98c816edf300bd18ccd8c3bd3549500ca15ae83d726d073093f6ff32372072ce | Triage

Analysis

max time kernel
121s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
12-03-2022 06:00

Sharing

Report Analysis Logs

General

Target

98c816edf300bd18ccd8c3bd3549500ca15ae83d726d073093f6ff32372072ce.exe
Size

552KB
MD5

9d90c41a96b8d9a9f98e86aac5fc16ec
SHA1

00f9ae3bb79ed31d4226bfc607e841bec7c3e0a8
SHA256

98c816edf300bd18ccd8c3bd3549500ca15ae83d726d073093f6ff32372072ce
SHA512

4e2e30b660c5fab287ba4028f6ea6dd0411406e1401b13faa81449b42ddfbe6eb8aba4585ce3d598fd9d1e9e6407abe65849ea0f57cc9b3c493ffc64b49b6034

Score

1^/10

Malware Config

Signatures

Modifies data under HKEY_USERS 6 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\ApplicationFlags = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Property	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\0018400647F126EC = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e00000000020000000000106600000001000020000000879b5545ec8eccbde300c9c87d6291425e54ef603f41bbfd4c1a368eca10dafe000000000e80000000020000200000003a274a5c26b46d3b9b25cc50c1beba9401957deebc300aa7909f324d3c40ece180000000d729976013017d4ba0a198ea5523a4dcc21450dd6d9deecf2bf89ba9630e93f5e299fbe3632ebbfebc20da0fc48dc46a38725b4fbda989e6fa3eca1d27a3fb3dc1b6472863813de443e268116d23d7c4a9935c54dfee423b6da1b893e3eab61214f36cb899ed7f3e47edf5cb5bf4638c86bd10203eb8ac5db3f8e1aa446352134000000035dbc587b6918b825d0666c121da9c2734e509abcf61cdbd5bbbe918af0a3fbb447d48787105d33932ec2eb4dc4fb3a6eafae0a6df92e1fbe2eb41824a22fe01	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e00000000020000000000106600000001000020000000c6662c2e83e4f0cbd3d2349e1f2ccf01cb52cb7bfa797083a1adefbc9b468986000000000e80000000020000200000007e1a8f0246fcd4f98022de8230f5116e8b15c6b7cc75e238fad5b6d2e7beb940100d000026ebb957d1aaf261bb492a99baca598d09de407f3a6105fda5ce69e56d1738542aca6ddc572765b5c4ebb169d3c8934c8152929951db6203a3afcb77506f8b1301430fdaf0418d3a2595ef272a1d432597dc89d38b6c93fd56fefe59381d9ac016557aa274156e52d1447e70b17a65ac2df159104541e2435936a7e1d0151756e7dd8f6301c0072d7c9fb761afba6f11effc3415f682147ef57fdf342190deb2da98b8dd7888251901d40542d966d6c82c14b31afc4b77d5e166b6a0f66dee095cebe7b71cf0c93e5c44cc3d3930129e2f0fbb680898d7405a1f296463711004e524b6ccf951e0e1677f00268d0b6517a6f8fbd0cf6fa4c71b0d3711d376a1e503b2929487dd2540885f0969bbfcdce6ccb8e51dd827ef6a0115c245f39a20815552ba5c947a9fbf43ed5e8205561b8475afdc7a04973f3b5bb0f6b6db23019a371e582acf63c4645680b6ae7e86fc7c5ef07676997d6b4fa20a5930339db3006da4063b18a2a1fb51fd5cba1536b5fd9417d9476ef6409f536a1f70dc33c8109a1c08b6d7c4d42f9b32e679be8b9746123ff93fcd3bc4d822338420cf68d96f881e67f277a2526f2891c441c1db1fe7cbcb0c1f2b1be7a2a6ede2f7ed3f987823d82f969603024b3352342518aa545f61284484f2988a14cdea3c46daecae9556591b71acaae35a2c4ae7ff03283b5ee2d686129b62c5de024f0bfe9d55296959c0ec951b02ea48891c9b2a78b429f39d117eca17ea95ecff7cf78f3e98b2936584483b2e58b0c3b149954804edf2e3444e64ca043c97496aa68c92390a9620417075ff3fbeffbdabd83848832bdb20ec321fdc3e7b7a13152ee1da55c6184ae2596a06153518d69c2c4dc88a0f6cba67800014c3d2e360579ee213df6175b7c77d684dca3f5735d9031f61d92e4086f92e16e3a80377b24bf410b16b6809a0a55b578ae93bac426b35c61738c6aafc2db4143731e03303126167532c581265aeb8ca44e04640706779368a5b763426133420386aaac731e2724035fdfc75114838932090ab612fde9e90c5846f6ff817662aee9d2be1f0ed425453b440bb505b707d994e41942518893c5d3fa759acb0f1758029b4753a0874a3f016f72bd1d3a16aee182242d69245a0037355952d0503a18a6967debf766bd0c7322631f06112ebb3560a16cef8d488d2a6d2fd54114644e209b03c44a8b266d7076cd7e993a207c0a71a68d904e84ac33b8bb26b6593bd926a3dc254fc6cd279a40663e9326bcda881619603554f8ec2d9e492c9f15e2800811f7606db08ec454377be010cb19573d77f02220b1d05b799945561cf870f9df1fd2f41f6984bf1f59ffb3195aa4bb955038d29f5b8823e72ab851f663122e040eae6169ecd9994f8ac473965510874664f369ccf32d274ac1b12ab82314d79aea18b1791be6c20b6fcd6f33c4b8ba7aa70d2309c26991364de9678d058db6662a85a7c6d9f7bd87c587c30d4218847a332172eca55278b4cbbaa99d197c34f9ed90ab694fcd40441bb42d0d05f437ac0101d59424d2580cbbe93b3c446d20423b2c17766c66334f331924453774e90fd5997debe982f3f4c19be889cfb1a8f40c392ce014cfe5510dc15c253b0273093edb07688c75cf193761b841bef87253f63620c9a8059aa0d9bebb9290d78a157f36c4dd5bb7f40342203565146033241577ee625a4c3f038a302f6f2fd3e2b7531a718cc727bd31a9fb67fca78c00209206e89e125809e624dd4b4def4a0fb0577bd49425e9691ed42fd00d6b6558e45d294c3a3c6490f2b066e55c45c1adc28da39eb01d758112fd40580336d3d7a0a9a8ed2c6da3854e7cf7cab244cc3c12b3b08d313f37e7d95e463fb1096fa37e1d19dc2539678ff8d16de5c9fab499553cd809bda529541a1befb25ef11359cb8384880ce237004676191c8b1f5d4e216e83bbcd2e673b48956335adfce23779222a6d467c77eb834018562a827207749f9c135ced9625e420569d38f5958e6eeebc5c7fbad2a365dd03840af31beeaa9b7aeef93bbe744fa500dd39534f4993e935a36238d2d9965e71d01c110993ced1b1406c28de68f6aadff6559799dcac2ab0511bd0fb04883ce2a4212dd448972641ac6daa0f33e05b8a81df7fb6b301a63c4e997124a04afc2823899d89ed167adf25fb377867078a7d0ed15aac7cbbd666ea83fb15ca51e04a0c85c0c6847bc0e9bbd201cede64168ad2d96d6b5c8d392fd3553f81554272b96563fb6de5db890e81173c4ccc609074ceed5c289c4acf11e07d93cf3f75edc1abd0837bbea3252227352e981c713e58677063c57c965e53a45c11f7d7e5c409419845255fbb7251c3dd797e8371e8fa7da3df54b65dc98ad2f754651cd951b8afcb3716936152e1ae756eb4ceee9a7e2b688b8b0427512a7e84b2b06d139049cf5826b457a7f4065304682d66fe7a3a885257d921d82369a189d929b31a8600783b37d91c79f6afa98ec39d8d0c3ee0d97cad507fb62470453e603c41501a8a99f569a14174049c1126d19d9342a5705ba2906761983dfe238e59b4c0d399030d24482ed370c8d817acb549b281d8052d9ddeb78595a07eaa07582d2805fc52a8a9ed565ecbd8b461e6e9f76c6e55ab96522810ba721609f86601d31f20897c65223398af5d2c83b9048d11a253e8e1c6bad86bea7027ba0a19d9cf1777ada5f6d4dc09e084c5b1f1e440b1db6d2339ba8a15590463d0a5ecb4cf4265ad00e35e0909f62deb679f751f5be0b4b376b999f6eefe0300c24caec18a46ae05451bc49d4093a0d929a21ca326ee8f813879034eb94d0dd500942b5fd3c6e1b6bdfbd867821c806cc90f9e4bf4a9a223aac59ccda708dd66a14643f6634109a9da78b5c0b61f06328baf32c99b605551b15a63114f96f0996ed1d7d15cc25453f1a07d016f84e662e088f3854f40107d9e95fa8987e3c2e7e68eeac713b7bbca7aab1fece339918c3ab5d45c1d502ed267a2185965ded4354a5ad16ad293a45a247ad213b4fdf668e6c43e2c836af865dae3afd21d9f2e42ba58098125cb0ed782d34dd93e986d494080f1b6f8cba745d6b2a37aa8ad36163a6b31102fb95f75da4c6780bee820e685fbaa4bde8f651772bee1d930b19b2463a645a0d6ee3dcc9a286ed1ea626f33d9a2e7a8fe2dce3669f0f34cc568fd46cac81e597026a17e06a7fbb3c9bee94e13e028ed0aca413b6add535696b8f172adfc0b040b1b42fa7d1971cbc402d54980467e058c296ce7706d76b4a3821ea47e8359c814a9446cc929a07d98702183f84a1cdaab9cc57369b53ac3137c4c3d5d48f986bc6b14a281fec20ff2baa8d528c1883f4039bb3ed026a53b7e2bc822d24e7dac0aa310cd3c325e2d37f6f64380ace40d0334ea64ba4ecfe1b2c68b1ddd7cb7d0135d20b582f8e7e3ff1290668db992cfc41da441e4e3e0214db3389315dd0d502063968acf3d3319464e49d4237d107b58b719c52c9e6513ec5dd9a7a3e4a90383a8290e4b4f0471d20a44c6f23bbf5fca4ccb907d35d2f1f3e487e37d52d1aeb4bed1419c50691af2b817656e843786469d11e1aab39b7a7efa701c3b7963ba262cac6b9386eebca1282384ee04738173c231aa6f72d673f228fe43b4705573b3becf67219a7b56a309726342ede9f669b231353160a0ff8094760eb04daff3f387c45325b904261ab2d8373050378da5238ad27bef95820fbdb49b53ffccffc2ceb2a1009feb838e7bfc29f23739d33fa2fc0ffcba986192f75090531af6d2e09a816cc6e96e7e81a4aa08756147ac1e65aeb1852465e71c3b63b315ec522254497cab3cb8e40c24703b35d12afc151e866a533af08c32a42f4e0886c7796ed231c71817d860a7bd4c482802374cbd4ed7fb07b5c893dda71b9d0b0c549e379844140e7282a84465a2925ea805c3eb5764d1997613af7aab71a4c6b9b7b9528985bf2b96af1eb10cbebc672e36dfd0168303dbfb07b28ee0b6841488454420cf8ef716ca5afd300f2d7d074f08f636c8f1d57e7f1a0657e36ef03804f2bc6430983e4e822d61ff41ea0faf7f1b06d1fb22568d680d6a95903d94f6db8ea1a48166132cdcb5fce791a24be89040726b8fe16f43adaa285d05b358c9b6b32d2c3ab4dfdedfebabd565906336990f82fb5fe453d321711e1f9314dc8617b5c85d86519237c66f4b1af775bd8165aa58b64dd9b2b493cc5149a01cfd7a5c071d019e029ccfe19f8037ec266a33a6c00c0d360a2e31233044de0abef037f5d025e2958e0b6d0b86439c963f4d5c0cacf5834dc3fac851221cc4f4c9e091e9d8a53d52c5e30945dd4416abea5ad6f6a62f050b5ef5d4aec3b5c239f8b551ea62b7f53a16b70dae9835c9139293a2428b3b4e6f8d1c92b24c9502d114b7897f9cdb4b2a73be1783af2549c73075f28d5d73949ec756a46f92f92fcb352174c104fa82c29581ab8f353b6fcfe237b1624bf9e513d327835ff3917535bfc463284c7cafad7d5cee26963fade0e06ec0052b23f17f79743b33bed475e3e7b8daff3da28767effe1d2a94449b4bd1ecbc1d4ee5886ed9e147af99d38414b9a7688ac8079c3cae59186924ac6ad3fc1a00f981439787844e4ff08a70db3c2d02795d8f40bc83985eacbd40631b4a60d4e00e5a1d09ce91a35a4516992e3fe2ae7162a096b3ab0b7c52eb1141e9fac3f675a92c4e9e4291d1dfd5176b540000000ea787f56fd918e0fc5cd2dd1562ade8d7822c95323633588cf8abc435524fd4802872aa986aac49d1d630064fa8f1ff1b3cb6a8fa991596f99349be616221cdc	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceId = "0018400647F126EC"	svchost.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

98c816edf300bd18ccd8c3bd3549500ca15ae83d726d073093f6ff32372072ce.exefondue.exe

description	pid	process	target process
PID 4320 wrote to memory of 4296	4320	98c816edf300bd18ccd8c3bd3549500ca15ae83d726d073093f6ff32372072ce.exe	fondue.exe
PID 4320 wrote to memory of 4296	4320	98c816edf300bd18ccd8c3bd3549500ca15ae83d726d073093f6ff32372072ce.exe	fondue.exe
PID 4320 wrote to memory of 4296	4320	98c816edf300bd18ccd8c3bd3549500ca15ae83d726d073093f6ff32372072ce.exe	fondue.exe
PID 4296 wrote to memory of 1616	4296	fondue.exe	FonDUE.EXE
PID 4296 wrote to memory of 1616	4296	fondue.exe	FonDUE.EXE

C:\Users\Admin\AppData\Local\Temp\98c816edf300bd18ccd8c3bd3549500ca15ae83d726d073093f6ff32372072ce.exe
"C:\Users\Admin\AppData\Local\Temp\98c816edf300bd18ccd8c3bd3549500ca15ae83d726d073093f6ff32372072ce.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4320

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:4296

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
3⤵
PID:1616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
- Modifies data under HKEY_USERS
PID:824

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads