56215c5f2038644fa2c414ca0a498903c2d7eeed8b4e060f9acec131e0c3718e | Triage

Analysis

max time kernel
129s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
14-04-2022 13:46

Sharing

Report Analysis Logs

General

Target

SWIFT.exe
Size

798KB
MD5

2964939592941753fa4294aa4e1389e8
SHA1

ec6966f36bb3e2dbf698e4984faac9e8a311a1c3
SHA256

cf079000d12cefafc5b2d251df1bd9a8ee96a62a67062f22dd9027693adfeeea
SHA512

8c01f9faefd3b761f5d810e84c6088600a77bdd8c55d93b4a18dd67ac4d04189e5c9fcd4e07a770d72dac2a09b260d5e3a47722e1f1db972fb62a189e56fdb99

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

SWIFT.exefondue.exe

description	pid	process	target process
PID 3372 wrote to memory of 1820	3372	SWIFT.exe	fondue.exe
PID 3372 wrote to memory of 1820	3372	SWIFT.exe	fondue.exe
PID 3372 wrote to memory of 1820	3372	SWIFT.exe	fondue.exe
PID 1820 wrote to memory of 4376	1820	fondue.exe	FonDUE.EXE
PID 1820 wrote to memory of 4376	1820	fondue.exe	FonDUE.EXE

C:\Users\Admin\AppData\Local\Temp\SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\SWIFT.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3372

C:\Windows\SysWOW64\fondue.exe
"C:\Windows\system32\fondue.exe" /enable-feature:NetFx3 /caller-name:mscoreei.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\system32\FonDUE.EXE
"C:\Windows\sysnative\FonDUE.EXE" /enable-feature:NetFx3 /caller-name:mscoreei.dll
3⤵
PID:4376

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1820-130-0x0000000000000000-mapping.dmp

Download
memory/4376-131-0x0000000000000000-mapping.dmp

Download