eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e

General

Target

eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
Size

392KB
MD5

51d8233383c4f3da02361ef625c09a42
SHA1

aa112dae8bb3233367fa7fa4c0c4fdf2236dc290
SHA256

eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e
SHA512

b957eb31b2ca46ec87eb1f3f61772c8e6bab921f96a357c94666847da16e4c2e408db7fc19875d827bcdbe601538fd1173842eb10093a439a8565cc353df9e64
SSDEEP

12288:Et8vVED3Bk0Mr9Vif7/F1hIIaYHuvAIS26:Et+gvMpVij/F1hV5HuvAIs

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2760	achsv.exe
2768	COM7.EXE
3908	achsv.exe
3504	COM7.EXE

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	COM7.EXE

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PDF FoxitReader.exe	COM7.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\COMLOADER = "\\\\.\\C:\\Program Files\\FoxitReader\\bin\\COM7.EXE"	reg.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\FoxitReader\bin\COM7.EXE	COM7.EXE
File created	C:\Program Files\FoxitReader\FoxitReader.exe	COM7.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1040	reg.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
3356	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
3356	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
2760	achsv.exe
2760	achsv.exe
2768	COM7.EXE
2768	COM7.EXE
3356	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
3356	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
3356	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
3356	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
3356	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
3356	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
3908	achsv.exe
3908	achsv.exe
3356	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
3356	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
3504	COM7.EXE
3504	COM7.EXE
3356	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
3356	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
3356	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
3356	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
3356	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
3356	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
3356	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
3356	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
3356	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
3356	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
3356	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
3356	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
2768	COM7.EXE
2768	COM7.EXE
3356	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
3356	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
2768	COM7.EXE
2768	COM7.EXE
3356	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
3356	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
2768	COM7.EXE
2768	COM7.EXE
3356	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
3356	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
2768	COM7.EXE
2768	COM7.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2760	achsv.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3356 wrote to memory of 2760	3356	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe	82
PID 3356 wrote to memory of 2760	3356	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe	82
PID 3356 wrote to memory of 2760	3356	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe	82
PID 3356 wrote to memory of 2768	3356	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe	83
PID 3356 wrote to memory of 2768	3356	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe	83
PID 3356 wrote to memory of 2768	3356	eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe	83
PID 2768 wrote to memory of 1040	2768	COM7.EXE	90
PID 2768 wrote to memory of 1040	2768	COM7.EXE	90
PID 2768 wrote to memory of 1040	2768	COM7.EXE	90
PID 2768 wrote to memory of 3908	2768	COM7.EXE	92
PID 2768 wrote to memory of 3908	2768	COM7.EXE	92
PID 2768 wrote to memory of 3908	2768	COM7.EXE	92
PID 2760 wrote to memory of 3504	2760	achsv.exe	93
PID 2760 wrote to memory of 3504	2760	achsv.exe	93
PID 2760 wrote to memory of 3504	2760	achsv.exe	93

C:\Users\Admin\AppData\Local\Temp\eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe
"C:\Users\Admin\AppData\Local\Temp\eef336425ec990a798ea694dc2f5590195edc3f360046fa23cfd62663b3ebb4e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
  \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
    \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3504
- C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
  \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops startup file
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v COMLOADER /d "\\.\C:\Program Files\FoxitReader\bin\COM7.EXE"
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1040
- - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
    \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
392KB

MD5
7f32cb298441402214d95be5c75a8699

SHA1
b4d8386f97f9af6543e02d01d2d0350ddfca59af

SHA256
7ebe5c39210b5fa143273fbe7c82ecd7821c78c166b060e436d553d8f9f6f757

SHA512
a8a6bbcb4a62b346143e2a77202aa7bfeb26d6c96312313fe45cf450b93b101e142b965d34f3f8fb0a3296e4111fd8747eeb2ef06bbcff8fdf418b4e3b87357d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
392KB

MD5
7f32cb298441402214d95be5c75a8699

SHA1
b4d8386f97f9af6543e02d01d2d0350ddfca59af

SHA256
7ebe5c39210b5fa143273fbe7c82ecd7821c78c166b060e436d553d8f9f6f757

SHA512
a8a6bbcb4a62b346143e2a77202aa7bfeb26d6c96312313fe45cf450b93b101e142b965d34f3f8fb0a3296e4111fd8747eeb2ef06bbcff8fdf418b4e3b87357d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
392KB

MD5
7f32cb298441402214d95be5c75a8699

SHA1
b4d8386f97f9af6543e02d01d2d0350ddfca59af

SHA256
7ebe5c39210b5fa143273fbe7c82ecd7821c78c166b060e436d553d8f9f6f757

SHA512
a8a6bbcb4a62b346143e2a77202aa7bfeb26d6c96312313fe45cf450b93b101e142b965d34f3f8fb0a3296e4111fd8747eeb2ef06bbcff8fdf418b4e3b87357d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
392KB

MD5
4d8cbbe4a04181c28edb913d69000ea7

SHA1
baf4969a565c9f4795adfbe1fd64a4c2a054602c

SHA256
af7ce5ca9eec4b9c3f8048bd0532a5938405ab607466c8ddd130fff1ba2e26af

SHA512
049e1f828ee61904e36f164c15975421748bac6a18700bf237be0d1923d62f2e7ec491fbbf39098bd25f285b22ac194f4620dc5ba2c6debf00886b0d6fa34aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
392KB

MD5
4d8cbbe4a04181c28edb913d69000ea7

SHA1
baf4969a565c9f4795adfbe1fd64a4c2a054602c

SHA256
af7ce5ca9eec4b9c3f8048bd0532a5938405ab607466c8ddd130fff1ba2e26af

SHA512
049e1f828ee61904e36f164c15975421748bac6a18700bf237be0d1923d62f2e7ec491fbbf39098bd25f285b22ac194f4620dc5ba2c6debf00886b0d6fa34aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
392KB

MD5
4d8cbbe4a04181c28edb913d69000ea7

SHA1
baf4969a565c9f4795adfbe1fd64a4c2a054602c

SHA256
af7ce5ca9eec4b9c3f8048bd0532a5938405ab607466c8ddd130fff1ba2e26af

SHA512
049e1f828ee61904e36f164c15975421748bac6a18700bf237be0d1923d62f2e7ec491fbbf39098bd25f285b22ac194f4620dc5ba2c6debf00886b0d6fa34aa7

Download Submit
memory/1040-138-0x0000000000000000-mapping.dmp

Download
memory/2760-132-0x0000000000000000-mapping.dmp

Download
memory/2768-135-0x0000000000000000-mapping.dmp

Download
memory/3504-141-0x0000000000000000-mapping.dmp

Download
memory/3908-139-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads