Overview

overview

9

Static

static

3

Fecurity.exe

windows7-x64

Fecurity.exe

windows10-2004-x64

Analysis

  • max time kernel
    14s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04/09/2024, 02:20

Sharing

Copy URL Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Fecurity.exe

  • Size

    32.8MB

  • MD5

    a067f1efe56b765be66a9e58adff827c

  • SHA1

    60315081692114b04c3acb3d5e1bc61fa6a1bd58

  • SHA256

    efe036fd49132595fa7de725775ebf1e8eae046052d8b2c368588b898c6a94d2

  • SHA512

    c85eb8e04426f4fc1a37879de579b659552a7c86af33fafb099e092fc353fb4dac9ae9305111f270f011ab4b0443865378d5945c3b683ed85e1373a6d7b16567

  • SSDEEP

    786432:XYfuS/7XuhD+dV7YzuFMKF2u+q60jiCAI:ofLjXuR+d8n0eC

Score
9/10
evasionransomware

Malware Config

Signatures

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fecurity.exe
    "C:\Users\Admin\AppData\Local\Temp\Fecurity.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:2724
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C bcdedit /set hypervisorlaunchtype auto
      2⤵
        PID:2736
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set hypervisorlaunchtype auto
          3⤵
          • Modifies boot configuration data using bcdedit
          PID:3044
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f
        2⤵
          PID:2572
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
          2⤵
            PID:2624
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C bcdedit /default {current}
            2⤵
              PID:2144
              • C:\Windows\system32\bcdedit.exe
                bcdedit /default {current}
                3⤵
                • Modifies boot configuration data using bcdedit
                PID:776

          Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • memory/2724-0-0x0000000140366000-0x0000000141786000-memory.dmp

                  Filesize

                  20.1MB

                  Download

                • memory/2724-10-0x0000000076F00000-0x0000000076F02000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2724-8-0x0000000076F00000-0x0000000076F02000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2724-6-0x0000000076F00000-0x0000000076F02000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2724-5-0x0000000076EF0000-0x0000000076EF2000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2724-11-0x0000000140000000-0x000000014384E000-memory.dmp

                  Filesize

                  56.3MB

                  Download

                • memory/2724-3-0x0000000076EF0000-0x0000000076EF2000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2724-1-0x0000000076EF0000-0x0000000076EF2000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2724-15-0x0000000140000000-0x000000014384E000-memory.dmp

                  Filesize

                  56.3MB

                  Download

                • memory/2724-16-0x0000000140366000-0x0000000141786000-memory.dmp

                  Filesize

                  20.1MB

                  Download

                • memory/2724-17-0x0000000140000000-0x000000014384E000-memory.dmp

                  Filesize

                  56.3MB

                  Download

                • memory/2724-18-0x0000000140000000-0x000000014384E000-memory.dmp

                  Filesize

                  56.3MB

                  Download

                • memory/2724-19-0x0000000140000000-0x000000014384E000-memory.dmp

                  Filesize

                  56.3MB

                  Download