bd51320e5b89f8e0b15635d394c415e86148caeb4230abe8c82716ce35eff5cc

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13-02-2024 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a14cad3cef7929ef0e9b2c30c57a67a.exe
Size

2.0MB
MD5

9a14cad3cef7929ef0e9b2c30c57a67a
SHA1

43f9374bbe5079d6f1aed792f4b25cd8e2642a7b
SHA256

bd51320e5b89f8e0b15635d394c415e86148caeb4230abe8c82716ce35eff5cc
SHA512

50017688bddc1d7f4b9c34f7f217ccd36a864088dbc223ec494f1b7bc5edea2eff45cd380f6ddce7e2d14ba4abbf19231713cf58d193701c2d7d22c24a8060cb
SSDEEP

49152:e5qJWxgUEmUPLmPn49QB3j7QfBu4e+EF+jQzbMqp/7DvJsf:eMWxgUGmUc7QJnVjQ8qtfQ

Score

8^/10

evasion

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

filesystemscan.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	filesystemscan.exe

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

9a14cad3cef7929ef0e9b2c30c57a67a.exetemp.exefilesystemscan.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	9a14cad3cef7929ef0e9b2c30c57a67a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	temp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	filesystemscan.exe

Executes dropped EXE 3 IoCs

Processes:

temp.exefilesystemscan.exeProtector-xvp.exe

pid process

1084 temp.exe
1192 filesystemscan.exe
1492 Protector-xvp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

filesystemscan.exeProtector-xvp.exe

pid process

1192 filesystemscan.exe
1492 Protector-xvp.exe

pid	process
1084	temp.exe
1192	filesystemscan.exe
1492	Protector-xvp.exe

pid	process
1192	filesystemscan.exe
1492	Protector-xvp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

9a14cad3cef7929ef0e9b2c30c57a67a.exetemp.exefilesystemscan.exe

description	pid	process	target process
PID 1440 wrote to memory of 1084	1440	9a14cad3cef7929ef0e9b2c30c57a67a.exe	temp.exe
PID 1440 wrote to memory of 1084	1440	9a14cad3cef7929ef0e9b2c30c57a67a.exe	temp.exe
PID 1440 wrote to memory of 1084	1440	9a14cad3cef7929ef0e9b2c30c57a67a.exe	temp.exe
PID 1084 wrote to memory of 1192	1084	temp.exe	filesystemscan.exe
PID 1084 wrote to memory of 1192	1084	temp.exe	filesystemscan.exe
PID 1084 wrote to memory of 1192	1084	temp.exe	filesystemscan.exe
PID 1192 wrote to memory of 1492	1192	filesystemscan.exe	Protector-xvp.exe
PID 1192 wrote to memory of 1492	1192	filesystemscan.exe	Protector-xvp.exe
PID 1192 wrote to memory of 1492	1192	filesystemscan.exe	Protector-xvp.exe
PID 1192 wrote to memory of 1716	1192	filesystemscan.exe	cmd.exe
PID 1192 wrote to memory of 1716	1192	filesystemscan.exe	cmd.exe
PID 1192 wrote to memory of 1716	1192	filesystemscan.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\9a14cad3cef7929ef0e9b2c30c57a67a.exe
"C:\Users\Admin\AppData\Local\Temp\9a14cad3cef7929ef0e9b2c30c57a67a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1440

C:\Users\Admin\AppData\Local\Temp\temp.exe
"C:\Users\Admin\AppData\Local\Temp\temp.exe" -e -p1329559461
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1084

C:\Users\Admin\AppData\Local\Temp\filesystemscan.exe
"C:\Users\Admin\AppData\Local\Temp\filesystemscan.exe"
3⤵
- Disables RegEdit via registry modification
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1192

C:\Users\Admin\AppData\Roaming\Protector-xvp.exe
C:\Users\Admin\AppData\Roaming\Protector-xvp.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1492

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\FILESY~1.EXE" >> NUL
4⤵
PID:1716

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\filesystemscan.exe
Filesize
1.9MB

MD5
c6200cf2220feb8fef9e2112496d1378

SHA1
b8600384b6f06fd64b73910f92509b0b8a04f9cc

SHA256
199d57e73012d2870a6b90188ded59d416162f72602d881a5b61c384d5b73164

SHA512
9e2332838eb97c593e1b5525cc0092da63c9c016ea5e4033d16b200175e20a059cc6ea86c7bf9e51808fb63fc57e8b6ae8b8401656fe30d6a4ca9f1021a3427c

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.exe
Filesize
2.0MB

MD5
5d50bccfb3331af8a6e39de5e84d1da3

SHA1
1b42c1a6fe8bbe01803eb6025f18db46875ea11a

SHA256
fd41d663d34c403e50c2a186cedd8309c43d8896a8d6d87297024d800dd22064

SHA512
a0e4e17bbb7ebf2b50827496904daf72d2e8e32048009a44febf85eb4277fb7bd815944e1b45159eca0ebed610ec50dcf6da6b25ac4748d2462bf0d8d4a965a3

Download Submit
memory/1192-21-0x0000000000400000-0x00000000007E6000-memory.dmp

Filesize
3.9MB

Download
memory/1192-22-0x00000000024D0000-0x000000000252A000-memory.dmp

Filesize
360KB

Download
memory/1192-23-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/1192-24-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/1192-26-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/1192-25-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/1192-28-0x0000000002720000-0x0000000002721000-memory.dmp

Filesize
4KB

Download
memory/1192-27-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/1192-29-0x0000000003520000-0x0000000003521000-memory.dmp

Filesize
4KB

Download
memory/1192-31-0x0000000003780000-0x0000000003781000-memory.dmp

Filesize
4KB

Download
memory/1192-30-0x0000000003510000-0x0000000003513000-memory.dmp

Filesize
12KB

Download
memory/1192-32-0x0000000003560000-0x0000000003561000-memory.dmp

Filesize
4KB

Download
memory/1192-33-0x0000000003500000-0x0000000003502000-memory.dmp

Filesize
8KB

Download
memory/1192-34-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/1192-35-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/1192-36-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/1192-38-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/1192-37-0x0000000003530000-0x0000000003531000-memory.dmp

Filesize
4KB

Download
memory/1192-39-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/1192-40-0x0000000002890000-0x0000000002891000-memory.dmp

Filesize
4KB

Download
memory/1192-41-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/1192-42-0x0000000003580000-0x0000000003581000-memory.dmp

Filesize
4KB

Download
memory/1192-43-0x0000000002940000-0x0000000002941000-memory.dmp

Filesize
4KB

Download
memory/1192-44-0x00000000035A0000-0x00000000035A1000-memory.dmp

Filesize
4KB

Download
memory/1192-46-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/1192-45-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download
memory/1192-48-0x00000000035E0000-0x00000000035E1000-memory.dmp

Filesize
4KB

Download
memory/1192-47-0x00000000035B0000-0x00000000035B1000-memory.dmp

Filesize
4KB

Download
memory/1192-50-0x0000000003740000-0x0000000003741000-memory.dmp

Filesize
4KB

Download
memory/1192-49-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/1192-51-0x0000000003730000-0x0000000003731000-memory.dmp

Filesize
4KB

Download
memory/1192-52-0x0000000003760000-0x0000000003761000-memory.dmp

Filesize
4KB

Download
memory/1192-53-0x0000000003750000-0x0000000003751000-memory.dmp

Filesize
4KB

Download
memory/1192-55-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/1192-54-0x0000000003770000-0x0000000003771000-memory.dmp

Filesize
4KB

Download
memory/1192-56-0x0000000003790000-0x0000000003791000-memory.dmp

Filesize
4KB

Download
memory/1192-57-0x00000000037C0000-0x00000000037C1000-memory.dmp

Filesize
4KB

Download
memory/1192-58-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/1192-59-0x00000000037E0000-0x00000000037E1000-memory.dmp

Filesize
4KB

Download
memory/1192-60-0x00000000037D0000-0x00000000037D1000-memory.dmp

Filesize
4KB

Download
memory/1192-61-0x0000000003800000-0x0000000003801000-memory.dmp

Filesize
4KB

Download
memory/1192-62-0x00000000037F0000-0x00000000037F1000-memory.dmp

Filesize
4KB

Download
memory/1192-64-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/1192-63-0x0000000003820000-0x0000000003821000-memory.dmp

Filesize
4KB

Download
memory/1192-65-0x0000000003840000-0x0000000003841000-memory.dmp

Filesize
4KB

Download
memory/1192-66-0x0000000003BB0000-0x0000000003BB1000-memory.dmp

Filesize
4KB

Download
memory/1192-67-0x0000000003BA0000-0x0000000003BA1000-memory.dmp

Filesize
4KB

Download
memory/1192-68-0x0000000003850000-0x0000000003851000-memory.dmp

Filesize
4KB

Download
memory/1192-69-0x0000000003CE0000-0x0000000003CE1000-memory.dmp

Filesize
4KB

Download
memory/1192-70-0x0000000003D20000-0x0000000003D21000-memory.dmp

Filesize
4KB

Download
memory/1192-72-0x0000000003D50000-0x0000000003D51000-memory.dmp

Filesize
4KB

Download
memory/1192-71-0x0000000003D10000-0x0000000003D11000-memory.dmp

Filesize
4KB

Download
memory/1192-74-0x0000000003D60000-0x0000000003D61000-memory.dmp

Filesize
4KB

Download
memory/1192-73-0x0000000003D40000-0x0000000003D41000-memory.dmp

Filesize
4KB

Download
memory/1192-75-0x0000000003D30000-0x0000000003D31000-memory.dmp

Filesize
4KB

Download
memory/1192-77-0x0000000004230000-0x0000000004231000-memory.dmp

Filesize
4KB

Download
memory/1192-76-0x0000000004240000-0x0000000004241000-memory.dmp

Filesize
4KB

Download
memory/1192-78-0x0000000004260000-0x0000000004261000-memory.dmp

Filesize
4KB

Download
memory/1192-79-0x0000000004250000-0x0000000004251000-memory.dmp

Filesize
4KB

Download
memory/1192-81-0x0000000004270000-0x0000000004271000-memory.dmp

Filesize
4KB

Download
memory/1192-80-0x0000000004280000-0x0000000004281000-memory.dmp

Filesize
4KB

Download
memory/1192-83-0x00000000042A0000-0x00000000042A1000-memory.dmp

Filesize
4KB

Download
memory/1192-82-0x00000000042B0000-0x00000000042B1000-memory.dmp

Filesize
4KB

Download
memory/1192-84-0x00000000042D0000-0x00000000042D1000-memory.dmp

Filesize
4KB

Download
memory/1192-118-0x0000000000400000-0x00000000007E6000-memory.dmp

Filesize
3.9MB

Download
memory/1492-119-0x0000000000400000-0x00000000007E6000-memory.dmp

Filesize
3.9MB

Download