Analysis
- max time kernel: 92s
- max time network: 171s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 10-03-2022 23:57
- Static task: static1
- Behavioral task: behavioral1
- Sample: 3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6.exe
- Resource: win7-20220223-en
General
- Target: 3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6.exe
- Size: 2.1MB
- MD5: c0d3b6f38e5253f59f2f15cdcf14edf0
- SHA1: 4442c0d76b86470ebd8d8cea91382107ff9ad96d
- SHA256: 3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6
- SHA512: 578d245a5e7444a741d946dd20b7e9506ac7436ed08132af7549d12f293b9e92d9c3c7174284c92a7a8802211799dc09847f3428c758da0632c471b3aa80e696
Malware Config
Extracted
- Family: njrat
- Version: 0.7d
- Botnet ID: HacK
- C2: 127.0.0.1:1234
- Mutex: 8a6179254fb2f1e73fe707c1a92f1876
- reg_key: 8a6179254fb2f1e73fe707c1a92f1876
- splitter: |'|'|
Signatures
- Nirsoft (3 IoCs)
  Processes (resource / yara_rule):
  - C:\Users\Admin\AppData\Local\Temp\Process Modules DLL.exe / Nirsoft
  - C:\Users\Admin\AppData\Local\Temp\Process Modules DLL.exe / Nirsoft
  - behavioral2/memory/448-134-0x0000000000B00000-0x0000000000BFC000-memory.dmp / Nirsoft
- Executes dropped EXE (2 IoCs)
  Processes (pid / process):
  - 3616 / Server.exe
  - 448 / Process Modules DLL.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description / ioc / process):
  - Key value queried / \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation / 3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
  - Token: 33 / 3348 / AUDIODG.EXE
  - Token: SeIncBasePriorityPrivilege / 3348 / AUDIODG.EXE
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (description / pid / process / target process):
  - PID 3508 wrote to memory of 3616 / 3508 / 3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6.exe / Server.exe
  - PID 3508 wrote to memory of 3616 / 3508 / 3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6.exe / Server.exe
  - PID 3508 wrote to memory of 3616 / 3508 / 3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6.exe / Server.exe
  - PID 3616 wrote to memory of 4868 / 3616 / Server.exe / fondue.exe
  - PID 3616 wrote to memory of 4868 / 3616 / Server.exe / fondue.exe
  - PID 3616 wrote to memory of 4868 / 3616 / Server.exe / fondue.exe
  - PID 3508 wrote to memory of 448 / 3508 / 3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6.exe / Process Modules DLL.exe
  - PID 3508 wrote to memory of 448 / 3508 / 3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6.exe / Process Modules DLL.exe
  - PID 4868 wrote to memory of 1432 / 4868 / fondue.exe / FonDUE.EXE
  - PID 4868 wrote to memory of 1432 / 4868 / fondue.exe / FonDUE.EXE
Processes (indentation shows the parent/child tree; depth as reported)
- [1] C:\Users\Admin\AppData\Local\Temp\3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3f16985a58d42af0b56b8cbcefbfea709d32b3041633c4037f4d46cddb6b16e6.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\Server.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\fondue.exe
      Command line: "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\FonDUE.EXE
        Command line: "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
  - [2] C:\Users\Admin\AppData\Local\Temp\Process Modules DLL.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Process Modules DLL.exe"
    - Executes dropped EXE
- [1] C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x33c 0x3fc
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\Process Modules DLL.exe
  MD5: d27ba7e620a8c3a36b62d3a983d3fe61
  SHA1: ac86faf6c358002254a032d4f7a9bdbef093c573
  SHA256: 3d793d0f14382c8f28ba9efd2f35bfb18c2abaf5f4654d81726ddebe4310fa07
  SHA512: e0ef5dac3c50fe6bf1e03116dd7239d89c85d0a47bf2254705c1f4527b1b4843cc5b04ed76d5f618a61f127c6b54587e2e02f7050525d819f6aa3b93ede91a00
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  MD5: cd756c506aedc1507c79b7c81d51dfe0
  SHA1: 0428b30df265076b61499266050ecbb461b1ae95
  SHA256: 3a06815118520f21257729a0ef3a86159f927a9b0f598f442fc2b699b9a8adff
  SHA512: 9fde72774fd3deba541c69e37343a10e600f6bf4c5111b670397d4740d4d5405c7ba4b0436d12fc796c3662381ec62b226e6801685f5eff75cc7df069bd1f062
- memory/448-134-0x0000000000B00000-0x0000000000BFC000-memory.dmp
  Filesize: 1008KB
- memory/448-135-0x00007FFC4E0E0000-0x00007FFC4EBA1000-memory.dmp
  Filesize: 10.8MB
- memory/448-136-0x000000001CD30000-0x000000001CD32000-memory.dmp
  Filesize: 8KB
- memory/448-137-0x000000001CD33000-0x000000001CD35000-memory.dmp
  Filesize: 8KB