9a4014f6f831c6922b4c908d563d028602664fc6d7f7aa4ff3d36f32da0a7da4

Analysis

max time kernel
188s
max time network
128s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 01:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a4014f6f831c6922b4c908d563d028602664fc6d7f7aa4ff3d36f32da0a7da4.exe
Size

288KB
MD5

3d1d3faac138fe47b3b82f87c425e1a2
SHA1

c3947e854178a887131a51970e2d8c4caaee0c6e
SHA256

9a4014f6f831c6922b4c908d563d028602664fc6d7f7aa4ff3d36f32da0a7da4
SHA512

1016986c099d73afc0fae4458e7d2ff910950267bcbbf380e1540c6204497788ea0d13db61d69a7739931ee638a6c67dfb59aa806f8daa9e441ee0f1998a1d77
SSDEEP

3072:AU0nk+hQdiP8OZAksTCPkix7Fe7dEN8EXgNqf5cTrWi6ei2uiTbtTmH8Fe90p06h:70WiPQbYJFsE0NMCP6wJYj8t/xh

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	9a4014f6f831c6922b4c908d563d028602664fc6d7f7aa4ff3d36f32da0a7da4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	foeocap.exe

Executes dropped EXE 1 IoCs

pid	Process
1068	foeocap.exe

Loads dropped DLL 2 IoCs

pid	Process
2044	9a4014f6f831c6922b4c908d563d028602664fc6d7f7aa4ff3d36f32da0a7da4.exe
2044	9a4014f6f831c6922b4c908d563d028602664fc6d7f7aa4ff3d36f32da0a7da4.exe

Adds Run key to start application 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /W"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /S"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /C"	foeocap.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\	9a4014f6f831c6922b4c908d563d028602664fc6d7f7aa4ff3d36f32da0a7da4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /f"	9a4014f6f831c6922b4c908d563d028602664fc6d7f7aa4ff3d36f32da0a7da4.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /J"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /f"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /Y"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /o"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /z"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /l"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /i"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /g"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /j"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /P"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /v"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /u"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /c"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /V"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /k"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /B"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /T"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /O"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /e"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /R"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /Z"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /Q"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /I"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /s"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /E"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /p"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /t"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /U"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /X"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /y"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /D"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /G"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /n"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /r"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /h"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /K"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /d"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /q"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /A"	foeocap.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeocap = "C:\\Users\\Admin\\foeocap.exe /M"	foeocap.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2044	9a4014f6f831c6922b4c908d563d028602664fc6d7f7aa4ff3d36f32da0a7da4.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe
1068	foeocap.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2044	9a4014f6f831c6922b4c908d563d028602664fc6d7f7aa4ff3d36f32da0a7da4.exe
1068	foeocap.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1068	2044	9a4014f6f831c6922b4c908d563d028602664fc6d7f7aa4ff3d36f32da0a7da4.exe	28
PID 2044 wrote to memory of 1068	2044	9a4014f6f831c6922b4c908d563d028602664fc6d7f7aa4ff3d36f32da0a7da4.exe	28
PID 2044 wrote to memory of 1068	2044	9a4014f6f831c6922b4c908d563d028602664fc6d7f7aa4ff3d36f32da0a7da4.exe	28
PID 2044 wrote to memory of 1068	2044	9a4014f6f831c6922b4c908d563d028602664fc6d7f7aa4ff3d36f32da0a7da4.exe	28

C:\Users\Admin\AppData\Local\Temp\9a4014f6f831c6922b4c908d563d028602664fc6d7f7aa4ff3d36f32da0a7da4.exe
"C:\Users\Admin\AppData\Local\Temp\9a4014f6f831c6922b4c908d563d028602664fc6d7f7aa4ff3d36f32da0a7da4.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\foeocap.exe
  "C:\Users\Admin\foeocap.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\foeocap.exe

Filesize
288KB

MD5
72d079413a76ec899b713576c025b6f3

SHA1
7420dddddf97602c64cb6eeab409db9388cffc99

SHA256
23728cc0dec1ed180d632d8599d9e014efbcc587979d1e2c0e19cdb74690b918

SHA512
d836933ab9e8ec119e2dfe5a8117864fc482b7e8b0ff53e4d6f9221f67e218a14ab6a5f9443261d9f4f3f0e4578d4bea7a198eef8496b9bc119bad043fb146b6

Download Submit
C:\Users\Admin\foeocap.exe

Filesize
288KB

MD5
72d079413a76ec899b713576c025b6f3

SHA1
7420dddddf97602c64cb6eeab409db9388cffc99

SHA256
23728cc0dec1ed180d632d8599d9e014efbcc587979d1e2c0e19cdb74690b918

SHA512
d836933ab9e8ec119e2dfe5a8117864fc482b7e8b0ff53e4d6f9221f67e218a14ab6a5f9443261d9f4f3f0e4578d4bea7a198eef8496b9bc119bad043fb146b6

Download Submit
\Users\Admin\foeocap.exe

Filesize
288KB

MD5
72d079413a76ec899b713576c025b6f3

SHA1
7420dddddf97602c64cb6eeab409db9388cffc99

SHA256
23728cc0dec1ed180d632d8599d9e014efbcc587979d1e2c0e19cdb74690b918

SHA512
d836933ab9e8ec119e2dfe5a8117864fc482b7e8b0ff53e4d6f9221f67e218a14ab6a5f9443261d9f4f3f0e4578d4bea7a198eef8496b9bc119bad043fb146b6

Download Submit
\Users\Admin\foeocap.exe

Filesize
288KB

MD5
72d079413a76ec899b713576c025b6f3

SHA1
7420dddddf97602c64cb6eeab409db9388cffc99

SHA256
23728cc0dec1ed180d632d8599d9e014efbcc587979d1e2c0e19cdb74690b918

SHA512
d836933ab9e8ec119e2dfe5a8117864fc482b7e8b0ff53e4d6f9221f67e218a14ab6a5f9443261d9f4f3f0e4578d4bea7a198eef8496b9bc119bad043fb146b6

Download Submit
memory/2044-56-0x0000000076941000-0x0000000076943000-memory.dmp

Filesize
8KB

Download