524744e6f78c782ab7381233104026b766d2d0fb237c6a8c7db759a0619a7fbd

General

Target

71c176fed5542c2ad71f6f4a99847912.exe
Size

2.2MB
MD5

71c176fed5542c2ad71f6f4a99847912
SHA1

d27a7538c572064ac6c3965420dcabc11140912b
SHA256

524744e6f78c782ab7381233104026b766d2d0fb237c6a8c7db759a0619a7fbd
SHA512

a9e74de5c04896ed6265d02b80b11d0cd31c4e764e50f8bcc17663ae34da6a548b12f4788158dba1b831ef6d943efe1e66fdebe2788bbc832b13dde62cff937b
SSDEEP

24576:0iJhD+39Ezy+JDLv34+twwpEAvWnHqkhoY2VDLJqcrMzwnpgdCMCjB0Jq6hC/L81:0iDDICzyG6QEnHqvVNadCKw+N6JOF2B8

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2688	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2916	Protector-bmad.exe

Loads dropped DLL 2 IoCs

pid	Process
2372	71c176fed5542c2ad71f6f4a99847912.exe
2372	71c176fed5542c2ad71f6f4a99847912.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2372-3-0x0000000000400000-0x000000000076B000-memory.dmp	upx
behavioral1/memory/2372-4-0x0000000000400000-0x000000000076B000-memory.dmp	upx
behavioral1/memory/2372-15-0x0000000000400000-0x000000000076B000-memory.dmp	upx
behavioral1/memory/2916-22-0x0000000000400000-0x000000000076B000-memory.dmp	upx
behavioral1/memory/2916-21-0x0000000000400000-0x000000000076B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2372	71c176fed5542c2ad71f6f4a99847912.exe
Token: SeShutdownPrivilege	2372	71c176fed5542c2ad71f6f4a99847912.exe
Token: SeDebugPrivilege	2916	Protector-bmad.exe
Token: SeShutdownPrivilege	2916	Protector-bmad.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2372	71c176fed5542c2ad71f6f4a99847912.exe
2916	Protector-bmad.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2916	2372	71c176fed5542c2ad71f6f4a99847912.exe	30
PID 2372 wrote to memory of 2916	2372	71c176fed5542c2ad71f6f4a99847912.exe	30
PID 2372 wrote to memory of 2916	2372	71c176fed5542c2ad71f6f4a99847912.exe	30
PID 2372 wrote to memory of 2916	2372	71c176fed5542c2ad71f6f4a99847912.exe	30
PID 2372 wrote to memory of 2688	2372	71c176fed5542c2ad71f6f4a99847912.exe	28
PID 2372 wrote to memory of 2688	2372	71c176fed5542c2ad71f6f4a99847912.exe	28
PID 2372 wrote to memory of 2688	2372	71c176fed5542c2ad71f6f4a99847912.exe	28
PID 2372 wrote to memory of 2688	2372	71c176fed5542c2ad71f6f4a99847912.exe	28

C:\Users\Admin\AppData\Local\Temp\71c176fed5542c2ad71f6f4a99847912.exe
"C:\Users\Admin\AppData\Local\Temp\71c176fed5542c2ad71f6f4a99847912.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\71C176~1.EXE" >> NUL
  2⤵
  - Deletes itself
  PID:2688
- C:\Users\Admin\AppData\Roaming\Protector-bmad.exe
  C:\Users\Admin\AppData\Roaming\Protector-bmad.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Protector-bmad.exe

Filesize
508KB

MD5
29801343cf28b294be88e6191dd05f12

SHA1
81cc43f4b560ec4c60a97865804e5bda1051ca01

SHA256
66de49623455e2df775c9cfa77b6225379c7413b89bafbda7f31bbc6f1b111f3

SHA512
13491804d547803147bc260a642e9e503222ef361f04b5a1cfa4684c62a960d9963097e3b2fc5a739eacfd96bf72540ed334cd6a023b4203d11518e582ce0421

Download Submit
C:\Users\Admin\AppData\Roaming\Protector-bmad.exe

Filesize
704KB

MD5
77777bf011943594fdbfb77fbfbab7cc

SHA1
5a12e6a60c89a8cfebe3344b81241f3a10957e58

SHA256
ba628b0df2f440f0993ddb10c458e2cc9a142845f81fa735ef8f53253dd36f7b

SHA512
33687ca84eda3d2c3419f625865f0ebe92cd243fa9b21235f631aed11d6d3d5c363a8d49c4d55c6f6b2f002af72275b82f5e3749659a85b14bbb404f086adaa1

Download Submit
C:\Users\Admin\AppData\Roaming\Protector-bmad.exe

Filesize
489KB

MD5
24515f93bda471a157dfbfee5bc39046

SHA1
85856e30c2469749e6423329030bfbdd520aae78

SHA256
d840054c4d7ecf0f0e17564c931b8d42cebc36a3b5e0fea44c60a2acdab1be26

SHA512
d367db37c0d57dd05831f8d30af48082de2ee67c09281526d2a62f3e23bd8ae992d6f0c6e1b80b8eca6382d47d86444e824458f64679d9380b1b5d8ba4152aa7

Download Submit
\Users\Admin\AppData\Roaming\Protector-bmad.exe

Filesize
795KB

MD5
a93e033fcf16acff58c32dc127c3a4f1

SHA1
3906c3d31ea27ae3065e33e4d3337976e5348efc

SHA256
41657e37677bfb901590e766f6c5cc3f95bd37c895b61d80920c33752711b465

SHA512
cd12df3aa2cefe9e494dd18d5930f4cab01bc15cbb869084eb20e7ef18d885ce022425d67683bd03ca60e43e48571cfadb171299149ba26e2e3b245157c7b844

Download Submit
\Users\Admin\AppData\Roaming\Protector-bmad.exe

Filesize
839KB

MD5
68649b43210d9af7cdbc1c91c78c3d58

SHA1
a05a6a0c7e8a9d1a673f8d7fbde8345e4c38b8fb

SHA256
4668fffe78927536201d67ade8bb5476838d9367c9a1d453549406a84ecc90e7

SHA512
c71265c0bbfbced551d6bb928ef5330d4d5d508529772fec6f348720fa665bb871961d0f6c91f966bc3134e683749afbabb1b24d24fa5bcdab416d808db173b6

Download Submit
memory/2372-3-0x0000000000400000-0x000000000076B000-memory.dmp

Filesize
3.4MB

Download
memory/2372-5-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2372-4-0x0000000000400000-0x000000000076B000-memory.dmp

Filesize
3.4MB

Download
memory/2372-15-0x0000000000400000-0x000000000076B000-memory.dmp

Filesize
3.4MB

Download
memory/2372-20-0x00000000771F0000-0x0000000077300000-memory.dmp

Filesize
1.1MB

Download
memory/2372-0-0x0000000000400000-0x00000000009B5000-memory.dmp

Filesize
5.7MB

Download
memory/2372-17-0x0000000075010000-0x0000000075089000-memory.dmp

Filesize
484KB

Download
memory/2372-2-0x00000000771F0000-0x0000000077300000-memory.dmp

Filesize
1.1MB

Download
memory/2372-1-0x0000000075010000-0x0000000075089000-memory.dmp

Filesize
484KB

Download
memory/2916-22-0x0000000000400000-0x000000000076B000-memory.dmp

Filesize
3.4MB

Download
memory/2916-18-0x0000000000400000-0x00000000009B5000-memory.dmp

Filesize
5.7MB

Download
memory/2916-19-0x0000000075010000-0x0000000075089000-memory.dmp

Filesize
484KB

Download
memory/2916-23-0x0000000075010000-0x0000000075089000-memory.dmp

Filesize
484KB

Download
memory/2916-24-0x00000000771F0000-0x0000000077300000-memory.dmp

Filesize
1.1MB

Download
memory/2916-21-0x0000000000400000-0x000000000076B000-memory.dmp

Filesize
3.4MB

Download

Analysis

Sharing