Analysis
- max time kernel: 125s
- max time network: 168s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 11-03-2022 01:08
Static task: static1
Behavioral task: behavioral1
  Sample: 3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d.exe
  Resource: win7-20220310-en
Behavioral task: behavioral2
  Sample: 3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d.exe
  Resource: win10v2004-en-20220113
General
- Target: 3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d.exe
- Size: 661KB
- MD5: a302f849f03f9d0986062f4eb4032824
- SHA1: 15848e1df366bf37158cc70ab13f01a693a733f0
- SHA256: 3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d
- SHA512: 46154fc25ce18e92d0c360d9bb8a323304824bb6ae6a0c73a6dad64721d4891a2536b3f40b5c0ac76013a9ed3877dbc38470a0d956b8b79ad565d5052731ea36
Malware Config
Signatures
- RevengeRAT
  Remote-access trojan with a wide range of capabilities.
- NirSoft MailPassView (2 IoCs)
  Password recovery tool for various email clients
  Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe | MailPassView
    C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe | MailPassView
- NirSoft WebBrowserPassView (2 IoCs)
  Password recovery tool for various web browsers
  Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe | WebBrowserPassView
    C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe | WebBrowserPassView
- Nirsoft (2 IoCs)
  Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe | Nirsoft
    C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe | Nirsoft
- RevengeRat Executable (2 IoCs)
  Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe | revengerat
    C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe | revengerat
- Executes dropped EXE (2 IoCs)
  Processes:
    pid | process
    4312 | Gerenciador de audio HD Realltek.exe
    2856 | Windows Explorer.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (16 IoCs)
  Processes:
    description | pid | process | target process
    PID 2928 wrote to memory of 4312 | 2928 | 3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d.exe | Gerenciador de audio HD Realltek.exe
    PID 2928 wrote to memory of 4312 | 2928 | 3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d.exe | Gerenciador de audio HD Realltek.exe
    PID 2928 wrote to memory of 4312 | 2928 | 3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d.exe | Gerenciador de audio HD Realltek.exe
    PID 4312 wrote to memory of 4172 | 4312 | Gerenciador de audio HD Realltek.exe | fondue.exe
    PID 4312 wrote to memory of 4172 | 4312 | Gerenciador de audio HD Realltek.exe | fondue.exe
    PID 4312 wrote to memory of 4172 | 4312 | Gerenciador de audio HD Realltek.exe | fondue.exe
    PID 2928 wrote to memory of 2856 | 2928 | 3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d.exe | Windows Explorer.exe
    PID 2928 wrote to memory of 2856 | 2928 | 3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d.exe | Windows Explorer.exe
    PID 2928 wrote to memory of 2856 | 2928 | 3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d.exe | Windows Explorer.exe
    PID 2856 wrote to memory of 1760 | 2856 | Windows Explorer.exe | fondue.exe
    PID 2856 wrote to memory of 1760 | 2856 | Windows Explorer.exe | fondue.exe
    PID 2856 wrote to memory of 1760 | 2856 | Windows Explorer.exe | fondue.exe
    PID 4172 wrote to memory of 1464 | 4172 | fondue.exe | FonDUE.EXE
    PID 4172 wrote to memory of 1464 | 4172 | fondue.exe | FonDUE.EXE
    PID 1760 wrote to memory of 1248 | 1760 | fondue.exe | FonDUE.EXE
    PID 1760 wrote to memory of 1248 | 1760 | fondue.exe | FonDUE.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 2928
  - C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 4312
    - C:\Windows\SysWOW64\fondue.exe
      Command line: "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      - Suspicious use of WriteProcessMemory
      PID: 4172
      - C:\Windows\system32\FonDUE.EXE
        Command line: "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
        PID: 1464
  - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2856
    - C:\Windows\SysWOW64\fondue.exe
      Command line: "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
      - Suspicious use of WriteProcessMemory
      PID: 1760
      - C:\Windows\system32\FonDUE.EXE
        Command line: "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
        PID: 1248
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe
  MD5: cc19874b2b87478ed80aeb0db2786904
  SHA1: 04169b414112d5fc80f8ec01eed4e7edeed77e27
  SHA256: 7be748b35266e003d5eacffaf8274fd041bfb31bfc678f66acfdd9a96014e71e
  SHA512: 2db0b362f294fbd4de5fd192ed3120774e0cf2fcd151ffadcc22237e0c477b043fb0aef404210dfe0fb908c4f577658f827e2e0a7810bb5c2d6c2e595f774ef5
- C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
  MD5: 15febefbdf4118365bd8a67a1f182543
  SHA1: 85bd8cb479994a4f9e5e8bb0b42313bfc3a172df
  SHA256: 1fa314517e2dcc8502f909baed440b5f400d32a292eda292855a6c3773e71e3b
  SHA512: 9d7770b872dabc1662c8dedfaaf6cccd4ee0faf23d3122a110a978d507cc1c3d0d607a08abf771ae2c27f1b05320485032283c905878b01ef1ed8dc7f60adbfc