5f966f19c143f27e90d08513ca56f8e10f40ff762779835aced1b3d28984501b

General

Target

cb96f4b88cc56af60b6cfef38075e032.exe
Size

1.8MB
MD5

cb96f4b88cc56af60b6cfef38075e032
SHA1

a15276ac8a89a07e2639830a929708ec9d5cc5be
SHA256

5f966f19c143f27e90d08513ca56f8e10f40ff762779835aced1b3d28984501b
SHA512

87144b929c35dd1619ee85f7dfe3ba79123415d2392f9807d1e47ebc7e0cece5e1aed026c8ee86df438cd7c7d4ad740aaf7f561f5bd2172d4ed0e87081560b8a
SSDEEP

49152:m+fm1tJMBMCo+M7VnDIa8Tjc04axAwCQsm6pW:mnI+z54TN3tfsm6pW

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	cb96f4b88cc56af60b6cfef38075e032.exe

Executes dropped EXE 1 IoCs

pid	Process
3180	Protector-whxf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	cb96f4b88cc56af60b6cfef38075e032.exe
Token: SeShutdownPrivilege	2800	cb96f4b88cc56af60b6cfef38075e032.exe
Token: SeDebugPrivilege	3180	Protector-whxf.exe
Token: SeShutdownPrivilege	3180	Protector-whxf.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2800	cb96f4b88cc56af60b6cfef38075e032.exe
3180	Protector-whxf.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 3180	2800	cb96f4b88cc56af60b6cfef38075e032.exe	100
PID 2800 wrote to memory of 3180	2800	cb96f4b88cc56af60b6cfef38075e032.exe	100
PID 2800 wrote to memory of 3180	2800	cb96f4b88cc56af60b6cfef38075e032.exe	100
PID 2800 wrote to memory of 964	2800	cb96f4b88cc56af60b6cfef38075e032.exe	102
PID 2800 wrote to memory of 964	2800	cb96f4b88cc56af60b6cfef38075e032.exe	102
PID 2800 wrote to memory of 964	2800	cb96f4b88cc56af60b6cfef38075e032.exe	102

C:\Users\Admin\AppData\Local\Temp\cb96f4b88cc56af60b6cfef38075e032.exe
"C:\Users\Admin\AppData\Local\Temp\cb96f4b88cc56af60b6cfef38075e032.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Users\Admin\AppData\Roaming\Protector-whxf.exe
  C:\Users\Admin\AppData\Roaming\Protector-whxf.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3180
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\CB96F4~1.EXE" >> NUL
  2⤵
  PID:964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Protector-whxf.exe

Filesize
1.7MB

MD5
04e910683f77386f8d05be7457e3df9f

SHA1
917307c6b011716ff8991f2dc81696b7588197ff

SHA256
efca4e2a03e5e685740624207c269597a83ceb7a090eed6adcefb3b864125d04

SHA512
27f61db2e745582b48deeff4090ef79e83805305eaf8f18b97ddbe2812bd6949c46ea815afeac95fa3a49c8f351f813d3d1d9ab1bcbcfe2b13bddb36bfe3945c

Download Submit
C:\Users\Admin\AppData\Roaming\Protector-whxf.exe

Filesize
723KB

MD5
7d40955ecb5bade6868ae85586894837

SHA1
517923ee5d3722584a6612e3ae889e9bbac37759

SHA256
f25994e9ddc92959646f8b6c5d6fe4d4eb0fef492f2e2dd0ce724e9d716cdebe

SHA512
3f103631ac84e67762f308212149aee4afd67f5474fb180e36f14747baa9bdfae4754785ed041b799ca9bf53b2b1ac10701553e44d07c30c5aa8db5d8e660a29

Download Submit
memory/2800-18-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/2800-3-0x00000000027B0000-0x00000000027B1000-memory.dmp

Filesize
4KB

Download
memory/2800-4-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/2800-5-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/2800-6-0x00000000027E0000-0x00000000027E1000-memory.dmp

Filesize
4KB

Download
memory/2800-7-0x0000000002830000-0x0000000002831000-memory.dmp

Filesize
4KB

Download
memory/2800-8-0x0000000003640000-0x0000000003641000-memory.dmp

Filesize
4KB

Download
memory/2800-9-0x0000000003630000-0x0000000003633000-memory.dmp

Filesize
12KB

Download
memory/2800-10-0x0000000003680000-0x0000000003681000-memory.dmp

Filesize
4KB

Download
memory/2800-11-0x0000000003620000-0x0000000003623000-memory.dmp

Filesize
12KB

Download
memory/2800-13-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/2800-14-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/2800-12-0x0000000003690000-0x0000000003691000-memory.dmp

Filesize
4KB

Download
memory/2800-15-0x0000000003670000-0x0000000003671000-memory.dmp

Filesize
4KB

Download
memory/2800-16-0x0000000003660000-0x0000000003661000-memory.dmp

Filesize
4KB

Download
memory/2800-17-0x0000000003650000-0x0000000003651000-memory.dmp

Filesize
4KB

Download
memory/2800-2-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/2800-0-0x0000000000400000-0x00000000007C7000-memory.dmp

Filesize
3.8MB

Download
memory/2800-1-0x0000000000E30000-0x0000000000E8A000-memory.dmp

Filesize
360KB

Download
memory/2800-38-0x0000000000E30000-0x0000000000E8A000-memory.dmp

Filesize
360KB

Download
memory/2800-37-0x0000000000400000-0x00000000007C7000-memory.dmp

Filesize
3.8MB

Download
memory/3180-34-0x0000000000400000-0x00000000007C7000-memory.dmp

Filesize
3.8MB

Download
memory/3180-24-0x0000000002340000-0x000000000239A000-memory.dmp

Filesize
360KB

Download
memory/3180-27-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/3180-29-0x00000000034E0000-0x00000000034E3000-memory.dmp

Filesize
12KB

Download
memory/3180-28-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/3180-25-0x00000000034F0000-0x0000000003780000-memory.dmp

Filesize
2.6MB

Download
memory/3180-33-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/3180-32-0x0000000003520000-0x0000000003521000-memory.dmp

Filesize
4KB

Download
memory/3180-26-0x00000000034F0000-0x0000000003780000-memory.dmp

Filesize
2.6MB

Download
memory/3180-31-0x0000000003530000-0x0000000003531000-memory.dmp

Filesize
4KB

Download
memory/3180-35-0x0000000003780000-0x0000000003781000-memory.dmp

Filesize
4KB

Download
memory/3180-36-0x0000000002340000-0x000000000239A000-memory.dmp

Filesize
360KB

Download
memory/3180-30-0x0000000003550000-0x0000000003551000-memory.dmp

Filesize
4KB

Download
memory/3180-23-0x0000000000400000-0x00000000007C7000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing