f34e46d37ac5ae09ff842fbd4bcb385adcca8b637ec509001f48fca07d5ef8e6

General

Target

f34e46d37ac5ae09ff842fbd4bcb385adcca8b637ec509001f48fca07d5ef8e6.exe
Size

2.2MB
MD5

10cd5734c6f11561bb2d3f386000fb17
SHA1

12d3158d6c93c8c9dc942accbc5249db0b210ad2
SHA256

f34e46d37ac5ae09ff842fbd4bcb385adcca8b637ec509001f48fca07d5ef8e6
SHA512

fb371554d75cf7873c7531f2da9e39980af863c4ba12252715b2bbe52c7a63dc4c7fd4a273c469c0f8dfa00231daa6a82976c043ba303ffd0fc1a6ce9927b946
SSDEEP

24576:nit5hHI87j+Fnj+ft9rkswm8lf9q06hMOKZ9kL8fEOlr4QGHfmdi3KPePVvd9wYa:niXhEJqt6swV4xrKnFfrreHFtvdVzJOP

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Protector-oetw.exe

pid process

4296 Protector-oetw.exe

pid	process
4296	Protector-oetw.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/976-134-0x0000000000400000-0x0000000000767000-memory.dmp	upx
behavioral2/memory/976-135-0x0000000000400000-0x000000000099E000-memory.dmp	upx
behavioral2/memory/4296-140-0x0000000000400000-0x000000000099E000-memory.dmp	upx
behavioral2/memory/4296-142-0x0000000000400000-0x000000000099E000-memory.dmp	upx
behavioral2/memory/4296-143-0x0000000000400000-0x0000000000767000-memory.dmp	upx
behavioral2/memory/976-146-0x0000000000400000-0x0000000000767000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f34e46d37ac5ae09ff842fbd4bcb385adcca8b637ec509001f48fca07d5ef8e6.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	f34e46d37ac5ae09ff842fbd4bcb385adcca8b637ec509001f48fca07d5ef8e6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

f34e46d37ac5ae09ff842fbd4bcb385adcca8b637ec509001f48fca07d5ef8e6.exeProtector-oetw.exe

description	pid	process
Token: SeDebugPrivilege	976	f34e46d37ac5ae09ff842fbd4bcb385adcca8b637ec509001f48fca07d5ef8e6.exe
Token: SeShutdownPrivilege	976	f34e46d37ac5ae09ff842fbd4bcb385adcca8b637ec509001f48fca07d5ef8e6.exe
Token: SeDebugPrivilege	4296	Protector-oetw.exe
Token: SeShutdownPrivilege	4296	Protector-oetw.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

f34e46d37ac5ae09ff842fbd4bcb385adcca8b637ec509001f48fca07d5ef8e6.exeProtector-oetw.exe

pid process

976 f34e46d37ac5ae09ff842fbd4bcb385adcca8b637ec509001f48fca07d5ef8e6.exe
4296 Protector-oetw.exe

pid	process
976	f34e46d37ac5ae09ff842fbd4bcb385adcca8b637ec509001f48fca07d5ef8e6.exe
4296	Protector-oetw.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

f34e46d37ac5ae09ff842fbd4bcb385adcca8b637ec509001f48fca07d5ef8e6.exe

description	pid	process	target process
PID 976 wrote to memory of 4296	976	f34e46d37ac5ae09ff842fbd4bcb385adcca8b637ec509001f48fca07d5ef8e6.exe	Protector-oetw.exe
PID 976 wrote to memory of 4296	976	f34e46d37ac5ae09ff842fbd4bcb385adcca8b637ec509001f48fca07d5ef8e6.exe	Protector-oetw.exe
PID 976 wrote to memory of 4296	976	f34e46d37ac5ae09ff842fbd4bcb385adcca8b637ec509001f48fca07d5ef8e6.exe	Protector-oetw.exe
PID 976 wrote to memory of 364	976	f34e46d37ac5ae09ff842fbd4bcb385adcca8b637ec509001f48fca07d5ef8e6.exe	cmd.exe
PID 976 wrote to memory of 364	976	f34e46d37ac5ae09ff842fbd4bcb385adcca8b637ec509001f48fca07d5ef8e6.exe	cmd.exe
PID 976 wrote to memory of 364	976	f34e46d37ac5ae09ff842fbd4bcb385adcca8b637ec509001f48fca07d5ef8e6.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\f34e46d37ac5ae09ff842fbd4bcb385adcca8b637ec509001f48fca07d5ef8e6.exe
"C:\Users\Admin\AppData\Local\Temp\f34e46d37ac5ae09ff842fbd4bcb385adcca8b637ec509001f48fca07d5ef8e6.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:976

C:\Users\Admin\AppData\Roaming\Protector-oetw.exe
C:\Users\Admin\AppData\Roaming\Protector-oetw.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4296

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\F34E46~1.EXE" >> NUL
2⤵
PID:364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Protector-oetw.exe
Filesize
2.2MB

MD5
10cd5734c6f11561bb2d3f386000fb17

SHA1
12d3158d6c93c8c9dc942accbc5249db0b210ad2

SHA256
f34e46d37ac5ae09ff842fbd4bcb385adcca8b637ec509001f48fca07d5ef8e6

SHA512
fb371554d75cf7873c7531f2da9e39980af863c4ba12252715b2bbe52c7a63dc4c7fd4a273c469c0f8dfa00231daa6a82976c043ba303ffd0fc1a6ce9927b946

Download Submit
C:\Users\Admin\AppData\Roaming\Protector-oetw.exe
Filesize
2.2MB

MD5
10cd5734c6f11561bb2d3f386000fb17

SHA1
12d3158d6c93c8c9dc942accbc5249db0b210ad2

SHA256
f34e46d37ac5ae09ff842fbd4bcb385adcca8b637ec509001f48fca07d5ef8e6

SHA512
fb371554d75cf7873c7531f2da9e39980af863c4ba12252715b2bbe52c7a63dc4c7fd4a273c469c0f8dfa00231daa6a82976c043ba303ffd0fc1a6ce9927b946

Download Submit
memory/364-145-0x0000000000000000-mapping.dmp

Download
memory/976-135-0x0000000000400000-0x000000000099E000-memory.dmp

Filesize
5.6MB

Download
memory/976-132-0x0000000000400000-0x000000000099E000-memory.dmp

Filesize
5.6MB

Download
memory/976-134-0x0000000000400000-0x0000000000767000-memory.dmp

Filesize
3.4MB

Download
memory/976-133-0x0000000074160000-0x00000000741F3000-memory.dmp

Filesize
588KB

Download
memory/976-146-0x0000000000400000-0x0000000000767000-memory.dmp

Filesize
3.4MB

Download
memory/976-147-0x0000000074160000-0x00000000741F3000-memory.dmp

Filesize
588KB

Download
memory/4296-136-0x0000000000000000-mapping.dmp

Download
memory/4296-140-0x0000000000400000-0x000000000099E000-memory.dmp

Filesize
5.6MB

Download
memory/4296-141-0x0000000074160000-0x00000000741F3000-memory.dmp

Filesize
588KB

Download
memory/4296-142-0x0000000000400000-0x000000000099E000-memory.dmp

Filesize
5.6MB

Download
memory/4296-144-0x0000000074160000-0x00000000741F3000-memory.dmp

Filesize
588KB

Download
memory/4296-143-0x0000000000400000-0x0000000000767000-memory.dmp

Filesize
3.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads