15c9a40a73224b6f29fb030e63379da83c419b67fdcbd0ade148cb12ed2cfc64

General

Target

15c9a40a73224b6f29fb030e63379da83c419b67fdcbd0ade148cb12ed2cfc64.exe
Size

119KB
MD5

381cc3935440884e725035115aa1522c
SHA1

3fb5c294dcafe47a570d4c1056d8d8ff033caf4a
SHA256

15c9a40a73224b6f29fb030e63379da83c419b67fdcbd0ade148cb12ed2cfc64
SHA512

30896db04107b673f8a74984f150458461b171931f8851a5995c3205fbfd218c64c0d2d7a7770ef9bd44e1325e5cf3377b2ff8cc658e050996114c91db9639fb
SSDEEP

1536:sRAZ0skUnL3xgtxHEOwtHDQ4A4X0S549xKwWQwEzoYp8rBBGtGYICJJHSoO0:jytxHctjQcEf7zFwEH8rBBGgYO0

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1388	netprotocol.exe
1684	netprotocol.exe

Loads dropped DLL 2 IoCs

pid	Process
908	15c9a40a73224b6f29fb030e63379da83c419b67fdcbd0ade148cb12ed2cfc64.exe
908	15c9a40a73224b6f29fb030e63379da83c419b67fdcbd0ade148cb12ed2cfc64.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	15c9a40a73224b6f29fb030e63379da83c419b67fdcbd0ade148cb12ed2cfc64.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Netprotocol = "C:\\Users\\Admin\\AppData\\Roaming\\netprotocol.exe"	15c9a40a73224b6f29fb030e63379da83c419b67fdcbd0ade148cb12ed2cfc64.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1808 set thread context of 908	1808	15c9a40a73224b6f29fb030e63379da83c419b67fdcbd0ade148cb12ed2cfc64.exe	28
PID 1388 set thread context of 1684	1388	netprotocol.exe	30

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 908	1808	15c9a40a73224b6f29fb030e63379da83c419b67fdcbd0ade148cb12ed2cfc64.exe	28
PID 1808 wrote to memory of 908	1808	15c9a40a73224b6f29fb030e63379da83c419b67fdcbd0ade148cb12ed2cfc64.exe	28
PID 1808 wrote to memory of 908	1808	15c9a40a73224b6f29fb030e63379da83c419b67fdcbd0ade148cb12ed2cfc64.exe	28
PID 1808 wrote to memory of 908	1808	15c9a40a73224b6f29fb030e63379da83c419b67fdcbd0ade148cb12ed2cfc64.exe	28
PID 1808 wrote to memory of 908	1808	15c9a40a73224b6f29fb030e63379da83c419b67fdcbd0ade148cb12ed2cfc64.exe	28
PID 1808 wrote to memory of 908	1808	15c9a40a73224b6f29fb030e63379da83c419b67fdcbd0ade148cb12ed2cfc64.exe	28
PID 908 wrote to memory of 1388	908	15c9a40a73224b6f29fb030e63379da83c419b67fdcbd0ade148cb12ed2cfc64.exe	29
PID 908 wrote to memory of 1388	908	15c9a40a73224b6f29fb030e63379da83c419b67fdcbd0ade148cb12ed2cfc64.exe	29
PID 908 wrote to memory of 1388	908	15c9a40a73224b6f29fb030e63379da83c419b67fdcbd0ade148cb12ed2cfc64.exe	29
PID 908 wrote to memory of 1388	908	15c9a40a73224b6f29fb030e63379da83c419b67fdcbd0ade148cb12ed2cfc64.exe	29
PID 1388 wrote to memory of 1684	1388	netprotocol.exe	30
PID 1388 wrote to memory of 1684	1388	netprotocol.exe	30
PID 1388 wrote to memory of 1684	1388	netprotocol.exe	30
PID 1388 wrote to memory of 1684	1388	netprotocol.exe	30
PID 1388 wrote to memory of 1684	1388	netprotocol.exe	30
PID 1388 wrote to memory of 1684	1388	netprotocol.exe	30

C:\Users\Admin\AppData\Local\Temp\15c9a40a73224b6f29fb030e63379da83c419b67fdcbd0ade148cb12ed2cfc64.exe
"C:\Users\Admin\AppData\Local\Temp\15c9a40a73224b6f29fb030e63379da83c419b67fdcbd0ade148cb12ed2cfc64.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Users\Admin\AppData\Local\Temp\15c9a40a73224b6f29fb030e63379da83c419b67fdcbd0ade148cb12ed2cfc64.exe
  C:\Users\Admin\AppData\Local\Temp\15c9a40a73224b6f29fb030e63379da83c419b67fdcbd0ade148cb12ed2cfc64.exe
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Users\Admin\AppData\Roaming\netprotocol.exe
    C:\Users\Admin\AppData\Roaming\netprotocol.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1388
  - - C:\Users\Admin\AppData\Roaming\netprotocol.exe
      C:\Users\Admin\AppData\Roaming\netprotocol.exe
      4⤵
      Executes dropped EXE
      PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\netprotocol.exe

Filesize
119KB

MD5
7f8fd4e48923a0f0393ab057567d5949

SHA1
3c31ad345a6107c391e74800b0983c493fb2ff5e

SHA256
e1e0529e5277e9c76e9b4ea929aefa6d854daa9090cd3c1c10de8dcf44ef41ab

SHA512
0f14f9bdb331dc327ad6f8f94e0f02c90dede67477fa1fedfd08a7c8a2395360ba891ee676f8e4f7044038691615bebf61a69a266473b73c244054c5438bbdf1

Download Submit
C:\Users\Admin\AppData\Roaming\netprotocol.exe

Filesize
119KB

MD5
7f8fd4e48923a0f0393ab057567d5949

SHA1
3c31ad345a6107c391e74800b0983c493fb2ff5e

SHA256
e1e0529e5277e9c76e9b4ea929aefa6d854daa9090cd3c1c10de8dcf44ef41ab

SHA512
0f14f9bdb331dc327ad6f8f94e0f02c90dede67477fa1fedfd08a7c8a2395360ba891ee676f8e4f7044038691615bebf61a69a266473b73c244054c5438bbdf1

Download Submit
C:\Users\Admin\AppData\Roaming\netprotocol.exe

Filesize
119KB

MD5
7f8fd4e48923a0f0393ab057567d5949

SHA1
3c31ad345a6107c391e74800b0983c493fb2ff5e

SHA256
e1e0529e5277e9c76e9b4ea929aefa6d854daa9090cd3c1c10de8dcf44ef41ab

SHA512
0f14f9bdb331dc327ad6f8f94e0f02c90dede67477fa1fedfd08a7c8a2395360ba891ee676f8e4f7044038691615bebf61a69a266473b73c244054c5438bbdf1

Download Submit
\Users\Admin\AppData\Roaming\netprotocol.exe

Filesize
119KB

MD5
7f8fd4e48923a0f0393ab057567d5949

SHA1
3c31ad345a6107c391e74800b0983c493fb2ff5e

SHA256
e1e0529e5277e9c76e9b4ea929aefa6d854daa9090cd3c1c10de8dcf44ef41ab

SHA512
0f14f9bdb331dc327ad6f8f94e0f02c90dede67477fa1fedfd08a7c8a2395360ba891ee676f8e4f7044038691615bebf61a69a266473b73c244054c5438bbdf1

Download Submit
\Users\Admin\AppData\Roaming\netprotocol.exe

Filesize
119KB

MD5
7f8fd4e48923a0f0393ab057567d5949

SHA1
3c31ad345a6107c391e74800b0983c493fb2ff5e

SHA256
e1e0529e5277e9c76e9b4ea929aefa6d854daa9090cd3c1c10de8dcf44ef41ab

SHA512
0f14f9bdb331dc327ad6f8f94e0f02c90dede67477fa1fedfd08a7c8a2395360ba891ee676f8e4f7044038691615bebf61a69a266473b73c244054c5438bbdf1

Download Submit
memory/908-59-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download
memory/908-60-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/908-54-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/908-56-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/908-74-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1684-75-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing