b2a6ae97469059eb68d792dff7128f98bfada06c63a02108d3ea1092bddbcdf6

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 01:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b2a6ae97469059eb68d792dff7128f98bfada06c63a02108d3ea1092bddbcdf6.exe
Size

196KB
MD5

2e5902eb4eaef49c62517c8fca2bafcd
SHA1

88f31bce7ebb7fa36c629d5fb2501116276d635c
SHA256

b2a6ae97469059eb68d792dff7128f98bfada06c63a02108d3ea1092bddbcdf6
SHA512

d774fc72ac9ca83604f16ff610369db1108023356a30d338c4f78212a4844ea4074c79471d6d2427865a7d9adc41a0f277172e0244bb783951d6ed7c1a8d3146
SSDEEP

1536:PZqk3NqDmdeOaZk1GDGe0Pdb+d6DiUYot00gw3:YrKduzDDypy6DiUru0gk

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	foialor.exe

Executes dropped EXE 1 IoCs

pid	Process
2876	foialor.exe

Loads dropped DLL 2 IoCs

pid	Process
3000	b2a6ae97469059eb68d792dff7128f98bfada06c63a02108d3ea1092bddbcdf6.exe
3000	b2a6ae97469059eb68d792dff7128f98bfada06c63a02108d3ea1092bddbcdf6.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /q"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /W"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /f"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /y"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /V"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /a"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /Z"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /A"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /D"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /c"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /C"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /U"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /p"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /R"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /x"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /H"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /e"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /F"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /h"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /G"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /u"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /o"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /P"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /O"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /s"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /X"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /i"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /j"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /d"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /g"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /T"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /k"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /J"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /B"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /w"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /t"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /v"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /K"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /L"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /I"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /E"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /n"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /r"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /b"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /S"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /Y"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /m"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /M"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /l"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /Q"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /z"	foialor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\foialor = "C:\\Users\\Admin\\foialor.exe /N"	foialor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe
2876	foialor.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3000	b2a6ae97469059eb68d792dff7128f98bfada06c63a02108d3ea1092bddbcdf6.exe
2876	foialor.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2876	3000	b2a6ae97469059eb68d792dff7128f98bfada06c63a02108d3ea1092bddbcdf6.exe	28
PID 3000 wrote to memory of 2876	3000	b2a6ae97469059eb68d792dff7128f98bfada06c63a02108d3ea1092bddbcdf6.exe	28
PID 3000 wrote to memory of 2876	3000	b2a6ae97469059eb68d792dff7128f98bfada06c63a02108d3ea1092bddbcdf6.exe	28
PID 3000 wrote to memory of 2876	3000	b2a6ae97469059eb68d792dff7128f98bfada06c63a02108d3ea1092bddbcdf6.exe	28
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27
PID 2876 wrote to memory of 3000	2876	foialor.exe	27

C:\Users\Admin\AppData\Local\Temp\b2a6ae97469059eb68d792dff7128f98bfada06c63a02108d3ea1092bddbcdf6.exe
"C:\Users\Admin\AppData\Local\Temp\b2a6ae97469059eb68d792dff7128f98bfada06c63a02108d3ea1092bddbcdf6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Users\Admin\foialor.exe
  "C:\Users\Admin\foialor.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\foialor.exe

Filesize
196KB

MD5
95d121cd4c5bf232ee308c913d0df69a

SHA1
fe1421c5b6cea3a4d31d6fff84c815366a51fe8f

SHA256
2eb9774959e9c3d4cffaab7797e6d6213bf1b4124d33e80eb8c9bc1de7be9b4f

SHA512
adf87df0f1065d4d06266e73813576ea15b65f9614c9cfc493f30de2b443b29fe60d809819dc473d8f3d9001dc02a729c8e3949b90a864b1fca90b831af85de6

Download Submit