Analysis Overview
SHA256
37d8e1ce3b6e6488942717aa78cb54785edc985143bcc8d9ba9f42d73a3dbd7a
Threat Level: Known bad
The file RIP_YOUR_PC_LOL.exe was found to be: Known bad.
Malicious Activity Summary
Nirsoft
Nanocore family
Asyncrat family
Njrat family
Async RAT payload
NirSoft MailPassView
NirSoft WebBrowserPassView
Drops file in Windows directory
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-11 16:17
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Asyncrat family
Nanocore family
Nirsoft
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Njrat family
NirSoft MailPassView
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-11 16:17
Reported
2022-03-11 16:47
Platform
win10-20220223-en
Max time kernel
1800s
Max time network
1594s
Command Line
Signatures
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\rescache\_merged\4183903823\810424605.pri | C:\Windows\system32\taskmgr.exe | N/A |
| File created | C:\Windows\rescache\_merged\1601268389\3877292338.pri | C:\Windows\system32\taskmgr.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2508 wrote to memory of 3492 | N/A | C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe | C:\Windows\SysWOW64\fondue.exe |
| PID 2508 wrote to memory of 3492 | N/A | C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe | C:\Windows\SysWOW64\fondue.exe |
| PID 2508 wrote to memory of 3492 | N/A | C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe | C:\Windows\SysWOW64\fondue.exe |
| PID 3492 wrote to memory of 3484 | N/A | C:\Windows\SysWOW64\fondue.exe | C:\Windows\System32\FonDUE.EXE |
| PID 3492 wrote to memory of 3484 | N/A | C:\Windows\SysWOW64\fondue.exe | C:\Windows\System32\FonDUE.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe
"C:\Users\Admin\AppData\Local\Temp\RIP_YOUR_PC_LOL.exe"
C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
C:\Windows\System32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4