475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3

Analysis

max time kernel
155s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 04:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe
Size

358KB
MD5

0d023b8420e8da7e672eb12c5f998220
SHA1

c533e5833866ff357dc313638375f38271a009b6
SHA256

475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3
SHA512

367a3532c48086b6270fd1be82a714504ae5d6c6459344707caf7b750e4f50604430b593641842e26f6ffa31bb5742dc522a82641e62644019e0f5e0549aae94
SSDEEP

6144:Rt8IhVYFVED7l08BkjIf0r9b5if7/F0ZiCs+9O8IKOCYppYHstwThjR34dy:Rt8vVED3Bk0Mr9Vif7/F1hIIaYHuvAdy

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2296	achsv.exe
4760	COM7.EXE
1244	COM7.EXE
2260	achsv.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	COM7.EXE

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PDF FoxitReader.exe	COM7.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\COMLOADER = "\\\\.\\C:\\Program Files\\FoxitReader\\bin\\COM7.EXE"	reg.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\FoxitReader\bin\COM7.EXE	COM7.EXE
File created	C:\Program Files\FoxitReader\FoxitReader.exe	COM7.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1232	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe
2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe
2296	achsv.exe
2296	achsv.exe
4760	COM7.EXE
4760	COM7.EXE
2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe
2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe
2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe
2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe
1244	COM7.EXE
1244	COM7.EXE
2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe
2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe
2260	achsv.exe
2260	achsv.exe
2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe
2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe
2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe
2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe
2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe
2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe
2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe
2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe
2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe
2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe
2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe
2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe
2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe
2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe
4760	COM7.EXE
4760	COM7.EXE
2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe
2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe
4760	COM7.EXE
4760	COM7.EXE
4760	COM7.EXE
4760	COM7.EXE
2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe
2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe
4760	COM7.EXE
4760	COM7.EXE
2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe
2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe
4760	COM7.EXE
4760	COM7.EXE
2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe
2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe
4760	COM7.EXE
4760	COM7.EXE
2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe
2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe
4760	COM7.EXE
4760	COM7.EXE
4760	COM7.EXE
4760	COM7.EXE
2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe
2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe
4760	COM7.EXE
4760	COM7.EXE
2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe
2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe
2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe
2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2296	achsv.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2296	2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe	78
PID 2084 wrote to memory of 2296	2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe	78
PID 2084 wrote to memory of 2296	2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe	78
PID 2084 wrote to memory of 4760	2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe	80
PID 2084 wrote to memory of 4760	2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe	80
PID 2084 wrote to memory of 4760	2084	475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe	80
PID 4760 wrote to memory of 1232	4760	COM7.EXE	82
PID 4760 wrote to memory of 1232	4760	COM7.EXE	82
PID 4760 wrote to memory of 1232	4760	COM7.EXE	82
PID 2296 wrote to memory of 1244	2296	achsv.exe	84
PID 2296 wrote to memory of 1244	2296	achsv.exe	84
PID 2296 wrote to memory of 1244	2296	achsv.exe	84
PID 4760 wrote to memory of 2260	4760	COM7.EXE	85
PID 4760 wrote to memory of 2260	4760	COM7.EXE	85
PID 4760 wrote to memory of 2260	4760	COM7.EXE	85

C:\Users\Admin\AppData\Local\Temp\475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe
"C:\Users\Admin\AppData\Local\Temp\475c4753de348155c65414e1cf837951269e2ccfe5a41cf40189d609962f6ed3.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
  \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
    \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1244
- C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
  \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops startup file
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v COMLOADER /d "\\.\C:\Program Files\FoxitReader\bin\COM7.EXE"
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1232
- - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
    \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
358KB

MD5
9b27b7ca008a6a9f951f6c71f8529961

SHA1
79f8849715a5447ee48b4bcd41eda32591147136

SHA256
da2dcf21942bde19ee2250fb2f567500e4a8c96fca66b1a38b67b03ca6f82a64

SHA512
6f69c42e9d999631fe3171dc78d94002ff7c921da8fedf735c899882f67b5b88e1c42b37dfd069bf19b6bbf6aaee456fbd6cb084906479b225b8e47d633ccb34

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
358KB

MD5
9b27b7ca008a6a9f951f6c71f8529961

SHA1
79f8849715a5447ee48b4bcd41eda32591147136

SHA256
da2dcf21942bde19ee2250fb2f567500e4a8c96fca66b1a38b67b03ca6f82a64

SHA512
6f69c42e9d999631fe3171dc78d94002ff7c921da8fedf735c899882f67b5b88e1c42b37dfd069bf19b6bbf6aaee456fbd6cb084906479b225b8e47d633ccb34

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
358KB

MD5
9b27b7ca008a6a9f951f6c71f8529961

SHA1
79f8849715a5447ee48b4bcd41eda32591147136

SHA256
da2dcf21942bde19ee2250fb2f567500e4a8c96fca66b1a38b67b03ca6f82a64

SHA512
6f69c42e9d999631fe3171dc78d94002ff7c921da8fedf735c899882f67b5b88e1c42b37dfd069bf19b6bbf6aaee456fbd6cb084906479b225b8e47d633ccb34

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
358KB

MD5
c02bf8fc0710fa0f5f319e54eadf3399

SHA1
e1077e01b9c5fc8f541587895bf7fc9373fe7dd5

SHA256
dabbe458c79ad7cff044c923995a4fde6f11a53d0420290b13effba1e0a3da4b

SHA512
6da78ffa36ea0a1aec5f3a27b9e939a391f2a298a91e3571af93e581628f6a85906a51c2dc8810c8818030b72531189bd41157c690d235b75847f49804b418f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
358KB

MD5
c02bf8fc0710fa0f5f319e54eadf3399

SHA1
e1077e01b9c5fc8f541587895bf7fc9373fe7dd5

SHA256
dabbe458c79ad7cff044c923995a4fde6f11a53d0420290b13effba1e0a3da4b

SHA512
6da78ffa36ea0a1aec5f3a27b9e939a391f2a298a91e3571af93e581628f6a85906a51c2dc8810c8818030b72531189bd41157c690d235b75847f49804b418f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
358KB

MD5
c02bf8fc0710fa0f5f319e54eadf3399

SHA1
e1077e01b9c5fc8f541587895bf7fc9373fe7dd5

SHA256
dabbe458c79ad7cff044c923995a4fde6f11a53d0420290b13effba1e0a3da4b

SHA512
6da78ffa36ea0a1aec5f3a27b9e939a391f2a298a91e3571af93e581628f6a85906a51c2dc8810c8818030b72531189bd41157c690d235b75847f49804b418f7

Download Submit