3a7c95447f140a42609450d4fbcfbdb398aef5e2399d524d28d603e4d1d5e8d8

Analysis

max time kernel
154s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 15:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

28ca8ca83bb67295b58b77dbb80459b3.exe
Size

2.2MB
MD5

28ca8ca83bb67295b58b77dbb80459b3
SHA1

8b769a57086dfd7b8f200eabcc50ab2157d2069a
SHA256

3a7c95447f140a42609450d4fbcfbdb398aef5e2399d524d28d603e4d1d5e8d8
SHA512

95d54a7175a39ac3f7d35e7eefee35523c0032756016ae65dbb4149dffa4df96e07ef650af90c038570161af60c761f9408006bb148702ccf8c2216bc7336b99
SSDEEP

49152:L5Gsw9VgDQJ8L4gRUTdGh939Q8hGChOMn13djv/MEql:LJw9VLbgeTsHsChDdD/Ta

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	28ca8ca83bb67295b58b77dbb80459b3.exe

Executes dropped EXE 1 IoCs

pid	Process
1336	Protector-vhqp.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4104-3-0x0000000000400000-0x000000000076A000-memory.dmp	upx
behavioral2/memory/4104-4-0x0000000000400000-0x000000000076A000-memory.dmp	upx
behavioral2/memory/4104-5-0x0000000000400000-0x000000000076A000-memory.dmp	upx
behavioral2/memory/4104-12-0x0000000000400000-0x000000000076A000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4104	28ca8ca83bb67295b58b77dbb80459b3.exe
Token: SeShutdownPrivilege	4104	28ca8ca83bb67295b58b77dbb80459b3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4104	28ca8ca83bb67295b58b77dbb80459b3.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 1336	4104	28ca8ca83bb67295b58b77dbb80459b3.exe	92
PID 4104 wrote to memory of 1336	4104	28ca8ca83bb67295b58b77dbb80459b3.exe	92
PID 4104 wrote to memory of 1336	4104	28ca8ca83bb67295b58b77dbb80459b3.exe	92
PID 4104 wrote to memory of 4228	4104	28ca8ca83bb67295b58b77dbb80459b3.exe	93
PID 4104 wrote to memory of 4228	4104	28ca8ca83bb67295b58b77dbb80459b3.exe	93
PID 4104 wrote to memory of 4228	4104	28ca8ca83bb67295b58b77dbb80459b3.exe	93

C:\Users\Admin\AppData\Local\Temp\28ca8ca83bb67295b58b77dbb80459b3.exe
"C:\Users\Admin\AppData\Local\Temp\28ca8ca83bb67295b58b77dbb80459b3.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Users\Admin\AppData\Roaming\Protector-vhqp.exe
  C:\Users\Admin\AppData\Roaming\Protector-vhqp.exe
  2⤵
  - Executes dropped EXE
  PID:1336
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\28CA8C~1.EXE" >> NUL
  2⤵
  PID:4228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Protector-vhqp.exe

Filesize
364KB

MD5
1e723767a32cb6e35415f3904b233ba8

SHA1
2a3b9114927de8bd1bcbfedae07c55584b2f34a3

SHA256
dfaa6066fea5f050f004b3d6668eab73792ae26e7de3bd541374b64d3c3aeebb

SHA512
4f8803e77dc2cd0e3e2932e4b579d6606cace7b99bb9924bbd4f6cca19a1e7c37075497841ea56806f6407a9849094b71d737fa781f58ef9b54adab154c84478

Download Submit
C:\Users\Admin\AppData\Roaming\Protector-vhqp.exe

Filesize
293KB

MD5
3d301efbf9796f645d9d1c22789253da

SHA1
961a8818ea3978ec06c930d76d606fadf4783c22

SHA256
dd653245e53c83affe3b22f668b5879d2849b2ad2256e28c824873ef92fbe7b1

SHA512
9950e8dbfb894c34cf011236eca6dad90c0f3bf16a7d3ba2a2182082bedd8fe9c812e029f7bd57ab13c983c9727e3fa060f3ead185a1e2dc39ba21e9d21df605

Download Submit
memory/1336-11-0x0000000075DE0000-0x0000000075ED0000-memory.dmp

Filesize
960KB

Download
memory/1336-10-0x0000000000400000-0x00000000009B5000-memory.dmp

Filesize
5.7MB

Download
memory/1336-16-0x0000000000400000-0x00000000009B5000-memory.dmp

Filesize
5.7MB

Download
memory/1336-18-0x0000000075DE0000-0x0000000075ED0000-memory.dmp

Filesize
960KB

Download
memory/4104-3-0x0000000000400000-0x000000000076A000-memory.dmp

Filesize
3.4MB

Download
memory/4104-4-0x0000000000400000-0x000000000076A000-memory.dmp

Filesize
3.4MB

Download
memory/4104-5-0x0000000000400000-0x000000000076A000-memory.dmp

Filesize
3.4MB

Download
memory/4104-2-0x00000000745E0000-0x0000000074673000-memory.dmp

Filesize
588KB

Download
memory/4104-1-0x0000000075DE0000-0x0000000075ED0000-memory.dmp

Filesize
960KB

Download
memory/4104-0-0x0000000000400000-0x00000000009B5000-memory.dmp

Filesize
5.7MB

Download
memory/4104-12-0x0000000000400000-0x000000000076A000-memory.dmp

Filesize
3.4MB

Download
memory/4104-14-0x0000000075DE0000-0x0000000075ED0000-memory.dmp

Filesize
960KB

Download
memory/4104-15-0x00000000745E0000-0x0000000074673000-memory.dmp

Filesize
588KB

Download