4acbfded17e2d4e42eb6c2a52812770f839ea33519b96f0bd3dad20bf94b5cf4

General

Target

75af04d8fb78b273ecc61bef289f00a1.exe
Size

1.9MB
MD5

75af04d8fb78b273ecc61bef289f00a1
SHA1

f829c2465b4be7ad09b1f977eb65786b5886fe58
SHA256

4acbfded17e2d4e42eb6c2a52812770f839ea33519b96f0bd3dad20bf94b5cf4
SHA512

2b9a4867d49b24ad49527616929872a372b7d238bebfe7d2a997327dcc4098ba61bea42a3173b3e0b7cca4a8a82d7573f9be364bc570f7d2eac8ebe7aaa77028
SSDEEP

49152:G69N48Eb0jmrDLlyPCN1E4eYNWwPj2QnjLaPzKpZBiV:G69nEbYm/Wq1EEDPj2QjmrKpZBy

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	75af04d8fb78b273ecc61bef289f00a1.exe

Executes dropped EXE 1 IoCs

pid	Process
5548	Protector-nail.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4124	75af04d8fb78b273ecc61bef289f00a1.exe
Token: SeShutdownPrivilege	4124	75af04d8fb78b273ecc61bef289f00a1.exe
Token: SeDebugPrivilege	5548	Protector-nail.exe
Token: SeShutdownPrivilege	5548	Protector-nail.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4124	75af04d8fb78b273ecc61bef289f00a1.exe
5548	Protector-nail.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 5548	4124	75af04d8fb78b273ecc61bef289f00a1.exe	87
PID 4124 wrote to memory of 5548	4124	75af04d8fb78b273ecc61bef289f00a1.exe	87
PID 4124 wrote to memory of 5548	4124	75af04d8fb78b273ecc61bef289f00a1.exe	87
PID 4124 wrote to memory of 4848	4124	75af04d8fb78b273ecc61bef289f00a1.exe	90
PID 4124 wrote to memory of 4848	4124	75af04d8fb78b273ecc61bef289f00a1.exe	90
PID 4124 wrote to memory of 4848	4124	75af04d8fb78b273ecc61bef289f00a1.exe	90

C:\Users\Admin\AppData\Local\Temp\75af04d8fb78b273ecc61bef289f00a1.exe
"C:\Users\Admin\AppData\Local\Temp\75af04d8fb78b273ecc61bef289f00a1.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Users\Admin\AppData\Roaming\Protector-nail.exe
  C:\Users\Admin\AppData\Roaming\Protector-nail.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5548
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\75AF04~1.EXE" >> NUL
  2⤵
  PID:4848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Protector-nail.exe

Filesize
507KB

MD5
98820d11b32babe2fe7f153b8b5afcbe

SHA1
69bc55edc4ea89418f95cc0e174d5fdc6b3c7ea7

SHA256
8c47923fcd5fea0f9d2291a09e4bc78fe9812f00b5151a5cf3d13d1928176649

SHA512
66b182f3e5f21e8654a29f7c452733f183efa7a14f878a5b050cf370c4ac15b27cf0d7e586d202eae51c59a66ea2e53ef3a76b4d1e759ed4c3cf23480c06752d

Download Submit
C:\Users\Admin\AppData\Roaming\Protector-nail.exe

Filesize
431KB

MD5
337d2b58a11b8b5959a427c2d6ff37b3

SHA1
9e7855466dfc027089457bbc4863472462b5cc6d

SHA256
4e30267b341c77a13b1cfd7a9bb73267d374d45f3ab5692db70bbaee15939968

SHA512
3213d2719a3234fb654486e2f523e8f2aa6d504964c5b84dd9418c442286e4b07abdb08cffdca8434c2636e4153b4bbb0d2c6ec44fd6237becad6d42aca1c80b

Download Submit
memory/4124-7-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/4124-5-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/4124-16-0x00000000036D0000-0x00000000036D1000-memory.dmp

Filesize
4KB

Download
memory/4124-19-0x0000000002A10000-0x0000000002A11000-memory.dmp

Filesize
4KB

Download
memory/4124-18-0x00000000036B0000-0x00000000036B1000-memory.dmp

Filesize
4KB

Download
memory/4124-17-0x00000000036C0000-0x00000000036C1000-memory.dmp

Filesize
4KB

Download
memory/4124-15-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/4124-14-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/4124-13-0x00000000036F0000-0x00000000036F1000-memory.dmp

Filesize
4KB

Download
memory/4124-12-0x0000000003680000-0x0000000003682000-memory.dmp

Filesize
8KB

Download
memory/4124-11-0x00000000036E0000-0x00000000036E1000-memory.dmp

Filesize
4KB

Download
memory/4124-10-0x0000000003920000-0x0000000003921000-memory.dmp

Filesize
4KB

Download
memory/4124-9-0x0000000003690000-0x0000000003692000-memory.dmp

Filesize
8KB

Download
memory/4124-8-0x00000000036A0000-0x00000000036A1000-memory.dmp

Filesize
4KB

Download
memory/4124-3-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/4124-0-0x0000000000400000-0x000000000081F000-memory.dmp

Filesize
4.1MB

Download
memory/4124-4-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/4124-2-0x0000000002820000-0x0000000002821000-memory.dmp

Filesize
4KB

Download
memory/4124-6-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/4124-1-0x0000000000E50000-0x0000000000EAA000-memory.dmp

Filesize
360KB

Download
memory/4124-34-0x0000000000E50000-0x0000000000EAA000-memory.dmp

Filesize
360KB

Download
memory/4124-33-0x0000000000400000-0x000000000081F000-memory.dmp

Filesize
4.1MB

Download
memory/5548-25-0x0000000000D70000-0x0000000000DCA000-memory.dmp

Filesize
360KB

Download
memory/5548-29-0x00000000035A0000-0x00000000035A1000-memory.dmp

Filesize
4KB

Download
memory/5548-28-0x0000000000400000-0x000000000081F000-memory.dmp

Filesize
4.1MB

Download
memory/5548-30-0x0000000003540000-0x0000000003542000-memory.dmp

Filesize
8KB

Download
memory/5548-32-0x00000000035B0000-0x00000000035B1000-memory.dmp

Filesize
4KB

Download
memory/5548-31-0x0000000000D70000-0x0000000000DCA000-memory.dmp

Filesize
360KB

Download
memory/5548-27-0x0000000003560000-0x0000000003561000-memory.dmp

Filesize
4KB

Download
memory/5548-26-0x0000000003550000-0x00000000037E0000-memory.dmp

Filesize
2.6MB

Download
memory/5548-24-0x0000000000400000-0x000000000081F000-memory.dmp

Filesize
4.1MB

Download

Analysis

Sharing