eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e

Analysis

max time kernel
188s
max time network
119s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
Size

392KB
MD5

51d8233383c4f3da02361ef625c09a42
SHA1

aa112dae8bb3233367fa7fa4c0c4fdf2236dc290
SHA256

eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e
SHA512

b957eb31b2ca46ec87eb1f3f61772c8e6bab921f96a357c94666847da16e4c2e408db7fc19875d827bcdbe601538fd1173842eb10093a439a8565cc353df9e64
SSDEEP

12288:Et8vVED3Bk0Mr9Vif7/F1hIIaYHuvAIS26:Et+gvMpVij/F1hV5HuvAIs

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1972	achsv.exe
1480	COM7.EXE
1720	COM7.EXE
1816	achsv.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PDF FoxitReader.exe	COM7.EXE

Loads dropped DLL 8 IoCs

pid	Process
1708	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
1708	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
1708	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
1708	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
1972	achsv.exe
1972	achsv.exe
1480	COM7.EXE
1480	COM7.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\COMLOADER = "\\\\.\\C:\\Program Files\\FoxitReader\\bin\\COM7.EXE"	reg.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\FoxitReader\bin\COM7.EXE	COM7.EXE
File created	C:\Program Files\FoxitReader\FoxitReader.exe	COM7.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1636	reg.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
1708	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
1972	achsv.exe
1480	COM7.EXE
1708	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
1720	COM7.EXE
1708	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
1708	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
1708	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
1816	achsv.exe
1708	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
1708	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
1708	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
1708	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
1708	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
1480	COM7.EXE
1708	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
1480	COM7.EXE
1708	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
1480	COM7.EXE
1708	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
1480	COM7.EXE
1708	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
1480	COM7.EXE
1708	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
1480	COM7.EXE
1708	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
1480	COM7.EXE
1708	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
1480	COM7.EXE
1708	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
1480	COM7.EXE
1708	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
1480	COM7.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1972	achsv.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1972	1708	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe	27
PID 1708 wrote to memory of 1972	1708	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe	27
PID 1708 wrote to memory of 1972	1708	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe	27
PID 1708 wrote to memory of 1972	1708	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe	27
PID 1708 wrote to memory of 1480	1708	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe	28
PID 1708 wrote to memory of 1480	1708	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe	28
PID 1708 wrote to memory of 1480	1708	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe	28
PID 1708 wrote to memory of 1480	1708	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe	28
PID 1972 wrote to memory of 1720	1972	achsv.exe	29
PID 1972 wrote to memory of 1720	1972	achsv.exe	29
PID 1972 wrote to memory of 1720	1972	achsv.exe	29
PID 1972 wrote to memory of 1720	1972	achsv.exe	29
PID 1480 wrote to memory of 1636	1480	COM7.EXE	30
PID 1480 wrote to memory of 1636	1480	COM7.EXE	30
PID 1480 wrote to memory of 1636	1480	COM7.EXE	30
PID 1480 wrote to memory of 1636	1480	COM7.EXE	30
PID 1480 wrote to memory of 1816	1480	COM7.EXE	32
PID 1480 wrote to memory of 1816	1480	COM7.EXE	32
PID 1480 wrote to memory of 1816	1480	COM7.EXE	32
PID 1480 wrote to memory of 1816	1480	COM7.EXE	32

C:\Users\Admin\AppData\Local\Temp\eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
"C:\Users\Admin\AppData\Local\Temp\eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
  \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
    \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1720
- C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
  \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v COMLOADER /d "\\.\C:\Program Files\FoxitReader\bin\COM7.EXE"
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1636
- - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
    \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
392KB

MD5
fe2517383c9007bfdfcf0212ef052754

SHA1
abeb5b538ec3a98266113429966813dc3779d507

SHA256
3a0abbf1fafade96f2b8b820b794f7ae4e164db8007e3916d4dab95413ad9c6b

SHA512
92519dd81be85478fbcc13834c75eae5ab026813e2b83a608eff5a787cfe1dda2ccda543333e9b41fafd0472fdcaef6701ff24527b3cf8d4292fda1e1a4b3945

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
392KB

MD5
fe2517383c9007bfdfcf0212ef052754

SHA1
abeb5b538ec3a98266113429966813dc3779d507

SHA256
3a0abbf1fafade96f2b8b820b794f7ae4e164db8007e3916d4dab95413ad9c6b

SHA512
92519dd81be85478fbcc13834c75eae5ab026813e2b83a608eff5a787cfe1dda2ccda543333e9b41fafd0472fdcaef6701ff24527b3cf8d4292fda1e1a4b3945

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
392KB

MD5
fe2517383c9007bfdfcf0212ef052754

SHA1
abeb5b538ec3a98266113429966813dc3779d507

SHA256
3a0abbf1fafade96f2b8b820b794f7ae4e164db8007e3916d4dab95413ad9c6b

SHA512
92519dd81be85478fbcc13834c75eae5ab026813e2b83a608eff5a787cfe1dda2ccda543333e9b41fafd0472fdcaef6701ff24527b3cf8d4292fda1e1a4b3945

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
392KB

MD5
37af269fa8f2f0136bb246ff3e0e805e

SHA1
22cc71b4de092bd19a12e9a677869984e1481070

SHA256
5f4cce123877b1434b33972f66ebfb59cbd9972b72d014b6550bf1cd80d18f09

SHA512
4456c3ba4bd5859d8731ad1e1d09523f203437a5962222b8496d08845adc04d2c46872bd5156ff44fe733cfcbc41915d15cd533aa5cc87cf3f43c8a7b20d1e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
392KB

MD5
37af269fa8f2f0136bb246ff3e0e805e

SHA1
22cc71b4de092bd19a12e9a677869984e1481070

SHA256
5f4cce123877b1434b33972f66ebfb59cbd9972b72d014b6550bf1cd80d18f09

SHA512
4456c3ba4bd5859d8731ad1e1d09523f203437a5962222b8496d08845adc04d2c46872bd5156ff44fe733cfcbc41915d15cd533aa5cc87cf3f43c8a7b20d1e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
392KB

MD5
37af269fa8f2f0136bb246ff3e0e805e

SHA1
22cc71b4de092bd19a12e9a677869984e1481070

SHA256
5f4cce123877b1434b33972f66ebfb59cbd9972b72d014b6550bf1cd80d18f09

SHA512
4456c3ba4bd5859d8731ad1e1d09523f203437a5962222b8496d08845adc04d2c46872bd5156ff44fe733cfcbc41915d15cd533aa5cc87cf3f43c8a7b20d1e1b

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
392KB

MD5
fe2517383c9007bfdfcf0212ef052754

SHA1
abeb5b538ec3a98266113429966813dc3779d507

SHA256
3a0abbf1fafade96f2b8b820b794f7ae4e164db8007e3916d4dab95413ad9c6b

SHA512
92519dd81be85478fbcc13834c75eae5ab026813e2b83a608eff5a787cfe1dda2ccda543333e9b41fafd0472fdcaef6701ff24527b3cf8d4292fda1e1a4b3945

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
392KB

MD5
fe2517383c9007bfdfcf0212ef052754

SHA1
abeb5b538ec3a98266113429966813dc3779d507

SHA256
3a0abbf1fafade96f2b8b820b794f7ae4e164db8007e3916d4dab95413ad9c6b

SHA512
92519dd81be85478fbcc13834c75eae5ab026813e2b83a608eff5a787cfe1dda2ccda543333e9b41fafd0472fdcaef6701ff24527b3cf8d4292fda1e1a4b3945

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
392KB

MD5
fe2517383c9007bfdfcf0212ef052754

SHA1
abeb5b538ec3a98266113429966813dc3779d507

SHA256
3a0abbf1fafade96f2b8b820b794f7ae4e164db8007e3916d4dab95413ad9c6b

SHA512
92519dd81be85478fbcc13834c75eae5ab026813e2b83a608eff5a787cfe1dda2ccda543333e9b41fafd0472fdcaef6701ff24527b3cf8d4292fda1e1a4b3945

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
392KB

MD5
fe2517383c9007bfdfcf0212ef052754

SHA1
abeb5b538ec3a98266113429966813dc3779d507

SHA256
3a0abbf1fafade96f2b8b820b794f7ae4e164db8007e3916d4dab95413ad9c6b

SHA512
92519dd81be85478fbcc13834c75eae5ab026813e2b83a608eff5a787cfe1dda2ccda543333e9b41fafd0472fdcaef6701ff24527b3cf8d4292fda1e1a4b3945

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
392KB

MD5
37af269fa8f2f0136bb246ff3e0e805e

SHA1
22cc71b4de092bd19a12e9a677869984e1481070

SHA256
5f4cce123877b1434b33972f66ebfb59cbd9972b72d014b6550bf1cd80d18f09

SHA512
4456c3ba4bd5859d8731ad1e1d09523f203437a5962222b8496d08845adc04d2c46872bd5156ff44fe733cfcbc41915d15cd533aa5cc87cf3f43c8a7b20d1e1b

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
392KB

MD5
37af269fa8f2f0136bb246ff3e0e805e

SHA1
22cc71b4de092bd19a12e9a677869984e1481070

SHA256
5f4cce123877b1434b33972f66ebfb59cbd9972b72d014b6550bf1cd80d18f09

SHA512
4456c3ba4bd5859d8731ad1e1d09523f203437a5962222b8496d08845adc04d2c46872bd5156ff44fe733cfcbc41915d15cd533aa5cc87cf3f43c8a7b20d1e1b

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
392KB

MD5
37af269fa8f2f0136bb246ff3e0e805e

SHA1
22cc71b4de092bd19a12e9a677869984e1481070

SHA256
5f4cce123877b1434b33972f66ebfb59cbd9972b72d014b6550bf1cd80d18f09

SHA512
4456c3ba4bd5859d8731ad1e1d09523f203437a5962222b8496d08845adc04d2c46872bd5156ff44fe733cfcbc41915d15cd533aa5cc87cf3f43c8a7b20d1e1b

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
392KB

MD5
37af269fa8f2f0136bb246ff3e0e805e

SHA1
22cc71b4de092bd19a12e9a677869984e1481070

SHA256
5f4cce123877b1434b33972f66ebfb59cbd9972b72d014b6550bf1cd80d18f09

SHA512
4456c3ba4bd5859d8731ad1e1d09523f203437a5962222b8496d08845adc04d2c46872bd5156ff44fe733cfcbc41915d15cd533aa5cc87cf3f43c8a7b20d1e1b

Download Submit
memory/1708-54-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download