Analysis
- max time kernel: 152s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/10/2022, 16:12
Static task
- static1
Behavioral tasks
- behavioral1: sample d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe, resource win7-20220812-en
- behavioral2: sample d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe, resource win10v2004-20220812-en (the run reported on this page)
General
- Target: d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
- Size: 392KB
- MD5: 82805fe0c771d3d7660012d0e5d63060
- SHA1: e762d3caf6d045e66f2d9ba5a2ce3bd65c0b6600
- SHA256: d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb
- SHA512: aadc35efe7618be3c2b344063146091916223402ab75b824f1fc9520355c7292ab0e6f78fb25748e4b56199d0592e3f136806516a23cae3e1be41f326740c44d
- SSDEEP: 12288:tt8vVED3Bk0Mr9Vif7/F1hIIaYHuvAIS23:tt+gvMpVij/F1hV5HuvAId
Malware Config
Signatures
- Executes dropped EXE (4 IoCs)
  pid / process: 2364 achsv.exe; 4620 COM7.EXE; 3828 COM7.EXE; 4780 achsv.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation (process: COM7.EXE)
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PDF FoxitReader.exe (process: COM7.EXE)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (process: reg.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\COMLOADER = "\\.\C:\Program Files\FoxitReader\bin\COM7.EXE" (process: reg.exe)
  The value carries the Win32 device-namespace prefix \\.\ in front of the drive letter. Windows opens the same file as C:\Program Files\FoxitReader\bin\COM7.EXE, so detection that matches Run values against plain drive-letter paths will miss it unless the prefix is stripped first.
- Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files\FoxitReader\bin\COM7.EXE (process: COM7.EXE)
  File created: C:\Program Files\FoxitReader\FoxitReader.exe (process: COM7.EXE)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The signature text calls this likely ransomware behaviour, but no IoCs are recorded for it and the report lists no file-encryption or ransom-note indicators, so treat it as a weak signal in this run.
- Modifies registry key (1 TTP, 1 IoC)
  pid / process: 2808 reg.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  The table repeats pid/process pairs for PID 892 (the sample), 2364 and 4780 (achsv.exe), and 4620 and 3828 (COM7.EXE); the large majority of the 64 entries are from PID 892.
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid / process: 2364 achsv.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Five parent/child pairs, each recorded three times:
  PID 892 (sample) wrote to memory of 2364 (achsv.exe), procid_target 79
  PID 892 (sample) wrote to memory of 4620 (COM7.EXE), procid_target 80
  PID 2364 (achsv.exe) wrote to memory of 3828 (COM7.EXE), procid_target 84
  PID 4620 (COM7.EXE) wrote to memory of 2808 (reg.exe), procid_target 85
  PID 4620 (COM7.EXE) wrote to memory of 4780 (achsv.exe), procid_target 88
  In every case the target is a direct child of the writer in the process tree below, which is consistent with the writes that accompany ordinary process creation; nothing here shows injection into an unrelated process.
Processes
1. C:\Users\Admin\AppData\Local\Temp\d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe (PID 892)
   Command line: "C:\Users\Admin\AppData\Local\Temp\d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe (PID 2364)
      Command line: \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE (PID 3828)
         Command line: \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
   2. C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE (PID 4620)
      Command line: \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
      - Executes dropped EXE
      - Checks computer location settings
      - Drops startup file
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\reg.exe (PID 2808)
         Command line: "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v COMLOADER /d "\\.\C:\Program Files\FoxitReader\bin\COM7.EXE"
         - Adds Run key to start application
         - Modifies registry key
      3. C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe (PID 4780)
         Command line: \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses

Notes on the tree:
- The dropped binaries run from Rar$EX7.src777 under %TEMP%. That directory name matches the temporary extraction folder pattern WinRAR uses, which is consistent with the sample being a self-extracting RAR archive that unpacks and launches achsv.exe and COM7.EXE; the report itself does not identify the packer.
- reg.exe is launched as "C:\Windows\System32\reg.exe" but the recorded image is C:\Windows\SysWOW64\reg.exe: the parent is 32-bit (resource tag arch:x86) and WoW64 file system redirection maps System32 to SysWOW64, so command line and image path legitimately differ.
- Every dropped-EXE command line, and the persisted Run value, prefixes the drive letter with \\.\. Windows resolves \\.\C:\... and C:\... to the same file, so path-based rules should strip \\.\ (and \\?\) before matching.
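Added example, not part of the Triage report or of the sample: the persistence and geofence signatures above expressed as detection rules over Sysmon-style process, registry and file events. The event dictionaries and their field names ("type", "cmdline", "key", "value", "path") are an assumed schema, and SAMPLE_EVENTS are constructed from the IoCs in this report rather than captured telemetry. The rules parse the reg.exe ADD command line, match Run/RunOnce keys and the per-user Startup folder, flag the Geo\Nation lookup, and strip the \\.\ device-namespace prefix so the COMLOADER value is reported by its real path.

```python
"""
Added detection example (not part of the Triage report): the persistence and
geofence signatures as rules over Sysmon-style events. The event schema and
SAMPLE_EVENTS below are constructed from the report's IoCs; the field names
"type", "cmdline", "key", "value", "path" are assumptions, not Sysmon's own.
"""
import re
from typing import Dict, List, Optional, Tuple

# Run / RunOnce under HKCU or HKLM, matched as the key itself or a value beneath it.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?(?:\\|$)", re.I)
# Per-user Startup folder: anything written here executes at the next logon.
STARTUP_DIR_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Country code the sample queried (flagged by Triage as a likely geofence).
GEO_NATION_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# reg.exe ADD <key> ... /v <name> ... /d <data>; switches may appear in any order.
REG_ADD_RE = re.compile(r'\breg(?:\.exe)?"?\s+add\s+(?P<key>"[^"]*"|\S+)', re.I)
REG_SWITCH_RE = re.compile(r'/(?P<sw>[vd])\s+(?P<val>"[^"]*"|\S+)', re.I)
# Win32 device-namespace prefixes: \\.\C:\x and C:\x open the same file.
DEVICE_PREFIXES = ("\\\\.\\", "\\\\?\\")


def normalize_path(path: str) -> str:
    r"""Strip surrounding quotes and a leading \\.\ or \\?\ so path rules see the real location."""
    path = path.strip().strip('"')
    for prefix in DEVICE_PREFIXES:
        if path.startswith(prefix):
            return path[len(prefix):]
    return path


def parse_reg_add(cmdline: str) -> Optional[Tuple[str, Optional[str], Optional[str]]]:
    """Return (key, value_name, data) from a reg.exe ADD command line, or None if it is not one."""
    m = REG_ADD_RE.search(cmdline)
    if not m:
        return None
    key = m.group("key").strip('"')
    switches = {sw.lower(): val.strip('"') for sw, val in REG_SWITCH_RE.findall(cmdline[m.end():])}
    return key, switches.get("v"), switches.get("d")


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Apply every rule to the events; return (rule_name, detail) pairs in event order."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        kind = ev["type"]
        if kind == "process":
            parsed = parse_reg_add(ev["cmdline"])
            if parsed and RUN_KEY_RE.search(parsed[0]):
                key, name, data = parsed
                findings.append(("run_key_via_reg_exe",
                                 f"pid {ev['pid']}: {key}\\{name} = {normalize_path(data or '')}"))
        elif kind == "registry_set" and RUN_KEY_RE.search(ev["key"]):
            findings.append(("run_key_set", f"{ev['key']} = {normalize_path(ev['value'])}"))
        elif kind == "registry_query" and GEO_NATION_RE.search(ev["key"]):
            findings.append(("geo_nation_lookup", f"{ev['process']} read {ev['key']}"))
        elif kind == "file_create" and STARTUP_DIR_RE.search(ev["path"]):
            findings.append(("startup_folder_drop", f"{ev['process']} wrote {normalize_path(ev['path'])}"))
    return findings


SID = "S-1-5-21-2629973501-4017243118-3254762364-1000"
# Constructed events mirroring the IoCs in this report (not captured telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "pid": "2808", "process": "reg.exe",
     "cmdline": '"C:\\Windows\\System32\\reg.exe" ADD HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run '
                '/f /t REG_SZ /v COMLOADER /d "\\\\.\\C:\\Program Files\\FoxitReader\\bin\\COM7.EXE"'},
    {"type": "registry_set", "process": "reg.exe",
     "key": f"\\REGISTRY\\USER\\{SID}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\COMLOADER",
     "value": "\\\\.\\C:\\Program Files\\FoxitReader\\bin\\COM7.EXE"},
    {"type": "registry_query", "process": "COM7.EXE",
     "key": f"\\REGISTRY\\USER\\{SID}\\Control Panel\\International\\Geo\\Nation"},
    {"type": "file_create", "process": "COM7.EXE",
     "path": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\PDF FoxitReader.exe"},
    # Same process writing under Program Files: not a startup location, so no finding.
    {"type": "file_create", "process": "COM7.EXE",
     "path": "C:\\Program Files\\FoxitReader\\bin\\COM7.EXE"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Running the block prints four findings for the constructed events (the reg.exe command line, the resulting Run value, the Geo\Nation query and the Startup-folder drop) and nothing for the Program Files copy. Matching on the command line and on the registry write separately is deliberate: the first fires even if registry auditing is off, the second catches Run values set without reg.exe.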
Network
MITRE ATT&CK Enterprise v6
Downloads
Two distinct dropped files (each listed three times in the report; duplicates collapsed here). Both are 392KB, the same size as the submitted sample, but with different hashes.
- Filesize: 392KB
  MD5: 22ec4a5d682705facf85c52b4937239b
  SHA1: 394539ef2103fb7080668b876f03e58bb1c1a8de
  SHA256: 091215dc7fa868e87b982b9836cbf4e15344717f41d439a036f93ab026aac1ba
  SHA512: f9ac6f90ddcb0b012a5c8ab9ee8293f1695f4aa46ca01775110526106363d8c99a4452ef0d44fdb9ce93e0ed5593b39d4a407cfefd66dd21b29bdd1c6ae763e2
- Filesize: 392KB
  MD5: 0f8d76da53f8f78f24f48c794b228f59
  SHA1: a28de301142a01a9077d2bf2eeef70781079deba
  SHA256: 97d81dbcb27f299cbca9da3e81fe2d1350b8c65d8eed49695b9e37add2ed226b
  SHA512: f11d95a375ca9f2027e45215efe61f7718fe64191b62dc73332671fa5a7dd149e4134140df1972dc81a437853df6e6e0fc3e4cf6382ea9f0a56e085aad56a51d