d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb

Analysis

max time kernel
208s
max time network
160s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28/11/2022, 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
Size

86KB
MD5

ad69f292ce2c5b3e9578a8faa2221014
SHA1

c94fb04fa337abf0529679aa2069bc0fe65f9c41
SHA256

d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb
SHA512

e30d861f1ece125128277d5364a83a88ddd0fde3d4c77d50157c9d6676b4c62b239751628c9d43fa3f4b9322eea5caebaa34eff9c3e879732fe6cb38be89d7d4
SSDEEP

1536:xUMTIGU8vM3dG7l5rphVgEQF5NM4Jt78eRL2h+nKwwEYShTD:xbTIGbvM3dIhVYFU4JtVRqYnK09

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1000	achsv.exe
684	COM7.EXE
1076	COM7.EXE
1324	achsv.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PDF FoxitReader.exe	COM7.EXE

Loads dropped DLL 8 IoCs

pid	Process
1984	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
1984	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
1984	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
1984	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
1000	achsv.exe
1000	achsv.exe
684	COM7.EXE
684	COM7.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\COMLOADER = "\\\\.\\C:\\Program Files\\FoxitReader\\bin\\COM7.EXE"	reg.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\FoxitReader\bin\COM7.EXE	COM7.EXE
File created	C:\Program Files\FoxitReader\FoxitReader.exe	COM7.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1868	reg.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
1984	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
1000	achsv.exe
684	COM7.EXE
1984	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
1076	COM7.EXE
1984	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
1984	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
1324	achsv.exe
1984	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
1984	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
1984	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
1984	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
1984	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
1984	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
684	COM7.EXE
684	COM7.EXE
1984	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
684	COM7.EXE
1984	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
684	COM7.EXE
1984	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
684	COM7.EXE
684	COM7.EXE
1984	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
1984	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
684	COM7.EXE
1984	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
684	COM7.EXE
684	COM7.EXE
1984	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
684	COM7.EXE
1984	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
684	COM7.EXE
1984	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
684	COM7.EXE
1984	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
684	COM7.EXE
1984	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
684	COM7.EXE
1984	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
684	COM7.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1000	achsv.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 1000	1984	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe	27
PID 1984 wrote to memory of 1000	1984	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe	27
PID 1984 wrote to memory of 1000	1984	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe	27
PID 1984 wrote to memory of 1000	1984	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe	27
PID 1984 wrote to memory of 684	1984	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe	28
PID 1984 wrote to memory of 684	1984	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe	28
PID 1984 wrote to memory of 684	1984	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe	28
PID 1984 wrote to memory of 684	1984	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe	28
PID 1000 wrote to memory of 1076	1000	achsv.exe	29
PID 1000 wrote to memory of 1076	1000	achsv.exe	29
PID 1000 wrote to memory of 1076	1000	achsv.exe	29
PID 1000 wrote to memory of 1076	1000	achsv.exe	29
PID 684 wrote to memory of 1868	684	COM7.EXE	30
PID 684 wrote to memory of 1868	684	COM7.EXE	30
PID 684 wrote to memory of 1868	684	COM7.EXE	30
PID 684 wrote to memory of 1868	684	COM7.EXE	30
PID 684 wrote to memory of 1324	684	COM7.EXE	32
PID 684 wrote to memory of 1324	684	COM7.EXE	32
PID 684 wrote to memory of 1324	684	COM7.EXE	32
PID 684 wrote to memory of 1324	684	COM7.EXE	32

C:\Users\Admin\AppData\Local\Temp\d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
"C:\Users\Admin\AppData\Local\Temp\d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
  \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1000
- - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
    \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1076
- C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
  \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
  2⤵
  - Executes dropped EXE
  - Drops startup file
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v COMLOADER /d "\\.\C:\Program Files\FoxitReader\bin\COM7.EXE"
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1868
- - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
    \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
86KB

MD5
406c1c573e2a2f0673d1ad6b2ea80552

SHA1
4da269d39a84de58eebe796f2f2b082f27cc5501

SHA256
8b53c6718e524a39b58241ea2ae126d900fa7ea5665d696452aaa41cf09aa3d7

SHA512
fa9d489ac040f94360dfcaf55a1be824dc9b90086e7bd838e615b57a10f2d39b237d16ee3cb6364bbc4e58cc3c63eb22d2366502d76f747128351f3bf7004598

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
86KB

MD5
406c1c573e2a2f0673d1ad6b2ea80552

SHA1
4da269d39a84de58eebe796f2f2b082f27cc5501

SHA256
8b53c6718e524a39b58241ea2ae126d900fa7ea5665d696452aaa41cf09aa3d7

SHA512
fa9d489ac040f94360dfcaf55a1be824dc9b90086e7bd838e615b57a10f2d39b237d16ee3cb6364bbc4e58cc3c63eb22d2366502d76f747128351f3bf7004598

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
86KB

MD5
406c1c573e2a2f0673d1ad6b2ea80552

SHA1
4da269d39a84de58eebe796f2f2b082f27cc5501

SHA256
8b53c6718e524a39b58241ea2ae126d900fa7ea5665d696452aaa41cf09aa3d7

SHA512
fa9d489ac040f94360dfcaf55a1be824dc9b90086e7bd838e615b57a10f2d39b237d16ee3cb6364bbc4e58cc3c63eb22d2366502d76f747128351f3bf7004598

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
86KB

MD5
a0dc5494e2fba8626643b8edf7adf624

SHA1
8f15b81fa22fbda092d184f2afc8bc827c914fcc

SHA256
3b441dac1d0472800bdb301ab506d568f3f5e81ff17566508bdc8e1311a027ba

SHA512
4d70139fd590b0b2bc5e7eb7616d96bfc1e30642a479440e367a6c517321c1262ed70c149c9443b383afe386715f9ce741cceabab4415d41ae38ab609c94463f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
86KB

MD5
a0dc5494e2fba8626643b8edf7adf624

SHA1
8f15b81fa22fbda092d184f2afc8bc827c914fcc

SHA256
3b441dac1d0472800bdb301ab506d568f3f5e81ff17566508bdc8e1311a027ba

SHA512
4d70139fd590b0b2bc5e7eb7616d96bfc1e30642a479440e367a6c517321c1262ed70c149c9443b383afe386715f9ce741cceabab4415d41ae38ab609c94463f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
86KB

MD5
a0dc5494e2fba8626643b8edf7adf624

SHA1
8f15b81fa22fbda092d184f2afc8bc827c914fcc

SHA256
3b441dac1d0472800bdb301ab506d568f3f5e81ff17566508bdc8e1311a027ba

SHA512
4d70139fd590b0b2bc5e7eb7616d96bfc1e30642a479440e367a6c517321c1262ed70c149c9443b383afe386715f9ce741cceabab4415d41ae38ab609c94463f

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
86KB

MD5
406c1c573e2a2f0673d1ad6b2ea80552

SHA1
4da269d39a84de58eebe796f2f2b082f27cc5501

SHA256
8b53c6718e524a39b58241ea2ae126d900fa7ea5665d696452aaa41cf09aa3d7

SHA512
fa9d489ac040f94360dfcaf55a1be824dc9b90086e7bd838e615b57a10f2d39b237d16ee3cb6364bbc4e58cc3c63eb22d2366502d76f747128351f3bf7004598

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
86KB

MD5
406c1c573e2a2f0673d1ad6b2ea80552

SHA1
4da269d39a84de58eebe796f2f2b082f27cc5501

SHA256
8b53c6718e524a39b58241ea2ae126d900fa7ea5665d696452aaa41cf09aa3d7

SHA512
fa9d489ac040f94360dfcaf55a1be824dc9b90086e7bd838e615b57a10f2d39b237d16ee3cb6364bbc4e58cc3c63eb22d2366502d76f747128351f3bf7004598

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
86KB

MD5
406c1c573e2a2f0673d1ad6b2ea80552

SHA1
4da269d39a84de58eebe796f2f2b082f27cc5501

SHA256
8b53c6718e524a39b58241ea2ae126d900fa7ea5665d696452aaa41cf09aa3d7

SHA512
fa9d489ac040f94360dfcaf55a1be824dc9b90086e7bd838e615b57a10f2d39b237d16ee3cb6364bbc4e58cc3c63eb22d2366502d76f747128351f3bf7004598

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
86KB

MD5
406c1c573e2a2f0673d1ad6b2ea80552

SHA1
4da269d39a84de58eebe796f2f2b082f27cc5501

SHA256
8b53c6718e524a39b58241ea2ae126d900fa7ea5665d696452aaa41cf09aa3d7

SHA512
fa9d489ac040f94360dfcaf55a1be824dc9b90086e7bd838e615b57a10f2d39b237d16ee3cb6364bbc4e58cc3c63eb22d2366502d76f747128351f3bf7004598

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
86KB

MD5
a0dc5494e2fba8626643b8edf7adf624

SHA1
8f15b81fa22fbda092d184f2afc8bc827c914fcc

SHA256
3b441dac1d0472800bdb301ab506d568f3f5e81ff17566508bdc8e1311a027ba

SHA512
4d70139fd590b0b2bc5e7eb7616d96bfc1e30642a479440e367a6c517321c1262ed70c149c9443b383afe386715f9ce741cceabab4415d41ae38ab609c94463f

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
86KB

MD5
a0dc5494e2fba8626643b8edf7adf624

SHA1
8f15b81fa22fbda092d184f2afc8bc827c914fcc

SHA256
3b441dac1d0472800bdb301ab506d568f3f5e81ff17566508bdc8e1311a027ba

SHA512
4d70139fd590b0b2bc5e7eb7616d96bfc1e30642a479440e367a6c517321c1262ed70c149c9443b383afe386715f9ce741cceabab4415d41ae38ab609c94463f

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
86KB

MD5
a0dc5494e2fba8626643b8edf7adf624

SHA1
8f15b81fa22fbda092d184f2afc8bc827c914fcc

SHA256
3b441dac1d0472800bdb301ab506d568f3f5e81ff17566508bdc8e1311a027ba

SHA512
4d70139fd590b0b2bc5e7eb7616d96bfc1e30642a479440e367a6c517321c1262ed70c149c9443b383afe386715f9ce741cceabab4415d41ae38ab609c94463f

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
86KB

MD5
a0dc5494e2fba8626643b8edf7adf624

SHA1
8f15b81fa22fbda092d184f2afc8bc827c914fcc

SHA256
3b441dac1d0472800bdb301ab506d568f3f5e81ff17566508bdc8e1311a027ba

SHA512
4d70139fd590b0b2bc5e7eb7616d96bfc1e30642a479440e367a6c517321c1262ed70c149c9443b383afe386715f9ce741cceabab4415d41ae38ab609c94463f

Download Submit
memory/1984-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download