0f4f235845c8754e55394cc7706d55cdea8d9b97e823812007ab84bbc6c57bb7

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
07/01/2024, 19:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ab6d596710367145a57d3be17613d299.exe
Size

288KB
MD5

ab6d596710367145a57d3be17613d299
SHA1

89760716afb81538c987501743254b975cb37662
SHA256

0f4f235845c8754e55394cc7706d55cdea8d9b97e823812007ab84bbc6c57bb7
SHA512

e42ba4590f0260fbe8f0d5cf3af72fd02982c201e48d7282f0b74b3abaab819e216d3f0318efc274703d24f7d5df2f29fbaf365ef6d16664a662254b87caec55
SSDEEP

6144:T3vJAHnqtrZjQHhOWahvVJ+Q4179iWs7hWr5tZtFvkUOt8t9Zscf9d9Y9+80QWuv:T3vmHnqtt8s1w

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	ab6d596710367145a57d3be17613d299.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	foeut.exe

Executes dropped EXE 1 IoCs

pid	Process
2988	foeut.exe

Loads dropped DLL 2 IoCs

pid	Process
1700	ab6d596710367145a57d3be17613d299.exe
1700	ab6d596710367145a57d3be17613d299.exe

Adds Run key to start application 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeut = "C:\\Users\\Admin\\foeut.exe /s"	foeut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeut = "C:\\Users\\Admin\\foeut.exe /v"	foeut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeut = "C:\\Users\\Admin\\foeut.exe /p"	foeut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeut = "C:\\Users\\Admin\\foeut.exe /f"	foeut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeut = "C:\\Users\\Admin\\foeut.exe /g"	foeut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeut = "C:\\Users\\Admin\\foeut.exe /o"	foeut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeut = "C:\\Users\\Admin\\foeut.exe /i"	foeut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeut = "C:\\Users\\Admin\\foeut.exe /j"	foeut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeut = "C:\\Users\\Admin\\foeut.exe /c"	foeut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeut = "C:\\Users\\Admin\\foeut.exe /d"	foeut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeut = "C:\\Users\\Admin\\foeut.exe /q"	foeut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeut = "C:\\Users\\Admin\\foeut.exe /a"	foeut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeut = "C:\\Users\\Admin\\foeut.exe /z"	foeut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeut = "C:\\Users\\Admin\\foeut.exe /e"	ab6d596710367145a57d3be17613d299.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeut = "C:\\Users\\Admin\\foeut.exe /e"	foeut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeut = "C:\\Users\\Admin\\foeut.exe /w"	foeut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeut = "C:\\Users\\Admin\\foeut.exe /m"	foeut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeut = "C:\\Users\\Admin\\foeut.exe /y"	foeut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeut = "C:\\Users\\Admin\\foeut.exe /u"	foeut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeut = "C:\\Users\\Admin\\foeut.exe /r"	foeut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeut = "C:\\Users\\Admin\\foeut.exe /l"	foeut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeut = "C:\\Users\\Admin\\foeut.exe /n"	foeut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeut = "C:\\Users\\Admin\\foeut.exe /h"	foeut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeut = "C:\\Users\\Admin\\foeut.exe /b"	foeut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeut = "C:\\Users\\Admin\\foeut.exe /t"	foeut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeut = "C:\\Users\\Admin\\foeut.exe /x"	foeut.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\foeut = "C:\\Users\\Admin\\foeut.exe /k"	foeut.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1700	ab6d596710367145a57d3be17613d299.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe
2988	foeut.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1700	ab6d596710367145a57d3be17613d299.exe
2988	foeut.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 2988	1700	ab6d596710367145a57d3be17613d299.exe	28
PID 1700 wrote to memory of 2988	1700	ab6d596710367145a57d3be17613d299.exe	28
PID 1700 wrote to memory of 2988	1700	ab6d596710367145a57d3be17613d299.exe	28
PID 1700 wrote to memory of 2988	1700	ab6d596710367145a57d3be17613d299.exe	28

C:\Users\Admin\AppData\Local\Temp\ab6d596710367145a57d3be17613d299.exe
"C:\Users\Admin\AppData\Local\Temp\ab6d596710367145a57d3be17613d299.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\foeut.exe
  "C:\Users\Admin\foeut.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\foeut.exe

Filesize
288KB

MD5
29b834c8e55be84de51b1c7da2b5c8c5

SHA1
0463cd0802574d14602fb174f3c71eee7e6d9c1f

SHA256
ead54d4ed40281478f015caeadb0a8a64fb290dac424450f1ef48a0450a77f2d

SHA512
dc7f801ba3c88335aee30e9df7c13426debd260fbdd79028a1d4d254672b03a623a33ed1ed3a324fc178474be98714d8921ba939748584d5ab39c9f71d1816c0

Download Submit