5f966f19c143f27e90d08513ca56f8e10f40ff762779835aced1b3d28984501b

General

Target

cb96f4b88cc56af60b6cfef38075e032.exe
Size

1.8MB
MD5

cb96f4b88cc56af60b6cfef38075e032
SHA1

a15276ac8a89a07e2639830a929708ec9d5cc5be
SHA256

5f966f19c143f27e90d08513ca56f8e10f40ff762779835aced1b3d28984501b
SHA512

87144b929c35dd1619ee85f7dfe3ba79123415d2392f9807d1e47ebc7e0cece5e1aed026c8ee86df438cd7c7d4ad740aaf7f561f5bd2172d4ed0e87081560b8a
SSDEEP

49152:m+fm1tJMBMCo+M7VnDIa8Tjc04axAwCQsm6pW:mnI+z54TN3tfsm6pW

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2916	Protector-yiaf.exe

Loads dropped DLL 2 IoCs

pid	Process
2240	cb96f4b88cc56af60b6cfef38075e032.exe
2240	cb96f4b88cc56af60b6cfef38075e032.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2240	cb96f4b88cc56af60b6cfef38075e032.exe
Token: SeShutdownPrivilege	2240	cb96f4b88cc56af60b6cfef38075e032.exe
Token: SeDebugPrivilege	2916	Protector-yiaf.exe
Token: SeShutdownPrivilege	2916	Protector-yiaf.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2240	cb96f4b88cc56af60b6cfef38075e032.exe
2916	Protector-yiaf.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2916	2240	cb96f4b88cc56af60b6cfef38075e032.exe	28
PID 2240 wrote to memory of 2916	2240	cb96f4b88cc56af60b6cfef38075e032.exe	28
PID 2240 wrote to memory of 2916	2240	cb96f4b88cc56af60b6cfef38075e032.exe	28
PID 2240 wrote to memory of 2916	2240	cb96f4b88cc56af60b6cfef38075e032.exe	28
PID 2240 wrote to memory of 2636	2240	cb96f4b88cc56af60b6cfef38075e032.exe	29
PID 2240 wrote to memory of 2636	2240	cb96f4b88cc56af60b6cfef38075e032.exe	29
PID 2240 wrote to memory of 2636	2240	cb96f4b88cc56af60b6cfef38075e032.exe	29
PID 2240 wrote to memory of 2636	2240	cb96f4b88cc56af60b6cfef38075e032.exe	29

C:\Users\Admin\AppData\Local\Temp\cb96f4b88cc56af60b6cfef38075e032.exe
"C:\Users\Admin\AppData\Local\Temp\cb96f4b88cc56af60b6cfef38075e032.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Roaming\Protector-yiaf.exe
  C:\Users\Admin\AppData\Roaming\Protector-yiaf.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2916
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\CB96F4~1.EXE" >> NUL
  2⤵
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Protector-yiaf.exe

Filesize
1.1MB

MD5
597369813a307597019b5796bf2d2c2b

SHA1
2860ee072fab16232555132e1ab5777badb2c45d

SHA256
f0b29826079ba91a499fc5b388962973170d2f745a245826f2d7d76bd3900f71

SHA512
5d27682c9f85a2c18de05f07e257a47bb25a0e2edaa5fb27de3e5b3a0c713782a1cb682d308d927d65149b9074462b2ef8a26fcd0103cacbb37aa72e793212aa

Download Submit
C:\Users\Admin\AppData\Roaming\Protector-yiaf.exe

Filesize
1.4MB

MD5
08454abce6359d77b3e51ce84feae7e3

SHA1
6902c49e239e1870895f4262b60fa9189552ef87

SHA256
3239fe9fc5e2caea3ccebaba9147b0067754e2e5caac221c861fe61903d04e61

SHA512
47534165ea5d5618cd26a5736f3daa86fcf6305a31dbf22f5dc0fd95cd57017e5edfa02f3375798734683cc65c76f49c3ef1f9a54fa90a6edc75168e23ec588d

Download Submit
C:\Users\Admin\AppData\Roaming\Protector-yiaf.exe

Filesize
256KB

MD5
702d7916df6cd24a3f231f03501dabeb

SHA1
ca1310c7635a23d2c051bb4012c11da58d126c2c

SHA256
66e3c18fdd1b08399eeadaf0944ca980acbc55f2bddb3aeb8fd1edfe7ac35c2a

SHA512
126d3afb35ae3f0d0deed97d159523497bbba0204b4c552247bf8d9fd388a184f43fe83e181fef0192302c13c4902b987307e7df894468a87e246d28b200e1cc

Download Submit
\Users\Admin\AppData\Roaming\Protector-yiaf.exe

Filesize
1.8MB

MD5
cb96f4b88cc56af60b6cfef38075e032

SHA1
a15276ac8a89a07e2639830a929708ec9d5cc5be

SHA256
5f966f19c143f27e90d08513ca56f8e10f40ff762779835aced1b3d28984501b

SHA512
87144b929c35dd1619ee85f7dfe3ba79123415d2392f9807d1e47ebc7e0cece5e1aed026c8ee86df438cd7c7d4ad740aaf7f561f5bd2172d4ed0e87081560b8a

Download Submit
memory/2240-18-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/2240-1-0x00000000002C0000-0x000000000031A000-memory.dmp

Filesize
360KB

Download
memory/2240-8-0x00000000033A0000-0x00000000033A3000-memory.dmp

Filesize
12KB

Download
memory/2240-7-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/2240-6-0x0000000002190000-0x0000000002191000-memory.dmp

Filesize
4KB

Download
memory/2240-9-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/2240-10-0x0000000003390000-0x0000000003393000-memory.dmp

Filesize
12KB

Download
memory/2240-11-0x0000000003400000-0x0000000003401000-memory.dmp

Filesize
4KB

Download
memory/2240-13-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2240-14-0x00000000033E0000-0x00000000033E1000-memory.dmp

Filesize
4KB

Download
memory/2240-15-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/2240-12-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2240-16-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/2240-17-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2240-0-0x0000000000400000-0x00000000007C7000-memory.dmp

Filesize
3.8MB

Download
memory/2240-4-0x0000000002170000-0x0000000002171000-memory.dmp

Filesize
4KB

Download
memory/2240-3-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2240-5-0x0000000002140000-0x0000000002141000-memory.dmp

Filesize
4KB

Download
memory/2240-27-0x0000000004190000-0x0000000004557000-memory.dmp

Filesize
3.8MB

Download
memory/2240-42-0x00000000002C0000-0x000000000031A000-memory.dmp

Filesize
360KB

Download
memory/2240-40-0x0000000000400000-0x00000000007C7000-memory.dmp

Filesize
3.8MB

Download
memory/2240-2-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/2240-38-0x0000000004190000-0x0000000004557000-memory.dmp

Filesize
3.8MB

Download
memory/2916-32-0x00000000033F0000-0x00000000033F1000-memory.dmp

Filesize
4KB

Download
memory/2916-33-0x0000000003400000-0x0000000003401000-memory.dmp

Filesize
4KB

Download
memory/2916-34-0x00000000033E0000-0x00000000033E1000-memory.dmp

Filesize
4KB

Download
memory/2916-35-0x00000000033D0000-0x00000000033D1000-memory.dmp

Filesize
4KB

Download
memory/2916-37-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2916-36-0x00000000033C0000-0x00000000033C1000-memory.dmp

Filesize
4KB

Download
memory/2916-29-0x0000000000350000-0x00000000003AA000-memory.dmp

Filesize
360KB

Download
memory/2916-39-0x0000000003630000-0x0000000003670000-memory.dmp

Filesize
256KB

Download
memory/2916-30-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/2916-41-0x0000000000400000-0x00000000007C7000-memory.dmp

Filesize
3.8MB

Download
memory/2916-28-0x0000000000400000-0x00000000007C7000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing