d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb

Analysis

max time kernel
152s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 16:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
Size

392KB
MD5

82805fe0c771d3d7660012d0e5d63060
SHA1

e762d3caf6d045e66f2d9ba5a2ce3bd65c0b6600
SHA256

d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb
SHA512

aadc35efe7618be3c2b344063146091916223402ab75b824f1fc9520355c7292ab0e6f78fb25748e4b56199d0592e3f136806516a23cae3e1be41f326740c44d
SSDEEP

12288:tt8vVED3Bk0Mr9Vif7/F1hIIaYHuvAIS23:tt+gvMpVij/F1hV5HuvAId

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2364	achsv.exe
4620	COM7.EXE
3828	COM7.EXE
4780	achsv.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	COM7.EXE

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PDF FoxitReader.exe	COM7.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\COMLOADER = "\\\\.\\C:\\Program Files\\FoxitReader\\bin\\COM7.EXE"	reg.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\FoxitReader\bin\COM7.EXE	COM7.EXE
File created	C:\Program Files\FoxitReader\FoxitReader.exe	COM7.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2808	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
2364	achsv.exe
2364	achsv.exe
4620	COM7.EXE
4620	COM7.EXE
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
3828	COM7.EXE
3828	COM7.EXE
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
4780	achsv.exe
4780	achsv.exe
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
4620	COM7.EXE
4620	COM7.EXE
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
4620	COM7.EXE
4620	COM7.EXE
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
4620	COM7.EXE
4620	COM7.EXE
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
4620	COM7.EXE
4620	COM7.EXE
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
4620	COM7.EXE
4620	COM7.EXE
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2364	achsv.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 892 wrote to memory of 2364	892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe	79
PID 892 wrote to memory of 2364	892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe	79
PID 892 wrote to memory of 2364	892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe	79
PID 892 wrote to memory of 4620	892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe	80
PID 892 wrote to memory of 4620	892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe	80
PID 892 wrote to memory of 4620	892	d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe	80
PID 2364 wrote to memory of 3828	2364	achsv.exe	84
PID 2364 wrote to memory of 3828	2364	achsv.exe	84
PID 2364 wrote to memory of 3828	2364	achsv.exe	84
PID 4620 wrote to memory of 2808	4620	COM7.EXE	85
PID 4620 wrote to memory of 2808	4620	COM7.EXE	85
PID 4620 wrote to memory of 2808	4620	COM7.EXE	85
PID 4620 wrote to memory of 4780	4620	COM7.EXE	88
PID 4620 wrote to memory of 4780	4620	COM7.EXE	88
PID 4620 wrote to memory of 4780	4620	COM7.EXE	88

C:\Users\Admin\AppData\Local\Temp\d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe
"C:\Users\Admin\AppData\Local\Temp\d34288be36729f88516878d0a153bddb88959be609f0d913114f9dbaa9701efb.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:892
- C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
  \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
    \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3828
- C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
  \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops startup file
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4620
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v COMLOADER /d "\\.\C:\Program Files\FoxitReader\bin\COM7.EXE"
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2808
- - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
    \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
392KB

MD5
22ec4a5d682705facf85c52b4937239b

SHA1
394539ef2103fb7080668b876f03e58bb1c1a8de

SHA256
091215dc7fa868e87b982b9836cbf4e15344717f41d439a036f93ab026aac1ba

SHA512
f9ac6f90ddcb0b012a5c8ab9ee8293f1695f4aa46ca01775110526106363d8c99a4452ef0d44fdb9ce93e0ed5593b39d4a407cfefd66dd21b29bdd1c6ae763e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
392KB

MD5
22ec4a5d682705facf85c52b4937239b

SHA1
394539ef2103fb7080668b876f03e58bb1c1a8de

SHA256
091215dc7fa868e87b982b9836cbf4e15344717f41d439a036f93ab026aac1ba

SHA512
f9ac6f90ddcb0b012a5c8ab9ee8293f1695f4aa46ca01775110526106363d8c99a4452ef0d44fdb9ce93e0ed5593b39d4a407cfefd66dd21b29bdd1c6ae763e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
392KB

MD5
22ec4a5d682705facf85c52b4937239b

SHA1
394539ef2103fb7080668b876f03e58bb1c1a8de

SHA256
091215dc7fa868e87b982b9836cbf4e15344717f41d439a036f93ab026aac1ba

SHA512
f9ac6f90ddcb0b012a5c8ab9ee8293f1695f4aa46ca01775110526106363d8c99a4452ef0d44fdb9ce93e0ed5593b39d4a407cfefd66dd21b29bdd1c6ae763e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
392KB

MD5
0f8d76da53f8f78f24f48c794b228f59

SHA1
a28de301142a01a9077d2bf2eeef70781079deba

SHA256
97d81dbcb27f299cbca9da3e81fe2d1350b8c65d8eed49695b9e37add2ed226b

SHA512
f11d95a375ca9f2027e45215efe61f7718fe64191b62dc73332671fa5a7dd149e4134140df1972dc81a437853df6e6e0fc3e4cf6382ea9f0a56e085aad56a51d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
392KB

MD5
0f8d76da53f8f78f24f48c794b228f59

SHA1
a28de301142a01a9077d2bf2eeef70781079deba

SHA256
97d81dbcb27f299cbca9da3e81fe2d1350b8c65d8eed49695b9e37add2ed226b

SHA512
f11d95a375ca9f2027e45215efe61f7718fe64191b62dc73332671fa5a7dd149e4134140df1972dc81a437853df6e6e0fc3e4cf6382ea9f0a56e085aad56a51d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
392KB

MD5
0f8d76da53f8f78f24f48c794b228f59

SHA1
a28de301142a01a9077d2bf2eeef70781079deba

SHA256
97d81dbcb27f299cbca9da3e81fe2d1350b8c65d8eed49695b9e37add2ed226b

SHA512
f11d95a375ca9f2027e45215efe61f7718fe64191b62dc73332671fa5a7dd149e4134140df1972dc81a437853df6e6e0fc3e4cf6382ea9f0a56e085aad56a51d

Download Submit