ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050

Analysis

max time kernel
119s
max time network
35s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21/11/2024, 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe
Size

93KB
MD5

e4a98e87a9335207fd785a7ac84d8c90
SHA1

ae86720e0e0e70a277cf15714f90c5b41f0bb4d9
SHA256

ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050
SHA512

6c06cc4a6580bdd44599a9fe68d94e53fd648fa2aba736f88ea73b3308e94abc084cac58dbb516a1f1b2219c4e3f5bb2bcadf7fac42208821353057b7cd207b7
SSDEEP

1536:OUMTIGU8vM3dG7l5rphVgEQF5NM4Jt78eRL2h+nhMJ41me:ObTIGbvM3dIhVYFU4JtVRqYnCJ41me

Score

7^/10

discovery persistence

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PDF FoxitReader.exe	COM7.EXE

Executes dropped EXE 4 IoCs

pid	Process
768	achsv.exe
1320	COM7.EXE
2660	achsv.exe
2972	COM7.EXE

Loads dropped DLL 8 IoCs

pid	Process
2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe
2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe
2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe
2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe
1320	COM7.EXE
1320	COM7.EXE
768	achsv.exe
768	achsv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\COMLOADER = "\\\\.\\F:\\Program Files\\FoxitReader\\bin\\COM7.EXE"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	achsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	COM7.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	achsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	COM7.EXE

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2780	reg.exe

Suspicious behavior: EnumeratesProcesses 59 IoCs

pid	Process
2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe
768	achsv.exe
1320	COM7.EXE
2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe
2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe
2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe
2660	achsv.exe
2972	COM7.EXE
2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe
2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe
2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe
2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe
1320	COM7.EXE
2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe
1320	COM7.EXE
2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe
1320	COM7.EXE
2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe
1320	COM7.EXE
2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe
1320	COM7.EXE
2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe
1320	COM7.EXE
2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe
1320	COM7.EXE
2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe
1320	COM7.EXE
2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe
1320	COM7.EXE
2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe
1320	COM7.EXE
2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe
1320	COM7.EXE
1320	COM7.EXE
2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe
1320	COM7.EXE
2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe
1320	COM7.EXE
2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe
1320	COM7.EXE
2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe
2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe
1320	COM7.EXE
1320	COM7.EXE
2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe
1320	COM7.EXE
2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe
1320	COM7.EXE
2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe
2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe
1320	COM7.EXE
2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe
1320	COM7.EXE
2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe
1320	COM7.EXE
2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe
1320	COM7.EXE
2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe
1320	COM7.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
768	achsv.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 768	2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe	30
PID 2368 wrote to memory of 768	2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe	30
PID 2368 wrote to memory of 768	2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe	30
PID 2368 wrote to memory of 768	2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe	30
PID 2368 wrote to memory of 1320	2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe	31
PID 2368 wrote to memory of 1320	2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe	31
PID 2368 wrote to memory of 1320	2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe	31
PID 2368 wrote to memory of 1320	2368	ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe	31
PID 1320 wrote to memory of 2780	1320	COM7.EXE	33
PID 1320 wrote to memory of 2780	1320	COM7.EXE	33
PID 1320 wrote to memory of 2780	1320	COM7.EXE	33
PID 1320 wrote to memory of 2780	1320	COM7.EXE	33
PID 1320 wrote to memory of 2660	1320	COM7.EXE	35
PID 1320 wrote to memory of 2660	1320	COM7.EXE	35
PID 1320 wrote to memory of 2660	1320	COM7.EXE	35
PID 1320 wrote to memory of 2660	1320	COM7.EXE	35
PID 768 wrote to memory of 2972	768	achsv.exe	36
PID 768 wrote to memory of 2972	768	achsv.exe	36
PID 768 wrote to memory of 2972	768	achsv.exe	36
PID 768 wrote to memory of 2972	768	achsv.exe	36

C:\Users\Admin\AppData\Local\Temp\ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe
"C:\Users\Admin\AppData\Local\Temp\ed79100c1e1051ddce0e08da195154ff4ef2cbb73ae650251596c5d135f89050N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
  \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:768
- - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
    \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2972
- C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
  \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f /t REG_SZ /v COMLOADER /d "\\.\F:\Program Files\FoxitReader\bin\COM7.EXE"
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2780
- - C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
    \\.\C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\achsv.exe

Filesize
93KB

MD5
bfcc26ae840373f5ad9dd7127db9d1c7

SHA1
94b4f5878076ee75e33b7adbf42e2f24fe14f547

SHA256
4b9d7a8fa2b5cd75e9cfbeac16c578b6321ec0fb1d92b04f656698cce48d59c9

SHA512
c4d065ad816f71b8409cb167d2cf5c84bb1cf50b1c925e7afc634cfa2c66af463a6866440f260a4bda53bcf3e9893bbc9e2c3caa98f99f2aa8bc212747f24192

Download Submit
\Users\Admin\AppData\Local\Temp\Rar$EX7.src777\COM7.EXE

Filesize
93KB

MD5
d39138e8ca4ea7d0868898714ad7b8a5

SHA1
f2d82155f1fde5fe2411df9eb5ea33976019c0fe

SHA256
d7ac3f1bb0c6d21df6b872711dd3da45f65c73866586aa3d855de96f135eea3e

SHA512
9c05bc974870e89dbe072fc5dfec7ed8b06b4586407b0e6ef70652c2ea26e9552351e57e30c197c917e9932a2cd542c178477738be869023fd15b70a1cb82470

Download Submit
memory/768-24-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/768-43-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/1320-27-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2368-21-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2660-33-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/2972-39-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download