Analysis
  max time kernel:   123s
  max time network:  153s
  platform:          windows10-2004_x64
  resource:          win10v2004-en-20220112
  submitted:         10/03/2022, 03:46

  Static task       static1
  Behavioral task   behavioral1
    Sample:    68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe
    Resource:  win7-20220223-en
  Behavioral task   behavioral2
    Sample:    68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe
    Resource:  win10v2004-en-20220112

  The signatures and process tree below are those of behavioral2 (Windows 10 2004 x64, image win10v2004-en-20220112); the Windows 7 task behavioral1 is not reported on this page.
General
  Target:  68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe
  Size:    430KB
  MD5:     5be38d3bc0d36a3b177d1979dc0c4f66
  SHA1:    596a4027afbcfa3b286972c777e52e16759bf809
  SHA256:  68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764
  SHA512:  f71fc5f4ed65286e1416d4bea0e4fac5b658ef0d835a659e47aae6b123b81687979644d16b669d2f3f8331ace293e260d2f0a34df17402f5d2292e55f924cfa3

Malware Config
  No configuration was extracted in this run.
Signatures

NirSoft MailPassView (2 IoCs)
  Password recovery tool for various email clients.
  resource                                      yara_rule
  behavioral2/files/0x0005000000021422-137.dat  MailPassView
  behavioral2/files/0x0005000000021422-139.dat  MailPassView

NirSoft WebBrowserPassView (2 IoCs)
  Password recovery tool for various web browsers.
  resource                                      yara_rule
  behavioral2/files/0x0005000000021422-137.dat  WebBrowserPassView
  behavioral2/files/0x0005000000021422-139.dat  WebBrowserPassView

Nirsoft (2 IoCs)
  resource                                      yara_rule
  behavioral2/files/0x0005000000021422-137.dat  Nirsoft
  behavioral2/files/0x0005000000021422-139.dat  Nirsoft

  All three NirSoft rules fire on the same two files written to disk during the run, i.e. the sample carries code matching NirSoft's mail and browser password-recovery tools, a component typical of credential stealers. The report does not record which process wrote these two files.

Executes dropped EXE (3 IoCs)
  pid   Process
  3312  MULTIBOT05.exe
  3364  svchost.exe
  3316  taskhost.exe

  svchost.exe and taskhost.exe are dropped into %TEMP% under the names of Windows system binaries (the legitimate copies live in C:\Windows\System32), a simple masquerade; see the full paths in the process tree below.

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description        ioc                                                                                                 Process
  Key value queried  \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation  68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe

  The key is HKCU\Control Panel\International\Geo\Nation, which holds the GeoID of the country configured in the user's Region settings. Reading it once at start-up is the usual way for a sample to refuse to run in selected countries. Only the query is recorded here, not the value returned or any decision taken on it.

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  That sentence is the signature's generic wording. No IoC is attached to it in this run and nothing else in the report (no file encryption, no ransom note) supports a ransomware classification; credential stealers enumerate drives as well.

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  3312  MULTIBOT05.exe

  The report does not record the hook type or scope. A low-level keyboard hook would point to keylogging, but GUI toolkits install hooks too, so this indicator is weak on its own.

Suspicious use of WriteProcessMemory (15 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 208 wrote to memory of 3312   208   68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe   56
  PID 208 wrote to memory of 3312   208   68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe   56
  PID 208 wrote to memory of 3312   208   68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe   56
  PID 208 wrote to memory of 3364   208   68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe   57
  PID 208 wrote to memory of 3364   208   68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe   57
  PID 3364 wrote to memory of 1296  3364  svchost.exe                                                             58
  PID 3364 wrote to memory of 1296  3364  svchost.exe                                                             58
  PID 208 wrote to memory of 3316   208   68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe   59
  PID 208 wrote to memory of 3316   208   68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe   59
  PID 208 wrote to memory of 3316   208   68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe   59
  PID 3316 wrote to memory of 1660  3316  taskhost.exe                                                            60
  PID 3316 wrote to memory of 1660  3316  taskhost.exe                                                            60
  PID 3316 wrote to memory of 1660  3316  taskhost.exe                                                            60
  PID 1660 wrote to memory of 680   1660  fondue.exe                                                              62
  PID 1660 wrote to memory of 680   1660  fondue.exe                                                              62

  Every writer/target pair above is a parent writing into a child it has just created (compare the process tree below), which is what process creation looks like to this signature. No write into a pre-existing or unrelated process is recorded, so the report gives no evidence of code injection into another process.
Processes

  PID 208   C:\Users\Admin\AppData\Local\Temp\68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe"
            Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
    PID 3312  C:\Users\Admin\AppData\Local\Temp\MULTIBOT05.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\MULTIBOT05.exe"
              Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
    PID 3364  C:\Users\Admin\AppData\Local\Temp\svchost.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
              Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      PID 1296  C:\Windows\system32\fondue.exe
                Command line: "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    PID 3316  C:\Users\Admin\AppData\Local\Temp\taskhost.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\taskhost.exe"
              Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      PID 1660  C:\Windows\SysWOW64\fondue.exe
                Command line: "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
                Signatures: Suspicious use of WriteProcessMemory
        PID 680   C:\Windows\system32\FonDUE.EXE
                  Command line: "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll

  Reading the tree: the sample (PID 208) drops three executables into its own %TEMP% directory and runs them, MULTIBOT05.exe plus the system-binary look-alikes svchost.exe and taskhost.exe.

  fondue.exe (Features on Demand User Experience) is a legitimate Windows binary. The arguments /enable-feature:NetFx3 /caller-name:mscoreei.dll are what the .NET shim mscoreei.dll runs when a .NET Framework 2.0/3.5 application starts on a Windows 10 image that does not have the NetFx3 optional feature installed. The two fondue.exe subtrees therefore indicate that svchost.exe and taskhost.exe are .NET 2.0/3.5 executables whose managed code most likely never ran on this image; their real behaviour is not captured here, and a rerun with NetFx3 enabled, or the Windows 7 task behavioral1 (Windows 7 ships .NET 3.5), would be needed to see it. MULTIBOT05.exe, which installed a window hook, did run.

  PID 1660 shows WOW64 file-system redirection: taskhost.exe is a 32-bit process, so its request for C:\Windows\system32\fondue.exe was served from C:\Windows\SysWOW64\fondue.exe, and that 32-bit copy re-launched the native 64-bit binary through the C:\Windows\sysnative alias (PID 680). svchost.exe launched the 64-bit C:\Windows\system32\fondue.exe directly (PID 1296). The mismatch between image path and command line is worth recognising so that it is not mistaken for binary planting.
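As an added example (not part of the sandbox report and not the sandbox vendor's code), the following Python script rebuilds the process tree from the flattened Processes entries above, checks every WriteProcessMemory IoC against that tree so that creation-time writes into a child are separated from writes into any other process, and flags the WOW64 redirection visible on PID 1660. The embedded input strings are copied from this report; the regular expressions, the tree-building rule (parent of a depth-d entry is the nearest preceding depth d-1 entry) and the function names are my own assumptions about the format, not a documented parser.

```python
"""Rebuild the process tree from a flattened sandbox report and vet its
WriteProcessMemory IoCs against it. Added example; not the report's own code."""
import re
from collections import Counter

SAMPLE = "68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe"

# Constructed input: the seven Processes entries of the report, one per line,
# in the flattened form the page uses (<image>"<command line>"<depth>⤵PID:<pid>),
# with the per-process signature bullets dropped.
PROCESS_TEXT = r"""
C:\Users\Admin\AppData\Local\Temp\68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe"C:\Users\Admin\AppData\Local\Temp\68fbdae1edae5bd5dad66f1d91cd3feec0ee1697a1650764802c02d213ae4764.exe"1⤵PID:208
C:\Users\Admin\AppData\Local\Temp\MULTIBOT05.exe"C:\Users\Admin\AppData\Local\Temp\MULTIBOT05.exe"2⤵PID:3312
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"2⤵PID:3364
C:\Windows\system32\fondue.exe"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll3⤵PID:1296
C:\Users\Admin\AppData\Local\Temp\taskhost.exe"C:\Users\Admin\AppData\Local\Temp\taskhost.exe"2⤵PID:3316
C:\Windows\SysWOW64\fondue.exe"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll3⤵PID:1660
C:\Windows\system32\FonDUE.EXE"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll4⤵PID:680
"""

# Constructed input: the 15 WriteProcessMemory IoCs of the report, in the order
# listed, run together as the page does (description, pid, Process, procid_target).
WPM_TEXT = " ".join(
    f"PID {src} wrote to memory of {dst} {src} {proc} {tid}"
    for src, dst, proc, tid in [
        (208, 3312, SAMPLE, 56), (208, 3312, SAMPLE, 56), (208, 3312, SAMPLE, 56),
        (208, 3364, SAMPLE, 57), (208, 3364, SAMPLE, 57),
        (3364, 1296, "svchost.exe", 58), (3364, 1296, "svchost.exe", 58),
        (208, 3316, SAMPLE, 59), (208, 3316, SAMPLE, 59), (208, 3316, SAMPLE, 59),
        (3316, 1660, "taskhost.exe", 60), (3316, 1660, "taskhost.exe", 60),
        (3316, 1660, "taskhost.exe", 60),
        (1660, 680, "fondue.exe", 62), (1660, 680, "fondue.exe", 62),
    ]
)

# Assumed line shapes (my reading of the page, not a documented format).
PROC_RE = re.compile(r'^(?P<image>[^"]+)"(?P<exe>[^"]*)"(?P<args>.*?)(?P<depth>\d)⤵PID:(?P<pid>\d+)$')
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_process_tree(text):
    """Map pid -> {image, cmdline, parent}; the parent of a depth-d entry is the
    most recent entry at depth d-1, mirroring the report's indentation."""
    procs, last_at_depth = {}, {}
    for raw in text.strip().splitlines():
        m = PROC_RE.match(raw.strip())
        if not m:
            raise ValueError(f"unrecognised process line: {raw!r}")
        depth, pid = int(m["depth"]), int(m["pid"])
        procs[pid] = {
            "image": m["image"],
            "cmdline": f'"{m["exe"]}"{m["args"]}',
            "parent": last_at_depth.get(depth - 1),
        }
        # This entry starts a new subtree: forget deeper entries of the old one.
        last_at_depth = {d: p for d, p in last_at_depth.items() if d < depth}
        last_at_depth[depth] = pid
    return procs


def classify_writes(wpm_text, procs):
    """Count writes per (writer, target) pair and split them into writes into a
    child the writer created (expected during CreateProcess) and writes into
    any other process (the injection case worth investigating)."""
    pairs = Counter((int(s), int(d)) for s, d, _, _ in WPM_RE.findall(wpm_text))
    creation, cross = {}, {}
    for (src, dst), n in pairs.items():
        bucket = creation if procs.get(dst, {}).get("parent") == src else cross
        bucket[(src, dst)] = n
    return creation, cross


def wow64_redirected(procs):
    """PIDs whose on-disk image is under SysWOW64 although the command line
    names system32: a 32-bit caller hit by WOW64 file-system redirection."""
    return sorted(
        pid for pid, p in procs.items()
        if "\\syswow64\\" in p["image"].lower() and "\\system32\\" in p["cmdline"].lower()
    )


def render_tree(procs, parent=None, indent=0):
    """Indented 'pid  image' lines, each child under its parent."""
    lines = []
    for pid, p in procs.items():
        if p["parent"] == parent:
            lines.append("  " * indent + f"{pid}  {p['image']}")
            lines.extend(render_tree(procs, pid, indent + 1))
    return lines


if __name__ == "__main__":
    procs = parse_process_tree(PROCESS_TEXT)
    print("\n".join(render_tree(procs)))
    creation, cross = classify_writes(WPM_TEXT, procs)
    print("writes into own children:", creation)
    print("writes into other processes:", cross)
    print("WOW64-redirected PIDs:", wow64_redirected(procs))
```

On this report `cross` comes back empty and all 15 writes land in `creation`, which is the check behind the note under the WriteProcessMemory signature; a non-empty `cross` (a write whose target is not the writer's child) is the case to pull the memory dumps for.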