Analysis
-
max time kernel: 120s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-03-2022 00:28
Static task: static1
Behavioral task: behavioral1
  Sample: aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe
  Resource: win7-20220311-en
Behavioral task: behavioral2
  Sample: aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe
  Resource: win10v2004-en-20220113
General
-
Target: aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe
Size: 6.6MB
MD5: dc70508f10ea72c1ad810c72b179bf28
SHA1: 5c7ef633b20ad47c1a9967a181ebf42a5094c07d
SHA256: aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e
SHA512: 8dc1d9ef4c4b9b4fef91c55734a0e813b1a8a4582fab36b7b52c3b2c0d217a25dce3dbc1d364d438766c1fa8fc1f64498c2f779848a5208f2ea7ce06ed43f06b
Malware Config
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
NirSoft MailPassView 2 IoCs
Password recovery tool for various email clients
Processes:
  resource                                                | yara_rule
  C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe  | MailPassView
  C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe  | MailPassView
-
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
Processes:
  resource                                                | yara_rule
  C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe  | WebBrowserPassView
  C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe  | WebBrowserPassView
-
Nirsoft 2 IoCs
Processes:
  resource                                                | yara_rule
  C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe  | Nirsoft
  C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe  | Nirsoft
-
RevengeRat Executable 2 IoCs
Processes:
  resource                                                                | yara_rule
  C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe  | revengerat
  C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe  | revengerat
-
Executes dropped EXE 4 IoCs
Processes: 1.exe, Gerenciador de audio HD Realltek.exe, Windows Explorer.exe, 2.exe
  pid   | process
  2080  | 1.exe
  3148  | Gerenciador de audio HD Realltek.exe
  4628  | Windows Explorer.exe
  3852  | 2.exe
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe, 1.exe
  description        | ioc                                                                                                    | process
  Key value queried  | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  | aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe
  Key value queried  | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  | 1.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: 2.exe
  description              | pid   | process
  Token: SeDebugPrivilege  | 3852  | 2.exe
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes: aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe, 1.exe, Gerenciador de audio HD Realltek.exe, Windows Explorer.exe, fondue.exe, fondue.exe, 2.exe
  description                        | pid   | process                                                                | target process
  PID 3164 wrote to memory of 2080   | 3164  | aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe  | 1.exe
  PID 3164 wrote to memory of 2080   | 3164  | aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe  | 1.exe
  PID 3164 wrote to memory of 2080   | 3164  | aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe  | 1.exe
  PID 3164 wrote to memory of 3852   | 3164  | aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe  | 2.exe
  PID 3164 wrote to memory of 3852   | 3164  | aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe  | 2.exe
  PID 2080 wrote to memory of 3148   | 2080  | 1.exe                                                                  | Gerenciador de audio HD Realltek.exe
  PID 2080 wrote to memory of 3148   | 2080  | 1.exe                                                                  | Gerenciador de audio HD Realltek.exe
  PID 2080 wrote to memory of 3148   | 2080  | 1.exe                                                                  | Gerenciador de audio HD Realltek.exe
  PID 2080 wrote to memory of 4628   | 2080  | 1.exe                                                                  | Windows Explorer.exe
  PID 2080 wrote to memory of 4628   | 2080  | 1.exe                                                                  | Windows Explorer.exe
  PID 2080 wrote to memory of 4628   | 2080  | 1.exe                                                                  | Windows Explorer.exe
  PID 3148 wrote to memory of 4716   | 3148  | Gerenciador de audio HD Realltek.exe                                   | fondue.exe
  PID 3148 wrote to memory of 4716   | 3148  | Gerenciador de audio HD Realltek.exe                                   | fondue.exe
  PID 3148 wrote to memory of 4716   | 3148  | Gerenciador de audio HD Realltek.exe                                   | fondue.exe
  PID 4628 wrote to memory of 4588   | 4628  | Windows Explorer.exe                                                   | fondue.exe
  PID 4628 wrote to memory of 4588   | 4628  | Windows Explorer.exe                                                   | fondue.exe
  PID 4628 wrote to memory of 4588   | 4628  | Windows Explorer.exe                                                   | fondue.exe
  PID 4716 wrote to memory of 780    | 4716  | fondue.exe                                                             | FonDUE.EXE
  PID 4716 wrote to memory of 780    | 4716  | fondue.exe                                                             | FonDUE.EXE
  PID 4588 wrote to memory of 3720   | 4588  | fondue.exe                                                             | FonDUE.EXE
  PID 4588 wrote to memory of 3720   | 4588  | fondue.exe                                                             | FonDUE.EXE
  PID 3852 wrote to memory of 4332   | 3852  | 2.exe                                                                  | arp.exe
  PID 3852 wrote to memory of 4332   | 3852  | 2.exe                                                                  | arp.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\aafc181ac5fa1474722cc4556bc2797773cea719caad63f7f6fcc23bac27db2e.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\1.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    -
    C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe (depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      -
      C:\Windows\SysWOW64\fondue.exe (depth 4)
        command line: "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
        - Suspicious use of WriteProcessMemory
        -
        C:\Windows\system32\FonDUE.EXE (depth 5)
          command line: "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
    -
    C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe (depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      -
      C:\Windows\SysWOW64\fondue.exe (depth 4)
        command line: "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
        - Suspicious use of WriteProcessMemory
        -
        C:\Windows\system32\FonDUE.EXE (depth 5)
          command line: "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
  -
  C:\Users\Admin\AppData\Local\Temp\2.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\2.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    C:\Windows\System32\arp.exe (depth 3)
      command line: "C:\Windows\System32\arp.exe" -a
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1.exe
MD5: a302f849f03f9d0986062f4eb4032824
SHA1: 15848e1df366bf37158cc70ab13f01a693a733f0
SHA256: 3b163eddf849e4c53923fe275b320081e31badc3f1b42b239bd6efbdbed93e3d
SHA512: 46154fc25ce18e92d0c360d9bb8a323304824bb6ae6a0c73a6dad64721d4891a2536b3f40b5c0ac76013a9ed3877dbc38470a0d956b8b79ad565d5052731ea36
-
C:\Users\Admin\AppData\Local\Temp\2.exe
MD5: b829a00948c61c7f278c5820150cfae2
SHA1: 63affca7cab301cc1086738e2dde76fe0685ee13
SHA256: b416aa42e9384b4d8b038438c86d9e56f6d614b19c478a09c3e41e2a9839d7ea
SHA512: 27afd7ecf75726757247846fff47453cf6b4f605324a2902464b2ae4deeb1b084007f919ea25e9f1fdd0d6ae5324afeff976a67fb7e5a36a1eefb614e6b0af86
-
C:\Users\Admin\AppData\Local\Temp\Gerenciador de audio HD Realltek.exe
MD5: cc19874b2b87478ed80aeb0db2786904
SHA1: 04169b414112d5fc80f8ec01eed4e7edeed77e27
SHA256: 7be748b35266e003d5eacffaf8274fd041bfb31bfc678f66acfdd9a96014e71e
SHA512: 2db0b362f294fbd4de5fd192ed3120774e0cf2fcd151ffadcc22237e0c477b043fb0aef404210dfe0fb908c4f577658f827e2e0a7810bb5c2d6c2e595f774ef5
-
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
MD5: 15febefbdf4118365bd8a67a1f182543
SHA1: 85bd8cb479994a4f9e5e8bb0b42313bfc3a172df
SHA256: 1fa314517e2dcc8502f909baed440b5f400d32a292eda292855a6c3773e71e3b
SHA512: 9d7770b872dabc1662c8dedfaaf6cccd4ee0faf23d3122a110a978d507cc1c3d0d607a08abf771ae2c27f1b05320485032283c905878b01ef1ed8dc7f60adbfc
-
memory/3852-138-0x0000023195600000-0x0000023195C28000-memory.dmp
Filesize: 6.2MB
-
memory/3852-139-0x00007FFC41370000-0x00007FFC41E31000-memory.dmp
Filesize: 10.8MB
-
memory/3852-140-0x00000231B1700000-0x00000231B1702000-memory.dmp
Filesize: 8KB