1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614

Analysis

max time kernel
151s
max time network
67s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 22:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
Size

283KB
MD5

387029020b99d98ef3f59b55db88c2b0
SHA1

bfca62968806828badf6789fc609099dc5771beb
SHA256

1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614
SHA512

89e18bc335ba77742ccc1517d8ac34021b4acd492261b50a36c0a0f194bb9e0d963d1277dd69180d96870842998d8465468e8f9d1092f5aebe1f0ba08af7dae4
SSDEEP

6144:lt8IhVYFVED7l08BkjIf0r9b5if7/F0ZiCs+9O8IKOCzH2a:lt8vVED3Bk0Mr9Vif7/F1hIIabH

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1176	achsv.exe
2032	COM7.EXE
2024	COM7.EXE
896	achsv.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PDF FoxitReader.exe	COM7.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PDF FoxitReader.exe	achsv.exe

Loads dropped DLL 8 IoCs

pid	Process
832	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
832	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
832	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
832	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
1176	achsv.exe
1176	achsv.exe
2032	COM7.EXE
2032	COM7.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\COMLOADER = "\\\\.\\C:\\Program Files\\FoxitReader\\bin\\COM7.EXE"	reg.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\FoxitReader\FoxitReader.exe	COM7.EXE
File created	C:\Program Files\FoxitReader\bin\COM7.EXE	COM7.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1700	reg.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
832	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
1176	achsv.exe
2032	COM7.EXE
2024	COM7.EXE
832	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
832	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
896	achsv.exe
832	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
832	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
832	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
832	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
832	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
2032	COM7.EXE
832	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
2032	COM7.EXE
832	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
832	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
2032	COM7.EXE
2032	COM7.EXE
832	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
2032	COM7.EXE
832	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
2032	COM7.EXE
832	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
2032	COM7.EXE
832	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
2032	COM7.EXE
832	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
2032	COM7.EXE
832	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
2032	COM7.EXE
832	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
2032	COM7.EXE
832	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
2032	COM7.EXE
832	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
2032	COM7.EXE
832	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
2032	COM7.EXE
832	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1176	achsv.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 1176	832	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe	27
PID 832 wrote to memory of 1176	832	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe	27
PID 832 wrote to memory of 1176	832	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe	27
PID 832 wrote to memory of 1176	832	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe	27
PID 832 wrote to memory of 2032	832	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe	28
PID 832 wrote to memory of 2032	832	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe	28
PID 832 wrote to memory of 2032	832	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe	28
PID 832 wrote to memory of 2032	832	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe	28
PID 1176 wrote to memory of 2024	1176	achsv.exe	29
PID 1176 wrote to memory of 2024	1176	achsv.exe	29
PID 1176 wrote to memory of 2024	1176	achsv.exe	29
PID 1176 wrote to memory of 2024	1176	achsv.exe	29
PID 2032 wrote to memory of 1700	2032	COM7.EXE	30
PID 2032 wrote to memory of 1700	2032	COM7.EXE	30
PID 2032 wrote to memory of 1700	2032	COM7.EXE	30
PID 2032 wrote to memory of 1700	2032	COM7.EXE	30
PID 2032 wrote to memory of 896	2032	COM7.EXE	32
PID 2032 wrote to memory of 896	2032	COM7.EXE	32
PID 2032 wrote to memory of 896	2032	COM7.EXE	32
PID 2032 wrote to memory of 896	2032	COM7.EXE	32

C:\Users\Admin\AppData\Local\Temp\1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
"C:\Users\Admin\AppData\Local\Temp\1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:832
- C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
  \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1176
- - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
    \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2024
- C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
  \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v COMLOADER /d "\\.\C:\Program Files\FoxitReader\bin\COM7.EXE"
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1700
- - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
    \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
284KB

MD5
0cced472bb8e4c2e4688e0e0679a5c52

SHA1
af0b76d4c6c536d158809633649278a614030c72

SHA256
8bc3ecd021e4da2253cc1b3a24b67f83f6299c1b84eeedfc89c60d81e90b1fd9

SHA512
3222b3171c06ce288ec2954f5f258f049d60b5dafc4a185e44689e26be7591284f8136cfa09a6c1c9085679fa59a632f9815624211d4ed2e6c0242388ae2e1c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
284KB

MD5
0cced472bb8e4c2e4688e0e0679a5c52

SHA1
af0b76d4c6c536d158809633649278a614030c72

SHA256
8bc3ecd021e4da2253cc1b3a24b67f83f6299c1b84eeedfc89c60d81e90b1fd9

SHA512
3222b3171c06ce288ec2954f5f258f049d60b5dafc4a185e44689e26be7591284f8136cfa09a6c1c9085679fa59a632f9815624211d4ed2e6c0242388ae2e1c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
284KB

MD5
0cced472bb8e4c2e4688e0e0679a5c52

SHA1
af0b76d4c6c536d158809633649278a614030c72

SHA256
8bc3ecd021e4da2253cc1b3a24b67f83f6299c1b84eeedfc89c60d81e90b1fd9

SHA512
3222b3171c06ce288ec2954f5f258f049d60b5dafc4a185e44689e26be7591284f8136cfa09a6c1c9085679fa59a632f9815624211d4ed2e6c0242388ae2e1c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
283KB

MD5
8c589f4a4ab091b2acb8d344be98d83b

SHA1
4a87baef115a96c4f8d4abb17eda82502233443d

SHA256
01d0da80e37f4f01a2d5f7a1194aedb54e45eb7a24301a425e7aa704847202be

SHA512
38ce7554e762f76e9714139f00d39d20b50dc00d98282f5611fbd5deb5c2ad5381c87795093e70e857dedf4d503e14294d8f2dc3109ec097f796cececeebbe21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
283KB

MD5
8c589f4a4ab091b2acb8d344be98d83b

SHA1
4a87baef115a96c4f8d4abb17eda82502233443d

SHA256
01d0da80e37f4f01a2d5f7a1194aedb54e45eb7a24301a425e7aa704847202be

SHA512
38ce7554e762f76e9714139f00d39d20b50dc00d98282f5611fbd5deb5c2ad5381c87795093e70e857dedf4d503e14294d8f2dc3109ec097f796cececeebbe21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
283KB

MD5
8c589f4a4ab091b2acb8d344be98d83b

SHA1
4a87baef115a96c4f8d4abb17eda82502233443d

SHA256
01d0da80e37f4f01a2d5f7a1194aedb54e45eb7a24301a425e7aa704847202be

SHA512
38ce7554e762f76e9714139f00d39d20b50dc00d98282f5611fbd5deb5c2ad5381c87795093e70e857dedf4d503e14294d8f2dc3109ec097f796cececeebbe21

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PDF FoxitReader.exe

Filesize
24KB

MD5
c6396d7327f0ff0d8fbdbfff0b5702e4

SHA1
795ddfab6c864e9d5073d2ae17ceb41f00455bec

SHA256
c548fd8964fff900b44ddc4cf422887bfb02eedfb81669b4f5664d7d8a5c85a4

SHA512
8ea39d32d243a3261280b2cc481d50d54a3062d9c19ff0f1ddb2131d7cde884100b7c7e55e63eaafcc31d8fc17a1c5681a8e6774f5bd9b59e7b7c889f96cda00

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
284KB

MD5
0cced472bb8e4c2e4688e0e0679a5c52

SHA1
af0b76d4c6c536d158809633649278a614030c72

SHA256
8bc3ecd021e4da2253cc1b3a24b67f83f6299c1b84eeedfc89c60d81e90b1fd9

SHA512
3222b3171c06ce288ec2954f5f258f049d60b5dafc4a185e44689e26be7591284f8136cfa09a6c1c9085679fa59a632f9815624211d4ed2e6c0242388ae2e1c8

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
284KB

MD5
0cced472bb8e4c2e4688e0e0679a5c52

SHA1
af0b76d4c6c536d158809633649278a614030c72

SHA256
8bc3ecd021e4da2253cc1b3a24b67f83f6299c1b84eeedfc89c60d81e90b1fd9

SHA512
3222b3171c06ce288ec2954f5f258f049d60b5dafc4a185e44689e26be7591284f8136cfa09a6c1c9085679fa59a632f9815624211d4ed2e6c0242388ae2e1c8

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
284KB

MD5
0cced472bb8e4c2e4688e0e0679a5c52

SHA1
af0b76d4c6c536d158809633649278a614030c72

SHA256
8bc3ecd021e4da2253cc1b3a24b67f83f6299c1b84eeedfc89c60d81e90b1fd9

SHA512
3222b3171c06ce288ec2954f5f258f049d60b5dafc4a185e44689e26be7591284f8136cfa09a6c1c9085679fa59a632f9815624211d4ed2e6c0242388ae2e1c8

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
284KB

MD5
0cced472bb8e4c2e4688e0e0679a5c52

SHA1
af0b76d4c6c536d158809633649278a614030c72

SHA256
8bc3ecd021e4da2253cc1b3a24b67f83f6299c1b84eeedfc89c60d81e90b1fd9

SHA512
3222b3171c06ce288ec2954f5f258f049d60b5dafc4a185e44689e26be7591284f8136cfa09a6c1c9085679fa59a632f9815624211d4ed2e6c0242388ae2e1c8

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
283KB

MD5
8c589f4a4ab091b2acb8d344be98d83b

SHA1
4a87baef115a96c4f8d4abb17eda82502233443d

SHA256
01d0da80e37f4f01a2d5f7a1194aedb54e45eb7a24301a425e7aa704847202be

SHA512
38ce7554e762f76e9714139f00d39d20b50dc00d98282f5611fbd5deb5c2ad5381c87795093e70e857dedf4d503e14294d8f2dc3109ec097f796cececeebbe21

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
283KB

MD5
8c589f4a4ab091b2acb8d344be98d83b

SHA1
4a87baef115a96c4f8d4abb17eda82502233443d

SHA256
01d0da80e37f4f01a2d5f7a1194aedb54e45eb7a24301a425e7aa704847202be

SHA512
38ce7554e762f76e9714139f00d39d20b50dc00d98282f5611fbd5deb5c2ad5381c87795093e70e857dedf4d503e14294d8f2dc3109ec097f796cececeebbe21

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
283KB

MD5
8c589f4a4ab091b2acb8d344be98d83b

SHA1
4a87baef115a96c4f8d4abb17eda82502233443d

SHA256
01d0da80e37f4f01a2d5f7a1194aedb54e45eb7a24301a425e7aa704847202be

SHA512
38ce7554e762f76e9714139f00d39d20b50dc00d98282f5611fbd5deb5c2ad5381c87795093e70e857dedf4d503e14294d8f2dc3109ec097f796cececeebbe21

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
283KB

MD5
8c589f4a4ab091b2acb8d344be98d83b

SHA1
4a87baef115a96c4f8d4abb17eda82502233443d

SHA256
01d0da80e37f4f01a2d5f7a1194aedb54e45eb7a24301a425e7aa704847202be

SHA512
38ce7554e762f76e9714139f00d39d20b50dc00d98282f5611fbd5deb5c2ad5381c87795093e70e857dedf4d503e14294d8f2dc3109ec097f796cececeebbe21

Download Submit
memory/832-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download