622d580dc26dc81d0d9a4c0a396db513737e7237d166e2b6c1d9a66fa71821e9

General

Target

93af744fa95d6ead692424cbbab3e8e5.exe
Size

2.0MB
MD5

93af744fa95d6ead692424cbbab3e8e5
SHA1

286b3ddd319bd8d5e49db6675ff6dada73d86930
SHA256

622d580dc26dc81d0d9a4c0a396db513737e7237d166e2b6c1d9a66fa71821e9
SHA512

d4097194ffe68f31412756551c0f154f15ad6fdaa3e485a6b4815eb64f546bc0884541129f64ed5cb46e6bdefb724749c065f3bb7622799611adf111d9ebfdfc
SSDEEP

49152:r8cUfZsF6GWhsesortO2FAZ8mlQuR7Djfan3zIEUttrx7H2:r8XxxGWhDjWDQ+QoDx2

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

93af744fa95d6ead692424cbbab3e8e5.exe5ke5w833eo7e9wm.exe6eqxwk49u166oll.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	93af744fa95d6ead692424cbbab3e8e5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	5ke5w833eo7e9wm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	6eqxwk49u166oll.exe

Executes dropped EXE 3 IoCs

Processes:

5ke5w833eo7e9wm.exe6eqxwk49u166oll.exeProtector-ruqc.exe

pid process

1756 5ke5w833eo7e9wm.exe
1256 6eqxwk49u166oll.exe
4064 Protector-ruqc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1756	5ke5w833eo7e9wm.exe
1256	6eqxwk49u166oll.exe
4064	Protector-ruqc.exe

Modifies registry class 33 IoCs

Processes:

6eqxwk49u166oll.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5098B36C-F8CE-41A0-F79C-5413D26D6DB2}\ = "Otehe.Azebjov.Oqefoxon class"	6eqxwk49u166oll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5098B36C-F8CE-41A0-F79C-5413D26D6DB2}\ProgID\	6eqxwk49u166oll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5098B36C-F8CE-41A0-F79C-5413D26D6DB2}\Version\	6eqxwk49u166oll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5098B36C-F8CE-41A0-F79C-5413D26D6DB2}\InProcServer32\ = "%SystemRoot%\\SysWow64\\msxml3.dll"	6eqxwk49u166oll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C31AB795-5611-D7E0-6E33-3C07844D8F21}\1.0\0\win32	6eqxwk49u166oll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C31AB795-5611-D7E0-6E33-3C07844D8F21}\1.0\FLAGS\	6eqxwk49u166oll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C31AB795-5611-D7E0-6E33-3C07844D8F21}\1.0\HELPDIR\ = "%systemroot%\\SysWow64\\"	6eqxwk49u166oll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5098B36C-F8CE-41A0-F79C-5413D26D6DB2}\Version	6eqxwk49u166oll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C31AB795-5611-D7E0-6E33-3C07844D8F21}	6eqxwk49u166oll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C31AB795-5611-D7E0-6E33-3C07844D8F21}\1.0\	6eqxwk49u166oll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C31AB795-5611-D7E0-6E33-3C07844D8F21}\1.0\HELPDIR	6eqxwk49u166oll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C31AB795-5611-D7E0-6E33-3C07844D8F21}\1.0\HELPDIR\	6eqxwk49u166oll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5098B36C-F8CE-41A0-F79C-5413D26D6DB2}\TypeLib	6eqxwk49u166oll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5098B36C-F8CE-41A0-F79C-5413D26D6DB2}\Version\ = "3.0"	6eqxwk49u166oll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C31AB795-5611-D7E0-6E33-3C07844D8F21}\1.0	6eqxwk49u166oll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C31AB795-5611-D7E0-6E33-3C07844D8F21}\1.0\ = "Search CoClasses Type Library"	6eqxwk49u166oll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C31AB795-5611-D7E0-6E33-3C07844D8F21}\1.0\0\win32\	6eqxwk49u166oll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C31AB795-5611-D7E0-6E33-3C07844D8F21}\1.0\0\win32\ = "%systemroot%\\SysWow64\\mssrch.dll"	6eqxwk49u166oll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C31AB795-5611-D7E0-6E33-3C07844D8F21}\1.0\FLAGS	6eqxwk49u166oll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5098B36C-F8CE-41A0-F79C-5413D26D6DB2}\VersionIndependentProgID\	6eqxwk49u166oll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5098B36C-F8CE-41A0-F79C-5413D26D6DB2}\VersionIndependentProgID\ = "Msxml2.SAXAttributes"	6eqxwk49u166oll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5098B36C-F8CE-41A0-F79C-5413D26D6DB2}\ProgID\ = "Msxml2.SAXAttributes"	6eqxwk49u166oll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C31AB795-5611-D7E0-6E33-3C07844D8F21}\1.0\0	6eqxwk49u166oll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5098B36C-F8CE-41A0-F79C-5413D26D6DB2}\TypeLib\	6eqxwk49u166oll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5098B36C-F8CE-41A0-F79C-5413D26D6DB2}\VersionIndependentProgID	6eqxwk49u166oll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5098B36C-F8CE-41A0-F79C-5413D26D6DB2}\InProcServer32	6eqxwk49u166oll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5098B36C-F8CE-41A0-F79C-5413D26D6DB2}\InProcServer32\	6eqxwk49u166oll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5098B36C-F8CE-41A0-F79C-5413D26D6DB2}\ProgID	6eqxwk49u166oll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C31AB795-5611-D7E0-6E33-3C07844D8F21}\1.0\0\	6eqxwk49u166oll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C31AB795-5611-D7E0-6E33-3C07844D8F21}\1.0\FLAGS\ = "0"	6eqxwk49u166oll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5098B36C-F8CE-41A0-F79C-5413D26D6DB2}	6eqxwk49u166oll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5098B36C-F8CE-41A0-F79C-5413D26D6DB2}\TypeLib\ = "{C31AB795-5611-D7E0-6E33-3C07844D8F21}"	6eqxwk49u166oll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C31AB795-5611-D7E0-6E33-3C07844D8F21}\	6eqxwk49u166oll.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

6eqxwk49u166oll.exe

description pid process

Token: SeDebugPrivilege 1256 6eqxwk49u166oll.exe
Token: SeShutdownPrivilege 1256 6eqxwk49u166oll.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

6eqxwk49u166oll.exeProtector-ruqc.exe

pid process

1256 6eqxwk49u166oll.exe
4064 Protector-ruqc.exe

description	pid	process
Token: SeDebugPrivilege	1256	6eqxwk49u166oll.exe
Token: SeShutdownPrivilege	1256	6eqxwk49u166oll.exe

pid	process
1256	6eqxwk49u166oll.exe
4064	Protector-ruqc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

93af744fa95d6ead692424cbbab3e8e5.exe5ke5w833eo7e9wm.exe6eqxwk49u166oll.exe

description	pid	process	target process
PID 4080 wrote to memory of 1756	4080	93af744fa95d6ead692424cbbab3e8e5.exe	5ke5w833eo7e9wm.exe
PID 4080 wrote to memory of 1756	4080	93af744fa95d6ead692424cbbab3e8e5.exe	5ke5w833eo7e9wm.exe
PID 4080 wrote to memory of 1756	4080	93af744fa95d6ead692424cbbab3e8e5.exe	5ke5w833eo7e9wm.exe
PID 1756 wrote to memory of 1256	1756	5ke5w833eo7e9wm.exe	6eqxwk49u166oll.exe
PID 1756 wrote to memory of 1256	1756	5ke5w833eo7e9wm.exe	6eqxwk49u166oll.exe
PID 1756 wrote to memory of 1256	1756	5ke5w833eo7e9wm.exe	6eqxwk49u166oll.exe
PID 1256 wrote to memory of 4064	1256	6eqxwk49u166oll.exe	Protector-ruqc.exe
PID 1256 wrote to memory of 4064	1256	6eqxwk49u166oll.exe	Protector-ruqc.exe
PID 1256 wrote to memory of 4064	1256	6eqxwk49u166oll.exe	Protector-ruqc.exe
PID 1256 wrote to memory of 4424	1256	6eqxwk49u166oll.exe	cmd.exe
PID 1256 wrote to memory of 4424	1256	6eqxwk49u166oll.exe	cmd.exe
PID 1256 wrote to memory of 4424	1256	6eqxwk49u166oll.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\93af744fa95d6ead692424cbbab3e8e5.exe
"C:\Users\Admin\AppData\Local\Temp\93af744fa95d6ead692424cbbab3e8e5.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4080

C:\Users\Admin\AppData\Local\Temp\RarSFX0\5ke5w833eo7e9wm.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\5ke5w833eo7e9wm.exe" -e -pe17js56fq1jh4vq
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Local\Temp\RarSFX1\6eqxwk49u166oll.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\6eqxwk49u166oll.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Roaming\Protector-ruqc.exe
C:\Users\Admin\AppData\Roaming\Protector-ruqc.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4064

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\6EQXWK~1.EXE" >> NUL
4⤵
PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\5ke5w833eo7e9wm.exe
Filesize
1.9MB

MD5
8666dfab99a3fce2ea7a918b066e65aa

SHA1
543bc086ecd3385f1fc318d9b0ee0e25826b9461

SHA256
5a006ca284cfcc4943936eed87e8a3bf4c7c88f62ca0fa0886f668ab334dbfa5

SHA512
a3b286394b2c752e67a7f68b56c3e9d00fccba2c97940a9c3dafd480a30f2129cf6936ed18ef51ca692aa025481fff94e46f983bc2351023f0b1b1495604fa8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\6eqxwk49u166oll.exe
Filesize
1.8MB

MD5
136ab618780fb3403e2dcc821304df9f

SHA1
02d6c8f4666ec537e5b3a18e9b6524b352aff7c2

SHA256
854970158c1514690772a753fdaed4662ece99019f83c2cb6139765b8b02fd7e

SHA512
889825d9ec2906b067f20a8194863e3f88ebaf7a65462b0deecee52fba4ae786677403e3cf4d685775437960114a449ed9d57a180b0e96cdbfe25b0466c9eeb8

Download Submit
memory/1256-35-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/1256-32-0x00000000035F0000-0x00000000035F2000-memory.dmp

Filesize
8KB

Download
memory/1256-21-0x0000000000400000-0x00000000007D9000-memory.dmp

Filesize
3.8MB

Download
memory/1256-26-0x00000000027D0000-0x00000000027D1000-memory.dmp

Filesize
4KB

Download
memory/1256-27-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/1256-24-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/1256-28-0x00000000027F0000-0x00000000027F1000-memory.dmp

Filesize
4KB

Download
memory/1256-29-0x0000000003610000-0x0000000003611000-memory.dmp

Filesize
4KB

Download
memory/1256-30-0x0000000003600000-0x0000000003602000-memory.dmp

Filesize
8KB

Download
memory/1256-23-0x0000000002780000-0x0000000002781000-memory.dmp

Filesize
4KB

Download
memory/1256-31-0x0000000003650000-0x0000000003651000-memory.dmp

Filesize
4KB

Download
memory/1256-49-0x0000000000400000-0x00000000007D9000-memory.dmp

Filesize
3.8MB

Download
memory/1256-33-0x0000000003660000-0x0000000003661000-memory.dmp

Filesize
4KB

Download
memory/1256-34-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/1256-25-0x0000000002760000-0x0000000002761000-memory.dmp

Filesize
4KB

Download
memory/1256-37-0x0000000003620000-0x0000000003621000-memory.dmp

Filesize
4KB

Download
memory/1256-22-0x0000000000A00000-0x0000000000A5A000-memory.dmp

Filesize
360KB

Download
memory/1256-38-0x0000000003630000-0x0000000003631000-memory.dmp

Filesize
4KB

Download
memory/1256-39-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/1256-36-0x0000000003640000-0x0000000003641000-memory.dmp

Filesize
4KB

Download
memory/1256-53-0x0000000000A00000-0x0000000000A5A000-memory.dmp

Filesize
360KB

Download
memory/1256-46-0x0000000000400000-0x00000000007D9000-memory.dmp

Filesize
3.8MB

Download
memory/4064-52-0x00000000034F0000-0x00000000034F2000-memory.dmp

Filesize
8KB

Download
memory/4064-48-0x0000000003770000-0x0000000003771000-memory.dmp

Filesize
4KB

Download
memory/4064-47-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/4064-50-0x0000000003550000-0x0000000003551000-memory.dmp

Filesize
4KB

Download
memory/4064-51-0x0000000000400000-0x00000000007D9000-memory.dmp

Filesize
3.8MB

Download
memory/4064-54-0x0000000002320000-0x000000000237A000-memory.dmp

Filesize
360KB

Download
memory/4064-55-0x0000000003560000-0x0000000003561000-memory.dmp

Filesize
4KB

Download
memory/4064-45-0x0000000002320000-0x000000000237A000-memory.dmp

Filesize
360KB

Download
memory/4064-44-0x0000000000400000-0x00000000007D9000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads