Analysis
Max time kernel: 134s
Max time network: 153s
Platform: windows10-2004_x64
Resource: win10v2004-en-20220113
Submitted: 14-03-2022 17:24
Static task: static1
Behavioral task: behavioral1
Sample: b8b02e781ca3b049b61e31b5b3f508ac1ecffd335a6c6c83b7dbc1de88e69ed5.exe
Resource: win7-20220310-en
General
Target: b8b02e781ca3b049b61e31b5b3f508ac1ecffd335a6c6c83b7dbc1de88e69ed5.exe
Size: 1.0MB
MD5: 20917a3dd1b362aa03532d623fbb1622
SHA1: b8102145d3937c2ad99f03dd9ee8da4478b0a4a4
SHA256: b8b02e781ca3b049b61e31b5b3f508ac1ecffd335a6c6c83b7dbc1de88e69ed5
SHA512: ce3a5d405be750e1706b8609b2fe391740af446205651f3a93fb5bf3f911ff83ae8af526f13fcefdde0c4a36873d4a04756b40779d1cb4525251aad0407175b8
Malware Config
Extracted
Family: njrat
Version: 0.7d
Botnet: HacK
C2: 127.0.0.1:1234
Mutex: 8a6179254fb2f1e73fe707c1a92f1876
reg_key: 8a6179254fb2f1e73fe707c1a92f1876
splitter: |'|'|
Signatures
-
Nirsoft (3 IoCs)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\Process Modules DLL.exe | Nirsoft
  C:\Users\Admin\AppData\Local\Temp\Process Modules DLL.exe | Nirsoft
  behavioral2/memory/5116-134-0x0000000000C70000-0x0000000000D6C000-memory.dmp | Nirsoft
-
Executes dropped EXE (2 IoCs)
Processes:
  pid | process
  4404 | Server.exe
  5116 | Process Modules DLL.exe
-
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence check.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | b8b02e781ca3b049b61e31b5b3f508ac1ecffd335a6c6c83b7dbc1de88e69ed5.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description | pid | process
  Token: 33 | 4984 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 4984 | AUDIODG.EXE
-
Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
  description | pid | process | target process
  PID 2644 wrote to memory of 4404 | 2644 | b8b02e781ca3b049b61e31b5b3f508ac1ecffd335a6c6c83b7dbc1de88e69ed5.exe | Server.exe
  PID 2644 wrote to memory of 4404 | 2644 | b8b02e781ca3b049b61e31b5b3f508ac1ecffd335a6c6c83b7dbc1de88e69ed5.exe | Server.exe
  PID 2644 wrote to memory of 4404 | 2644 | b8b02e781ca3b049b61e31b5b3f508ac1ecffd335a6c6c83b7dbc1de88e69ed5.exe | Server.exe
  PID 4404 wrote to memory of 5052 | 4404 | Server.exe | fondue.exe
  PID 4404 wrote to memory of 5052 | 4404 | Server.exe | fondue.exe
  PID 4404 wrote to memory of 5052 | 4404 | Server.exe | fondue.exe
  PID 2644 wrote to memory of 5116 | 2644 | b8b02e781ca3b049b61e31b5b3f508ac1ecffd335a6c6c83b7dbc1de88e69ed5.exe | Process Modules DLL.exe
  PID 2644 wrote to memory of 5116 | 2644 | b8b02e781ca3b049b61e31b5b3f508ac1ecffd335a6c6c83b7dbc1de88e69ed5.exe | Process Modules DLL.exe
  PID 5052 wrote to memory of 3544 | 5052 | fondue.exe | FonDUE.EXE
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\b8b02e781ca3b049b61e31b5b3f508ac1ecffd335a6c6c83b7dbc1de88e69ed5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b8b02e781ca3b049b61e31b5b3f508ac1ecffd335a6c6c83b7dbc1de88e69ed5.exe"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Server.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\fondue.exe
         Command line: "C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\FonDUE.EXE
            Command line: "C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
   2. C:\Users\Admin\AppData\Local\Temp\Process Modules DLL.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Process Modules DLL.exe"
      - Executes dropped EXE
1. C:\Windows\system32\AUDIODG.EXE
   Command line: C:\Windows\system32\AUDIODG.EXE 0x300 0x2ec
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Process Modules DLL.exe
MD5: d27ba7e620a8c3a36b62d3a983d3fe61
SHA1: ac86faf6c358002254a032d4f7a9bdbef093c573
SHA256: 3d793d0f14382c8f28ba9efd2f35bfb18c2abaf5f4654d81726ddebe4310fa07
SHA512: e0ef5dac3c50fe6bf1e03116dd7239d89c85d0a47bf2254705c1f4527b1b4843cc5b04ed76d5f618a61f127c6b54587e2e02f7050525d819f6aa3b93ede91a00
-
C:\Users\Admin\AppData\Local\Temp\Server.exe
MD5: cd756c506aedc1507c79b7c81d51dfe0
SHA1: 0428b30df265076b61499266050ecbb461b1ae95
SHA256: 3a06815118520f21257729a0ef3a86159f927a9b0f598f442fc2b699b9a8adff
SHA512: 9fde72774fd3deba541c69e37343a10e600f6bf4c5111b670397d4740d4d5405c7ba4b0436d12fc796c3662381ec62b226e6801685f5eff75cc7df069bd1f062
-
memory/5116-134-0x0000000000C70000-0x0000000000D6C000-memory.dmp
Filesize: 1008KB
-
memory/5116-135-0x00007FFB177A0000-0x00007FFB18261000-memory.dmp
Filesize: 10.8MB
-
memory/5116-136-0x000000001CEF0000-0x000000001CEF2000-memory.dmp
Filesize: 8KB
-
memory/5116-137-0x000000001CEF3000-0x000000001CEF5000-memory.dmp
Filesize: 8KB