Analysis

  • max time kernel
    123s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    10/03/2022, 03:46

General

  • Target

    68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe

  • Size

    430KB

  • MD5

    5be38d3bc0d36a3b177d1979dc0c4f66

  • SHA1

    596a4027afbcfa3b286972c777e52e16759bf809

  • SHA256

    68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764

  • SHA512

    f71fc5f4ed65286e1416d4bea0e4fac5b658ef0d835a659e47aae6b123b81687979644d16b669d2f3f8331ace293e260d2f0a34df17402f5d2292e55f924cfa3

Score
9/10

Malware Config

Signatures

  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe
    "C:\Users\Admin\AppData\Local\Temp\68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:208
    • C:\Users\Admin\AppData\Local\Temp\MULTIBOT05.exe
      "C:\Users\Admin\AppData\Local\Temp\MULTIBOT05.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3312
    • C:\Users\Admin\AppData\Local\Temp\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3364
      • C:\Windows\system32\fondue.exe
        "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
        3⤵
          PID:1296
      • C:\Users\Admin\AppData\Local\Temp\taskhost.exe
        "C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3316
        • C:\Windows\SysWOW64\fondue.exe
          "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1660
          • C:\Windows\system32\FonDUE.EXE
            "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
            4⤵
              PID:680

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads