1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614

Analysis

max time kernel
152s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2022 22:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
Size

283KB
MD5

387029020b99d98ef3f59b55db88c2b0
SHA1

bfca62968806828badf6789fc609099dc5771beb
SHA256

1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614
SHA512

89e18bc335ba77742ccc1517d8ac34021b4acd492261b50a36c0a0f194bb9e0d963d1277dd69180d96870842998d8465468e8f9d1092f5aebe1f0ba08af7dae4
SSDEEP

6144:lt8IhVYFVED7l08BkjIf0r9b5if7/F0ZiCs+9O8IKOCzH2a:lt8vVED3Bk0Mr9Vif7/F1hIIabH

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4828	achsv.exe
968	COM7.EXE
4380	achsv.exe
1752	COM7.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	COM7.EXE

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PDF FoxitReader.exe	COM7.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\COMLOADER = "\\\\.\\C:\\Program Files\\FoxitReader\\bin\\COM7.EXE"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\FoxitReader\bin\COM7.EXE	COM7.EXE
File created	C:\Program Files\FoxitReader\FoxitReader.exe	COM7.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4892	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
4828	achsv.exe
4828	achsv.exe
968	COM7.EXE
968	COM7.EXE
1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
4380	achsv.exe
4380	achsv.exe
1752	COM7.EXE
1752	COM7.EXE
1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
968	COM7.EXE
968	COM7.EXE
1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
968	COM7.EXE
968	COM7.EXE
1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
968	COM7.EXE
968	COM7.EXE
1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
968	COM7.EXE
968	COM7.EXE
1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
968	COM7.EXE
968	COM7.EXE
1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
968	COM7.EXE
968	COM7.EXE
968	COM7.EXE
968	COM7.EXE
1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
968	COM7.EXE
968	COM7.EXE
1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
968	COM7.EXE
968	COM7.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4828	achsv.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 4828	1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe	81
PID 1684 wrote to memory of 4828	1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe	81
PID 1684 wrote to memory of 4828	1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe	81
PID 1684 wrote to memory of 968	1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe	82
PID 1684 wrote to memory of 968	1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe	82
PID 1684 wrote to memory of 968	1684	1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe	82
PID 968 wrote to memory of 4892	968	COM7.EXE	84
PID 968 wrote to memory of 4892	968	COM7.EXE	84
PID 968 wrote to memory of 4892	968	COM7.EXE	84
PID 968 wrote to memory of 4380	968	COM7.EXE	86
PID 968 wrote to memory of 4380	968	COM7.EXE	86
PID 968 wrote to memory of 4380	968	COM7.EXE	86
PID 4828 wrote to memory of 1752	4828	achsv.exe	87
PID 4828 wrote to memory of 1752	4828	achsv.exe	87
PID 4828 wrote to memory of 1752	4828	achsv.exe	87

C:\Users\Admin\AppData\Local\Temp\1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe
"C:\Users\Admin\AppData\Local\Temp\1b859b2a03afc08ac0799b92cbee57003f6ab653b001e37fcb683618974fb614.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
  \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
    \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1752
- C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
  \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops startup file
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v COMLOADER /d "\\.\C:\Program Files\FoxitReader\bin\COM7.EXE"
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:4892
- - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
    \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
284KB

MD5
08aec12c424ca896060006646deca4fc

SHA1
432b45aea252c1606a8116c37f1bffd115e12d09

SHA256
9371b7164f03eded8ee62d4643a2f75318e2701ef811767965aa4e01096683b2

SHA512
d4b2c8a8a2742507f0b2ceea7759f94eadfb48041def85afaf1d82de4700d6d7ae092d7040e017de8af427ed5d8113b9a49a3696be2f8e6a3291f7bb379c0267

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
284KB

MD5
08aec12c424ca896060006646deca4fc

SHA1
432b45aea252c1606a8116c37f1bffd115e12d09

SHA256
9371b7164f03eded8ee62d4643a2f75318e2701ef811767965aa4e01096683b2

SHA512
d4b2c8a8a2742507f0b2ceea7759f94eadfb48041def85afaf1d82de4700d6d7ae092d7040e017de8af427ed5d8113b9a49a3696be2f8e6a3291f7bb379c0267

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
284KB

MD5
08aec12c424ca896060006646deca4fc

SHA1
432b45aea252c1606a8116c37f1bffd115e12d09

SHA256
9371b7164f03eded8ee62d4643a2f75318e2701ef811767965aa4e01096683b2

SHA512
d4b2c8a8a2742507f0b2ceea7759f94eadfb48041def85afaf1d82de4700d6d7ae092d7040e017de8af427ed5d8113b9a49a3696be2f8e6a3291f7bb379c0267

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
283KB

MD5
8c110c483e9699eac9bcc2314c354390

SHA1
0a78b65e1ecccbb19b5b72f16dbdd98cb6cf3278

SHA256
e60981f39eff06082f13187d7d10c2d034c22f90fe02ccbfd12ff1f1463e6517

SHA512
de54fee65c80d8677ad69bdaa4e652013f41baa80fc34149530ac69f31a3880d16142515fba88389497523001ebb2417956f00d319c19f1e79c407a0f80cfb7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
283KB

MD5
8c110c483e9699eac9bcc2314c354390

SHA1
0a78b65e1ecccbb19b5b72f16dbdd98cb6cf3278

SHA256
e60981f39eff06082f13187d7d10c2d034c22f90fe02ccbfd12ff1f1463e6517

SHA512
de54fee65c80d8677ad69bdaa4e652013f41baa80fc34149530ac69f31a3880d16142515fba88389497523001ebb2417956f00d319c19f1e79c407a0f80cfb7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
283KB

MD5
8c110c483e9699eac9bcc2314c354390

SHA1
0a78b65e1ecccbb19b5b72f16dbdd98cb6cf3278

SHA256
e60981f39eff06082f13187d7d10c2d034c22f90fe02ccbfd12ff1f1463e6517

SHA512
de54fee65c80d8677ad69bdaa4e652013f41baa80fc34149530ac69f31a3880d16142515fba88389497523001ebb2417956f00d319c19f1e79c407a0f80cfb7b

Download Submit