Analysis
max time kernel: 119s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20220310-en
submitted: 10/03/2022, 04:16
Static task: static1
Behavioral task: behavioral1
  Sample: 673abf2aebf981b77d96c63037691693e6c1539dc3403e7affcb3874f5c94996.exe
  Resource: win7-20220310-en
Behavioral task: behavioral2
  Sample: 673abf2aebf981b77d96c63037691693e6c1539dc3403e7affcb3874f5c94996.exe
  Resource: win10v2004-20220310-en
Note: the YARA hits below are tagged behavioral2 and the Analysis header refers to the windows10-2004_x64 run; this page includes no results from behavioral1 (the win7 run).
General
Target: 673abf2aebf981b77d96c63037691693e6c1539dc3403e7affcb3874f5c94996.exe
Size: 578KB
MD5: acf9e25c86232c4508b3cb2b94240efc
SHA1: 72bf43d4cdaef66fe09033a5b3c5ca71129c9215
SHA256: 673abf2aebf981b77d96c63037691693e6c1539dc3403e7affcb3874f5c94996
SHA512: 296261037a6ceb1d1e43994a8d54c63ac17ee1be5c3f234bd10d38dc0121237e94d9cf16e54bea61dda0367596918ebd95d23e50fa1c40dd7f2e2a87365d8e1d
Malware Config: no entries in this report
Signatures
NirSoft MailPassView (2 IoCs)
Password recovery tool for various email clients
resource                                       yara_rule
behavioral2/files/0x0009000000021e6a-134.dat   MailPassView
behavioral2/files/0x0009000000021e6a-135.dat   MailPassView

NirSoft WebBrowserPassView (2 IoCs)
Password recovery tool for various web browsers
resource                                       yara_rule
behavioral2/files/0x0009000000021e6a-134.dat   WebBrowserPassView
behavioral2/files/0x0009000000021e6a-135.dat   WebBrowserPassView

Nirsoft (2 IoCs)
resource                                       yara_rule
behavioral2/files/0x0009000000021e6a-134.dat   Nirsoft
behavioral2/files/0x0009000000021e6a-135.dat   Nirsoft

All three rule families match the same two dropped-file resources (0x0009000000021e6a-134.dat and 0x0009000000021e6a-135.dat), so a single dropped artifact carries the signatures of both NirSoft password-recovery tools (mail client and browser credentials). The report does not state which on-disk file name these resources correspond to.
Executes dropped EXE (1 IoC)
pid    Process
3004   Launcher.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence. The value read, Control Panel\International\Geo\Nation under the user's HKU hive, holds the Windows GeoID for the user's configured country or region, so a sample that branches on it behaves differently depending on how the analysis VM's locale is set; re-running with a different Geo\Nation value is the quickest way to test whether this is a geofence.
description          ioc                                                                                                        Process
Key value queried    \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation       673abf2aebf981b77d96c63037691693e6c1539dc3403e7affcb3874f5c94996.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. This is the sandbox's generic description for the signature and no IoC rows are recorded for it; nothing else in this report shows file encryption or a ransom note, and the YARA hits on the dropped file point to credential theft rather than ransomware.
Suspicious use of WriteProcessMemory (8 IoCs)
description                        pid    Process                                                                   procid_target
PID 376 wrote to memory of 3004    376    673abf2aebf981b77d96c63037691693e6c1539dc3403e7affcb3874f5c94996.exe     78
PID 376 wrote to memory of 3004    376    673abf2aebf981b77d96c63037691693e6c1539dc3403e7affcb3874f5c94996.exe     78
PID 376 wrote to memory of 3004    376    673abf2aebf981b77d96c63037691693e6c1539dc3403e7affcb3874f5c94996.exe     78
PID 3004 wrote to memory of 4888   3004   Launcher.exe                                                              80
PID 3004 wrote to memory of 4888   3004   Launcher.exe                                                              80
PID 3004 wrote to memory of 4888   3004   Launcher.exe                                                              80
PID 4888 wrote to memory of 4456   4888   fondue.exe                                                                81
PID 4888 wrote to memory of 4456   4888   fondue.exe                                                                81
The eight rows collapse to three distinct parent-to-child writes (376 to 3004, 3004 to 4888, 4888 to 4456), the same chain shown under Processes. This signature also fires on ordinary child-process creation, because CreateProcess writes the new process's startup parameters into the child with the same API, so the chain by itself does not establish code injection.
Processes
1. C:\Users\Admin\AppData\Local\Temp\673abf2aebf981b77d96c63037691693e6c1539dc3403e7affcb3874f5c94996.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\673abf2aebf981b77d96c63037691693e6c1539dc3403e7affcb3874f5c94996.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   PID: 376
   2. C:\Users\Admin\AppData\Local\Temp\RarSFX0\Launcher.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Launcher.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 3004
      3. C:\Windows\SysWOW64\fondue.exe
         command line: "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
         - Suspicious use of WriteProcessMemory
         PID: 4888
         4. C:\Windows\system32\FonDUE.EXE
            command line: "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
            PID: 4456

Read as an analyst, this tree says more than the signature list does. The RarSFX0 temp directory is where a WinRAR self-extracting archive unpacks, so the sample is an SFX wrapper and Launcher.exe is the unpacked payload. fondue.exe is the Windows Features on Demand prompt; the argument /enable-feature:NetFx3 /caller-name:mscoreei.dll is what the .NET shim (mscoreei.dll) passes when an application built for CLR 2.0/3.5 starts on a Windows image where the .NET Framework 3.5 feature is not enabled. The fondue.exe image path under SysWOW64 shows the launcher is a 32-bit process, and the 32-bit fondue.exe then re-launches its 64-bit copy through the sysnative alias. The likely consequence is that Launcher.exe never got past the .NET 3.5 prompt in this win10v2004 run, which would explain why the only recorded behaviour is a registry read and a file drop; the win7 task (Windows 7 ships with .NET 3.5) is the run to check for the password-recovery activity the YARA hits predict.
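The rows in the WriteProcessMemory table and the Processes list arrive from the sandbox export as flattened text (image path, quoted command line, nesting depth and the ⤵ marker run together). The following Python is an added example, not part of the sandbox report or its tooling: it parses both row formats as exported, collapses the duplicated write rows, rebuilds the parent-to-child chain, and flags the three things an analyst would want to notice in this tree: the dropped EXE running from a RarSFX0 temp directory, the 32-bit SysWOW64 fondue.exe re-launching its 64-bit copy via sysnative, and the /caller-name:mscoreei.dll argument that marks a CLR 2.0/3.5 application hitting a missing NetFx3 feature. The row text is copied from this report; the regexes and helper names (parse_wpm, parse_processes, process_chain, sfx_drops, wow64_to_native, netfx3_prompts, summarize) are mine.

```python
"""Rebuild the process chain from a flattened sandbox report.

Added example, not part of the sandbox report or its tooling. The row text
below is copied from the report; the regexes and helper names are mine.
"""
import re

SAMPLE = "673abf2aebf981b77d96c63037691693e6c1539dc3403e7affcb3874f5c94996.exe"

# "Suspicious use of WriteProcessMemory" rows as exported:
# description | pid | Process | procid_target (the sandbox repeats each write).
WPM_ROWS = f"""
PID 376 wrote to memory of 3004 376 {SAMPLE} 78
PID 376 wrote to memory of 3004 376 {SAMPLE} 78
PID 376 wrote to memory of 3004 376 {SAMPLE} 78
PID 3004 wrote to memory of 4888 3004 Launcher.exe 80
PID 3004 wrote to memory of 4888 3004 Launcher.exe 80
PID 3004 wrote to memory of 4888 3004 Launcher.exe 80
PID 4888 wrote to memory of 4456 4888 fondue.exe 81
PID 4888 wrote to memory of 4456 4888 fondue.exe 81
"""

# "Processes" rows as exported: image path, quoted command line, nesting
# depth and the ⤵ marker run together, then the PID.
PROC_ROWS = rf"""
C:\Users\Admin\AppData\Local\Temp\{SAMPLE}"C:\Users\Admin\AppData\Local\Temp\{SAMPLE}"1⤵ PID:376
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Launcher.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Launcher.exe"2⤵ PID:3004
C:\Windows\SysWOW64\fondue.exe"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll3⤵ PID:4888
C:\Windows\system32\FonDUE.EXE"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll4⤵ PID:4456
"""

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)$")
PROC_RE = re.compile(r'^(?P<image>[^"]+)"(?P<cmd>.*?)(?P<depth>\d)⤵\s*PID:(?P<pid>\d+)$')


def parse_wpm(text):
    """Return {(src_pid, dst_pid): src_image}, one entry per distinct write, in report order."""
    edges = {}
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised WriteProcessMemory row: {line!r}")
        src, dst, image, _target_procid = m.groups()
        edges.setdefault((int(src), int(dst)), image)  # duplicates collapse here
    return edges


def parse_processes(text):
    """Return {pid: {image, exe, args, depth}} from the exported Processes rows."""
    procs = {}
    for line in text.strip().splitlines():
        m = PROC_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised Processes row: {line!r}")
        exe, _, args = m["cmd"].partition('"')  # split the quoted exe from its arguments
        procs[int(m["pid"])] = {"image": m["image"], "exe": exe,
                                "args": args.strip(), "depth": int(m["depth"])}
    return procs


def process_chain(edges):
    """Pre-order walk of the parent-to-child tree implied by the write edges."""
    children, targets = {}, set()
    for src, dst in edges:
        children.setdefault(src, []).append(dst)
        targets.add(dst)
    roots = [pid for pid in children if pid not in targets]
    order = []

    def walk(pid):
        order.append(pid)
        for child in children.get(pid, []):
            walk(child)

    for root in roots:
        walk(root)
    return order


def sfx_drops(procs):
    """PIDs running from a RarSFX* temp dir, i.e. payloads unpacked by a WinRAR SFX."""
    return [pid for pid, p in procs.items() if "\\rarsfx" in p["image"].lower()]


def wow64_to_native(procs, edges):
    """(parent, child) pairs where a 32-bit SysWOW64 process launches the 64-bit copy via sysnative."""
    return [(s, d) for s, d in edges
            if "\\syswow64\\" in procs[s]["image"].lower()
            and "\\sysnative\\" in procs[d]["exe"].lower()]


def netfx3_prompts(procs):
    """fondue.exe PIDs started by the CLR shim (mscoreei.dll): a .NET 2.0/3.5 app hit a missing NetFx3."""
    return [pid for pid, p in procs.items()
            if "fondue" in p["image"].lower()
            and "/caller-name:mscoreei.dll" in p["args"].lower()]


def summarize():
    edges = parse_wpm(WPM_ROWS)
    procs = parse_processes(PROC_ROWS)
    chain = process_chain(edges)
    return {
        "chain": chain,
        "chain_images": [procs[pid]["image"].rsplit("\\", 1)[-1] for pid in chain],
        "unique_writes": len(edges),
        "sfx_drops": sfx_drops(procs),
        "wow64_to_native": wow64_to_native(procs, edges),
        "netfx3_prompts": netfx3_prompts(procs),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

The duplicate-collapsing in parse_wpm is deliberate: the sandbox logs every write call, so a single child launch shows up as several identical rows, and counting rows rather than distinct edges overstates how much cross-process activity actually happened. The three flag functions only look at paths and arguments the report already contains; they do not claim injection or payload execution, which this tree cannot prove on its own.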