88245fae9075139426c7e82da7384b45c4a34496fea98857bfe64ee11185633e

General

Target

cd27958cc72a8ab623a620c9e1daef20.exe
Size

2.1MB
MD5

cd27958cc72a8ab623a620c9e1daef20
SHA1

6df82eef2321538a26f5f8d61fb9bf8f8c53a56a
SHA256

88245fae9075139426c7e82da7384b45c4a34496fea98857bfe64ee11185633e
SHA512

218f2146734f5fb8fcbab78aa2b0756658ffa74dd96138badcee93d12082f4e373fe59bc382b5ab29047a1966df5a415634773e6082bf2608eab359388c1784d
SSDEEP

49152:Dtq4kO7pDfJl9KPdTNYn4lOm219up+JKgy9urtNSnGoJRlYU8at:Dn7p1l9o3icOm219jJKHuZoBSat

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	cd27958cc72a8ab623a620c9e1daef20.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	2j26aeg419nvp0u.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	s1muvybur89c99g.exe

Executes dropped EXE 3 IoCs

pid	Process
3732	2j26aeg419nvp0u.exe
3364	s1muvybur89c99g.exe
1608	Protector-uehx.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3364	s1muvybur89c99g.exe
Token: SeShutdownPrivilege	3364	s1muvybur89c99g.exe
Token: SeDebugPrivilege	1608	Protector-uehx.exe
Token: SeShutdownPrivilege	1608	Protector-uehx.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3364	s1muvybur89c99g.exe
1608	Protector-uehx.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 968 wrote to memory of 3732	968	cd27958cc72a8ab623a620c9e1daef20.exe	90
PID 968 wrote to memory of 3732	968	cd27958cc72a8ab623a620c9e1daef20.exe	90
PID 968 wrote to memory of 3732	968	cd27958cc72a8ab623a620c9e1daef20.exe	90
PID 3732 wrote to memory of 3364	3732	2j26aeg419nvp0u.exe	92
PID 3732 wrote to memory of 3364	3732	2j26aeg419nvp0u.exe	92
PID 3732 wrote to memory of 3364	3732	2j26aeg419nvp0u.exe	92
PID 3364 wrote to memory of 1608	3364	s1muvybur89c99g.exe	94
PID 3364 wrote to memory of 1608	3364	s1muvybur89c99g.exe	94
PID 3364 wrote to memory of 1608	3364	s1muvybur89c99g.exe	94
PID 3364 wrote to memory of 3872	3364	s1muvybur89c99g.exe	95
PID 3364 wrote to memory of 3872	3364	s1muvybur89c99g.exe	95
PID 3364 wrote to memory of 3872	3364	s1muvybur89c99g.exe	95

C:\Users\Admin\AppData\Local\Temp\cd27958cc72a8ab623a620c9e1daef20.exe
"C:\Users\Admin\AppData\Local\Temp\cd27958cc72a8ab623a620c9e1daef20.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:968
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\2j26aeg419nvp0u.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\2j26aeg419nvp0u.exe" -e -pnyy5i61api73n10
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3732
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\s1muvybur89c99g.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\s1muvybur89c99g.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3364
  - - C:\Users\Admin\AppData\Roaming\Protector-uehx.exe
      C:\Users\Admin\AppData\Roaming\Protector-uehx.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1608
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\S1MUVY~1.EXE" >> NUL
      4⤵
      PID:3872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\2j26aeg419nvp0u.exe

Filesize
2.0MB

MD5
e2d6de138d40f3d1cfb9386b96487ce1

SHA1
08d13c05ee0c68b410c857fb46bfe6fa9894142e

SHA256
0177c0496c01de493b550a7fe2a5df3e07560eb44b695e40c4fe41d8704ef6c0

SHA512
27f83e4cec3699905b6d444035e0347b39ee69526da542792c52cbd648ecd8c9d34c89962544d316f537e45115fd82638f4c61973e0abb99231f26d64d894c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\2j26aeg419nvp0u.exe

Filesize
1.7MB

MD5
760dbc2c90bc4abb80f7c4e7418581f1

SHA1
b556171904789bab6b1c233907340786b2bdc52a

SHA256
aed129fd13ee87e6e93859722d36e96d0001eed6f28268a38b4bd6824734e4d8

SHA512
f193fb295c808e527657c66bf5cf7cbe5a8832a6e841ed49e61210504e258cebf7c8beb9b8b42ae92c9fe74e68ffebe39ed8cf00061a86b2b3170862993726b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\2j26aeg419nvp0u.exe

Filesize
1.3MB

MD5
b35e106850d7212acafc873d6be6cff6

SHA1
7b5ca87d1be37b76a02796d6e9834f4b5fbf77f2

SHA256
82bfac2206e5addffc92fd49f2d3cf07e0a5d17249a21f2125edb479f3828a20

SHA512
661007da799f6eabe656b7cf93f68d6bc8f5ffc834f798d4ae7b5c6e2e00ab1398e8e08a8c9a910aab91d1f44699f16ec9a179b8c5197a06b1d86e2a8095e6c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\s1muvybur89c99g.exe

Filesize
152KB

MD5
0037c4fd51d1209c8d9bfb736c7c32e2

SHA1
00b5a6460d39a34f1145a4bd6820faad5a6de4b9

SHA256
c5a9bd8e552c2d939e381a84a75aaff5063a432496941f9d04964bc6b356b634

SHA512
6ee377a6b4d07083247535952f41f84b0f5ab8784ee23c6800d55b6c6b8a4e056a3f010bacbdda0110408e0cc75bac4a3a6ca0eae18779163e876be18016b251

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\s1muvybur89c99g.exe

Filesize
71KB

MD5
3d7e119b592e07e9fffa7810e21bd1ac

SHA1
d7d5c3162a1c6b617730e72090ab9a7f17347da9

SHA256
3be94dcbd046d755848c4893e4f5d7485bed38d206da2c80f2fbd94b936bf0b8

SHA512
26c7b224940580ebbd50877489e7078a26d9d1aa7ea0f9e392069db9bb2ba97373f647e00e5b24a217d6c055802a3f1390c12b6cfd640ad6dbf915e8c869bb1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\s1muvybur89c99g.exe

Filesize
2.0MB

MD5
0d54d1923f89a07541e497b5bdd2d388

SHA1
2144f9fbf6501a778f3a90193ec699bfab204051

SHA256
202721fa0ab7410f4d03e0b1279a97ea134f0e85f146ad78047fef8e1d51a2cd

SHA512
58905780a9e37a635816872c3f54495494d2e4b33ae55dd4b2057d8165b28abee738cf195248ceadfd29068e8aba9cc2a44ee313cad461fa928e5bd91a880ce7

Download Submit
memory/1608-45-0x0000000000400000-0x0000000000831000-memory.dmp

Filesize
4.2MB

Download
memory/1608-49-0x00000000035B0000-0x00000000035B1000-memory.dmp

Filesize
4KB

Download
memory/1608-55-0x00000000023A0000-0x00000000023FA000-memory.dmp

Filesize
360KB

Download
memory/1608-46-0x00000000023A0000-0x00000000023FA000-memory.dmp

Filesize
360KB

Download
memory/1608-54-0x00000000035A0000-0x00000000035A1000-memory.dmp

Filesize
4KB

Download
memory/1608-53-0x00000000035C0000-0x00000000035C1000-memory.dmp

Filesize
4KB

Download
memory/1608-52-0x0000000000400000-0x0000000000831000-memory.dmp

Filesize
4.2MB

Download
memory/1608-51-0x0000000003550000-0x0000000003553000-memory.dmp

Filesize
12KB

Download
memory/1608-48-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/3364-24-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/3364-29-0x0000000003530000-0x0000000003531000-memory.dmp

Filesize
4KB

Download
memory/3364-39-0x0000000003540000-0x0000000003541000-memory.dmp

Filesize
4KB

Download
memory/3364-38-0x0000000003550000-0x0000000003551000-memory.dmp

Filesize
4KB

Download
memory/3364-37-0x0000000003560000-0x0000000003561000-memory.dmp

Filesize
4KB

Download
memory/3364-36-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/3364-35-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/3364-34-0x0000000003580000-0x0000000003581000-memory.dmp

Filesize
4KB

Download
memory/3364-33-0x0000000003510000-0x0000000003513000-memory.dmp

Filesize
12KB

Download
memory/3364-32-0x0000000003570000-0x0000000003571000-memory.dmp

Filesize
4KB

Download
memory/3364-31-0x0000000003790000-0x0000000003791000-memory.dmp

Filesize
4KB

Download
memory/3364-40-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/3364-30-0x0000000003520000-0x0000000003522000-memory.dmp

Filesize
8KB

Download
memory/3364-47-0x0000000000400000-0x0000000000831000-memory.dmp

Filesize
4.2MB

Download
memory/3364-28-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/3364-27-0x00000000026D0000-0x00000000026D1000-memory.dmp

Filesize
4KB

Download
memory/3364-25-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/3364-50-0x0000000000B10000-0x0000000000B6A000-memory.dmp

Filesize
360KB

Download
memory/3364-26-0x0000000002700000-0x0000000002701000-memory.dmp

Filesize
4KB

Download
memory/3364-23-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/3364-22-0x0000000000B10000-0x0000000000B6A000-memory.dmp

Filesize
360KB

Download
memory/3364-21-0x0000000000400000-0x0000000000831000-memory.dmp

Filesize
4.2MB

Download

Analysis

Sharing