727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94

Analysis

max time kernel
149s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
18/10/2022, 02:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94.exe
Size

90KB
MD5

fd1b7574878bf09696ee3e94ed3089b6
SHA1

b5fdb2db101f77c67de1714830a20d239bfe477c
SHA256

727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94
SHA512

7daff2a080c05ba76a5ab9eed8344506d4392ba5472b7f0de04763fc2f1624db13bdc9253bd8fb1a9e8d13f2bbc5594373ecb817fa3ca08a2969ea1001681236
SSDEEP

1536:B1Sbpfv5DOWknf7LAQkhB5EQr5PqNzH3EEIMrAgx29E9zt7Ha4h+DGunCJrs:SbpfhDOW7hBhr4pX5r9x29E9z5HaZDGg

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1120	ashcv.exe
1756	COM7.EXE
880	COM7.EXE
1808	ashcv.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PDF Reader Launcher.exe	COM7.EXE

Loads dropped DLL 8 IoCs

pid	Process
1444	727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94.exe
1444	727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94.exe
1444	727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94.exe
1444	727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94.exe
1120	ashcv.exe
1120	ashcv.exe
1756	COM7.EXE
1756	COM7.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\COM_LOADER = "\\\\.\\C:\\Program Files\\PDF_Reader\\bin\\COM7.EXE"	reg.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\PDF_Reader\bin\COM7.EXE	COM7.EXE
File created	C:\Program Files\PDF_Reader\PDF_Reader.exe	COM7.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1920	reg.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
1444	727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94.exe
1120	ashcv.exe
1756	COM7.EXE
1444	727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94.exe
1444	727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94.exe
880	COM7.EXE
1808	ashcv.exe
1444	727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94.exe
1444	727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94.exe
1756	COM7.EXE
1444	727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94.exe
1756	COM7.EXE
1444	727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94.exe
1756	COM7.EXE
1444	727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94.exe
1756	COM7.EXE
1444	727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94.exe
1756	COM7.EXE
1444	727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94.exe
1756	COM7.EXE
1444	727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94.exe
1756	COM7.EXE
1444	727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94.exe
1756	COM7.EXE
1444	727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94.exe
1756	COM7.EXE
1444	727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94.exe
1444	727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94.exe
1756	COM7.EXE
1444	727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94.exe
1756	COM7.EXE
1444	727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94.exe
1756	COM7.EXE
1444	727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94.exe
1756	COM7.EXE
1444	727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94.exe
1756	COM7.EXE
1444	727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94.exe
1756	COM7.EXE
1444	727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94.exe
1756	COM7.EXE
1444	727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94.exe
1756	COM7.EXE
1444	727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94.exe
1756	COM7.EXE
1444	727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94.exe
1756	COM7.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1120	ashcv.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 1120	1444	727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94.exe	27
PID 1444 wrote to memory of 1120	1444	727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94.exe	27
PID 1444 wrote to memory of 1120	1444	727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94.exe	27
PID 1444 wrote to memory of 1120	1444	727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94.exe	27
PID 1444 wrote to memory of 1756	1444	727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94.exe	28
PID 1444 wrote to memory of 1756	1444	727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94.exe	28
PID 1444 wrote to memory of 1756	1444	727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94.exe	28
PID 1444 wrote to memory of 1756	1444	727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94.exe	28
PID 1756 wrote to memory of 1920	1756	COM7.EXE	29
PID 1756 wrote to memory of 1920	1756	COM7.EXE	29
PID 1756 wrote to memory of 1920	1756	COM7.EXE	29
PID 1756 wrote to memory of 1920	1756	COM7.EXE	29
PID 1120 wrote to memory of 880	1120	ashcv.exe	31
PID 1120 wrote to memory of 880	1120	ashcv.exe	31
PID 1120 wrote to memory of 880	1120	ashcv.exe	31
PID 1120 wrote to memory of 880	1120	ashcv.exe	31
PID 1756 wrote to memory of 1808	1756	COM7.EXE	32
PID 1756 wrote to memory of 1808	1756	COM7.EXE	32
PID 1756 wrote to memory of 1808	1756	COM7.EXE	32
PID 1756 wrote to memory of 1808	1756	COM7.EXE	32

C:\Users\Admin\AppData\Local\Temp\727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94.exe
"C:\Users\Admin\AppData\Local\Temp\727256b35f4986f477163fd08acb69750d27e6d052408c5e2ea29816e0261d94.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe
  \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE
    \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:880
- C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE
  \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v COM_LOADER /d "\\.\C:\Program Files\PDF_Reader\bin\COM7.EXE"
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1920
- - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe
    \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE

Filesize
90KB

MD5
9a6185bae2676c65a96123f32ea90a72

SHA1
9bad13aefe6db346c1fe7342dccc0bb6ea3f10b8

SHA256
a2958e55172edea8c389653912b20fe9161567eb6cc216fe62f8ab1cc7fad84f

SHA512
6c8374c04738c22bf713490eed8262c6c0198b67a2ce17e83d5e468ce9e700d44927bc7ed1ea910559fbeb4c641134a0473f660b6fa8d44660da6512d69f369d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE

Filesize
90KB

MD5
9a6185bae2676c65a96123f32ea90a72

SHA1
9bad13aefe6db346c1fe7342dccc0bb6ea3f10b8

SHA256
a2958e55172edea8c389653912b20fe9161567eb6cc216fe62f8ab1cc7fad84f

SHA512
6c8374c04738c22bf713490eed8262c6c0198b67a2ce17e83d5e468ce9e700d44927bc7ed1ea910559fbeb4c641134a0473f660b6fa8d44660da6512d69f369d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE

Filesize
90KB

MD5
9a6185bae2676c65a96123f32ea90a72

SHA1
9bad13aefe6db346c1fe7342dccc0bb6ea3f10b8

SHA256
a2958e55172edea8c389653912b20fe9161567eb6cc216fe62f8ab1cc7fad84f

SHA512
6c8374c04738c22bf713490eed8262c6c0198b67a2ce17e83d5e468ce9e700d44927bc7ed1ea910559fbeb4c641134a0473f660b6fa8d44660da6512d69f369d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe

Filesize
90KB

MD5
545d926c4114e8b79687da007013d87e

SHA1
2511711ebc4cfe488868b63aa03bb372a20d00f5

SHA256
2ffb419c24c889aa62166463cc76761cef3101fb3661e5b294893b6677948a3d

SHA512
0e348ac217de413b8f87e37819372d5451714d458655830c1452ef646e50762e067188baa9b89bda3e55eba4489063cae8eb04ac9c2e2279bd7401e8209f3696

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe

Filesize
90KB

MD5
545d926c4114e8b79687da007013d87e

SHA1
2511711ebc4cfe488868b63aa03bb372a20d00f5

SHA256
2ffb419c24c889aa62166463cc76761cef3101fb3661e5b294893b6677948a3d

SHA512
0e348ac217de413b8f87e37819372d5451714d458655830c1452ef646e50762e067188baa9b89bda3e55eba4489063cae8eb04ac9c2e2279bd7401e8209f3696

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe

Filesize
90KB

MD5
545d926c4114e8b79687da007013d87e

SHA1
2511711ebc4cfe488868b63aa03bb372a20d00f5

SHA256
2ffb419c24c889aa62166463cc76761cef3101fb3661e5b294893b6677948a3d

SHA512
0e348ac217de413b8f87e37819372d5451714d458655830c1452ef646e50762e067188baa9b89bda3e55eba4489063cae8eb04ac9c2e2279bd7401e8209f3696

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE

Filesize
90KB

MD5
9a6185bae2676c65a96123f32ea90a72

SHA1
9bad13aefe6db346c1fe7342dccc0bb6ea3f10b8

SHA256
a2958e55172edea8c389653912b20fe9161567eb6cc216fe62f8ab1cc7fad84f

SHA512
6c8374c04738c22bf713490eed8262c6c0198b67a2ce17e83d5e468ce9e700d44927bc7ed1ea910559fbeb4c641134a0473f660b6fa8d44660da6512d69f369d

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE

Filesize
90KB

MD5
9a6185bae2676c65a96123f32ea90a72

SHA1
9bad13aefe6db346c1fe7342dccc0bb6ea3f10b8

SHA256
a2958e55172edea8c389653912b20fe9161567eb6cc216fe62f8ab1cc7fad84f

SHA512
6c8374c04738c22bf713490eed8262c6c0198b67a2ce17e83d5e468ce9e700d44927bc7ed1ea910559fbeb4c641134a0473f660b6fa8d44660da6512d69f369d

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE

Filesize
90KB

MD5
9a6185bae2676c65a96123f32ea90a72

SHA1
9bad13aefe6db346c1fe7342dccc0bb6ea3f10b8

SHA256
a2958e55172edea8c389653912b20fe9161567eb6cc216fe62f8ab1cc7fad84f

SHA512
6c8374c04738c22bf713490eed8262c6c0198b67a2ce17e83d5e468ce9e700d44927bc7ed1ea910559fbeb4c641134a0473f660b6fa8d44660da6512d69f369d

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\COM7.EXE

Filesize
90KB

MD5
9a6185bae2676c65a96123f32ea90a72

SHA1
9bad13aefe6db346c1fe7342dccc0bb6ea3f10b8

SHA256
a2958e55172edea8c389653912b20fe9161567eb6cc216fe62f8ab1cc7fad84f

SHA512
6c8374c04738c22bf713490eed8262c6c0198b67a2ce17e83d5e468ce9e700d44927bc7ed1ea910559fbeb4c641134a0473f660b6fa8d44660da6512d69f369d

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe

Filesize
90KB

MD5
545d926c4114e8b79687da007013d87e

SHA1
2511711ebc4cfe488868b63aa03bb372a20d00f5

SHA256
2ffb419c24c889aa62166463cc76761cef3101fb3661e5b294893b6677948a3d

SHA512
0e348ac217de413b8f87e37819372d5451714d458655830c1452ef646e50762e067188baa9b89bda3e55eba4489063cae8eb04ac9c2e2279bd7401e8209f3696

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe

Filesize
90KB

MD5
545d926c4114e8b79687da007013d87e

SHA1
2511711ebc4cfe488868b63aa03bb372a20d00f5

SHA256
2ffb419c24c889aa62166463cc76761cef3101fb3661e5b294893b6677948a3d

SHA512
0e348ac217de413b8f87e37819372d5451714d458655830c1452ef646e50762e067188baa9b89bda3e55eba4489063cae8eb04ac9c2e2279bd7401e8209f3696

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe

Filesize
90KB

MD5
545d926c4114e8b79687da007013d87e

SHA1
2511711ebc4cfe488868b63aa03bb372a20d00f5

SHA256
2ffb419c24c889aa62166463cc76761cef3101fb3661e5b294893b6677948a3d

SHA512
0e348ac217de413b8f87e37819372d5451714d458655830c1452ef646e50762e067188baa9b89bda3e55eba4489063cae8eb04ac9c2e2279bd7401e8209f3696

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.sr77\ashcv.exe

Filesize
90KB

MD5
545d926c4114e8b79687da007013d87e

SHA1
2511711ebc4cfe488868b63aa03bb372a20d00f5

SHA256
2ffb419c24c889aa62166463cc76761cef3101fb3661e5b294893b6677948a3d

SHA512
0e348ac217de413b8f87e37819372d5451714d458655830c1452ef646e50762e067188baa9b89bda3e55eba4489063cae8eb04ac9c2e2279bd7401e8209f3696

Download Submit
memory/1444-54-0x0000000075D71000-0x0000000075D73000-memory.dmp

Filesize
8KB

Download