c0a66e3e34835fcc8c1a473876e763b34176a3b867d5d83c02c3f160db12b133

General

Target

c0a66e3e34835fcc8c1a473876e763b34176a3b867d5d83c02c3f160db12b133.exe
Size

2.0MB
MD5

eb138226444409b6a8ba86a7ad6bb461
SHA1

d0e3a9632086aec8ade7cfe10dcb132d55fa898e
SHA256

c0a66e3e34835fcc8c1a473876e763b34176a3b867d5d83c02c3f160db12b133
SHA512

6d5ab6ba75d3bbbb4a3af1d75b6381bfd5b3faa07a1b24135161dbb6ff3e8ff8847e7a1d1f2b9013a574cbedbf6af014d7406b08c297ad8605234d9739249d21
SSDEEP

49152:DgqArt0gboSKkDpTyooUxSc/KFFC3GbefBAudiBXlOBy:DwtuSKk9ydUxpOMAuY

Score

7^/10

defense_evasion discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	c0a66e3e34835fcc8c1a473876e763b34176a3b867d5d83c02c3f160db12b133.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	r80h930r8b9ayi8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	hcij6m4v313l720.exe

Executes dropped EXE 3 IoCs

pid	Process
3652	r80h930r8b9ayi8.exe
4048	hcij6m4v313l720.exe
5084	Protector-wvjw.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	r80h930r8b9ayi8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hcij6m4v313l720.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Protector-wvjw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0a66e3e34835fcc8c1a473876e763b34176a3b867d5d83c02c3f160db12b133.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4048	hcij6m4v313l720.exe
Token: SeShutdownPrivilege	4048	hcij6m4v313l720.exe
Token: SeDebugPrivilege	5084	Protector-wvjw.exe
Token: SeShutdownPrivilege	5084	Protector-wvjw.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4048	hcij6m4v313l720.exe
5084	Protector-wvjw.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 3652	1408	c0a66e3e34835fcc8c1a473876e763b34176a3b867d5d83c02c3f160db12b133.exe	82
PID 1408 wrote to memory of 3652	1408	c0a66e3e34835fcc8c1a473876e763b34176a3b867d5d83c02c3f160db12b133.exe	82
PID 1408 wrote to memory of 3652	1408	c0a66e3e34835fcc8c1a473876e763b34176a3b867d5d83c02c3f160db12b133.exe	82
PID 3652 wrote to memory of 4048	3652	r80h930r8b9ayi8.exe	83
PID 3652 wrote to memory of 4048	3652	r80h930r8b9ayi8.exe	83
PID 3652 wrote to memory of 4048	3652	r80h930r8b9ayi8.exe	83
PID 4048 wrote to memory of 5084	4048	hcij6m4v313l720.exe	84
PID 4048 wrote to memory of 5084	4048	hcij6m4v313l720.exe	84
PID 4048 wrote to memory of 5084	4048	hcij6m4v313l720.exe	84
PID 4048 wrote to memory of 3232	4048	hcij6m4v313l720.exe	85
PID 4048 wrote to memory of 3232	4048	hcij6m4v313l720.exe	85
PID 4048 wrote to memory of 3232	4048	hcij6m4v313l720.exe	85

C:\Users\Admin\AppData\Local\Temp\c0a66e3e34835fcc8c1a473876e763b34176a3b867d5d83c02c3f160db12b133.exe
"C:\Users\Admin\AppData\Local\Temp\c0a66e3e34835fcc8c1a473876e763b34176a3b867d5d83c02c3f160db12b133.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\r80h930r8b9ayi8.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\r80h930r8b9ayi8.exe" -e -pq6wi1eji0k7u7m6
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\hcij6m4v313l720.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\hcij6m4v313l720.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4048
  - - C:\Users\Admin\AppData\Roaming\Protector-wvjw.exe
      C:\Users\Admin\AppData\Roaming\Protector-wvjw.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:5084
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\HCIJ6M~1.EXE" >> NUL
      4⤵
      System Location Discovery: System Language Discovery
      PID:3232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

File Deletion

1

T1070.004

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\r80h930r8b9ayi8.exe

Filesize
2.0MB

MD5
bca91cf91c5dc6f235d6358211226668

SHA1
5019501b7e3a48c9155c4ab407a81680de1fe6f4

SHA256
9a2d713cdae9daafbda407c5be48c98702bd3dd7675c4f54c50c76ad25dff734

SHA512
8624b7a4d34fd93486fe4bab99b7a0d7dc1a8f0b3f6b1939450bfbd09e8a12fb6e5fd60c5109aefc6ca014f0caf5012250e8dc4ee9cba6531516ebbf5fd671f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\hcij6m4v313l720.exe

Filesize
1.9MB

MD5
c94023f64598bd1873ff8c45d3862a53

SHA1
03e077477a9fc4d51f59ffef4849093b2820b338

SHA256
81cbd611a37134c2ee077fd57c0526f82684cfe7139d1b7e050e21284b6a4026

SHA512
bc5a819f986c6444ee7672becdc717fa97ecabe4b91c664543765e445d28ffa32fe07b2f1855047473aad8c3936cb0fbd6f18e79f6577f60c342cf9fe7113c5a

Download Submit
memory/4048-18-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/4048-23-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/5084-25-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing