e25e4fbcb48fa3007b8a1477b56f72e2442217fc5f53c63c1aae7cf8d828e6ff

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 20:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d9a8454216ca4b321293109b998a58ba.exe
Size

250KB
MD5

d9a8454216ca4b321293109b998a58ba
SHA1

858d29d569d46558e9161a6060a068d3aca71609
SHA256

e25e4fbcb48fa3007b8a1477b56f72e2442217fc5f53c63c1aae7cf8d828e6ff
SHA512

8374c9ae4add060ed5173d678b744af34a2221dc525868e49a7244fc4c59f7dbaaf89f652fa7173dbc1411edc4b349b948e0d186e0a050c85a41292d31a66bec
SSDEEP

6144:Kt8IhVYFVED7l08BkjIf0r9b5if7/F0ZiCs9n/nLgpy:Kt8vVED3Bk0Mr9Vif7/F1h9nvLgpy

Score

7^/10

persistence

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PDF FoxitReader.exe	COM7.EXE

Executes dropped EXE 4 IoCs

pid	Process
1068	achsv.exe
3068	COM7.EXE
2616	achsv.exe
2312	COM7.EXE

Loads dropped DLL 8 IoCs

pid	Process
2004	d9a8454216ca4b321293109b998a58ba.exe
2004	d9a8454216ca4b321293109b998a58ba.exe
2004	d9a8454216ca4b321293109b998a58ba.exe
2004	d9a8454216ca4b321293109b998a58ba.exe
3068	COM7.EXE
3068	COM7.EXE
1068	achsv.exe
1068	achsv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\COMLOADER = "\\\\.\\F:\\Program Files\\FoxitReader\\bin\\COM7.EXE"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2624	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2004	d9a8454216ca4b321293109b998a58ba.exe
1068	achsv.exe
3068	COM7.EXE
2004	d9a8454216ca4b321293109b998a58ba.exe
2004	d9a8454216ca4b321293109b998a58ba.exe
2004	d9a8454216ca4b321293109b998a58ba.exe
2616	achsv.exe
2312	COM7.EXE
2004	d9a8454216ca4b321293109b998a58ba.exe
2004	d9a8454216ca4b321293109b998a58ba.exe
2004	d9a8454216ca4b321293109b998a58ba.exe
2004	d9a8454216ca4b321293109b998a58ba.exe
3068	COM7.EXE
2004	d9a8454216ca4b321293109b998a58ba.exe
3068	COM7.EXE
2004	d9a8454216ca4b321293109b998a58ba.exe
3068	COM7.EXE
2004	d9a8454216ca4b321293109b998a58ba.exe
3068	COM7.EXE
3068	COM7.EXE
2004	d9a8454216ca4b321293109b998a58ba.exe
2004	d9a8454216ca4b321293109b998a58ba.exe
3068	COM7.EXE
2004	d9a8454216ca4b321293109b998a58ba.exe
3068	COM7.EXE
2004	d9a8454216ca4b321293109b998a58ba.exe
3068	COM7.EXE
2004	d9a8454216ca4b321293109b998a58ba.exe
3068	COM7.EXE
2004	d9a8454216ca4b321293109b998a58ba.exe
3068	COM7.EXE
2004	d9a8454216ca4b321293109b998a58ba.exe
3068	COM7.EXE
2004	d9a8454216ca4b321293109b998a58ba.exe
3068	COM7.EXE
3068	COM7.EXE
2004	d9a8454216ca4b321293109b998a58ba.exe
3068	COM7.EXE
2004	d9a8454216ca4b321293109b998a58ba.exe
3068	COM7.EXE
2004	d9a8454216ca4b321293109b998a58ba.exe
3068	COM7.EXE
2004	d9a8454216ca4b321293109b998a58ba.exe
3068	COM7.EXE
2004	d9a8454216ca4b321293109b998a58ba.exe
3068	COM7.EXE
2004	d9a8454216ca4b321293109b998a58ba.exe
3068	COM7.EXE
2004	d9a8454216ca4b321293109b998a58ba.exe
3068	COM7.EXE
2004	d9a8454216ca4b321293109b998a58ba.exe
3068	COM7.EXE
2004	d9a8454216ca4b321293109b998a58ba.exe
3068	COM7.EXE
2004	d9a8454216ca4b321293109b998a58ba.exe
2004	d9a8454216ca4b321293109b998a58ba.exe
3068	COM7.EXE
3068	COM7.EXE
2004	d9a8454216ca4b321293109b998a58ba.exe
2004	d9a8454216ca4b321293109b998a58ba.exe
3068	COM7.EXE
3068	COM7.EXE
2004	d9a8454216ca4b321293109b998a58ba.exe
3068	COM7.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1068	achsv.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 1068	2004	d9a8454216ca4b321293109b998a58ba.exe	28
PID 2004 wrote to memory of 1068	2004	d9a8454216ca4b321293109b998a58ba.exe	28
PID 2004 wrote to memory of 1068	2004	d9a8454216ca4b321293109b998a58ba.exe	28
PID 2004 wrote to memory of 1068	2004	d9a8454216ca4b321293109b998a58ba.exe	28
PID 2004 wrote to memory of 3068	2004	d9a8454216ca4b321293109b998a58ba.exe	29
PID 2004 wrote to memory of 3068	2004	d9a8454216ca4b321293109b998a58ba.exe	29
PID 2004 wrote to memory of 3068	2004	d9a8454216ca4b321293109b998a58ba.exe	29
PID 2004 wrote to memory of 3068	2004	d9a8454216ca4b321293109b998a58ba.exe	29
PID 3068 wrote to memory of 2624	3068	COM7.EXE	30
PID 3068 wrote to memory of 2624	3068	COM7.EXE	30
PID 3068 wrote to memory of 2624	3068	COM7.EXE	30
PID 3068 wrote to memory of 2624	3068	COM7.EXE	30
PID 3068 wrote to memory of 2616	3068	COM7.EXE	32
PID 3068 wrote to memory of 2616	3068	COM7.EXE	32
PID 3068 wrote to memory of 2616	3068	COM7.EXE	32
PID 3068 wrote to memory of 2616	3068	COM7.EXE	32
PID 1068 wrote to memory of 2312	1068	achsv.exe	33
PID 1068 wrote to memory of 2312	1068	achsv.exe	33
PID 1068 wrote to memory of 2312	1068	achsv.exe	33
PID 1068 wrote to memory of 2312	1068	achsv.exe	33

C:\Users\Admin\AppData\Local\Temp\d9a8454216ca4b321293109b998a58ba.exe
"C:\Users\Admin\AppData\Local\Temp\d9a8454216ca4b321293109b998a58ba.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
  \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
    \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2312
- C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
  \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v COMLOADER /d "\\.\F:\Program Files\FoxitReader\bin\COM7.EXE"
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2624
- - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
    \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
251KB

MD5
8089c27d5dc31e9106f90cce45aa83df

SHA1
729ef10dede207f1a547500ba2ee23b21abe3ed5

SHA256
a7d9aefe910b50dbe94da73b85c537e4c9e05218dfb266312c5d0dcb99ac4ccd

SHA512
f0cbefc1e279d5517ec2848ff2c03482200cbe7d5090dbe0be7dd5bffbb440671c0e8c975aa3a59496c5c142a9e393b7d76aedd967c89eccec1062d27903bafd

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
250KB

MD5
1c8358e6dbffa3d9464ddc80dd9012e9

SHA1
c7d5a9abffd2cb942b4d6cd3aeabfae458c1dc18

SHA256
1301268ec7231ee9ca5ff3335be19eb5a33d63c05ea7b74dd3b6a6116c74500a

SHA512
24eeb29ae789ca9e1b51876cf8ccf6ed2c5ab11dc16b23af5de2c77d210a4f7a9b4721265d9292451b0aef7d2e803910450651abe103d2fa3a9d566f6cdf15e2

Download Submit
memory/1068-24-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/1068-43-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2004-21-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2312-39-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2616-33-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/3068-27-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download