fd09c5d86630a2ba9fd423cf4d54463029a3825df432771c04fa5d8f8b005901

General

Target

fd09c5d86630a2ba9fd423cf4d54463029a3825df432771c04fa5d8f8b005901.exe
Size

122KB
MD5

5d50bfe6624b199c654c789c0b72d9a9
SHA1

913ad68bc6076189a5cc37ff08cb5353d7e89e8b
SHA256

fd09c5d86630a2ba9fd423cf4d54463029a3825df432771c04fa5d8f8b005901
SHA512

099eef3e474c0ba8f8a4170084a3a09791341311e71fbe40d0e911e3511840d870b28a4115721efef0c5c40dddf0999ccb6ccb4b95399b3044dbd5968e6c578e
SSDEEP

1536:rzCD/Ftkipjh83tgpTo5aZ/KbxkWLndmOsIa9j++Zq/jXY0UqMim:IhKtgpM5O/KbdndmOh6UXY0Urr

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1608	netprotocol.exe
1712	netprotocol.exe

Loads dropped DLL 2 IoCs

pid	Process
1120	fd09c5d86630a2ba9fd423cf4d54463029a3825df432771c04fa5d8f8b005901.exe
1120	fd09c5d86630a2ba9fd423cf4d54463029a3825df432771c04fa5d8f8b005901.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Netprotocol = "C:\\Users\\Admin\\AppData\\Roaming\\netprotocol.exe"	fd09c5d86630a2ba9fd423cf4d54463029a3825df432771c04fa5d8f8b005901.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	fd09c5d86630a2ba9fd423cf4d54463029a3825df432771c04fa5d8f8b005901.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 884 set thread context of 1120	884	fd09c5d86630a2ba9fd423cf4d54463029a3825df432771c04fa5d8f8b005901.exe	27
PID 1608 set thread context of 1712	1608	netprotocol.exe	29

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 884 wrote to memory of 1120	884	fd09c5d86630a2ba9fd423cf4d54463029a3825df432771c04fa5d8f8b005901.exe	27
PID 884 wrote to memory of 1120	884	fd09c5d86630a2ba9fd423cf4d54463029a3825df432771c04fa5d8f8b005901.exe	27
PID 884 wrote to memory of 1120	884	fd09c5d86630a2ba9fd423cf4d54463029a3825df432771c04fa5d8f8b005901.exe	27
PID 884 wrote to memory of 1120	884	fd09c5d86630a2ba9fd423cf4d54463029a3825df432771c04fa5d8f8b005901.exe	27
PID 884 wrote to memory of 1120	884	fd09c5d86630a2ba9fd423cf4d54463029a3825df432771c04fa5d8f8b005901.exe	27
PID 884 wrote to memory of 1120	884	fd09c5d86630a2ba9fd423cf4d54463029a3825df432771c04fa5d8f8b005901.exe	27
PID 1120 wrote to memory of 1608	1120	fd09c5d86630a2ba9fd423cf4d54463029a3825df432771c04fa5d8f8b005901.exe	28
PID 1120 wrote to memory of 1608	1120	fd09c5d86630a2ba9fd423cf4d54463029a3825df432771c04fa5d8f8b005901.exe	28
PID 1120 wrote to memory of 1608	1120	fd09c5d86630a2ba9fd423cf4d54463029a3825df432771c04fa5d8f8b005901.exe	28
PID 1120 wrote to memory of 1608	1120	fd09c5d86630a2ba9fd423cf4d54463029a3825df432771c04fa5d8f8b005901.exe	28
PID 1608 wrote to memory of 1712	1608	netprotocol.exe	29
PID 1608 wrote to memory of 1712	1608	netprotocol.exe	29
PID 1608 wrote to memory of 1712	1608	netprotocol.exe	29
PID 1608 wrote to memory of 1712	1608	netprotocol.exe	29
PID 1608 wrote to memory of 1712	1608	netprotocol.exe	29
PID 1608 wrote to memory of 1712	1608	netprotocol.exe	29

C:\Users\Admin\AppData\Local\Temp\fd09c5d86630a2ba9fd423cf4d54463029a3825df432771c04fa5d8f8b005901.exe
"C:\Users\Admin\AppData\Local\Temp\fd09c5d86630a2ba9fd423cf4d54463029a3825df432771c04fa5d8f8b005901.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:884
- C:\Users\Admin\AppData\Local\Temp\fd09c5d86630a2ba9fd423cf4d54463029a3825df432771c04fa5d8f8b005901.exe
  C:\Users\Admin\AppData\Local\Temp\fd09c5d86630a2ba9fd423cf4d54463029a3825df432771c04fa5d8f8b005901.exe
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Users\Admin\AppData\Roaming\netprotocol.exe
    C:\Users\Admin\AppData\Roaming\netprotocol.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Users\Admin\AppData\Roaming\netprotocol.exe
      C:\Users\Admin\AppData\Roaming\netprotocol.exe
      4⤵
      Executes dropped EXE
      PID:1712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\netprotocol.exe

Filesize
122KB

MD5
db20aa36762c5f26ebe6cf8395f9847f

SHA1
2b5758e110d160be870e5c4195ee17dcf8882d39

SHA256
7053dcefad74dee3d498b44058eb01a310d6f9d7c8a703842811c6e5c25e939b

SHA512
b6e2a527fffa2d36bd116ec6a0cb3f9b91d239e72afb69eb230b07bd9565b7767dd17103e40339d93b8c00940052b841df1667dfec644f64d7e505c010823d78

Download Submit
C:\Users\Admin\AppData\Roaming\netprotocol.exe

Filesize
122KB

MD5
db20aa36762c5f26ebe6cf8395f9847f

SHA1
2b5758e110d160be870e5c4195ee17dcf8882d39

SHA256
7053dcefad74dee3d498b44058eb01a310d6f9d7c8a703842811c6e5c25e939b

SHA512
b6e2a527fffa2d36bd116ec6a0cb3f9b91d239e72afb69eb230b07bd9565b7767dd17103e40339d93b8c00940052b841df1667dfec644f64d7e505c010823d78

Download Submit
C:\Users\Admin\AppData\Roaming\netprotocol.exe

Filesize
122KB

MD5
db20aa36762c5f26ebe6cf8395f9847f

SHA1
2b5758e110d160be870e5c4195ee17dcf8882d39

SHA256
7053dcefad74dee3d498b44058eb01a310d6f9d7c8a703842811c6e5c25e939b

SHA512
b6e2a527fffa2d36bd116ec6a0cb3f9b91d239e72afb69eb230b07bd9565b7767dd17103e40339d93b8c00940052b841df1667dfec644f64d7e505c010823d78

Download Submit
\Users\Admin\AppData\Roaming\netprotocol.exe

Filesize
122KB

MD5
db20aa36762c5f26ebe6cf8395f9847f

SHA1
2b5758e110d160be870e5c4195ee17dcf8882d39

SHA256
7053dcefad74dee3d498b44058eb01a310d6f9d7c8a703842811c6e5c25e939b

SHA512
b6e2a527fffa2d36bd116ec6a0cb3f9b91d239e72afb69eb230b07bd9565b7767dd17103e40339d93b8c00940052b841df1667dfec644f64d7e505c010823d78

Download Submit
\Users\Admin\AppData\Roaming\netprotocol.exe

Filesize
122KB

MD5
db20aa36762c5f26ebe6cf8395f9847f

SHA1
2b5758e110d160be870e5c4195ee17dcf8882d39

SHA256
7053dcefad74dee3d498b44058eb01a310d6f9d7c8a703842811c6e5c25e939b

SHA512
b6e2a527fffa2d36bd116ec6a0cb3f9b91d239e72afb69eb230b07bd9565b7767dd17103e40339d93b8c00940052b841df1667dfec644f64d7e505c010823d78

Download Submit
memory/1120-59-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1120-60-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1120-54-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1120-56-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1120-74-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1120-75-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1712-76-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing