d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb

Analysis

max time kernel
152s
max time network
90s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 16:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
Size

392KB
MD5

82805fe0c771d3d7660012d0e5d63060
SHA1

e762d3caf6d045e66f2d9ba5a2ce3bd65c0b6600
SHA256

d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb
SHA512

aadc35efe7618be3c2b344063146091916223402ab75b824f1fc9520355c7292ab0e6f78fb25748e4b56199d0592e3f136806516a23cae3e1be41f326740c44d
SSDEEP

12288:tt8vVED3Bk0Mr9Vif7/F1hIIaYHuvAIS23:tt+gvMpVij/F1hV5HuvAId

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1976	achsv.exe
2040	COM7.EXE
1980	COM7.EXE
1748	achsv.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PDF FoxitReader.exe	achsv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PDF FoxitReader.exe	COM7.EXE

Loads dropped DLL 8 IoCs

pid	Process
968	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
968	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
968	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
968	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
1976	achsv.exe
1976	achsv.exe
2040	COM7.EXE
2040	COM7.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\COMLOADER = "\\\\.\\C:\\Program Files\\FoxitReader\\bin\\COM7.EXE"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\FoxitReader\bin\COM7.EXE	COM7.EXE
File created	C:\Program Files\FoxitReader\FoxitReader.exe	COM7.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1100	reg.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
968	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
1976	achsv.exe
2040	COM7.EXE
968	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
968	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
968	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
1980	COM7.EXE
968	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
968	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
968	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
968	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
1748	achsv.exe
968	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
968	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
968	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
968	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
2040	COM7.EXE
968	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
2040	COM7.EXE
968	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
2040	COM7.EXE
968	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
2040	COM7.EXE
968	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
2040	COM7.EXE
968	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
2040	COM7.EXE
968	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
2040	COM7.EXE
968	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
2040	COM7.EXE
968	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
2040	COM7.EXE
968	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
2040	COM7.EXE
968	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1976	achsv.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 968 wrote to memory of 1976	968	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe	27
PID 968 wrote to memory of 1976	968	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe	27
PID 968 wrote to memory of 1976	968	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe	27
PID 968 wrote to memory of 1976	968	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe	27
PID 968 wrote to memory of 2040	968	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe	28
PID 968 wrote to memory of 2040	968	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe	28
PID 968 wrote to memory of 2040	968	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe	28
PID 968 wrote to memory of 2040	968	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe	28
PID 1976 wrote to memory of 1980	1976	achsv.exe	29
PID 1976 wrote to memory of 1980	1976	achsv.exe	29
PID 1976 wrote to memory of 1980	1976	achsv.exe	29
PID 1976 wrote to memory of 1980	1976	achsv.exe	29
PID 2040 wrote to memory of 1100	2040	COM7.EXE	30
PID 2040 wrote to memory of 1100	2040	COM7.EXE	30
PID 2040 wrote to memory of 1100	2040	COM7.EXE	30
PID 2040 wrote to memory of 1100	2040	COM7.EXE	30
PID 2040 wrote to memory of 1748	2040	COM7.EXE	32
PID 2040 wrote to memory of 1748	2040	COM7.EXE	32
PID 2040 wrote to memory of 1748	2040	COM7.EXE	32
PID 2040 wrote to memory of 1748	2040	COM7.EXE	32

C:\Users\Admin\AppData\Local\Temp\d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
"C:\Users\Admin\AppData\Local\Temp\d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:968
- C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
  \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
    \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1980
- C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
  \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v COMLOADER /d "\\.\C:\Program Files\FoxitReader\bin\COM7.EXE"
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1100
- - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
    \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
392KB

MD5
7fea966d846b91cd0e1dfa19145dd29f

SHA1
1991f0b24061e46a23271ee2040c153cf5ca53c3

SHA256
7e24965e317ef3878d6f9069861ceeaf22bcc765ad5636ad624c04de997b531a

SHA512
b3c08c1d38d7d02e465e8f493f4643bd0344341643c7d8db03e2751306e748608ca3a79c0d585840d99811b357229907f35e1b98c811512646209ceec160c576

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
392KB

MD5
7fea966d846b91cd0e1dfa19145dd29f

SHA1
1991f0b24061e46a23271ee2040c153cf5ca53c3

SHA256
7e24965e317ef3878d6f9069861ceeaf22bcc765ad5636ad624c04de997b531a

SHA512
b3c08c1d38d7d02e465e8f493f4643bd0344341643c7d8db03e2751306e748608ca3a79c0d585840d99811b357229907f35e1b98c811512646209ceec160c576

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
392KB

MD5
7fea966d846b91cd0e1dfa19145dd29f

SHA1
1991f0b24061e46a23271ee2040c153cf5ca53c3

SHA256
7e24965e317ef3878d6f9069861ceeaf22bcc765ad5636ad624c04de997b531a

SHA512
b3c08c1d38d7d02e465e8f493f4643bd0344341643c7d8db03e2751306e748608ca3a79c0d585840d99811b357229907f35e1b98c811512646209ceec160c576

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
392KB

MD5
561f24a4e09b57c56909bcce5ea5a924

SHA1
f987f1b19a8b129160e760df67c8d5eea27166a3

SHA256
bbd90fa5b5f6c5edd400950043b97a3a3255508bdefd350e66a84ad2a21d3419

SHA512
69f88b6516178be98ba7f7c837cfcbe3691ba38a6508bcf33eb30e1ef94045018390750ba68ae9299fe1dfd76cdad4aa02eab4b1178359d527caf26bb88c8dcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
392KB

MD5
561f24a4e09b57c56909bcce5ea5a924

SHA1
f987f1b19a8b129160e760df67c8d5eea27166a3

SHA256
bbd90fa5b5f6c5edd400950043b97a3a3255508bdefd350e66a84ad2a21d3419

SHA512
69f88b6516178be98ba7f7c837cfcbe3691ba38a6508bcf33eb30e1ef94045018390750ba68ae9299fe1dfd76cdad4aa02eab4b1178359d527caf26bb88c8dcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
392KB

MD5
561f24a4e09b57c56909bcce5ea5a924

SHA1
f987f1b19a8b129160e760df67c8d5eea27166a3

SHA256
bbd90fa5b5f6c5edd400950043b97a3a3255508bdefd350e66a84ad2a21d3419

SHA512
69f88b6516178be98ba7f7c837cfcbe3691ba38a6508bcf33eb30e1ef94045018390750ba68ae9299fe1dfd76cdad4aa02eab4b1178359d527caf26bb88c8dcb

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
392KB

MD5
7fea966d846b91cd0e1dfa19145dd29f

SHA1
1991f0b24061e46a23271ee2040c153cf5ca53c3

SHA256
7e24965e317ef3878d6f9069861ceeaf22bcc765ad5636ad624c04de997b531a

SHA512
b3c08c1d38d7d02e465e8f493f4643bd0344341643c7d8db03e2751306e748608ca3a79c0d585840d99811b357229907f35e1b98c811512646209ceec160c576

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
392KB

MD5
7fea966d846b91cd0e1dfa19145dd29f

SHA1
1991f0b24061e46a23271ee2040c153cf5ca53c3

SHA256
7e24965e317ef3878d6f9069861ceeaf22bcc765ad5636ad624c04de997b531a

SHA512
b3c08c1d38d7d02e465e8f493f4643bd0344341643c7d8db03e2751306e748608ca3a79c0d585840d99811b357229907f35e1b98c811512646209ceec160c576

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
392KB

MD5
7fea966d846b91cd0e1dfa19145dd29f

SHA1
1991f0b24061e46a23271ee2040c153cf5ca53c3

SHA256
7e24965e317ef3878d6f9069861ceeaf22bcc765ad5636ad624c04de997b531a

SHA512
b3c08c1d38d7d02e465e8f493f4643bd0344341643c7d8db03e2751306e748608ca3a79c0d585840d99811b357229907f35e1b98c811512646209ceec160c576

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
392KB

MD5
7fea966d846b91cd0e1dfa19145dd29f

SHA1
1991f0b24061e46a23271ee2040c153cf5ca53c3

SHA256
7e24965e317ef3878d6f9069861ceeaf22bcc765ad5636ad624c04de997b531a

SHA512
b3c08c1d38d7d02e465e8f493f4643bd0344341643c7d8db03e2751306e748608ca3a79c0d585840d99811b357229907f35e1b98c811512646209ceec160c576

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
392KB

MD5
561f24a4e09b57c56909bcce5ea5a924

SHA1
f987f1b19a8b129160e760df67c8d5eea27166a3

SHA256
bbd90fa5b5f6c5edd400950043b97a3a3255508bdefd350e66a84ad2a21d3419

SHA512
69f88b6516178be98ba7f7c837cfcbe3691ba38a6508bcf33eb30e1ef94045018390750ba68ae9299fe1dfd76cdad4aa02eab4b1178359d527caf26bb88c8dcb

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
392KB

MD5
561f24a4e09b57c56909bcce5ea5a924

SHA1
f987f1b19a8b129160e760df67c8d5eea27166a3

SHA256
bbd90fa5b5f6c5edd400950043b97a3a3255508bdefd350e66a84ad2a21d3419

SHA512
69f88b6516178be98ba7f7c837cfcbe3691ba38a6508bcf33eb30e1ef94045018390750ba68ae9299fe1dfd76cdad4aa02eab4b1178359d527caf26bb88c8dcb

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
392KB

MD5
561f24a4e09b57c56909bcce5ea5a924

SHA1
f987f1b19a8b129160e760df67c8d5eea27166a3

SHA256
bbd90fa5b5f6c5edd400950043b97a3a3255508bdefd350e66a84ad2a21d3419

SHA512
69f88b6516178be98ba7f7c837cfcbe3691ba38a6508bcf33eb30e1ef94045018390750ba68ae9299fe1dfd76cdad4aa02eab4b1178359d527caf26bb88c8dcb

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
392KB

MD5
561f24a4e09b57c56909bcce5ea5a924

SHA1
f987f1b19a8b129160e760df67c8d5eea27166a3

SHA256
bbd90fa5b5f6c5edd400950043b97a3a3255508bdefd350e66a84ad2a21d3419

SHA512
69f88b6516178be98ba7f7c837cfcbe3691ba38a6508bcf33eb30e1ef94045018390750ba68ae9299fe1dfd76cdad4aa02eab4b1178359d527caf26bb88c8dcb

Download Submit
memory/968-54-0x0000000076831000-0x0000000076833000-memory.dmp

Filesize
8KB

Download