422bbbe224d6d58280c2fa801357b70528504d318d1f073025b0042ed99e6bbe

Analysis

max time kernel
6s
max time network
31s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
08/02/2023, 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Protector Del Este S.A.exe
Size

576KB
MD5

bf960f17b0877adff061e419d113bde5
SHA1

8e7e8814f259fdbc24ae575d84efe899c4bd0fb1
SHA256

422bbbe224d6d58280c2fa801357b70528504d318d1f073025b0042ed99e6bbe
SHA512

9f01030004f734bdf526c83c00ad58e3500bde52adb187ba99d89908d3660863c9139040270d6615928ded0fe9d2eb4508a62c167864a5843841eb63c3205414
SSDEEP

12288:PrD1Ec7ItKCZEQfrCvSTD7r35JpWrNdyOL8aWPXMv5swACzhE+Busk2ai/4CV:PrRtYNFjLlkzwP8vlVE+BY2V4c

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Protector Del Este S.A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Protector Del Este S.A.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Protector Del Este S.A.exe

Executes dropped EXE 3 IoCs

pid	Process
5088	XClient.exe
3128	XClient.exe
2804	XClient.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4612	5088	WerFault.exe	82
2784	5096	WerFault.exe	92
3284	1360	WerFault.exe	98
2164	2992	WerFault.exe	100

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5088	XClient.exe
Token: SeDebugPrivilege	3128	XClient.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 5088	5016	Protector Del Este S.A.exe	82
PID 5016 wrote to memory of 5088	5016	Protector Del Este S.A.exe	82
PID 5016 wrote to memory of 2576	5016	Protector Del Este S.A.exe	83
PID 5016 wrote to memory of 2576	5016	Protector Del Este S.A.exe	83
PID 2576 wrote to memory of 3128	2576	Protector Del Este S.A.exe	84
PID 2576 wrote to memory of 3128	2576	Protector Del Este S.A.exe	84
PID 2576 wrote to memory of 880	2576	Protector Del Este S.A.exe	85
PID 2576 wrote to memory of 880	2576	Protector Del Este S.A.exe	85
PID 880 wrote to memory of 2804	880	Protector Del Este S.A.exe	86
PID 880 wrote to memory of 2804	880	Protector Del Este S.A.exe	86

C:\Users\Admin\AppData\Local\Temp\Protector Del Este S.A.exe
"C:\Users\Admin\AppData\Local\Temp\Protector Del Este S.A.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5088
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 5088 -s 1676
    3⤵
    - Program crash
    PID:4612
- C:\Users\Admin\AppData\Local\Temp\Protector Del Este S.A.exe
  "C:\Users\Admin\AppData\Local\Temp\Protector Del Este S.A.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3128
- - C:\Users\Admin\AppData\Local\Temp\Protector Del Este S.A.exe
    "C:\Users\Admin\AppData\Local\Temp\Protector Del Este S.A.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:880
  - - C:\Users\Admin\AppData\Local\Temp\XClient.exe
      "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
      4⤵
      Executes dropped EXE
      PID:2804
  - - C:\Users\Admin\AppData\Local\Temp\Protector Del Este S.A.exe
      "C:\Users\Admin\AppData\Local\Temp\Protector Del Este S.A.exe"
      4⤵
      PID:4180
    - - C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        5⤵
        
        PID:396
    - - C:\Users\Admin\AppData\Local\Temp\Protector Del Este S.A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Protector Del Este S.A.exe"
        5⤵
        
        PID:2020
      - C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        6⤵
        
        PID:5096
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 5096 -s 1644
        7⤵
        Program crash
        
        PID:2784
      - C:\Users\Admin\AppData\Local\Temp\Protector Del Este S.A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Protector Del Este S.A.exe"
        6⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        7⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\Protector Del Este S.A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Protector Del Este S.A.exe"
        7⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        8⤵
        
        PID:1360
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 1360 -s 1644
        9⤵
        Program crash
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\Protector Del Este S.A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Protector Del Este S.A.exe"
        8⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        9⤵
        
        PID:2992
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2992 -s 1648
        10⤵
        Program crash
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\Protector Del Este S.A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Protector Del Este S.A.exe"
        9⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        10⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\Protector Del Este S.A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Protector Del Este S.A.exe"
        10⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\XClient.exe
        
        "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
        11⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\Protector Del Este S.A.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Protector Del Este S.A.exe"
        11⤵
        
        PID:4072

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 5088 -ip 5088
1⤵
PID:1428

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 528 -p 5096 -ip 5096
1⤵
PID:4200

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 1360 -ip 1360
1⤵
PID:4272

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 484 -p 2992 -ip 2992
1⤵
PID:2680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Protector Del Este S.A.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\XClient.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
77KB

MD5
1b01771066056270e236a7a415e4d5d6

SHA1
e551c176070d5a97dd14288d9facdbd988ad3b5f

SHA256
240afaf97f02ecf9adafe7c2e2efd9b4a7a3e4652faaa629bb52ad3bc1553193

SHA512
63fc3c056fa3aa6d3f232f3eecd4cea4ae8490c7b0d2e8e9e51cc94eda09c64719d71ffc3df16d43ce919392c11e4607cde56cf098edbc73c6ba6e4610537e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
77KB

MD5
1b01771066056270e236a7a415e4d5d6

SHA1
e551c176070d5a97dd14288d9facdbd988ad3b5f

SHA256
240afaf97f02ecf9adafe7c2e2efd9b4a7a3e4652faaa629bb52ad3bc1553193

SHA512
63fc3c056fa3aa6d3f232f3eecd4cea4ae8490c7b0d2e8e9e51cc94eda09c64719d71ffc3df16d43ce919392c11e4607cde56cf098edbc73c6ba6e4610537e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
77KB

MD5
1b01771066056270e236a7a415e4d5d6

SHA1
e551c176070d5a97dd14288d9facdbd988ad3b5f

SHA256
240afaf97f02ecf9adafe7c2e2efd9b4a7a3e4652faaa629bb52ad3bc1553193

SHA512
63fc3c056fa3aa6d3f232f3eecd4cea4ae8490c7b0d2e8e9e51cc94eda09c64719d71ffc3df16d43ce919392c11e4607cde56cf098edbc73c6ba6e4610537e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
77KB

MD5
1b01771066056270e236a7a415e4d5d6

SHA1
e551c176070d5a97dd14288d9facdbd988ad3b5f

SHA256
240afaf97f02ecf9adafe7c2e2efd9b4a7a3e4652faaa629bb52ad3bc1553193

SHA512
63fc3c056fa3aa6d3f232f3eecd4cea4ae8490c7b0d2e8e9e51cc94eda09c64719d71ffc3df16d43ce919392c11e4607cde56cf098edbc73c6ba6e4610537e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
77KB

MD5
1b01771066056270e236a7a415e4d5d6

SHA1
e551c176070d5a97dd14288d9facdbd988ad3b5f

SHA256
240afaf97f02ecf9adafe7c2e2efd9b4a7a3e4652faaa629bb52ad3bc1553193

SHA512
63fc3c056fa3aa6d3f232f3eecd4cea4ae8490c7b0d2e8e9e51cc94eda09c64719d71ffc3df16d43ce919392c11e4607cde56cf098edbc73c6ba6e4610537e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
77KB

MD5
1b01771066056270e236a7a415e4d5d6

SHA1
e551c176070d5a97dd14288d9facdbd988ad3b5f

SHA256
240afaf97f02ecf9adafe7c2e2efd9b4a7a3e4652faaa629bb52ad3bc1553193

SHA512
63fc3c056fa3aa6d3f232f3eecd4cea4ae8490c7b0d2e8e9e51cc94eda09c64719d71ffc3df16d43ce919392c11e4607cde56cf098edbc73c6ba6e4610537e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
77KB

MD5
1b01771066056270e236a7a415e4d5d6

SHA1
e551c176070d5a97dd14288d9facdbd988ad3b5f

SHA256
240afaf97f02ecf9adafe7c2e2efd9b4a7a3e4652faaa629bb52ad3bc1553193

SHA512
63fc3c056fa3aa6d3f232f3eecd4cea4ae8490c7b0d2e8e9e51cc94eda09c64719d71ffc3df16d43ce919392c11e4607cde56cf098edbc73c6ba6e4610537e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
77KB

MD5
1b01771066056270e236a7a415e4d5d6

SHA1
e551c176070d5a97dd14288d9facdbd988ad3b5f

SHA256
240afaf97f02ecf9adafe7c2e2efd9b4a7a3e4652faaa629bb52ad3bc1553193

SHA512
63fc3c056fa3aa6d3f232f3eecd4cea4ae8490c7b0d2e8e9e51cc94eda09c64719d71ffc3df16d43ce919392c11e4607cde56cf098edbc73c6ba6e4610537e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
77KB

MD5
1b01771066056270e236a7a415e4d5d6

SHA1
e551c176070d5a97dd14288d9facdbd988ad3b5f

SHA256
240afaf97f02ecf9adafe7c2e2efd9b4a7a3e4652faaa629bb52ad3bc1553193

SHA512
63fc3c056fa3aa6d3f232f3eecd4cea4ae8490c7b0d2e8e9e51cc94eda09c64719d71ffc3df16d43ce919392c11e4607cde56cf098edbc73c6ba6e4610537e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
77KB

MD5
1b01771066056270e236a7a415e4d5d6

SHA1
e551c176070d5a97dd14288d9facdbd988ad3b5f

SHA256
240afaf97f02ecf9adafe7c2e2efd9b4a7a3e4652faaa629bb52ad3bc1553193

SHA512
63fc3c056fa3aa6d3f232f3eecd4cea4ae8490c7b0d2e8e9e51cc94eda09c64719d71ffc3df16d43ce919392c11e4607cde56cf098edbc73c6ba6e4610537e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
77KB

MD5
1b01771066056270e236a7a415e4d5d6

SHA1
e551c176070d5a97dd14288d9facdbd988ad3b5f

SHA256
240afaf97f02ecf9adafe7c2e2efd9b4a7a3e4652faaa629bb52ad3bc1553193

SHA512
63fc3c056fa3aa6d3f232f3eecd4cea4ae8490c7b0d2e8e9e51cc94eda09c64719d71ffc3df16d43ce919392c11e4607cde56cf098edbc73c6ba6e4610537e4c

Download Submit
memory/396-169-0x00007FFF6F780000-0x00007FFF70241000-memory.dmp

Filesize
10.8MB

Download
memory/396-162-0x00007FFF6F780000-0x00007FFF70241000-memory.dmp

Filesize
10.8MB

Download
memory/400-184-0x00007FFF6F780000-0x00007FFF70241000-memory.dmp

Filesize
10.8MB

Download
memory/400-189-0x00007FFF6F780000-0x00007FFF70241000-memory.dmp

Filesize
10.8MB

Download
memory/880-148-0x00007FFF6F780000-0x00007FFF70241000-memory.dmp

Filesize
10.8MB

Download
memory/880-154-0x00007FFF6F780000-0x00007FFF70241000-memory.dmp

Filesize
10.8MB

Download
memory/1360-196-0x00007FFF6F780000-0x00007FFF70241000-memory.dmp

Filesize
10.8MB

Download
memory/1360-182-0x00007FFF6F780000-0x00007FFF70241000-memory.dmp

Filesize
10.8MB

Download
memory/2020-168-0x00007FFF6F780000-0x00007FFF70241000-memory.dmp

Filesize
10.8MB

Download
memory/2020-164-0x00007FFF6F780000-0x00007FFF70241000-memory.dmp

Filesize
10.8MB

Download
memory/2576-146-0x00007FFF6F780000-0x00007FFF70241000-memory.dmp

Filesize
10.8MB

Download
memory/2576-141-0x00007FFF6F780000-0x00007FFF70241000-memory.dmp

Filesize
10.8MB

Download
memory/2692-203-0x00007FFF6F780000-0x00007FFF70241000-memory.dmp

Filesize
10.8MB

Download
memory/2692-198-0x00007FFF6F780000-0x00007FFF70241000-memory.dmp

Filesize
10.8MB

Download
memory/2804-156-0x00007FFF6F780000-0x00007FFF70241000-memory.dmp

Filesize
10.8MB

Download
memory/2804-158-0x00007FFF6F780000-0x00007FFF70241000-memory.dmp

Filesize
10.8MB

Download
memory/2992-190-0x00007FFF6F780000-0x00007FFF70241000-memory.dmp

Filesize
10.8MB

Download
memory/3128-147-0x00007FFF6F780000-0x00007FFF70241000-memory.dmp

Filesize
10.8MB

Download
memory/3128-153-0x00007FFF6F780000-0x00007FFF70241000-memory.dmp

Filesize
10.8MB

Download
memory/3636-191-0x00007FFF6F780000-0x00007FFF70241000-memory.dmp

Filesize
10.8MB

Download
memory/3636-195-0x00007FFF6F780000-0x00007FFF70241000-memory.dmp

Filesize
10.8MB

Download
memory/4180-161-0x00007FFF6F780000-0x00007FFF70241000-memory.dmp

Filesize
10.8MB

Download
memory/4180-155-0x00007FFF6F780000-0x00007FFF70241000-memory.dmp

Filesize
10.8MB

Download
memory/4408-175-0x00007FFF6F780000-0x00007FFF70241000-memory.dmp

Filesize
10.8MB

Download
memory/4408-170-0x00007FFF6F780000-0x00007FFF70241000-memory.dmp

Filesize
10.8MB

Download
memory/4660-176-0x00007FFF6F780000-0x00007FFF70241000-memory.dmp

Filesize
10.8MB

Download
memory/4660-183-0x00007FFF6F780000-0x00007FFF70241000-memory.dmp

Filesize
10.8MB

Download
memory/4748-197-0x00007FFF6F780000-0x00007FFF70241000-memory.dmp

Filesize
10.8MB

Download
memory/4748-202-0x00007FFF6F780000-0x00007FFF70241000-memory.dmp

Filesize
10.8MB

Download
memory/4756-181-0x00007FFF6F780000-0x00007FFF70241000-memory.dmp

Filesize
10.8MB

Download
memory/4756-177-0x00007FFF6F780000-0x00007FFF70241000-memory.dmp

Filesize
10.8MB

Download
memory/5016-132-0x0000000000AD0000-0x0000000000B66000-memory.dmp

Filesize
600KB

Download
memory/5016-139-0x00007FFF6F780000-0x00007FFF70241000-memory.dmp

Filesize
10.8MB

Download
memory/5016-133-0x00007FFF6F780000-0x00007FFF70241000-memory.dmp

Filesize
10.8MB

Download
memory/5088-140-0x00007FFF6F780000-0x00007FFF70241000-memory.dmp

Filesize
10.8MB

Download
memory/5088-171-0x00007FFF6F780000-0x00007FFF70241000-memory.dmp

Filesize
10.8MB

Download
memory/5088-137-0x0000000000580000-0x000000000059A000-memory.dmp

Filesize
104KB

Download
memory/5096-185-0x00007FFF6F780000-0x00007FFF70241000-memory.dmp

Filesize
10.8MB

Download
memory/5096-167-0x00007FFF6F780000-0x00007FFF70241000-memory.dmp

Filesize
10.8MB

Download