87
  PID 4772 wrote to memory of 4728 | 4772 | 3466.exe | 87
  PID 4728 wrote to memory of 2396 | 4728 | fondue.exe | 89
  PID 4728 wrote to memory of 2396 | 4728 | fondue.exe | 89

  Every writer/target pair above is a direct parent-to-child edge of the process tree below (2492 -> 4772 -> 4728 -> 2396). CreateProcess writes the new child's startup data into the child before it runs, so the sandbox records WriteProcessMemory for every process creation; the repeated rows are the individual calls. On its own this signature is consistent with plain process spawning and is not evidence of injection into an unrelated process.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe"
    PID: 2492
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\3466\3466.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\3466\3466.exe"
        PID: 4772
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\fondue.exe
            command line: "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
            PID: 4728
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\system32\FonDUE.EXE
                command line: "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
                PID: 2396

The two fondue.exe entries are the Windows Features on Demand installer, not part of the malware: the .NET CLR shim mscoreei.dll (the /caller-name) launches fondue.exe /enable-feature:NetFx3 when an application built for .NET Framework 2.0 to 3.5 starts on a host that does not have that runtime enabled. The launching process is 32-bit (its "system32" path was redirected to SysWOW64 by WOW64), and that copy relaunches the native 64-bit FonDUE.EXE through the sysnative alias. The chain therefore shows that the dropped 3466.exe is a .NET 2.0 to 3.5 binary and that NetFx3 was not enabled in this sandbox image, which would explain why no further activity is recorded under PID 4772. On a host where .NET 3.5 is present this prompt does not appear, so the sandbox run likely did not reach the payload's real behaviour.
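The following is an added triage example, not part of the sandbox report, that applies the two observations above (the WriteProcessMemory signature and the NetFx3 prompt) to the report's own rows. The eight "wrote to memory of" lines and the process list are copied from the page as constructed input; the labels, the regexes and the helper names are this example's own.

```python
"""Separate WriteProcessMemory events caused by process creation from true
cross-process writes, and flag the Windows NetFx3 install prompt.

Windows' CreateProcess writes the child's startup data into the new process,
so a sandbox logs WriteProcessMemory for every parent->child creation. The
interesting events are writes into a process the writer did not create.
"""
import re
from collections import defaultdict

# Constructed sample input: the eight rows from the report, one event per line.
WPM_EVENTS = """\
PID 2492 wrote to memory of 4772 2492 0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe 84
PID 2492 wrote to memory of 4772 2492 0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe 84
PID 2492 wrote to memory of 4772 2492 0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe 84
PID 4772 wrote to memory of 4728 4772 3466.exe 87
PID 4772 wrote to memory of 4728 4772 3466.exe 87
PID 4772 wrote to memory of 4728 4772 3466.exe 87
PID 4728 wrote to memory of 2396 4728 fondue.exe 89
PID 4728 wrote to memory of 2396 4728 fondue.exe 89
"""

# Process list from the report's tree: pid -> (parent pid, image path, command line).
PROCESSES = {
    2492: (None, r"C:\Users\Admin\AppData\Local\Temp\0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\0b76b9230ea858e5c5a1c360ffa57f8c5b4e1d3edfc86f16f5f8a8d810e2740c.exe"'),
    4772: (2492, r"C:\Users\Admin\AppData\Local\Temp\3466\3466.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\3466\3466.exe"'),
    4728: (4772, r"C:\Windows\SysWOW64\fondue.exe",
           r'"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll'),
    2396: (4728, r"C:\Windows\system32\FonDUE.EXE",
           r'"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll'),
}

# One report row: "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")

# Windows Features-on-Demand prompt for .NET Framework 3.5 (hypothetical matcher for this example).
NETFX_PROMPT = re.compile(r"\bfondue\.exe\b.*/enable-feature:NetFx3\b", re.IGNORECASE)


def parse_wpm(text):
    """Return {(src_pid, dst_pid, src_image): call_count}.

    The sandbox emits one row per API call, so repeated rows are folded into a
    count rather than discarded; lines that are not rows (e.g. the header) are skipped.
    """
    counts = defaultdict(int)
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m is None:
            continue
        src, dst, _src_again, image, _target_id = m.groups()
        counts[(int(src), int(dst), image)] += 1
    return dict(counts)


def classify(events, processes):
    """Label each writer->target pair.

    process-creation     the target's recorded parent is the writer (expected)
    cross-process-write  the target exists but the writer did not create it
    unknown-target       the target pid is not in the process list at all
    """
    result = []
    for (src, dst, image), calls in sorted(events.items()):
        parent = processes.get(dst, (None,))[0]
        if parent == src:
            label = "process-creation"
        elif dst in processes:
            label = "cross-process-write"
        else:
            label = "unknown-target"
        result.append({"src": src, "dst": dst, "image": image, "calls": calls, "label": label})
    return result


def injection_candidates(events, processes):
    """Only the pairs that are not explained by process creation."""
    return [e for e in classify(events, processes) if e["label"] != "process-creation"]


def runs_from_user_temp(image):
    """True for images under a user's local Temp folder, where both the dropper
    and the dropped 3466.exe live in this report."""
    return "\\appdata\\local\\temp\\" in image.lower()


def is_netfx_prompt(cmdline):
    """True for the fondue.exe NetFx3 prompt that the CLR shim (mscoreei.dll)
    launches when a .NET 2.0-3.5 application starts without that runtime."""
    return bool(NETFX_PROMPT.search(cmdline))


if __name__ == "__main__":
    events = parse_wpm(WPM_EVENTS)
    for e in classify(events, PROCESSES):
        print(f"{e['src']:>5} -> {e['dst']:>5}  {e['label']:<20} x{e['calls']}  {e['image']}")
    print("injection candidates:", injection_candidates(events, PROCESSES))
    for pid, (_parent, image, cmd) in PROCESSES.items():
        print(pid, "temp-resident" if runs_from_user_temp(image) else "system path",
              "netfx-prompt" if is_netfx_prompt(cmd) else "")
```

Run on the report's rows, every pair classifies as process-creation and the candidate list is empty, which is the conclusion drawn above; a write into a PID the writer did not spawn would surface as cross-process-write and deserve a closer look at the target.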