Analysis

  • max time kernel
    119s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220310-en
  • submitted
    10/03/2022, 04:16

General

  • Target

    673abf2aebf981b77d96c63037691693e6c1539dc3403e7affcb3874f5c94996.exe

  • Size

    578KB

  • MD5

    acf9e25c86232c4508b3cb2b94240efc

  • SHA1

    72bf43d4cdaef66fe09033a5b3c5ca71129c9215

  • SHA256

    673abf2aebf981b77d96c63037691693e6c1539dc3403e7affcb3874f5c94996

  • SHA512

    296261037a6ceb1d1e43994a8d54c63ac17ee1be5c3f234bd10d38dc0121237e94d9cf16e54bea61dda0367596918ebd95d23e50fa1c40dd7f2e2a87365d8e1d

Score
9/10

Malware Config

Signatures

  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\673abf2aebf981b77d96c63037691693e6c1539dc3403e7affcb3874f5c94996.exe
    "C:\Users\Admin\AppData\Local\Temp\673abf2aebf981b77d96c63037691693e6c1539dc3403e7affcb3874f5c94996.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:376
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Launcher.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Launcher.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3004
      • C:\Windows\SysWOW64\fondue.exe
        "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4888
        • C:\Windows\system32\FonDUE.EXE
          "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
          4⤵
            PID:4456

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads