Resubmissions
15-03-2022 08:40    220315-klcjwshbh7    10
11-03-2022 16:17    220311-trnzjsdcar    10
11-03-2022 15:27    220311-sv8yfsdbam    10
09-03-2022 15:19    220309-sp9ykacfan    10

Analysis
max time kernel: 1800s
max time network: 1594s
platform: windows10_x64
resource: win10-20220223-en
submitted: 11-03-2022 16:17

Behavioral task: behavioral1
Sample: RIP_YOUR_PC_LOL.exe
Resource: win10-20220223-en (windows10_x64)
0 signatures
0 seconds
General
Target: RIP_YOUR_PC_LOL.exe
Size: 22.5MB
MD5: 52867174362410d63215d78e708103ea
SHA1: 7ae4e1048e4463a4201bdeaf224c5b6face681bf
SHA256: 37d8e1ce3b6e6488942717aa78cb54785edc985143bcc8d9ba9f42d73a3dbd7a
SHA512: 89e17e147d3f073e479e85d0b0321f6264bbc2aa84c930ed645e8f5cde3f1e58812c3db1ba0f10bee6ce7ac0731e1e3de6747a9b3c4d63a564dd8d904bd726ab
Score: 4/10
Malware Config
Signatures

Drops file in Windows directory (2 IoCs)
Processes: taskmgr.exe
description | ioc | process
File created | C:\Windows\rescache\_merged\4183903823\810424605.pri | taskmgr.exe
File created | C:\Windows\rescache\_merged\1601268389\3877292338.pri | taskmgr.exe

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: taskmgr.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: taskmgr.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: taskmgr.exe
pid | process
3764 | taskmgr.exe (64 identical entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: taskmgr.exe
pid | process
3764 | taskmgr.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: taskmgr.exe
description | pid | process
Token: SeDebugPrivilege | 3764 | taskmgr.exe
Token: SeSystemProfilePrivilege | 3764 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 3764 | taskmgr.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
Processes: taskmgr.exe
pid | process
3764 | taskmgr.exe (64 identical entries)

Suspicious use of SendNotifyMessage (64 IoCs)
Processes: taskmgr.exe
pid | process
3764 | taskmgr.exe (64 identical entries)

Suspicious use of WriteProcessMemory (5 IoCs)
Processes: RIP_YOUR_PC_LOL.exe, fondue.exe
description | pid | process | target process
PID 2508 wrote to memory of 3492 | 2508 | RIP_YOUR_PC_LOL.exe | fondue.exe
PID 2508 wrote to memory of 3492 | 2508 | RIP_YOUR_PC_LOL.exe | fondue.exe
PID 2508 wrote to memory of 3492 | 2508 | RIP_YOUR_PC_LOL.exe | fondue.exe
PID 3492 wrote to memory of 3484 | 3492 | fondue.exe | FonDUE.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\fondue.exe
    command line: "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\FonDUE.EXE
      command line: "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
- C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage