aa9266ff03617a741d5f39aa1c56dc8902831b0e97b99cf1f5e3b3827f9aa483 | Triage

Analysis

max time kernel
121s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
12-03-2022 00:36

Sharing

Report Analysis Logs

General

Target

aa9266ff03617a741d5f39aa1c56dc8902831b0e97b99cf1f5e3b3827f9aa483.exe
Size

552KB
MD5

ed19c0ef486b1536ec5024c09bbf680d
SHA1

b0e734c80dbc9612479c18740728de95f4e22661
SHA256

aa9266ff03617a741d5f39aa1c56dc8902831b0e97b99cf1f5e3b3827f9aa483
SHA512

f92e5092a0357b414ca515bcbf429cc7367929dab23f6b1a1eb4e4f19d8072bec7c048b7addd0b07343d9b5b4b38c7ca61552379c06cb79731262d24b923528a

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 6 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Property	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\0018400647F126EC = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e000000000200000000001066000000010000200000003f9eac8f07ce2a0ecc394bccd8bee46ab09c0ee8d8456d0c3cb83ca627b7e3e0000000000e80000000020000200000002a21f88e0932a397ffa4e11a3fbe5a55f0fc0c46476fe97bf34478ec086a74b680000000306be76993dfab1f7888e0d37a4bfece6566e69b6bf9db29bc02803ec35ca37cc470daec72384a4e26cb5d5e03932202857e8d4c192b73a56b4495997eddefe2c433ef095be662178227a6420c9c94b3e070ac3d44f1a97b57dbcc7b0ce2c999402720216a57e12c0155e1d567a56421660be67cd3487db4e4024eece9eae22d400000002f0375c0f555e2c661c73b299c240c81629a2a031bfadfc71f03c063fd46a87102f12e298774d7f5f3587e37d64c9193facb6248c7d5bed6b04eac778104e122	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e000000000200000000001066000000010000200000000f461f8b59f30b0e6f3eb940ebbcd2707c54edfe66dd7eb3f2b11febd7f08713000000000e800000000200002000000069ecdfc74276a1c55dca04935b353d63364ef9e76dcad454736d90c690a7c358100d0000a975a3566dbf92c19047dfe1d5ed3d342a6cf9fb821ee6fa7df283a7dbaf7bb02a354b59b3f0a514d77789797b4bf2267f4f23621df5f9bf360a40603d10ca26cbaccfaad8cf1289e2524b2b6723d519c89068463c5d2a2d9d27a393ab58180df7616793890c0608b83f46a5c9b0095d08e3f29599c05c1c9225364409ce17656fff21a1eda1aa7b9c138ea456d3d8da03144628bbb84d3e350cb3f81267d802ab3d3e140eb8dafc9ed662953f40bc1698c28343a68b438fc47272b54228d949a1736e687c43555a952eedff4fbf526f3793e6d25a5cec7519fe01fb27c2f7b42c010f5fee47d24e9cf1d26864f0f5d5ffb573847213616e0c0c2d76d3a08b42a18e97120152a332f514e6a9a8ef7a4a75d7fa77de818174d21af6bbabe2a200abf1b1465ea697047d95973d68b5e8a44699e55bafd04945e654332339ad2ebab639c12586483da5caa1d92789ddd8da2cd1ea1bee3dda6256010003bf0a39248af7f92959cfaa981dbd2791a7e0298226876dbc48ca567f3f1e45c58e4b74867f17365bb84cec6c85e86d1a62d9503aedca763e39b21245416552826e92d914d6236f914657c8c8a1073e5c64afea824f4b69e77ba9d0b71cc128a0ba617d29ba3bdff3835d7f7cb93cafa59b11127014124bb866a420a0731bc5923c47447a914b91c7b379f2a1635e925990f2bb26570b32b761fc5e549bdd2f08586cdba6c218d44f24198ab83ae9c5b3e7a630d39d425c1668ad9a312674192cddde613a5956d20eae7f8a25f18ee80a2a3d95137fd2c3022ef3eab68981c1a99dc8dab281f93213de0b6df4865b1ce244c34de6eab9a70735a11742d829101d24ad494b44b8f828c0dbe5a7092c3994c598169cc1868926bb4e8902f3587fd2f47150690eaeb804634130719d7aceffa80478da7322b840eb35b6ab476a862bf5a90ad1eada00279f260c72755209cdec50454dc9d6ead0786127452cada2bc21e512f9bf0c4c287be84a5f8d04b35e704d56b1c89afbc54d15d6ecdd6caaea8937783d5d3fee0a8f02fc11a84cf31fe33c22754be1de42967a32f6b7a8fd613c5ac8b4920511f382ae859512609149cf6abafad6080d2c7333bae2b7774d353804ff0457f9d5181058c92fca2d7bfe1837c724e91634bf0af493658f1cd87387baf706942f4e72ade24cd6e55f1f9a98e233ea894f2a9034729d337db6ef2d493bcd1d056ae5122cd783d8e06c1328cc56d291869ef72ab0c8fd2aefe07b8fc5fd64ffc7ed48c1de3b2255db8d7d12a9fda31b42af13286ca45541d61e8389bd5b37c28ac027f75f0a4db90626f880ab925c9b13c7658e22d8d0c956be35c74fc94618c4c1e44c70ee28576086e6744021993f6a8404bcaa75e1470d9d672240ca92784d7868c1069184406a1cd2da64ce878c02abe7523b5ce835ec303b0b6ca87168a89b394c31f44641d6361ae7a369911e2e5da3f4cb764189e233e451e778f39d1740a8e0a50959a422ba01fff392b9659a3f58c716350123f7d608b67c53fbfafd073b94aa731d82c8daed07e64d6d10773df5d4b1da7c0e5e4091e607e8982f6db10f36ed41ae5106f5714b5d8521e8de1860caa6c44215cfdf47c2626d5df47941b829585476102c9980fa3f59c309e997f7cc0d07ab17fbfb8a619d402974138fe8c63aa1485e7aad0962771f441788bc02a4273ee99a2d06ac0098e86492926fb8be4a9d23c0d40270bf6fb88ba6036fa0360ba23ca074dc3437110e2a030cace35ab4ead6d9621b8697ad7b2000e01066b7b714c40ab1ee88c2c82854dbb8a64dfb603f1fbfe544786790e035117d695fc703aeb966ca0616be92ae20bc4b8034dd7343f776367ae48833da5d648ac56ad20f6199c2f5378fcf75a22ffbede6bd866a651b7559cbd1db227565b045503ffaefe2623e77ee29c90e6f6f8ce2359fd27b15191dab3fb7919aa68368364a325c87e36358074d018715cc9909c6b0582d609ca16e08bc914c1c84f8395edb26089f82c0ad8c00b3c0d3c27ac9bb7c8aa80f6574ca38014077a572b76dc94538e1e020660ef8b3ec99725ed3c38d20e38a0a25043f11ce82800aa9f66014b803e4f682e5aed8188158726c9e529f2b0e2d0dabede81b5c55e04a36b5bfb5f5d8a1f1f6df977c9dc90a125bacfbb86213d4cafcdbc3c0bf74515fa4fed8ae83cb0f00cdc3d91abfa7db25894995006a09cb4d5b57a32ef5c5222bf47c5ca795203d3d95215a49336c0afdc694ffaf9016a3e3a4bd4a4ded4ecfd755c0d5080ebd7b1b4db5c1bccd9fb84a53f0aaa8d14f0a5697f003b2c334eaf23712b1be22f2dc040ad43888e5576339b3897a5d15f5feb85ddcfc79bff55d974781516c6299f30eb8b78875e09a8ca0882c792b679760826d896dbe5777e218bc631c3b4b185acacf5da501faa5dcfbe6889932425b1ef37260776b0af7a89f41cea1fa2acd84a315f7d47d18cc1a3e204a5d83529677c0c2e3865fe65423c81f385a3123053e7bc96a32e1e8a157877edf280bd943d3ea2296c78e4ec7f77695517db94f0fb69951d9597d152b45994ae858903799a99da539466156e72645292c9d4543b302eeb024dced08a944402dd6a730502cee35b03d106d616309917f66efc6b9acaf64d1f060e14152372f61baaccbb00a194812291de7ca60defda565849b1c50e49c3b99db2a85ae6ba53dcbb56a6ce3fdf690bf0c0160a6591239644caa5cd3c962efa87490deda2462bba4939b34b3a2186779376f59a01463db769a56ab811787255e350757ab2e81a09280fcc813964e09aa1d41138aa4e548ca01789fcabb3d25dbb4c98778eb1c1814ed7616f132dfa62c48392e5d440b65dc157ccdca57be496dbeefa2051ebabea64cc6a91f93e074bf1b8ec9e786d9505b72f6aaee3f5d106e3dfc2ebac3da2fc42e08b274a7bd877d078ee19348da6f87e870d9c6ea3556745e076a1ea1309e6d47b0ce2926c12e2fa9105c73cc7eadc06daaff267a323d2c085cc40708496da1426f62120aee059dac70ecb92d1f38acdaf9a346ef95600e4da2e1f063a4be21bc679bead84b3f02a6ee5a2677069bba68d3d43bb64787f62738d9d222f98e2b76b1fb1c0b69bbb84c7785e81f9f4420ca7556168acb219fc131b878b86c59673bca3e25a5c041490756659e5e241d0d06b805779d597f3d8f6ee0efd91bf2168273e002f2a87b4de87b8388c389b42059946b1abd21d221feb67d3364471259ef6804f2a67b2a131a4b4eabbb2cd2005a5c2bb06fdd7dfe7296eeb232b87fb9e63a9ae1077eb20f318faa23b835582d031db6071ec9832c09b646c097109ccc60026bc1bb6c2f9318272a0d8ecc5a1598f73c8a4e7e02a1c055747a0a24f78d2564635aac5e881eafd46da403ffc20e3f8ce05ba65c123459acae42b3c2b073b738870a9caac2fd80d97ab1a4cb361a717019a4fb6b6cb0e274a071234fe5ed20c56b911676e9d84d05e3e3a9a8c26e41ebd0e3feda3569a9796b9e45ab94441eefb7a83d6559244c44efd394a1c75456172f170cdd3a6b1b9a869039c992e98b6e1baa132bfc6ccb19cb4c982016f2a24e20473f350d77e5fc73cb555327dc7889592a26bfc2265d2784452fca44b6238511b30d65e9e8f1efb1b6901bd8291cb5634f2e8c7c124df765f67c9d985b4459163c26a8507964fd685d50dc64970e51825df1a0c2dfa91e0180ac0b7b0288f1ad0ba579ab7a15631fe8e373ecaa2e0ca650e98266897d46daac70efa99cf0d08f5c4efa7427359828e966636e5b893eb98839fb0a863d7a214207f3254c6e651f59acf199adfdea72de6e73c3cc6cac80e0e6ded9f50642bf4abe34273e8a967572e5e4eea3b5112c969f44745a12c92b4531a3df2d7907d574441c33eda2af4be75baefb0d1d9295e9660e69d13e2a8ba21bcb218c2f748b89742f0ae305f7fce5f62475a8db55835bdd784380de3afc67e6a430fa39fa8668322c2daacf7fc01d82ee7dffc26b02f412b16eda1431aef63a4f8944898b836a0160da00ac58f083a19d2f3f909c184fdcb3d1b5c20faef3d4233f77515a8408dcd3f876ec6aeadeee6db1907d7ca330f2b270c452ee8197e9582da35b062ebfb4c2c3c5d332e77a375b0b84944a549051ff9dd2290970f8b2d7dda12baf933c9fd9344ff07f1b82ef1ec6cc20c02a120282691c458c92210962e8a50d0f4e9c8afb283ccaad5f3ae8f954922af7a4e767a600dc6322fb90e455cac44e073740800d25a91d0bfe676b84b6c4cd1f5912fbcb7b1d73b104bdb4c9c913f32064fc916c327379b59068ae541266d6cb446daeb83eb336e2ee68ee9a034e5531528904b548dd96c0e90a89c2a29fb858821669fe2406e211bfb7f8d8e1aebe4e77568c0a00c8c934a015b5063c44193dd17d38e376e7ad46f9e70a1ff582d5351ffa61910c9be43341fa125349b192f6c32e83758e954080c0efda24063a19fdb76a661c7b6a99d648e23e46d52e41ca3f99160f0a8eb7e232ba4d3e7589fd685537c8a9fbe36014860f5f49391de53cae7127d12b0a3ed80988a9c661c82768d0f9147475abb07060815610951d9c615ece6242a30d6f23c7cf2ff1936aa107816d8e4064586228b10158472e8cf668393ed0b0d3139517ab9944016cdf8f11086a765a9d2a33e0f0e1ca813c500e3f501bb37c075b17da71910bae5d76127fbeb68d98e916e2400000003d850fa530397ba7a430084a8061f1123136f2049e9c0599862c0bf31c66f8d7ad5a5de25d4e5f77b9cd10a280916432408667ce26605ef42caede2bb5312650	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceId = "0018400647F126EC"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\ApplicationFlags = "1"	svchost.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

aa9266ff03617a741d5f39aa1c56dc8902831b0e97b99cf1f5e3b3827f9aa483.exefondue.exe

description	pid	process	target process
PID 4192 wrote to memory of 4292	4192	aa9266ff03617a741d5f39aa1c56dc8902831b0e97b99cf1f5e3b3827f9aa483.exe	fondue.exe
PID 4192 wrote to memory of 4292	4192	aa9266ff03617a741d5f39aa1c56dc8902831b0e97b99cf1f5e3b3827f9aa483.exe	fondue.exe
PID 4192 wrote to memory of 4292	4192	aa9266ff03617a741d5f39aa1c56dc8902831b0e97b99cf1f5e3b3827f9aa483.exe	fondue.exe
PID 4292 wrote to memory of 4148	4292	fondue.exe	FonDUE.EXE
PID 4292 wrote to memory of 4148	4292	fondue.exe	FonDUE.EXE

C:\Users\Admin\AppData\Local\Temp\aa9266ff03617a741d5f39aa1c56dc8902831b0e97b99cf1f5e3b3827f9aa483.exe
"C:\Users\Admin\AppData\Local\Temp\aa9266ff03617a741d5f39aa1c56dc8902831b0e97b99cf1f5e3b3827f9aa483.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4192

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:4292

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
3⤵
PID:4148

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
- Modifies data under HKEY_USERS
PID:4324

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads