Analysis
-
max time kernel
17s -
max time network
82s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
26-02-2024 18:30
General
-
Target
FiddlerSetup.exe
-
Size
6.3MB
-
MD5
77a80b10028f9c800c5cbb5a80fde929
-
SHA1
7e8a8ce83bba6bec7b62cca06ae7680ef5c5ddec
-
SHA256
207e1a39c74a03ae535ad04fe74bc435baa777ecefaec95abe78664cd2b34690
-
SHA512
883600cb4d5114cef47dba6d7fde929c02f0f4d2baafa9dbb746fccfee92ebb6bfb02602e64dfb2c93b773abfdf8b49ac780b0c02414107761dd66e6999480bc
-
SSDEEP
98304:mIouszMd5OYRxqFu5rMnb8ELGUHjvYEarhIPAT99taafHOwRcxzv77Nd6fKnCKbX:FqzMSx3oohYTXt5WwREv77cKCKkBbYOY
Malware Config
Signatures
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies registry class 15 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\FiddlerSetup.exe"C:\Users\Admin\AppData\Local\Temp\FiddlerSetup.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\nsp53BE.tmp\FiddlerSetup.exe"C:\Users\Admin\AppData\Local\Temp\nsp53BE.tmp\FiddlerSetup.exe" /D=2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="FiddlerProxy"3⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="FiddlerProxy" program="C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe" action=allow profile=any dir=in edge=deferuser protocol=tcp description="Permit inbound connections to Fiddler"3⤵
- Modifies Windows Firewall
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\Fiddler.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Users\Admin\AppData\Local\Programs\Fiddler\EnableLoopback.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 1c8 -Pipe 16c -Comment "NGen Worker Process"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 0 -NGENProcess 1e0 -Pipe 1cc -Comment "NGen Worker Process"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 0 -NGENProcess 28c -Pipe 29c -Comment "NGen Worker Process"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 0 -NGENProcess 2d8 -Pipe 2a8 -Comment "NGen Worker Process"4⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 2ac -Pipe 2c4 -Comment "NGen Worker Process"4⤵
-
C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper"C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelper" /a "C:\Users\Admin\AppData\Local\Programs\Fiddler"3⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://fiddler2.com/r/?Fiddler2FirstRun3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc18ba46f8,0x7ffc18ba4708,0x7ffc18ba47184⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,16009504584057836832,13120655218750670654,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:34⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,16009504584057836832,13120655218750670654,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,16009504584057836832,13120655218750670654,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:24⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16009504584057836832,13120655218750670654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16009504584057836832,13120655218750670654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:14⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,16009504584057836832,13120655218750670654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4220 /prefetch:14⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD59f44d6f922f830d04d7463189045a5a3
SHA12e9ae7188ab8f88078e83ba7f42a11a2c421cb1c
SHA2560ae5cf8b49bc34fafe9f86734c8121b631bad52a1424c1dd2caa05781032334a
SHA5127c1825eaefcc7b97bae31eeff031899300b175222de14000283e296e9b44680c8b3885a4ed5d78fd8dfee93333cd7289347b95a62bf11f751c4ca47772cf987d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD57740a919423ddc469647f8fdd981324d
SHA1c1bc3f834507e4940a0b7594e34c4b83bbea7cda
SHA256bdd4adaa418d40558ab033ac0005fd6c2312d5f1f7fdf8b0e186fe1d65d78221
SHA5127ad98d5d089808d9a707d577e76e809a223d3007778a672734d0a607c2c3ac5f93bc72adb6e6c7f878a577d3a1e69a16d0cd871eb6f58b8d88e2ea25f77d87b7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD541558b90d1b687f0246309afeb13e867
SHA1aa9697f4fa2e196a47fbd1d68bb74db73b4a54f4
SHA25675ba4e26c32d05ba9315c1492348c08a93669e7f06090a1c8108205b3b5e1f2e
SHA5128891c6458fd4a8227d90854551a77bb39e5ff6ac609418cb1430a3fa910fd190e48afce7a9805ed7c218e4b9137ec564724341af038b7ad1efc33aa88f63a2a1
-
C:\Users\Admin\AppData\Local\Programs\Fiddler\EnableLoopback.exeFilesize
87KB
MD513072c3b2a5a405b32a60d8cf1631bbc
SHA16996ab027fe913cccb9f8e26ad0e9491d4a609b1
SHA256f8ed4cb272e52b7ef2b1c2672dbc6ace9f3ef752a38ce535265cfab891c9cbff
SHA512337311e0b2c0a22b749930f7212b5040d27c2b997404dc8cecfbbf89c86f2f5d5077d6157090078a8421acaa23850b24f963ba1b984b0600e9b80505bdb125c5
-
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Common.dllFilesize
192KB
MD5ac80e3ca5ec3ed77ef7f1a5648fd605a
SHA1593077c0d921df0819d48b627d4a140967a6b9e0
SHA25693b0f5d3a2a8a82da1368309c91286ee545b9ed9dc57ad1b31c229e2c11c00b5
SHA5123ecc0fe3107370cb5ef5003b5317e4ea0d78bd122d662525ec4912dc30b8a1849c4fa2bbb76e6552b571f156d616456724aee6cd9495ae60a7cb4aaa6cf22159
-
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Editor.dllFilesize
816KB
MD5eaa268802c633f27fcfc90fd0f986e10
SHA121f3a19d6958bcfe9209df40c4fd8e7c4ce7a76f
SHA256fe26c7e4723bf81124cdcfd5211b70f5e348250ae74b6c0abc326f1084ec3d54
SHA512c0d6559fc482350c4ed5c5a9a0c0c58eec0a1371f5a254c20ae85521f5cec4c917596bc2ec538c665c3aa8e7ee7b2d3d322b3601d69b605914280ff38315bb47
-
C:\Users\Admin\AppData\Local\Programs\Fiddler\ScriptEditor\QWhale.Syntax.dllFilesize
228KB
MD53be64186e6e8ad19dc3559ee3c307070
SHA12f9e70e04189f6c736a3b9d0642f46208c60380a
SHA25679a2c829de00e56d75eeb81cd97b04eae96bc41d6a2dbdc0ca4e7e0b454b1b7c
SHA5127d0e657b3a1c23d13d1a7e7d1b95b4d9280cb08a0aca641feb9a89e6b8f0c8760499d63e240fe9c62022790a4822bf4fe2c9d9b19b12bd7f0451454be471ff78
-
C:\Users\Admin\AppData\Local\Programs\Fiddler\SetupHelperFilesize
23KB
MD5103e70888d3168b462da35876f150add
SHA10cadf863c5650da80f44f82dbf05a51cb7183cc0
SHA256a942a48680eae2a6641c41d4ade9cc947dc02678d76f8fd81a6cece64260a2d2
SHA512ff3f882ad05b3f988bf4f2a1fd3573e0a3f793a606f12f2cb5992bb47e16d2e93840d791f3d495b3cda9abce93b0f0110d296da346663c4db8b55f90a16b00d9
-
C:\Users\Admin\AppData\Local\Temp\nsk9230.tmp\System.dllFilesize
11KB
MD5b8992e497d57001ddf100f9c397fcef5
SHA1e26ddf101a2ec5027975d2909306457c6f61cfbd
SHA25698bcd1dd88642f4dd36a300c76ebb1ddfbbbc5bfc7e3b6d7435dc6d6e030c13b
SHA5128823b1904dccfaf031068102cb1def7958a057f49ff369f0e061f1b4db2090021aa620bb8442a2a6ac9355bb74ee54371dc2599c20dc723755a46ede81533a3c
-
C:\Users\Admin\AppData\Local\Temp\nsp53BE.tmp\FiddlerSetup.exeFilesize
3.1MB
MD57e3090e237b9f252efc88d097f71ed47
SHA18a1cae86f421c4c74f7f543609826cfc472e5fa8
SHA25691547aa10f5b4d1be95c7bfa289499ded2b65d1070ec6fce0208e61771df5318
SHA512378d29ca00b73ff5b729d6bc39e63b61f833f7baad9d806db77ee7acab993b3b567f7e533aae2178bf8a9391bc8d205aadd72d75a29a71c0f2827196ff040afa
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\EnableLoopback\de63264ccb25432b0b7b719d4fbddebe\EnableLoopback.ni.exeFilesize
161KB
MD55c71cad12b659c914d9252b83c29ef25
SHA1a23c5057436718a7db757841c8fd020ff370cf60
SHA25686c9af4194ee1b59d536abb269838f9a813321428bd0c46e0b7354f9465cf6b9
SHA5127866d07b9f4546b29635d7117b04542735223fd6760724f7f7821eaee48c97bb4fc44a61528e937e56a7c8c710b866657753ad6eeefecfccbdc00b84ee1e0c26
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dllFilesize
1.1MB
MD54032f5a5ae76780c25c657bc5e24cf5a
SHA11cf25b940925b7ea86ad5ef89c6dc9aafc2a06ac
SHA256517c6ef7deaf64bde83307ac49c801c5f6c118ac53ee6db72f51cd25c2dae638
SHA5129a55bd2278603ad0c6cac4bcecffcf7620086a4351a7722fc276a1812ab829f178336636c97d04d06c4da68a02061bc76d82eb73fea04c8979b2fd1da37c8fca
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dllFilesize
64KB
MD54115ed781acbba897670821c6989c209
SHA19fff02623557f80128da311e6db7af72af51c0ec
SHA256ec9f00da3c9e3fd7790fb30f863f659c19190da3de1c10fbe46b393a322d7cbb
SHA51227bf9964702fba97cec06f5bfe692f49ff15aa099263c8ec10eb70a341f7447f71bca729da79d2676a2662028ce074217e2a54b466bd8f029c290cf0a3027567
-
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\22b31f1b9eca85580b198424dd16a98a\System.Data.SqlXml.ni.dll.auxFilesize
708B
MD5688ac15ac387cbac93d705be85b08492
SHA1a4fabce08bbe0fee991a8a1a8e8e62230f360ff2
SHA256ce64b26c005cfc1bcf6ac0153f1dbcae07f25934eab3363ff05a72a754992470
SHA512a756ea603d86a66b67163e3aa5d2325174a2748caf6b0eaa9f0600d42c297daa35aa5bfaf4962a1dedbae9437308d19571818cbd3e1542d7a7a26a4d20796074
-
\??\pipe\LOCAL\crashpad_788_DARDDGUXVEDPRTYGMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1924-252-0x00007FFC1D6B0000-0x00007FFC1E171000-memory.dmpFilesize
10.8MB
-
memory/1924-214-0x00007FFC1D6B0000-0x00007FFC1E171000-memory.dmpFilesize
10.8MB
-
memory/1924-215-0x0000064488000000-0x000006448802B000-memory.dmpFilesize
172KB
-
memory/2248-106-0x00000000002B0000-0x00000000002B8000-memory.dmpFilesize
32KB
-
memory/2248-198-0x00007FFC1D6B0000-0x00007FFC1E171000-memory.dmpFilesize
10.8MB
-
memory/2640-203-0x000001E37D790000-0x000001E37D916000-memory.dmpFilesize
1.5MB
-
memory/2640-200-0x000001E3636E0000-0x000001E3636F8000-memory.dmpFilesize
96KB
-
memory/2640-206-0x000001E365390000-0x000001E3653B2000-memory.dmpFilesize
136KB
-
memory/2640-204-0x000001E3652F0000-0x000001E365312000-memory.dmpFilesize
136KB
-
memory/2640-208-0x00007FFC1D6B0000-0x00007FFC1E171000-memory.dmpFilesize
10.8MB
-
memory/2640-202-0x000001E365340000-0x000001E365390000-memory.dmpFilesize
320KB
-
memory/2640-201-0x00007FFC1D6B0000-0x00007FFC1E171000-memory.dmpFilesize
10.8MB
-
memory/2640-205-0x000001E37D6C0000-0x000001E37D772000-memory.dmpFilesize
712KB
-
memory/3284-263-0x00007FFC1D6B0000-0x00007FFC1E171000-memory.dmpFilesize
10.8MB
-
memory/3284-268-0x0000064449A20000-0x0000064449B18000-memory.dmpFilesize
992KB
-
memory/3452-269-0x0000064443EC0000-0x0000064443F11000-memory.dmpFilesize
324KB
-
memory/3452-272-0x00007FFC1D6B0000-0x00007FFC1E171000-memory.dmpFilesize
10.8MB
-
memory/4196-216-0x00007FFC1D6B0000-0x00007FFC1E171000-memory.dmpFilesize
10.8MB
-
memory/4196-231-0x00000644451A0000-0x00000644454A4000-memory.dmpFilesize
3.0MB
-
memory/4196-267-0x00007FFC1D6B0000-0x00007FFC1E171000-memory.dmpFilesize
10.8MB