58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d

General

Target

58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Size

2.0MB
MD5

83933516d5bec305eca233671d58d70e
SHA1

cd2861e8ac5004907f0d1e2b54ab43078fe315fb
SHA256

58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d
SHA512

339c909d8198f998c4672aa5a81c2d5b2d6c910e5af5ff6660ac8c101d83df5d9836dd80a3b027ce0a7ccb0d7ab375bb11644847835f167939763390686f94d8
SSDEEP

49152:LAHmZWttPz/DFeBgmk2fMagFW06rwa9LvQZy9LvQZgipCDh0:a+eX+gDDMHwa9bQZy9bQZgipEh0

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Protector-olab.exe

pid process

2120 Protector-olab.exe

pid	process
2120	Protector-olab.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 42 IoCs

Processes:

58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5493984-B2D7-83ED-53D5-2E60B26B1652}\1.0\0\win32\	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C185F089-843F-42F6-2B95-86DE4B46670A}\VersionIndependentProgID	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C185F089-843F-42F6-2B95-86DE4B46670A}\DataFormats\	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C185F089-843F-42F6-2B95-86DE4B46670A}\Programmable\	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C185F089-843F-42F6-2B95-86DE4B46670A}\ProgID	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C185F089-843F-42F6-2B95-86DE4B46670A}\ProgID\	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5493984-B2D7-83ED-53D5-2E60B26B1652}\	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5493984-B2D7-83ED-53D5-2E60B26B1652}\1.0\	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5493984-B2D7-83ED-53D5-2E60B26B1652}\1.0\ = "TvRatings 1.0 Type Library"	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5493984-B2D7-83ED-53D5-2E60B26B1652}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C185F089-843F-42F6-2B95-86DE4B46670A}\DataFormats	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C185F089-843F-42F6-2B95-86DE4B46670A}\Insertable\	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C185F089-843F-42F6-2B95-86DE4B46670A}\VersionIndependentProgID\ = "SketchObj.SketchInk"	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5493984-B2D7-83ED-53D5-2E60B26B1652}\1.0\FLAGS\ = "0"	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C185F089-843F-42F6-2B95-86DE4B46670A}\ = "Ijakerhi Esajovve class"	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5493984-B2D7-83ED-53D5-2E60B26B1652}\1.0\0	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C185F089-843F-42F6-2B95-86DE4B46670A}\InprocServer32\ = "%CommonProgramFiles%\\Microsoft Shared\\Ink\\InkObj.dll"	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C185F089-843F-42F6-2B95-86DE4B46670A}\MiscStatus\ = "0"	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5493984-B2D7-83ED-53D5-2E60B26B1652}\1.0\0\win32	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5493984-B2D7-83ED-53D5-2E60B26B1652}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\tvratings.dll"	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5493984-B2D7-83ED-53D5-2E60B26B1652}\1.0\HELPDIR	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C185F089-843F-42F6-2B95-86DE4B46670A}\Version\	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C185F089-843F-42F6-2B95-86DE4B46670A}\InprocServer32	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C185F089-843F-42F6-2B95-86DE4B46670A}\InprocServer32\	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C185F089-843F-42F6-2B95-86DE4B46670A}\Programmable	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5493984-B2D7-83ED-53D5-2E60B26B1652}\1.0	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5493984-B2D7-83ED-53D5-2E60B26B1652}\1.0\FLAGS	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C185F089-843F-42F6-2B95-86DE4B46670A}\TypeLib	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C185F089-843F-42F6-2B95-86DE4B46670A}\TypeLib\	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C185F089-843F-42F6-2B95-86DE4B46670A}\VersionIndependentProgID\	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C185F089-843F-42F6-2B95-86DE4B46670A}\MiscStatus	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C185F089-843F-42F6-2B95-86DE4B46670A}\ProgID\ = "SketchObj.SketchInk.1"	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C185F089-843F-42F6-2B95-86DE4B46670A}	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5493984-B2D7-83ED-53D5-2E60B26B1652}	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5493984-B2D7-83ED-53D5-2E60B26B1652}\1.0\FLAGS\	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C185F089-843F-42F6-2B95-86DE4B46670A}\Version	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C185F089-843F-42F6-2B95-86DE4B46670A}\Version\ = "1.0"	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C185F089-843F-42F6-2B95-86DE4B46670A}\MiscStatus\	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5493984-B2D7-83ED-53D5-2E60B26B1652}\1.0\0\	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C185F089-843F-42F6-2B95-86DE4B46670A}\TypeLib\ = "{F5493984-B2D7-83ED-53D5-2E60B26B1652}"	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C185F089-843F-42F6-2B95-86DE4B46670A}\Insertable	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5493984-B2D7-83ED-53D5-2E60B26B1652}\1.0\HELPDIR\	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exeProtector-olab.exe

description	pid	process
Token: SeDebugPrivilege	428	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Token: SeShutdownPrivilege	428	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
Token: SeDebugPrivilege	2120	Protector-olab.exe
Token: SeShutdownPrivilege	2120	Protector-olab.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exeProtector-olab.exe

pid process

428 58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
2120 Protector-olab.exe

pid	process
428	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
2120	Protector-olab.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe

description	pid	process	target process
PID 428 wrote to memory of 2120	428	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe	Protector-olab.exe
PID 428 wrote to memory of 2120	428	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe	Protector-olab.exe
PID 428 wrote to memory of 2120	428	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe	Protector-olab.exe
PID 428 wrote to memory of 4784	428	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe	cmd.exe
PID 428 wrote to memory of 4784	428	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe	cmd.exe
PID 428 wrote to memory of 4784	428	58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe
"C:\Users\Admin\AppData\Local\Temp\58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:428

C:\Users\Admin\AppData\Roaming\Protector-olab.exe
C:\Users\Admin\AppData\Roaming\Protector-olab.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2120

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\58084E~1.EXE" >> NUL
2⤵
PID:4784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Protector-olab.exe
Filesize
2.0MB

MD5
83933516d5bec305eca233671d58d70e

SHA1
cd2861e8ac5004907f0d1e2b54ab43078fe315fb

SHA256
58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d

SHA512
339c909d8198f998c4672aa5a81c2d5b2d6c910e5af5ff6660ac8c101d83df5d9836dd80a3b027ce0a7ccb0d7ab375bb11644847835f167939763390686f94d8

Download Submit
C:\Users\Admin\AppData\Roaming\Protector-olab.exe
Filesize
2.0MB

MD5
83933516d5bec305eca233671d58d70e

SHA1
cd2861e8ac5004907f0d1e2b54ab43078fe315fb

SHA256
58084e8f26d34d6773e5a1a30f4f713ec160944df86996fde281972ff7afc82d

SHA512
339c909d8198f998c4672aa5a81c2d5b2d6c910e5af5ff6660ac8c101d83df5d9836dd80a3b027ce0a7ccb0d7ab375bb11644847835f167939763390686f94d8

Download Submit
memory/428-135-0x0000000003650000-0x0000000003653000-memory.dmp

Filesize
12KB

Download
memory/428-132-0x0000000000400000-0x0000000000833000-memory.dmp

Filesize
4.2MB

Download
memory/428-134-0x0000000000E60000-0x0000000000EBA000-memory.dmp

Filesize
360KB

Download
memory/428-133-0x0000000000E60000-0x0000000000EBA000-memory.dmp

Filesize
360KB

Download
memory/428-143-0x0000000000400000-0x0000000000833000-memory.dmp

Filesize
4.2MB

Download
memory/428-144-0x0000000000E60000-0x0000000000EBA000-memory.dmp

Filesize
360KB

Download
memory/2120-136-0x0000000000000000-mapping.dmp

Download
memory/2120-139-0x0000000000400000-0x0000000000833000-memory.dmp

Filesize
4.2MB

Download
memory/2120-140-0x00000000009E0000-0x0000000000A3A000-memory.dmp

Filesize
360KB

Download
memory/2120-141-0x0000000003510000-0x0000000003513000-memory.dmp

Filesize
12KB

Download
memory/2120-145-0x0000000000400000-0x0000000000833000-memory.dmp

Filesize
4.2MB

Download
memory/4784-142-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads