9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380

Analysis

max time kernel
151s
max time network
55s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 22:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
Size

392KB
MD5

09700f2ed192a2f28154d4e9433b8da0
SHA1

75c76b59c334009ba48f3d567eea7d13c0f8d051
SHA256

9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380
SHA512

ae4f8acb3aaeca54b237414afac403433d786fa525ebd481c14ae6e1af0f6f14a3baae9cc3904c797a260174e54416467439a02d40363ceace07c5e0380c2b81
SSDEEP

12288:+t8vVED3Bk0Mr9Vif7/F1hIIaYHuvAIS2x:+t+gvMpVij/F1hV5HuvAIr

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1640	achsv.exe
1416	COM7.EXE
1136	COM7.EXE
1668	achsv.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PDF FoxitReader.exe	COM7.EXE

Loads dropped DLL 8 IoCs

pid	Process
1372	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
1372	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
1372	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
1372	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
1640	achsv.exe
1640	achsv.exe
1416	COM7.EXE
1416	COM7.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\COMLOADER = "\\\\.\\C:\\Program Files\\FoxitReader\\bin\\COM7.EXE"	reg.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\FoxitReader\bin\COM7.EXE	COM7.EXE
File created	C:\Program Files\FoxitReader\FoxitReader.exe	COM7.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1968	reg.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
1372	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
1640	achsv.exe
1416	COM7.EXE
1372	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
1372	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
1136	COM7.EXE
1668	achsv.exe
1372	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
1372	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
1372	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
1372	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
1372	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
1372	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
1416	COM7.EXE
1372	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
1416	COM7.EXE
1372	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
1416	COM7.EXE
1372	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
1416	COM7.EXE
1372	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
1416	COM7.EXE
1372	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
1416	COM7.EXE
1372	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
1416	COM7.EXE
1372	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
1416	COM7.EXE
1372	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
1416	COM7.EXE
1372	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
1416	COM7.EXE
1372	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
1416	COM7.EXE
1372	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
1416	COM7.EXE
1372	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
1416	COM7.EXE
1372	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
1416	COM7.EXE
1372	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1640	achsv.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 1640	1372	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe	28
PID 1372 wrote to memory of 1640	1372	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe	28
PID 1372 wrote to memory of 1640	1372	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe	28
PID 1372 wrote to memory of 1640	1372	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe	28
PID 1372 wrote to memory of 1416	1372	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe	29
PID 1372 wrote to memory of 1416	1372	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe	29
PID 1372 wrote to memory of 1416	1372	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe	29
PID 1372 wrote to memory of 1416	1372	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe	29
PID 1416 wrote to memory of 1968	1416	COM7.EXE	30
PID 1416 wrote to memory of 1968	1416	COM7.EXE	30
PID 1416 wrote to memory of 1968	1416	COM7.EXE	30
PID 1416 wrote to memory of 1968	1416	COM7.EXE	30
PID 1640 wrote to memory of 1136	1640	achsv.exe	32
PID 1640 wrote to memory of 1136	1640	achsv.exe	32
PID 1640 wrote to memory of 1136	1640	achsv.exe	32
PID 1640 wrote to memory of 1136	1640	achsv.exe	32
PID 1416 wrote to memory of 1668	1416	COM7.EXE	33
PID 1416 wrote to memory of 1668	1416	COM7.EXE	33
PID 1416 wrote to memory of 1668	1416	COM7.EXE	33
PID 1416 wrote to memory of 1668	1416	COM7.EXE	33

C:\Users\Admin\AppData\Local\Temp\9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
"C:\Users\Admin\AppData\Local\Temp\9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
  \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
    \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1136
- C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
  \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v COMLOADER /d "\\.\C:\Program Files\FoxitReader\bin\COM7.EXE"
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1968
- - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
    \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
392KB

MD5
fbe615bdbfd36a9517e238ab1006a89b

SHA1
24f92bb117ba3feccd7dcfa141d840848d52cd72

SHA256
920b3518af6eaf912b57b173de6eb1f651c8c5b64c6b0e10ac6937c60b5879c6

SHA512
554a55c0fa9191659b382bad154acf231363ce8092d19996b7d1cc1e67da33459b4f81cc2daaacc96a14513eff3ffba787599c6a479e223c680d37f0e724ed17

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
392KB

MD5
fbe615bdbfd36a9517e238ab1006a89b

SHA1
24f92bb117ba3feccd7dcfa141d840848d52cd72

SHA256
920b3518af6eaf912b57b173de6eb1f651c8c5b64c6b0e10ac6937c60b5879c6

SHA512
554a55c0fa9191659b382bad154acf231363ce8092d19996b7d1cc1e67da33459b4f81cc2daaacc96a14513eff3ffba787599c6a479e223c680d37f0e724ed17

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
392KB

MD5
fbe615bdbfd36a9517e238ab1006a89b

SHA1
24f92bb117ba3feccd7dcfa141d840848d52cd72

SHA256
920b3518af6eaf912b57b173de6eb1f651c8c5b64c6b0e10ac6937c60b5879c6

SHA512
554a55c0fa9191659b382bad154acf231363ce8092d19996b7d1cc1e67da33459b4f81cc2daaacc96a14513eff3ffba787599c6a479e223c680d37f0e724ed17

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
392KB

MD5
01cd8390991e973bff2c5782338c5251

SHA1
685f1f16c78cc32ee7f03b40456c9ee5f90ab9b8

SHA256
a59e24946e7bbe84b0b2a0a7a84041b42198c58a7629dffd8e43c8ea113309d8

SHA512
44654029051a4a4e681ca86f5ec2362038a1c20c98c9a1dab4e7f81c2b12c99f97b569f35d0f076bd406ffae31b6093a5d7aa50b6031bffd7347d191b878a80f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
392KB

MD5
01cd8390991e973bff2c5782338c5251

SHA1
685f1f16c78cc32ee7f03b40456c9ee5f90ab9b8

SHA256
a59e24946e7bbe84b0b2a0a7a84041b42198c58a7629dffd8e43c8ea113309d8

SHA512
44654029051a4a4e681ca86f5ec2362038a1c20c98c9a1dab4e7f81c2b12c99f97b569f35d0f076bd406ffae31b6093a5d7aa50b6031bffd7347d191b878a80f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
392KB

MD5
01cd8390991e973bff2c5782338c5251

SHA1
685f1f16c78cc32ee7f03b40456c9ee5f90ab9b8

SHA256
a59e24946e7bbe84b0b2a0a7a84041b42198c58a7629dffd8e43c8ea113309d8

SHA512
44654029051a4a4e681ca86f5ec2362038a1c20c98c9a1dab4e7f81c2b12c99f97b569f35d0f076bd406ffae31b6093a5d7aa50b6031bffd7347d191b878a80f

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
392KB

MD5
fbe615bdbfd36a9517e238ab1006a89b

SHA1
24f92bb117ba3feccd7dcfa141d840848d52cd72

SHA256
920b3518af6eaf912b57b173de6eb1f651c8c5b64c6b0e10ac6937c60b5879c6

SHA512
554a55c0fa9191659b382bad154acf231363ce8092d19996b7d1cc1e67da33459b4f81cc2daaacc96a14513eff3ffba787599c6a479e223c680d37f0e724ed17

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
392KB

MD5
fbe615bdbfd36a9517e238ab1006a89b

SHA1
24f92bb117ba3feccd7dcfa141d840848d52cd72

SHA256
920b3518af6eaf912b57b173de6eb1f651c8c5b64c6b0e10ac6937c60b5879c6

SHA512
554a55c0fa9191659b382bad154acf231363ce8092d19996b7d1cc1e67da33459b4f81cc2daaacc96a14513eff3ffba787599c6a479e223c680d37f0e724ed17

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
392KB

MD5
fbe615bdbfd36a9517e238ab1006a89b

SHA1
24f92bb117ba3feccd7dcfa141d840848d52cd72

SHA256
920b3518af6eaf912b57b173de6eb1f651c8c5b64c6b0e10ac6937c60b5879c6

SHA512
554a55c0fa9191659b382bad154acf231363ce8092d19996b7d1cc1e67da33459b4f81cc2daaacc96a14513eff3ffba787599c6a479e223c680d37f0e724ed17

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
392KB

MD5
fbe615bdbfd36a9517e238ab1006a89b

SHA1
24f92bb117ba3feccd7dcfa141d840848d52cd72

SHA256
920b3518af6eaf912b57b173de6eb1f651c8c5b64c6b0e10ac6937c60b5879c6

SHA512
554a55c0fa9191659b382bad154acf231363ce8092d19996b7d1cc1e67da33459b4f81cc2daaacc96a14513eff3ffba787599c6a479e223c680d37f0e724ed17

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
392KB

MD5
01cd8390991e973bff2c5782338c5251

SHA1
685f1f16c78cc32ee7f03b40456c9ee5f90ab9b8

SHA256
a59e24946e7bbe84b0b2a0a7a84041b42198c58a7629dffd8e43c8ea113309d8

SHA512
44654029051a4a4e681ca86f5ec2362038a1c20c98c9a1dab4e7f81c2b12c99f97b569f35d0f076bd406ffae31b6093a5d7aa50b6031bffd7347d191b878a80f

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
392KB

MD5
01cd8390991e973bff2c5782338c5251

SHA1
685f1f16c78cc32ee7f03b40456c9ee5f90ab9b8

SHA256
a59e24946e7bbe84b0b2a0a7a84041b42198c58a7629dffd8e43c8ea113309d8

SHA512
44654029051a4a4e681ca86f5ec2362038a1c20c98c9a1dab4e7f81c2b12c99f97b569f35d0f076bd406ffae31b6093a5d7aa50b6031bffd7347d191b878a80f

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
392KB

MD5
01cd8390991e973bff2c5782338c5251

SHA1
685f1f16c78cc32ee7f03b40456c9ee5f90ab9b8

SHA256
a59e24946e7bbe84b0b2a0a7a84041b42198c58a7629dffd8e43c8ea113309d8

SHA512
44654029051a4a4e681ca86f5ec2362038a1c20c98c9a1dab4e7f81c2b12c99f97b569f35d0f076bd406ffae31b6093a5d7aa50b6031bffd7347d191b878a80f

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
392KB

MD5
01cd8390991e973bff2c5782338c5251

SHA1
685f1f16c78cc32ee7f03b40456c9ee5f90ab9b8

SHA256
a59e24946e7bbe84b0b2a0a7a84041b42198c58a7629dffd8e43c8ea113309d8

SHA512
44654029051a4a4e681ca86f5ec2362038a1c20c98c9a1dab4e7f81c2b12c99f97b569f35d0f076bd406ffae31b6093a5d7aa50b6031bffd7347d191b878a80f

Download Submit
memory/1372-54-0x0000000075921000-0x0000000075923000-memory.dmp

Filesize
8KB

Download