Overview

overview

10

Static

static

94d809f4e7...ca.exe

windows7-x64

10

94d809f4e7...ca.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    156s
  • max time network
    84s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    03/12/2022, 20:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    94d809f4e77a6d34a703a3173a93b5743986a466dfd5a4d3bc6f29c519bd0bca.exe

  • Size

    288KB

  • MD5

    6b3f29b89de28fd5c6cc658a218fd85e

  • SHA1

    81f0c0bba44b7af0b089a193199b8f339358d4e4

  • SHA256

    94d809f4e77a6d34a703a3173a93b5743986a466dfd5a4d3bc6f29c519bd0bca

  • SHA512

    20307e349a1af9516e010c546c4174e87b6ad48647e11aa510d23390593d19b94be2549c96e60ffad76cdc790490ad58a59b21dd209fd376aaa5d41ad4fa83ee

  • SSDEEP

    6144:QAyfc0f7XP+g3AGJpWVzue2oMKnvmb7/D26jiuX1N38RAFrjgWtokZkuL6O96/Yl:Qo27/XvLWpue2oMKnvmb7/D26j138RAh

Score
10/10
evasionpersistence

Malware Config

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 54 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\94d809f4e77a6d34a703a3173a93b5743986a466dfd5a4d3bc6f29c519bd0bca.exe
    "C:\Users\Admin\AppData\Local\Temp\94d809f4e77a6d34a703a3173a93b5743986a466dfd5a4d3bc6f29c519bd0bca.exe"
    1⤵
    • Modifies visiblity of hidden/system files in Explorer
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1280
    • C:\Users\Admin\foufo.exe
      "C:\Users\Admin\foufo.exe"
      2⤵
      • Modifies visiblity of hidden/system files in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2008

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\foufo.exe
    Filesize

    288KB

    MD5

    7288e25d688e24ef67605adce2774ec5

    SHA1

    8e39278fb84398ef59787e3d5460cbc75d832486

    SHA256

    c8d901cc87d41a9eaeaaf95e3c62af17ccbd95b77d7dd8ca376fc91dc4e1ffb5

    SHA512

    d674b403982c482010310cc0b06b292a8d786d9e9afdeb887c41ff546d42d5c0ab19e01a78f7357803472bc372e1b8e80881a12df3a71c0723a6386c1073d8c6

    Download Submit

  • C:\Users\Admin\foufo.exe
    Filesize

    288KB

    MD5

    7288e25d688e24ef67605adce2774ec5

    SHA1

    8e39278fb84398ef59787e3d5460cbc75d832486

    SHA256

    c8d901cc87d41a9eaeaaf95e3c62af17ccbd95b77d7dd8ca376fc91dc4e1ffb5

    SHA512

    d674b403982c482010310cc0b06b292a8d786d9e9afdeb887c41ff546d42d5c0ab19e01a78f7357803472bc372e1b8e80881a12df3a71c0723a6386c1073d8c6

    Download Submit

  • \Users\Admin\foufo.exe
    Filesize

    288KB

    MD5

    7288e25d688e24ef67605adce2774ec5

    SHA1

    8e39278fb84398ef59787e3d5460cbc75d832486

    SHA256

    c8d901cc87d41a9eaeaaf95e3c62af17ccbd95b77d7dd8ca376fc91dc4e1ffb5

    SHA512

    d674b403982c482010310cc0b06b292a8d786d9e9afdeb887c41ff546d42d5c0ab19e01a78f7357803472bc372e1b8e80881a12df3a71c0723a6386c1073d8c6

    Download Submit

  • \Users\Admin\foufo.exe
    Filesize

    288KB

    MD5

    7288e25d688e24ef67605adce2774ec5

    SHA1

    8e39278fb84398ef59787e3d5460cbc75d832486

    SHA256

    c8d901cc87d41a9eaeaaf95e3c62af17ccbd95b77d7dd8ca376fc91dc4e1ffb5

    SHA512

    d674b403982c482010310cc0b06b292a8d786d9e9afdeb887c41ff546d42d5c0ab19e01a78f7357803472bc372e1b8e80881a12df3a71c0723a6386c1073d8c6

    Download Submit

  • memory/1280-56-0x0000000075811000-0x0000000075813000-memory.dmp

    Filesize

    8KB

    Download