d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb

General

Target

d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
Size

86KB
MD5

ad69f292ce2c5b3e9578a8faa2221014
SHA1

c94fb04fa337abf0529679aa2069bc0fe65f9c41
SHA256

d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb
SHA512

e30d861f1ece125128277d5364a83a88ddd0fde3d4c77d50157c9d6676b4c62b239751628c9d43fa3f4b9322eea5caebaa34eff9c3e879732fe6cb38be89d7d4
SSDEEP

1536:xUMTIGU8vM3dG7l5rphVgEQF5NM4Jt78eRL2h+nKwwEYShTD:xbTIGbvM3dIhVYFU4JtVRqYnK09

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4844	achsv.exe
1596	COM7.EXE
4376	COM7.EXE

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\FoxitReader\bin\COM7.EXE	COM7.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
3624	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
3624	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
4844	achsv.exe
4844	achsv.exe
1596	COM7.EXE
1596	COM7.EXE
3624	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
3624	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
3624	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
3624	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
3624	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
3624	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
3624	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
3624	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
3624	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
3624	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
3624	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
3624	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
3624	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
3624	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
3624	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
3624	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
4376	COM7.EXE
4376	COM7.EXE
3624	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
3624	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
3624	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
3624	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
3624	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
3624	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3624 wrote to memory of 4844	3624	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe	81
PID 3624 wrote to memory of 4844	3624	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe	81
PID 3624 wrote to memory of 4844	3624	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe	81
PID 3624 wrote to memory of 1596	3624	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe	82
PID 3624 wrote to memory of 1596	3624	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe	82
PID 3624 wrote to memory of 1596	3624	d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe	82
PID 4844 wrote to memory of 4376	4844	achsv.exe	83
PID 4844 wrote to memory of 4376	4844	achsv.exe	83
PID 4844 wrote to memory of 4376	4844	achsv.exe	83

C:\Users\Admin\AppData\Local\Temp\d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe
"C:\Users\Admin\AppData\Local\Temp\d9ea418e74393b4a40147c9fc70a64aac5aca00acd5d968b9a4b2d3f0ba1b0bb.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3624
- C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
  \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
    \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4376
- C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
  \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
87KB

MD5
653fc72bbd21d56cacc1a6385339f31d

SHA1
aa45b53ea5cc79b441760e293e470e7da40926d8

SHA256
8f5e5ec23c510d7f1f7fce61c8dba1c8eb0fdb63d7c4c4ceaae745d370e95b5b

SHA512
bd465b5a423a1c97495b2cd9b7c061df014efa6aaeac7850778fbc5997a9bb03a79be144155cb4ad930e53b907fecd69ecdd72ff94d6411722bfd798fbc2c692

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
87KB

MD5
653fc72bbd21d56cacc1a6385339f31d

SHA1
aa45b53ea5cc79b441760e293e470e7da40926d8

SHA256
8f5e5ec23c510d7f1f7fce61c8dba1c8eb0fdb63d7c4c4ceaae745d370e95b5b

SHA512
bd465b5a423a1c97495b2cd9b7c061df014efa6aaeac7850778fbc5997a9bb03a79be144155cb4ad930e53b907fecd69ecdd72ff94d6411722bfd798fbc2c692

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
87KB

MD5
653fc72bbd21d56cacc1a6385339f31d

SHA1
aa45b53ea5cc79b441760e293e470e7da40926d8

SHA256
8f5e5ec23c510d7f1f7fce61c8dba1c8eb0fdb63d7c4c4ceaae745d370e95b5b

SHA512
bd465b5a423a1c97495b2cd9b7c061df014efa6aaeac7850778fbc5997a9bb03a79be144155cb4ad930e53b907fecd69ecdd72ff94d6411722bfd798fbc2c692

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
86KB

MD5
1594961b575206b9fa8a7d060367bbfa

SHA1
9c6469651a88a7cb9497c80d5cbc5f2f034d5a43

SHA256
a97a4c847a29fdc9485d91c026fb835ea9e565ca850cf57857ee1718da237e6e

SHA512
361e036dcae7430ff27852641213a82e27e9f29704768c5e732ad458bebdcf24a1989b67393b5eb45a151fb5d9e394508d9f612598aa90765f81613f1da47087

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
86KB

MD5
1594961b575206b9fa8a7d060367bbfa

SHA1
9c6469651a88a7cb9497c80d5cbc5f2f034d5a43

SHA256
a97a4c847a29fdc9485d91c026fb835ea9e565ca850cf57857ee1718da237e6e

SHA512
361e036dcae7430ff27852641213a82e27e9f29704768c5e732ad458bebdcf24a1989b67393b5eb45a151fb5d9e394508d9f612598aa90765f81613f1da47087

Download Submit

Analysis

Sharing