803853669515bfa17050e02ef9074acf3d5d68b1b9043196dfe4f483306cc2be

Analysis

max time kernel
171s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
07/12/2022, 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

803853669515bfa17050e02ef9074acf3d5d68b1b9043196dfe4f483306cc2be.exe
Size

200KB
MD5

138cb66ce783d31d377b47f8b8e48441
SHA1

95176afca9fa70f41ffae1ca3f1c7b147d659cf3
SHA256

803853669515bfa17050e02ef9074acf3d5d68b1b9043196dfe4f483306cc2be
SHA512

a0fafa2b3e11665956a4292783b8c693ca576e579bb754f344e60e03594f613e14301bae15e4f961c89d0389a6e320cebd9750cb695b360eedaffe99d16ce988
SSDEEP

3072:UTtcstTstk/pSBAFtbCduLCADMcgg7keGdJu:8tcATstk/pp2ADMVCwJ

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	foiozo.exe

Executes dropped EXE 1 IoCs

pid	Process
3740	foiozo.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	803853669515bfa17050e02ef9074acf3d5d68b1b9043196dfe4f483306cc2be.exe

Adds Run key to start application 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /o"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /N"	foiozo.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run\	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /B"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /J"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /i"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /X"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /u"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /x"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /Z"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /U"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /r"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /L"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /g"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /K"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /p"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /H"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /D"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /Y"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /a"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /q"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /W"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /G"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /I"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /l"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /w"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /F"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /f"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /s"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /t"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /v"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /y"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /c"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /S"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /T"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /V"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /E"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /P"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /R"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /h"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /e"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /z"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /C"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /d"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /Q"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /M"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /m"	foiozo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\foiozo = "C:\\Users\\Admin\\foiozo.exe /b"	foiozo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe
3740	foiozo.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5104	803853669515bfa17050e02ef9074acf3d5d68b1b9043196dfe4f483306cc2be.exe
3740	foiozo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 3740	5104	803853669515bfa17050e02ef9074acf3d5d68b1b9043196dfe4f483306cc2be.exe	86
PID 5104 wrote to memory of 3740	5104	803853669515bfa17050e02ef9074acf3d5d68b1b9043196dfe4f483306cc2be.exe	86
PID 5104 wrote to memory of 3740	5104	803853669515bfa17050e02ef9074acf3d5d68b1b9043196dfe4f483306cc2be.exe	86
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46
PID 3740 wrote to memory of 5104	3740	foiozo.exe	46

C:\Users\Admin\AppData\Local\Temp\803853669515bfa17050e02ef9074acf3d5d68b1b9043196dfe4f483306cc2be.exe
"C:\Users\Admin\AppData\Local\Temp\803853669515bfa17050e02ef9074acf3d5d68b1b9043196dfe4f483306cc2be.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Users\Admin\foiozo.exe
  "C:\Users\Admin\foiozo.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\foiozo.exe

Filesize
200KB

MD5
7f6280c0bd94d4a3ac96d5754f020c68

SHA1
9c3e2f6e43034ffe3ac67f4c0ab987f03de49e25

SHA256
1c4e044ae4909e334244cac645970d03e83a56a1deb001eb919d6ee756407684

SHA512
f3d010959ba7de6f08b937091ebdc3714e50dfe1a09b19ae1cfb20d9d3ab6790e5ad27ee97e9e48ee349c3deaaa33f398b12116996f95eb6a9219004fc1f3ba2

Download Submit
C:\Users\Admin\foiozo.exe

Filesize
200KB

MD5
7f6280c0bd94d4a3ac96d5754f020c68

SHA1
9c3e2f6e43034ffe3ac67f4c0ab987f03de49e25

SHA256
1c4e044ae4909e334244cac645970d03e83a56a1deb001eb919d6ee756407684

SHA512
f3d010959ba7de6f08b937091ebdc3714e50dfe1a09b19ae1cfb20d9d3ab6790e5ad27ee97e9e48ee349c3deaaa33f398b12116996f95eb6a9219004fc1f3ba2

Download Submit