d58642ba8acce1a1772334a99ec77a9480d8df8aceb1da121eaa2e4f9eafffa2

General

Target

78e097912f7d18dc19b716f35a2b58dd.exe
Size

2.0MB
MD5

78e097912f7d18dc19b716f35a2b58dd
SHA1

75cfd8eba27caf189bdc668f5be16d936df954ce
SHA256

d58642ba8acce1a1772334a99ec77a9480d8df8aceb1da121eaa2e4f9eafffa2
SHA512

c9ad6fbb86c4b4c4ad4b6d754687e6c8d008054283859c5b9337c520d7ba7d5b7c120f53c211c77a8990aa330986e66d7804895c51f7a222d47a83c6be737fa9
SSDEEP

49152:rTcKtjmfpQzizFagOIX+MJnrDoqJWB2te8RI6ZwjMy:rTdmRQGzMcXlIqU048RpZwj

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

78e097912f7d18dc19b716f35a2b58dd.exehz9o49kv79r33ht.exene294ytn6xi1q09.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	78e097912f7d18dc19b716f35a2b58dd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	hz9o49kv79r33ht.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	ne294ytn6xi1q09.exe

Executes dropped EXE 3 IoCs

Processes:

hz9o49kv79r33ht.exene294ytn6xi1q09.exeProtector-kaqv.exe

pid process

792 hz9o49kv79r33ht.exe
2948 ne294ytn6xi1q09.exe
2232 Protector-kaqv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
792	hz9o49kv79r33ht.exe
2948	ne294ytn6xi1q09.exe
2232	Protector-kaqv.exe

Modifies registry class 30 IoCs

Processes:

ne294ytn6xi1q09.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F1217B78-BD02-E2B8-9F51-D876AB0EAA3B}\1.0\FLAGS	ne294ytn6xi1q09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F1217B78-BD02-E2B8-9F51-D876AB0EAA3B}\1.0\FLAGS\ = "0"	ne294ytn6xi1q09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{924F920A-672D-41A9-0498-760AF043F10D}\ProgID\	ne294ytn6xi1q09.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F1217B78-BD02-E2B8-9F51-D876AB0EAA3B}\1.0\0\win32	ne294ytn6xi1q09.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{924F920A-672D-41A9-0498-760AF043F10D}	ne294ytn6xi1q09.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{924F920A-672D-41A9-0498-760AF043F10D}\InProcServer32	ne294ytn6xi1q09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{924F920A-672D-41A9-0498-760AF043F10D}\InProcServer32\	ne294ytn6xi1q09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F1217B78-BD02-E2B8-9F51-D876AB0EAA3B}\1.0\0\win32\	ne294ytn6xi1q09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F1217B78-BD02-E2B8-9F51-D876AB0EAA3B}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\sdchange.exe"	ne294ytn6xi1q09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{924F920A-672D-41A9-0498-760AF043F10D}\Version\	ne294ytn6xi1q09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{924F920A-672D-41A9-0498-760AF043F10D}\InProcServer32\ = "%SystemRoot%\\SysWow64\\msxml3.dll"	ne294ytn6xi1q09.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F1217B78-BD02-E2B8-9F51-D876AB0EAA3B}	ne294ytn6xi1q09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F1217B78-BD02-E2B8-9F51-D876AB0EAA3B}\	ne294ytn6xi1q09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{924F920A-672D-41A9-0498-760AF043F10D}\VersionIndependentProgID\	ne294ytn6xi1q09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{924F920A-672D-41A9-0498-760AF043F10D}\TypeLib\ = "{F1217B78-BD02-E2B8-9F51-D876AB0EAA3B}"	ne294ytn6xi1q09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{924F920A-672D-41A9-0498-760AF043F10D}\VersionIndependentProgID\ = "Msxml2.XMLSchemaCache"	ne294ytn6xi1q09.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{924F920A-672D-41A9-0498-760AF043F10D}\ProgID	ne294ytn6xi1q09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F1217B78-BD02-E2B8-9F51-D876AB0EAA3B}\1.0\0\	ne294ytn6xi1q09.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{924F920A-672D-41A9-0498-760AF043F10D}\VersionIndependentProgID	ne294ytn6xi1q09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F1217B78-BD02-E2B8-9F51-D876AB0EAA3B}\1.0\FLAGS\	ne294ytn6xi1q09.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{924F920A-672D-41A9-0498-760AF043F10D}\TypeLib	ne294ytn6xi1q09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{924F920A-672D-41A9-0498-760AF043F10D}\ = "Otoviti Axectod object"	ne294ytn6xi1q09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{924F920A-672D-41A9-0498-760AF043F10D}\ProgID\ = "Msxml2.XMLSchemaCache"	ne294ytn6xi1q09.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F1217B78-BD02-E2B8-9F51-D876AB0EAA3B}\1.0	ne294ytn6xi1q09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F1217B78-BD02-E2B8-9F51-D876AB0EAA3B}\1.0\	ne294ytn6xi1q09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F1217B78-BD02-E2B8-9F51-D876AB0EAA3B}\1.0\ = "sdchange 1.0 Type Library"	ne294ytn6xi1q09.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F1217B78-BD02-E2B8-9F51-D876AB0EAA3B}\1.0\0	ne294ytn6xi1q09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{924F920A-672D-41A9-0498-760AF043F10D}\TypeLib\	ne294ytn6xi1q09.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{924F920A-672D-41A9-0498-760AF043F10D}\Version	ne294ytn6xi1q09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{924F920A-672D-41A9-0498-760AF043F10D}\Version\ = "3.0"	ne294ytn6xi1q09.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

ne294ytn6xi1q09.exeProtector-kaqv.exe

description	pid	process
Token: SeDebugPrivilege	2948	ne294ytn6xi1q09.exe
Token: SeShutdownPrivilege	2948	ne294ytn6xi1q09.exe
Token: SeDebugPrivilege	2232	Protector-kaqv.exe
Token: SeShutdownPrivilege	2232	Protector-kaqv.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ne294ytn6xi1q09.exeProtector-kaqv.exe

pid process

2948 ne294ytn6xi1q09.exe
2232 Protector-kaqv.exe

pid	process
2948	ne294ytn6xi1q09.exe
2232	Protector-kaqv.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

78e097912f7d18dc19b716f35a2b58dd.exehz9o49kv79r33ht.exene294ytn6xi1q09.exe

description	pid	process	target process
PID 4520 wrote to memory of 792	4520	78e097912f7d18dc19b716f35a2b58dd.exe	hz9o49kv79r33ht.exe
PID 4520 wrote to memory of 792	4520	78e097912f7d18dc19b716f35a2b58dd.exe	hz9o49kv79r33ht.exe
PID 4520 wrote to memory of 792	4520	78e097912f7d18dc19b716f35a2b58dd.exe	hz9o49kv79r33ht.exe
PID 792 wrote to memory of 2948	792	hz9o49kv79r33ht.exe	ne294ytn6xi1q09.exe
PID 792 wrote to memory of 2948	792	hz9o49kv79r33ht.exe	ne294ytn6xi1q09.exe
PID 792 wrote to memory of 2948	792	hz9o49kv79r33ht.exe	ne294ytn6xi1q09.exe
PID 2948 wrote to memory of 2232	2948	ne294ytn6xi1q09.exe	Protector-kaqv.exe
PID 2948 wrote to memory of 2232	2948	ne294ytn6xi1q09.exe	Protector-kaqv.exe
PID 2948 wrote to memory of 2232	2948	ne294ytn6xi1q09.exe	Protector-kaqv.exe
PID 2948 wrote to memory of 756	2948	ne294ytn6xi1q09.exe	cmd.exe
PID 2948 wrote to memory of 756	2948	ne294ytn6xi1q09.exe	cmd.exe
PID 2948 wrote to memory of 756	2948	ne294ytn6xi1q09.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\78e097912f7d18dc19b716f35a2b58dd.exe
"C:\Users\Admin\AppData\Local\Temp\78e097912f7d18dc19b716f35a2b58dd.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4520

C:\Users\Admin\AppData\Local\Temp\RarSFX0\hz9o49kv79r33ht.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\hz9o49kv79r33ht.exe" -e -p89u2mi694d15151
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:792

C:\Users\Admin\AppData\Local\Temp\RarSFX1\ne294ytn6xi1q09.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\ne294ytn6xi1q09.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2948

C:\Users\Admin\AppData\Roaming\Protector-kaqv.exe
C:\Users\Admin\AppData\Roaming\Protector-kaqv.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2232

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\NE294Y~1.EXE" >> NUL
4⤵
PID:756

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\hz9o49kv79r33ht.exe
Filesize
339KB

MD5
568534902be8bf3a94c5b17471000194

SHA1
8a4727d035946c10d788d1496f4705f342a52680

SHA256
07caf9aa0b155792b97c2ab96e8daa58d65a7e0e5ddc4c283ed51f6efc68af4d

SHA512
eb21d2f4cba160dfcef652e3d621f25f06dfa41218c605b9ee52c93df8d511805b42f31f60044566545536fd8376c99a30873e9fb181fba74372da0d9d13309b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hz9o49kv79r33ht.exe
Filesize
233KB

MD5
5f276fb811404c5a3632da0e9de1c239

SHA1
1d24ee37f4c4eb3fad458e2539076bcb5486606a

SHA256
1a7a90efd1946eeadee5968efacb95eb4a96710dcd37459ac981f2964d3edbc0

SHA512
b8abe29386fe79f1afaa69d80aa984bcf6655c15c92898f4e29eefe55a3b0ec19d4c039352ebb806498ba7ed5e832dbc04b0e84fb66a0496b9ebb47517c76450

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hz9o49kv79r33ht.exe
Filesize
169KB

MD5
6730b7bfdbbf89125f3c7b6409040a40

SHA1
c32c0c7719939aa20ee7707cbe04e7ee1d3a95af

SHA256
d3797f5b01919e56547ffa267535e598fe8ac49bde23dbb0a38607f485e02de4

SHA512
62222a1a5fa19e770ab427b7d10a5fc3af5bea9f5d7947fc807a420c3c4df775cdab6bbffe46bd672c7f4d808e30bf93f4fbf678f77e5c004e7fe1ec21b04c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\ne294ytn6xi1q09.exe
Filesize
882KB

MD5
88b9608adefba84f88a26fc5ba975ad7

SHA1
b2c281e1cb8b11ae393557a3ee3773dd94ebd758

SHA256
f2b1eaaf4206dba311bbc194b3b9119fe6bdd7a53d7abf4fda5770d04d673cd5

SHA512
593707e2796301ceb62b44f8ae126049ffdb828ba4fb517e5fb4b7c9a14863bce9b84c3abf442d486e38779d9f64887e5ea8c2edd7fae4ad2024587eb2de05b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\ne294ytn6xi1q09.exe
Filesize
1.0MB

MD5
c3b25dda1421484c8fcc22a9eb7f9883

SHA1
267f63ba3c98462cdda3c7b4df73948ac8225d1e

SHA256
c0d1788524e41f75cd17cc3a6b1fe4c7967d34dcfed9f6b9adf432e044db7dd7

SHA512
e826c243c766137e65aade1a8230edb437150f7ef3cdce7ed209ff0b052e8d825bd26b7d52279377b028a937b92cc381b113b0aec9c5a786eda121fceaf7e4ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\ne294ytn6xi1q09.exe
Filesize
1.1MB

MD5
5377d4724cc8ececa274d9c434317a2f

SHA1
4971f9b4b42176b5a50e859a4c8f3f9658fb07fe

SHA256
4407d743f34394d8b833afa8d27666fb386dcf2308c5512da535ed4c3cc855a6

SHA512
d1d1d499a61ecc4dddfad83e9c86b95d0ac81f2f31687f35e416189f533f40f5e33c219331d76f83cfa3b57b6330625598b5957d76d9976e0a82e4fa263969d1

Download Submit
C:\Users\Admin\AppData\Roaming\Protector-kaqv.exe
Filesize
225KB

MD5
84ac70ae5b574c6770e2db7a09f8fcb5

SHA1
c9c4bfd7197f5540b904d5379bb1c8a4f6a0bcde

SHA256
d40c2982353882d91c1dda06bd188f40b3d88c1e649c5b95eb144244580cbd88

SHA512
c5142ee367b18197f5eda95f767b096d4040b12db6e7acd28008a97ff71882bfa978af1d9aa6738b4d344a49cc7ee4e7f06b565431615b544d5ecd1ea35f03f0

Download Submit
C:\Users\Admin\AppData\Roaming\Protector-kaqv.exe
Filesize
124KB

MD5
e4767629673363a5d0eb8af618e64ae2

SHA1
c4b5074f8f53f3583e08ab6e134a11638156198b

SHA256
c27e8d3107915f4b73afa28ad68980dec04a7445cf0e9b8e41f95eed4878746a

SHA512
5d40daad819209ce61c44edfb47d2a8e41b54990f9274b9689600628654c61fea15285d5144f08a393ab52cd38dd2dca8f3bc51eee255facc7d297c8de9640ae

Download Submit
memory/2232-49-0x0000000003550000-0x0000000003551000-memory.dmp

Filesize
4KB

Download
memory/2232-51-0x0000000000400000-0x00000000007DA000-memory.dmp

Filesize
3.9MB

Download
memory/2232-47-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/2232-54-0x0000000000AF0000-0x0000000000B4A000-memory.dmp

Filesize
360KB

Download
memory/2232-55-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/2232-53-0x0000000003560000-0x0000000003561000-memory.dmp

Filesize
4KB

Download
memory/2232-50-0x00000000034F0000-0x00000000034F2000-memory.dmp

Filesize
8KB

Download
memory/2232-48-0x0000000003770000-0x0000000003771000-memory.dmp

Filesize
4KB

Download
memory/2232-46-0x0000000003500000-0x0000000003770000-memory.dmp

Filesize
2.4MB

Download
memory/2232-45-0x0000000000AF0000-0x0000000000B4A000-memory.dmp

Filesize
360KB

Download
memory/2232-44-0x0000000000400000-0x00000000007DA000-memory.dmp

Filesize
3.9MB

Download
memory/2948-25-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/2948-29-0x0000000003600000-0x0000000003603000-memory.dmp

Filesize
12KB

Download
memory/2948-34-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/2948-33-0x0000000003660000-0x0000000003661000-memory.dmp

Filesize
4KB

Download
memory/2948-32-0x00000000035F0000-0x00000000035F2000-memory.dmp

Filesize
8KB

Download
memory/2948-31-0x0000000003650000-0x0000000003651000-memory.dmp

Filesize
4KB

Download
memory/2948-38-0x0000000003620000-0x0000000003621000-memory.dmp

Filesize
4KB

Download
memory/2948-39-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/2948-37-0x0000000003630000-0x0000000003631000-memory.dmp

Filesize
4KB

Download
memory/2948-36-0x0000000003640000-0x0000000003641000-memory.dmp

Filesize
4KB

Download
memory/2948-30-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/2948-35-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/2948-52-0x0000000000400000-0x00000000007DA000-memory.dmp

Filesize
3.9MB

Download
memory/2948-27-0x00000000026F0000-0x00000000026F1000-memory.dmp

Filesize
4KB

Download
memory/2948-28-0x0000000003610000-0x0000000003611000-memory.dmp

Filesize
4KB

Download
memory/2948-56-0x00000000025F0000-0x000000000264A000-memory.dmp

Filesize
360KB

Download
memory/2948-26-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/2948-24-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/2948-23-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/2948-22-0x00000000025F0000-0x000000000264A000-memory.dmp

Filesize
360KB

Download
memory/2948-21-0x0000000000400000-0x00000000007DA000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads