edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220

Analysis

max time kernel
150s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2022 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe
Size

283KB
MD5

4db2ac27b1f9c7c7075b715bb0553bb0
SHA1

70fb6480d347e8992eb27128efdc980e7b4ade02
SHA256

edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220
SHA512

8d10d81bab6c9c4589f4f5a7bca003b32767aaf027fceae5bc182618d1f5060a1d01829e643a16405d3829eccc85dccd0bf9164f22f184588d86d2d238d99606
SSDEEP

6144:Ot8IhVYFVED7l08BkjIf0r9b5if7/F0ZiCs+9O8IKOCzHD2:Ot8vVED3Bk0Mr9Vif7/F1hIIabD2

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
3588	achsv.exe
3872	COM7.EXE
3392	achsv.exe
3540	COM7.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	COM7.EXE

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PDF FoxitReader.exe	COM7.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\COMLOADER = "\\\\.\\C:\\Program Files\\FoxitReader\\bin\\COM7.EXE"	reg.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\FoxitReader\bin\COM7.EXE	COM7.EXE
File created	C:\Program Files\FoxitReader\FoxitReader.exe	COM7.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4296	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe
3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe
3588	achsv.exe
3588	achsv.exe
3872	COM7.EXE
3872	COM7.EXE
3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe
3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe
3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe
3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe
3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe
3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe
3392	achsv.exe
3392	achsv.exe
3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe
3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe
3540	COM7.EXE
3540	COM7.EXE
3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe
3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe
3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe
3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe
3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe
3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe
3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe
3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe
3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe
3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe
3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe
3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe
3872	COM7.EXE
3872	COM7.EXE
3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe
3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe
3872	COM7.EXE
3872	COM7.EXE
3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe
3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe
3872	COM7.EXE
3872	COM7.EXE
3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe
3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe
3872	COM7.EXE
3872	COM7.EXE
3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe
3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe
3872	COM7.EXE
3872	COM7.EXE
3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe
3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe
3872	COM7.EXE
3872	COM7.EXE
3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe
3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe
3872	COM7.EXE
3872	COM7.EXE
3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe
3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe
3872	COM7.EXE
3872	COM7.EXE
3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe
3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe
3872	COM7.EXE
3872	COM7.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3588	achsv.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3716 wrote to memory of 3588	3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe	83
PID 3716 wrote to memory of 3588	3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe	83
PID 3716 wrote to memory of 3588	3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe	83
PID 3716 wrote to memory of 3872	3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe	84
PID 3716 wrote to memory of 3872	3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe	84
PID 3716 wrote to memory of 3872	3716	edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe	84
PID 3872 wrote to memory of 4296	3872	COM7.EXE	85
PID 3872 wrote to memory of 4296	3872	COM7.EXE	85
PID 3872 wrote to memory of 4296	3872	COM7.EXE	85
PID 3872 wrote to memory of 3392	3872	COM7.EXE	87
PID 3872 wrote to memory of 3392	3872	COM7.EXE	87
PID 3872 wrote to memory of 3392	3872	COM7.EXE	87
PID 3588 wrote to memory of 3540	3588	achsv.exe	88
PID 3588 wrote to memory of 3540	3588	achsv.exe	88
PID 3588 wrote to memory of 3540	3588	achsv.exe	88

C:\Users\Admin\AppData\Local\Temp\edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe
"C:\Users\Admin\AppData\Local\Temp\edd1bc42fd43b0e48a6b414f08d592847866acd1be7d1a502146eddba8a56220.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3716
- C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
  \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3588
- - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
    \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3540
- C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
  \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops startup file
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3872
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v COMLOADER /d "\\.\C:\Program Files\FoxitReader\bin\COM7.EXE"
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:4296
- - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
    \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
283KB

MD5
3ad18eac198dcab9f3fb94746a8d9aac

SHA1
1c4acaf3342c89da18a4fd19fefcdd9aa4f507de

SHA256
4c0ded7a65a11fb937308bb07cbdcad217ad376e93dbf9068b4b49c9fe192d4c

SHA512
ccb6b7c00f37106eb1bbad2c035be0c53f2ca05245df8bc16ea41c69f99a66fd3a51fc5faf8d7042273279bc1256e9bdf1bfba9808dda336ee1f6653bd570370

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
283KB

MD5
3ad18eac198dcab9f3fb94746a8d9aac

SHA1
1c4acaf3342c89da18a4fd19fefcdd9aa4f507de

SHA256
4c0ded7a65a11fb937308bb07cbdcad217ad376e93dbf9068b4b49c9fe192d4c

SHA512
ccb6b7c00f37106eb1bbad2c035be0c53f2ca05245df8bc16ea41c69f99a66fd3a51fc5faf8d7042273279bc1256e9bdf1bfba9808dda336ee1f6653bd570370

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
283KB

MD5
3ad18eac198dcab9f3fb94746a8d9aac

SHA1
1c4acaf3342c89da18a4fd19fefcdd9aa4f507de

SHA256
4c0ded7a65a11fb937308bb07cbdcad217ad376e93dbf9068b4b49c9fe192d4c

SHA512
ccb6b7c00f37106eb1bbad2c035be0c53f2ca05245df8bc16ea41c69f99a66fd3a51fc5faf8d7042273279bc1256e9bdf1bfba9808dda336ee1f6653bd570370

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
284KB

MD5
0051e4ab50bbdcdd8b0fb01f78747baf

SHA1
b8673767c0acc09581252baf3f14579b53a7b776

SHA256
f2912a5694cfba3cc458f3c569d64bd3ae3a95358c14a0a945e5436e3ffb8458

SHA512
420dc3a51a4c4df6290c7e25e8f3eacefda1d7e0419a553c8a54bf26d00cce28da59841bb0851a1105cffd5f286ef6e0b01c3499704762740655a851f9fcc0b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
284KB

MD5
0051e4ab50bbdcdd8b0fb01f78747baf

SHA1
b8673767c0acc09581252baf3f14579b53a7b776

SHA256
f2912a5694cfba3cc458f3c569d64bd3ae3a95358c14a0a945e5436e3ffb8458

SHA512
420dc3a51a4c4df6290c7e25e8f3eacefda1d7e0419a553c8a54bf26d00cce28da59841bb0851a1105cffd5f286ef6e0b01c3499704762740655a851f9fcc0b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
284KB

MD5
0051e4ab50bbdcdd8b0fb01f78747baf

SHA1
b8673767c0acc09581252baf3f14579b53a7b776

SHA256
f2912a5694cfba3cc458f3c569d64bd3ae3a95358c14a0a945e5436e3ffb8458

SHA512
420dc3a51a4c4df6290c7e25e8f3eacefda1d7e0419a553c8a54bf26d00cce28da59841bb0851a1105cffd5f286ef6e0b01c3499704762740655a851f9fcc0b5

Download Submit
memory/3392-139-0x0000000000000000-mapping.dmp

Download
memory/3540-141-0x0000000000000000-mapping.dmp

Download
memory/3588-132-0x0000000000000000-mapping.dmp

Download
memory/3872-135-0x0000000000000000-mapping.dmp

Download
memory/4296-138-0x0000000000000000-mapping.dmp

Download