9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380

Analysis

max time kernel
150s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2022 22:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
Size

392KB
MD5

09700f2ed192a2f28154d4e9433b8da0
SHA1

75c76b59c334009ba48f3d567eea7d13c0f8d051
SHA256

9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380
SHA512

ae4f8acb3aaeca54b237414afac403433d786fa525ebd481c14ae6e1af0f6f14a3baae9cc3904c797a260174e54416467439a02d40363ceace07c5e0380c2b81
SSDEEP

12288:+t8vVED3Bk0Mr9Vif7/F1hIIaYHuvAIS2x:+t+gvMpVij/F1hV5HuvAIr

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1548	achsv.exe
2704	COM7.EXE
3160	COM7.EXE
3184	achsv.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	COM7.EXE

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PDF FoxitReader.exe	achsv.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PDF FoxitReader.exe	COM7.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\COMLOADER = "\\\\.\\C:\\Program Files\\FoxitReader\\bin\\COM7.EXE"	reg.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\FoxitReader\bin\COM7.EXE	COM7.EXE
File created	C:\Program Files\FoxitReader\FoxitReader.exe	COM7.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1836	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
1548	achsv.exe
1548	achsv.exe
2704	COM7.EXE
2704	COM7.EXE
4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
3160	COM7.EXE
3160	COM7.EXE
4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
3184	achsv.exe
3184	achsv.exe
4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
2704	COM7.EXE
2704	COM7.EXE
4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
2704	COM7.EXE
2704	COM7.EXE
4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
2704	COM7.EXE
2704	COM7.EXE
4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
2704	COM7.EXE
2704	COM7.EXE
4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
2704	COM7.EXE
2704	COM7.EXE
4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
2704	COM7.EXE
2704	COM7.EXE
4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
2704	COM7.EXE
2704	COM7.EXE
4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
2704	COM7.EXE
2704	COM7.EXE
4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
2704	COM7.EXE
2704	COM7.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1548	achsv.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 1548	4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe	79
PID 4868 wrote to memory of 1548	4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe	79
PID 4868 wrote to memory of 1548	4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe	79
PID 4868 wrote to memory of 2704	4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe	80
PID 4868 wrote to memory of 2704	4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe	80
PID 4868 wrote to memory of 2704	4868	9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe	80
PID 1548 wrote to memory of 3160	1548	achsv.exe	86
PID 1548 wrote to memory of 3160	1548	achsv.exe	86
PID 1548 wrote to memory of 3160	1548	achsv.exe	86
PID 2704 wrote to memory of 1836	2704	COM7.EXE	87
PID 2704 wrote to memory of 1836	2704	COM7.EXE	87
PID 2704 wrote to memory of 1836	2704	COM7.EXE	87
PID 2704 wrote to memory of 3184	2704	COM7.EXE	91
PID 2704 wrote to memory of 3184	2704	COM7.EXE	91
PID 2704 wrote to memory of 3184	2704	COM7.EXE	91

C:\Users\Admin\AppData\Local\Temp\9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe
"C:\Users\Admin\AppData\Local\Temp\9acb4107fc42340085b92b61623f241b3b87136e167e8e22bc3c1467bd2c1380.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
  \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
    \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3160
- C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
  \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops startup file
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v COMLOADER /d "\\.\C:\Program Files\FoxitReader\bin\COM7.EXE"
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1836
- - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
    \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3184

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
392KB

MD5
7486b941bc76877a8b88ecfb4e045655

SHA1
800c3c5657d9b7c0339854812b63f651c47346a2

SHA256
11fad865ea61509315b7cc24aa6e6ce3245a617abe1c6de9244254663fac866b

SHA512
2701b24bb4494cb93351f910f2a7c788659dfc097d2d0ee752bf4a30721cd33db827c98350f65655ae8cf1248fef3c84b0de472b399187453e63c5c2e2a4364b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
392KB

MD5
7486b941bc76877a8b88ecfb4e045655

SHA1
800c3c5657d9b7c0339854812b63f651c47346a2

SHA256
11fad865ea61509315b7cc24aa6e6ce3245a617abe1c6de9244254663fac866b

SHA512
2701b24bb4494cb93351f910f2a7c788659dfc097d2d0ee752bf4a30721cd33db827c98350f65655ae8cf1248fef3c84b0de472b399187453e63c5c2e2a4364b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
392KB

MD5
7486b941bc76877a8b88ecfb4e045655

SHA1
800c3c5657d9b7c0339854812b63f651c47346a2

SHA256
11fad865ea61509315b7cc24aa6e6ce3245a617abe1c6de9244254663fac866b

SHA512
2701b24bb4494cb93351f910f2a7c788659dfc097d2d0ee752bf4a30721cd33db827c98350f65655ae8cf1248fef3c84b0de472b399187453e63c5c2e2a4364b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
392KB

MD5
7fd06f7f467278531f64d85b0647eae4

SHA1
3272355badd121ce155b4f3ef3ffbb61c3ddb791

SHA256
82f3f8819254770227ca06bec917012f11ccad1d118f66c666542530e0d3c8a7

SHA512
b709a6b7d7060598422cc8d80a17d0b327b4d854a2c9cde45840cac0f41fdbe413e61fd56b07f61b5cbcb4de08f417de30156cf8b1426b513a9b1dfa76fb4616

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
392KB

MD5
7fd06f7f467278531f64d85b0647eae4

SHA1
3272355badd121ce155b4f3ef3ffbb61c3ddb791

SHA256
82f3f8819254770227ca06bec917012f11ccad1d118f66c666542530e0d3c8a7

SHA512
b709a6b7d7060598422cc8d80a17d0b327b4d854a2c9cde45840cac0f41fdbe413e61fd56b07f61b5cbcb4de08f417de30156cf8b1426b513a9b1dfa76fb4616

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
392KB

MD5
7fd06f7f467278531f64d85b0647eae4

SHA1
3272355badd121ce155b4f3ef3ffbb61c3ddb791

SHA256
82f3f8819254770227ca06bec917012f11ccad1d118f66c666542530e0d3c8a7

SHA512
b709a6b7d7060598422cc8d80a17d0b327b4d854a2c9cde45840cac0f41fdbe413e61fd56b07f61b5cbcb4de08f417de30156cf8b1426b513a9b1dfa76fb4616

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PDF FoxitReader.exe

Filesize
4KB

MD5
36858b4871ff6a48b7d6563a4a861ce9

SHA1
1d71d934b1a2914c98ecf65226e22d296e4aee8b

SHA256
3f3ce312571b37467fed59db127edc2e45acc9e44944decc4a9d13cf48c3cda2

SHA512
bb4ef681c363c94bc562f33f931cd3c00bb5d648376d5e51944eec9a183f08bdd4f54bd24daabcb6d95f48bd93662db8f1ee82605e671791e1df784e9f0efcb0

Download Submit