4b93016587c5573e8516b560a99c9c7d9ee4f70aef528489e89783727294ddb8

Analysis

max time kernel
160s
max time network
162s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 09:44

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

4b93016587c5573e8516b560a99c9c7d9ee4f70aef528489e89783727294ddb8.exe
Size

709KB
MD5

6e9b570076b7fd137363a78af0747755
SHA1

3aa07a562ed1d0aa82bf638f62aa84580f3d448f
SHA256

4b93016587c5573e8516b560a99c9c7d9ee4f70aef528489e89783727294ddb8
SHA512

9f08e2f2030a6d23d016f9f2098d044b9e83e8b13379faa62df686cba8f6fef94c9deca35f7ba7856e5060e5763d8a62d575b8d593617b3800867c3239d1d7a1
SSDEEP

12288:F6kOqfZQE8a26yQIETJ7WcYXopqvVQG+UDRz+3:8k1fyE8gyJEN7Hx03L+3

Score

9^/10

evasion persistence ransomware

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 10 IoCs

ransomware evasion

Inhibit System Recovery

T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	process
848	bcdedit.exe
1128	bcdedit.exe
1036	bcdedit.exe
1020	bcdedit.exe
916	bcdedit.exe
1176	bcdedit.exe
784	bcdedit.exe
984	bcdedit.exe
980	bcdedit.exe
1892	bcdedit.exe

Drops file in Drivers directory 1 IoCs

Processes:

fouzbe.exe

description ioc process

File created C:\Windows\system32\drivers\6cd21f.sys fouzbe.exe
Executes dropped EXE 1 IoCs

Processes:

fouzbe.exe

pid process

2044 fouzbe.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1540 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

4b93016587c5573e8516b560a99c9c7d9ee4f70aef528489e89783727294ddb8.exe

pid process

1148 4b93016587c5573e8516b560a99c9c7d9ee4f70aef528489e89783727294ddb8.exe

description	ioc	process
File created	C:\Windows\system32\drivers\6cd21f.sys	fouzbe.exe

pid	process
2044	fouzbe.exe

pid	process
1540	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

fouzbe.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run	fouzbe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fouzbe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Jiunu\\fouzbe.exe"	fouzbe.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

4b93016587c5573e8516b560a99c9c7d9ee4f70aef528489e89783727294ddb8.exe

description	pid	process	target process
PID 1148 set thread context of 1540	1148	4b93016587c5573e8516b560a99c9c7d9ee4f70aef528489e89783727294ddb8.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

4b93016587c5573e8516b560a99c9c7d9ee4f70aef528489e89783727294ddb8.exefouzbe.exe

pid	process
1148	4b93016587c5573e8516b560a99c9c7d9ee4f70aef528489e89783727294ddb8.exe
2044	fouzbe.exe
2044	fouzbe.exe
2044	fouzbe.exe
2044	fouzbe.exe
2044	fouzbe.exe
2044	fouzbe.exe
2044	fouzbe.exe
2044	fouzbe.exe
2044	fouzbe.exe
2044	fouzbe.exe
2044	fouzbe.exe
2044	fouzbe.exe
2044	fouzbe.exe
2044	fouzbe.exe
2044	fouzbe.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

fouzbe.exe

description pid process

Token: SeShutdownPrivilege 2044 fouzbe.exe

pid	process
460

description	pid	process
Token: SeShutdownPrivilege	2044	fouzbe.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4b93016587c5573e8516b560a99c9c7d9ee4f70aef528489e89783727294ddb8.exefouzbe.exe

description	pid	process	target process
PID 1148 wrote to memory of 2044	1148	4b93016587c5573e8516b560a99c9c7d9ee4f70aef528489e89783727294ddb8.exe	fouzbe.exe
PID 1148 wrote to memory of 2044	1148	4b93016587c5573e8516b560a99c9c7d9ee4f70aef528489e89783727294ddb8.exe	fouzbe.exe
PID 1148 wrote to memory of 2044	1148	4b93016587c5573e8516b560a99c9c7d9ee4f70aef528489e89783727294ddb8.exe	fouzbe.exe
PID 1148 wrote to memory of 2044	1148	4b93016587c5573e8516b560a99c9c7d9ee4f70aef528489e89783727294ddb8.exe	fouzbe.exe
PID 2044 wrote to memory of 1128	2044	fouzbe.exe	bcdedit.exe
PID 2044 wrote to memory of 1128	2044	fouzbe.exe	bcdedit.exe
PID 2044 wrote to memory of 1128	2044	fouzbe.exe	bcdedit.exe
PID 2044 wrote to memory of 1128	2044	fouzbe.exe	bcdedit.exe
PID 2044 wrote to memory of 848	2044	fouzbe.exe	bcdedit.exe
PID 2044 wrote to memory of 848	2044	fouzbe.exe	bcdedit.exe
PID 2044 wrote to memory of 848	2044	fouzbe.exe	bcdedit.exe
PID 2044 wrote to memory of 848	2044	fouzbe.exe	bcdedit.exe
PID 2044 wrote to memory of 1036	2044	fouzbe.exe	bcdedit.exe
PID 2044 wrote to memory of 1036	2044	fouzbe.exe	bcdedit.exe
PID 2044 wrote to memory of 1036	2044	fouzbe.exe	bcdedit.exe
PID 2044 wrote to memory of 1036	2044	fouzbe.exe	bcdedit.exe
PID 2044 wrote to memory of 1020	2044	fouzbe.exe	bcdedit.exe
PID 2044 wrote to memory of 1020	2044	fouzbe.exe	bcdedit.exe
PID 2044 wrote to memory of 1020	2044	fouzbe.exe	bcdedit.exe
PID 2044 wrote to memory of 1020	2044	fouzbe.exe	bcdedit.exe
PID 2044 wrote to memory of 916	2044	fouzbe.exe	bcdedit.exe
PID 2044 wrote to memory of 916	2044	fouzbe.exe	bcdedit.exe
PID 2044 wrote to memory of 916	2044	fouzbe.exe	bcdedit.exe
PID 2044 wrote to memory of 916	2044	fouzbe.exe	bcdedit.exe
PID 2044 wrote to memory of 1176	2044	fouzbe.exe	bcdedit.exe
PID 2044 wrote to memory of 1176	2044	fouzbe.exe	bcdedit.exe
PID 2044 wrote to memory of 1176	2044	fouzbe.exe	bcdedit.exe
PID 2044 wrote to memory of 1176	2044	fouzbe.exe	bcdedit.exe
PID 2044 wrote to memory of 1892	2044	fouzbe.exe	bcdedit.exe
PID 2044 wrote to memory of 1892	2044	fouzbe.exe	bcdedit.exe
PID 2044 wrote to memory of 1892	2044	fouzbe.exe	bcdedit.exe
PID 2044 wrote to memory of 1892	2044	fouzbe.exe	bcdedit.exe
PID 2044 wrote to memory of 980	2044	fouzbe.exe	bcdedit.exe
PID 2044 wrote to memory of 980	2044	fouzbe.exe	bcdedit.exe
PID 2044 wrote to memory of 980	2044	fouzbe.exe	bcdedit.exe
PID 2044 wrote to memory of 980	2044	fouzbe.exe	bcdedit.exe
PID 2044 wrote to memory of 984	2044	fouzbe.exe	bcdedit.exe
PID 2044 wrote to memory of 984	2044	fouzbe.exe	bcdedit.exe
PID 2044 wrote to memory of 984	2044	fouzbe.exe	bcdedit.exe
PID 2044 wrote to memory of 984	2044	fouzbe.exe	bcdedit.exe
PID 2044 wrote to memory of 784	2044	fouzbe.exe	bcdedit.exe
PID 2044 wrote to memory of 784	2044	fouzbe.exe	bcdedit.exe
PID 2044 wrote to memory of 784	2044	fouzbe.exe	bcdedit.exe
PID 2044 wrote to memory of 784	2044	fouzbe.exe	bcdedit.exe
PID 2044 wrote to memory of 1136	2044	fouzbe.exe	taskhost.exe
PID 2044 wrote to memory of 1136	2044	fouzbe.exe	taskhost.exe
PID 2044 wrote to memory of 1136	2044	fouzbe.exe	taskhost.exe
PID 2044 wrote to memory of 1136	2044	fouzbe.exe	taskhost.exe
PID 2044 wrote to memory of 1136	2044	fouzbe.exe	taskhost.exe
PID 2044 wrote to memory of 1200	2044	fouzbe.exe	Dwm.exe
PID 2044 wrote to memory of 1200	2044	fouzbe.exe	Dwm.exe
PID 2044 wrote to memory of 1200	2044	fouzbe.exe	Dwm.exe
PID 2044 wrote to memory of 1200	2044	fouzbe.exe	Dwm.exe
PID 2044 wrote to memory of 1200	2044	fouzbe.exe	Dwm.exe
PID 2044 wrote to memory of 1288	2044	fouzbe.exe	Explorer.EXE
PID 2044 wrote to memory of 1288	2044	fouzbe.exe	Explorer.EXE
PID 2044 wrote to memory of 1288	2044	fouzbe.exe	Explorer.EXE
PID 2044 wrote to memory of 1288	2044	fouzbe.exe	Explorer.EXE
PID 2044 wrote to memory of 1288	2044	fouzbe.exe	Explorer.EXE
PID 2044 wrote to memory of 1148	2044	fouzbe.exe	4b93016587c5573e8516b560a99c9c7d9ee4f70aef528489e89783727294ddb8.exe
PID 2044 wrote to memory of 1148	2044	fouzbe.exe	4b93016587c5573e8516b560a99c9c7d9ee4f70aef528489e89783727294ddb8.exe
PID 2044 wrote to memory of 1148	2044	fouzbe.exe	4b93016587c5573e8516b560a99c9c7d9ee4f70aef528489e89783727294ddb8.exe
PID 2044 wrote to memory of 1148	2044	fouzbe.exe	4b93016587c5573e8516b560a99c9c7d9ee4f70aef528489e89783727294ddb8.exe
PID 2044 wrote to memory of 1148	2044	fouzbe.exe	4b93016587c5573e8516b560a99c9c7d9ee4f70aef528489e89783727294ddb8.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1288

C:\Users\Admin\AppData\Local\Temp\4b93016587c5573e8516b560a99c9c7d9ee4f70aef528489e89783727294ddb8.exe
"C:\Users\Admin\AppData\Local\Temp\4b93016587c5573e8516b560a99c9c7d9ee4f70aef528489e89783727294ddb8.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1148

C:\Users\Admin\AppData\Local\Temp\Jiunu\fouzbe.exe
"C:\Users\Admin\AppData\Local\Temp\Jiunu\fouzbe.exe"
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
4⤵
- Modifies boot configuration data using bcdedit
PID:848

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
4⤵
- Modifies boot configuration data using bcdedit
PID:1128

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
4⤵
- Modifies boot configuration data using bcdedit
PID:1036

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
4⤵
- Modifies boot configuration data using bcdedit
PID:1020

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
4⤵
- Modifies boot configuration data using bcdedit
PID:916

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
4⤵
- Modifies boot configuration data using bcdedit
PID:1176

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
4⤵
- Modifies boot configuration data using bcdedit
PID:784

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
4⤵
- Modifies boot configuration data using bcdedit
PID:984

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
4⤵
- Modifies boot configuration data using bcdedit
PID:980

C:\Windows\system32\bcdedit.exe
bcdedit.exe -set TESTSIGNING ON
4⤵
- Modifies boot configuration data using bcdedit
PID:1892

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HHP14EA.bat"
3⤵
- Deletes itself
PID:1540

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1200

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1136

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-139462852-153164769-41651773611306038451498597314-2104948662-1932138801231049099"
1⤵
PID:1944

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1260

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HHP14EA.bat

Filesize
276B

MD5
da7c2cf1b0ee9208ca84ee1eeb7e9e3e

SHA1
aa24fe070a38e2102df40da4ef8c4d0efca0e591

SHA256
7ddae63424d5e87e5f6ff44ee8515352dc975aa6a78577f0f79c3387d764a91b

SHA512
c62d2889b5dcbe292e1f6dcb5f2890929d2aaaae8a4848aebd50e5932078a0a2bdac533af821506abdd65f9e2e906fd60b44882c50443a3a96233a65b92958a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jiunu\fouzbe.exe

Filesize
709KB

MD5
71ed5cf7e32e18325e02d961d5ef9bcb

SHA1
9eb75000f4354d1b38e85529440d6ac22962a4e0

SHA256
8f9e1a8122780b54659d29ec9d6ccce7699ccc40abe4430d513d95d042e6a63b

SHA512
49b603fa8e77cbcd6a4d7604ea99acae11f6bed78c05737511ce86bdcdcd1abd7d96ba1f07ac8bf5ee6bb26dc052f7bc6857d337ca8a6a0847ff1921d273995e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jiunu\fouzbe.exe

Filesize
709KB

MD5
71ed5cf7e32e18325e02d961d5ef9bcb

SHA1
9eb75000f4354d1b38e85529440d6ac22962a4e0

SHA256
8f9e1a8122780b54659d29ec9d6ccce7699ccc40abe4430d513d95d042e6a63b

SHA512
49b603fa8e77cbcd6a4d7604ea99acae11f6bed78c05737511ce86bdcdcd1abd7d96ba1f07ac8bf5ee6bb26dc052f7bc6857d337ca8a6a0847ff1921d273995e

Download Submit
\Users\Admin\AppData\Local\Temp\Jiunu\fouzbe.exe

Filesize
709KB

MD5
71ed5cf7e32e18325e02d961d5ef9bcb

SHA1
9eb75000f4354d1b38e85529440d6ac22962a4e0

SHA256
8f9e1a8122780b54659d29ec9d6ccce7699ccc40abe4430d513d95d042e6a63b

SHA512
49b603fa8e77cbcd6a4d7604ea99acae11f6bed78c05737511ce86bdcdcd1abd7d96ba1f07ac8bf5ee6bb26dc052f7bc6857d337ca8a6a0847ff1921d273995e

Download Submit
memory/784-73-0x0000000000000000-mapping.dmp

Download
memory/848-65-0x0000000000000000-mapping.dmp

Download
memory/916-68-0x0000000000000000-mapping.dmp

Download
memory/980-71-0x0000000000000000-mapping.dmp

Download
memory/984-72-0x0000000000000000-mapping.dmp

Download
memory/1020-67-0x0000000000000000-mapping.dmp

Download
memory/1036-66-0x0000000000000000-mapping.dmp

Download
memory/1128-64-0x0000000000000000-mapping.dmp

Download
memory/1136-75-0x0000000002010000-0x0000000002079000-memory.dmp

Filesize
420KB

Download
memory/1136-77-0x0000000002010000-0x0000000002079000-memory.dmp

Filesize
420KB

Download
memory/1136-78-0x0000000002010000-0x0000000002079000-memory.dmp

Filesize
420KB

Download
memory/1136-79-0x0000000002010000-0x0000000002079000-memory.dmp

Filesize
420KB

Download
memory/1136-80-0x0000000002010000-0x0000000002079000-memory.dmp

Filesize
420KB

Download
memory/1148-96-0x00000000004C0000-0x0000000000529000-memory.dmp

Filesize
420KB

Download
memory/1148-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1148-100-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1148-99-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1148-55-0x0000000075001000-0x0000000075003000-memory.dmp

Filesize
8KB

Download
memory/1148-128-0x00000000004C0000-0x0000000000529000-memory.dmp

Filesize
420KB

Download
memory/1148-56-0x0000000001DB0000-0x0000000001E68000-memory.dmp

Filesize
736KB

Download
memory/1148-98-0x00000000004C0000-0x0000000000529000-memory.dmp

Filesize
420KB

Download
memory/1148-97-0x00000000004C0000-0x0000000000529000-memory.dmp

Filesize
420KB

Download
memory/1148-54-0x0000000001DB0000-0x0000000001E68000-memory.dmp

Filesize
736KB

Download
memory/1148-95-0x00000000004C0000-0x0000000000529000-memory.dmp

Filesize
420KB

Download
memory/1148-101-0x00000000004C0000-0x0000000000529000-memory.dmp

Filesize
420KB

Download
memory/1148-104-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1148-103-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1148-102-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1176-69-0x0000000000000000-mapping.dmp

Download
memory/1200-86-0x0000000001F30000-0x0000000001F99000-memory.dmp

Filesize
420KB

Download
memory/1200-85-0x0000000001F30000-0x0000000001F99000-memory.dmp

Filesize
420KB

Download
memory/1200-84-0x0000000001F30000-0x0000000001F99000-memory.dmp

Filesize
420KB

Download
memory/1200-83-0x0000000001F30000-0x0000000001F99000-memory.dmp

Filesize
420KB

Download
memory/1260-132-0x000007FEFB531000-0x000007FEFB533000-memory.dmp

Filesize
8KB

Download
memory/1288-90-0x0000000002A90000-0x0000000002AF9000-memory.dmp

Filesize
420KB

Download
memory/1288-89-0x0000000002A90000-0x0000000002AF9000-memory.dmp

Filesize
420KB

Download
memory/1288-91-0x0000000002A90000-0x0000000002AF9000-memory.dmp

Filesize
420KB

Download
memory/1288-92-0x0000000002A90000-0x0000000002AF9000-memory.dmp

Filesize
420KB

Download
memory/1540-119-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1540-120-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1540-110-0x0000000000220000-0x0000000000289000-memory.dmp

Filesize
420KB

Download
memory/1540-111-0x0000000000220000-0x0000000000289000-memory.dmp

Filesize
420KB

Download
memory/1540-112-0x0000000000220000-0x0000000000289000-memory.dmp

Filesize
420KB

Download
memory/1540-113-0x000000000025387C-mapping.dmp

Download
memory/1540-115-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1540-116-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1540-117-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1540-131-0x0000000000220000-0x0000000000289000-memory.dmp

Filesize
420KB

Download
memory/1540-118-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1540-108-0x0000000000220000-0x0000000000289000-memory.dmp

Filesize
420KB

Download
memory/1540-121-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1540-129-0x0000000000220000-0x0000000000289000-memory.dmp

Filesize
420KB

Download
memory/1892-70-0x0000000000000000-mapping.dmp

Download
memory/1944-125-0x0000000001BD0000-0x0000000001C39000-memory.dmp

Filesize
420KB

Download
memory/1944-126-0x0000000001BD0000-0x0000000001C39000-memory.dmp

Filesize
420KB

Download
memory/1944-127-0x0000000001BD0000-0x0000000001C39000-memory.dmp

Filesize
420KB

Download
memory/1944-124-0x0000000001BD0000-0x0000000001C39000-memory.dmp

Filesize
420KB

Download
memory/2044-58-0x0000000000000000-mapping.dmp

Download
memory/2044-62-0x0000000000330000-0x00000000003E8000-memory.dmp

Filesize
736KB

Download
memory/2044-74-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads