88245fae9075139426c7e82da7384b45c4a34496fea98857bfe64ee11185633e

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-03-2024 04:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd27958cc72a8ab623a620c9e1daef20.exe
Size

2.1MB
MD5

cd27958cc72a8ab623a620c9e1daef20
SHA1

6df82eef2321538a26f5f8d61fb9bf8f8c53a56a
SHA256

88245fae9075139426c7e82da7384b45c4a34496fea98857bfe64ee11185633e
SHA512

218f2146734f5fb8fcbab78aa2b0756658ffa74dd96138badcee93d12082f4e373fe59bc382b5ab29047a1966df5a415634773e6082bf2608eab359388c1784d
SSDEEP

49152:Dtq4kO7pDfJl9KPdTNYn4lOm219up+JKgy9urtNSnGoJRlYU8at:Dn7p1l9o3icOm219jJKHuZoBSat

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2024	2j26aeg419nvp0u.exe
2496	s1muvybur89c99g.exe
2640	Protector-hgje.exe

Loads dropped DLL 5 IoCs

pid	Process
2220	cd27958cc72a8ab623a620c9e1daef20.exe
2024	2j26aeg419nvp0u.exe
2024	2j26aeg419nvp0u.exe
2496	s1muvybur89c99g.exe
2496	s1muvybur89c99g.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2496	s1muvybur89c99g.exe
Token: SeShutdownPrivilege	2496	s1muvybur89c99g.exe
Token: SeDebugPrivilege	2640	Protector-hgje.exe
Token: SeShutdownPrivilege	2640	Protector-hgje.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2496	s1muvybur89c99g.exe
2640	Protector-hgje.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2024	2220	cd27958cc72a8ab623a620c9e1daef20.exe	28
PID 2220 wrote to memory of 2024	2220	cd27958cc72a8ab623a620c9e1daef20.exe	28
PID 2220 wrote to memory of 2024	2220	cd27958cc72a8ab623a620c9e1daef20.exe	28
PID 2220 wrote to memory of 2024	2220	cd27958cc72a8ab623a620c9e1daef20.exe	28
PID 2220 wrote to memory of 2024	2220	cd27958cc72a8ab623a620c9e1daef20.exe	28
PID 2220 wrote to memory of 2024	2220	cd27958cc72a8ab623a620c9e1daef20.exe	28
PID 2220 wrote to memory of 2024	2220	cd27958cc72a8ab623a620c9e1daef20.exe	28
PID 2024 wrote to memory of 2496	2024	2j26aeg419nvp0u.exe	29
PID 2024 wrote to memory of 2496	2024	2j26aeg419nvp0u.exe	29
PID 2024 wrote to memory of 2496	2024	2j26aeg419nvp0u.exe	29
PID 2024 wrote to memory of 2496	2024	2j26aeg419nvp0u.exe	29
PID 2024 wrote to memory of 2496	2024	2j26aeg419nvp0u.exe	29
PID 2024 wrote to memory of 2496	2024	2j26aeg419nvp0u.exe	29
PID 2024 wrote to memory of 2496	2024	2j26aeg419nvp0u.exe	29
PID 2496 wrote to memory of 2640	2496	s1muvybur89c99g.exe	30
PID 2496 wrote to memory of 2640	2496	s1muvybur89c99g.exe	30
PID 2496 wrote to memory of 2640	2496	s1muvybur89c99g.exe	30
PID 2496 wrote to memory of 2640	2496	s1muvybur89c99g.exe	30
PID 2496 wrote to memory of 2640	2496	s1muvybur89c99g.exe	30
PID 2496 wrote to memory of 2640	2496	s1muvybur89c99g.exe	30
PID 2496 wrote to memory of 2640	2496	s1muvybur89c99g.exe	30
PID 2496 wrote to memory of 2520	2496	s1muvybur89c99g.exe	31
PID 2496 wrote to memory of 2520	2496	s1muvybur89c99g.exe	31
PID 2496 wrote to memory of 2520	2496	s1muvybur89c99g.exe	31
PID 2496 wrote to memory of 2520	2496	s1muvybur89c99g.exe	31
PID 2496 wrote to memory of 2520	2496	s1muvybur89c99g.exe	31
PID 2496 wrote to memory of 2520	2496	s1muvybur89c99g.exe	31
PID 2496 wrote to memory of 2520	2496	s1muvybur89c99g.exe	31

C:\Users\Admin\AppData\Local\Temp\cd27958cc72a8ab623a620c9e1daef20.exe
"C:\Users\Admin\AppData\Local\Temp\cd27958cc72a8ab623a620c9e1daef20.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\2j26aeg419nvp0u.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\2j26aeg419nvp0u.exe" -e -pnyy5i61api73n10
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\s1muvybur89c99g.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\s1muvybur89c99g.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Users\Admin\AppData\Roaming\Protector-hgje.exe
      C:\Users\Admin\AppData\Roaming\Protector-hgje.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2640
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\S1MUVY~1.EXE" >> NUL
      4⤵
      PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX1\s1muvybur89c99g.exe

Filesize
487KB

MD5
150304410492da7b7d89e92ec40dc93d

SHA1
bb390ce842d405e31a04e8a8a4b3b1c801a74de9

SHA256
38cf572690bfb5e28591e123af3bb053e1b1087981d95424a0c7f0800c7172c0

SHA512
aa65892de1c662cf7e458b8ccb53402014c175c57b001b6dee9d5b02111788db876f5b70a793a60fa726a5439c95e5e3e4d8fce9301881cec7ae73e56882bbf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\s1muvybur89c99g.exe

Filesize
2.0MB

MD5
0d54d1923f89a07541e497b5bdd2d388

SHA1
2144f9fbf6501a778f3a90193ec699bfab204051

SHA256
202721fa0ab7410f4d03e0b1279a97ea134f0e85f146ad78047fef8e1d51a2cd

SHA512
58905780a9e37a635816872c3f54495494d2e4b33ae55dd4b2057d8165b28abee738cf195248ceadfd29068e8aba9cc2a44ee313cad461fa928e5bd91a880ce7

Download Submit
C:\Users\Admin\AppData\Roaming\Protector-hgje.exe

Filesize
704KB

MD5
5675a41b612d19baf90f4a11cee0cf27

SHA1
4c42be29c9a025616a31a811cf7f2f49b31aa05b

SHA256
cf9b037ef1e1e6040c24e7d72a529ce3530dd974454593104dbbecafd0237de8

SHA512
c932624291ed3fcec1b3b53a25608aece70a528ab2f4f700365a3c7a0cfd494e13cda003a989e8fc26fbb0ed11d1072a3a2372106b2a6f653d7e6811ae67b96e

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\2j26aeg419nvp0u.exe

Filesize
2.0MB

MD5
e2d6de138d40f3d1cfb9386b96487ce1

SHA1
08d13c05ee0c68b410c857fb46bfe6fa9894142e

SHA256
0177c0496c01de493b550a7fe2a5df3e07560eb44b695e40c4fe41d8704ef6c0

SHA512
27f83e4cec3699905b6d444035e0347b39ee69526da542792c52cbd648ecd8c9d34c89962544d316f537e45115fd82638f4c61973e0abb99231f26d64d894c94

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\s1muvybur89c99g.exe

Filesize
1.8MB

MD5
db8acbacb5413ff9f6c2f9710d928b4c

SHA1
9b9abf078c4e9152833ca5d1dc1b06a6a2817943

SHA256
239d72d6760d99959a3f3c01acb4235aa04d50ba00309695004e0b35d4d7e963

SHA512
8eec6261bdb0193742c9f3436cfa8a5ad4e6b408d2c23ceee1c6d56149e9283c7b5534ef95f71d93e2a0b83a979c26da4e19cdf73b7f4f6ae3a0b71a790000e2

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\s1muvybur89c99g.exe

Filesize
1.1MB

MD5
8e5547cc8852ad559a698b940dbaeaa9

SHA1
d2a62ac939085c0c1d6180c78f2b8d47f05a5f25

SHA256
8d7e74acca300e5cc88e9c8318e719b168255e077dfb59b3772be391960012f0

SHA512
820b396589e0af76764377fb2f2506d53a896014104502cf760e9d549a5f8d48bcfc57928b47cb24b40201d3dd947e0d5cc7faf62c254d36eeccea41f52a8aac

Download Submit
memory/2024-18-0x00000000030C0000-0x00000000034F1000-memory.dmp

Filesize
4.2MB

Download
memory/2024-45-0x00000000030C0000-0x000000000311D000-memory.dmp

Filesize
372KB

Download
memory/2496-25-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/2496-36-0x0000000000400000-0x0000000000831000-memory.dmp

Filesize
4.2MB

Download
memory/2496-23-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2496-22-0x0000000003420000-0x0000000003423000-memory.dmp

Filesize
12KB

Download
memory/2496-21-0x0000000003430000-0x0000000003432000-memory.dmp

Filesize
8KB

Download
memory/2496-35-0x0000000004B40000-0x0000000004F71000-memory.dmp

Filesize
4.2MB

Download
memory/2496-19-0x0000000000400000-0x0000000000831000-memory.dmp

Filesize
4.2MB

Download
memory/2496-24-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2496-20-0x00000000002A0000-0x00000000002FA000-memory.dmp

Filesize
360KB

Download
memory/2496-44-0x00000000002A0000-0x00000000002FA000-memory.dmp

Filesize
360KB

Download
memory/2496-43-0x0000000004B40000-0x0000000004F71000-memory.dmp

Filesize
4.2MB

Download
memory/2640-41-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2640-39-0x00000000002C0000-0x000000000031A000-memory.dmp

Filesize
360KB

Download
memory/2640-42-0x0000000000400000-0x0000000000831000-memory.dmp

Filesize
4.2MB

Download
memory/2640-38-0x0000000000400000-0x0000000000831000-memory.dmp

Filesize
4.2MB

Download
memory/2640-37-0x0000000000400000-0x0000000000831000-memory.dmp

Filesize
4.2MB

Download