Analysis
-
max time kernel
138s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system -
submitted
01/12/2022, 03:45
Behavioral task
behavioral1
Sample
6f2992dad105a0be8c4568bb50cba34f2395f5babf32fb4b6c378f2ff375a208.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
6f2992dad105a0be8c4568bb50cba34f2395f5babf32fb4b6c378f2ff375a208.exe
Resource
win10v2004-20220812-en
General
-
Target
6f2992dad105a0be8c4568bb50cba34f2395f5babf32fb4b6c378f2ff375a208.exe
-
Size
93KB
-
MD5
b4d0e0c188c50d007ad0fa9270632d23
-
SHA1
d9f490ce9247e88f3495cdbc3006243563be4ea7
-
SHA256
6f2992dad105a0be8c4568bb50cba34f2395f5babf32fb4b6c378f2ff375a208
-
SHA512
99d419f57e464072a63360e2541215cc852b55a36139bccc54c867bc5c754fbfe8e6a4b17127a2fe5ea7f188eab22d1530c9a895a381daf200dabe26049579ce
-
SSDEEP
1536:Gpe+K4ZOuXTw1Z0NU8iDCvfDeiMS7hXLd+zXeo9Cwk0dJvZ7yyHzqTA:GsO0j7qDeij7qzOo9CidJvZGr
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid   Process
968   netprotocol.exe
-
YARA rule upx matched 4 IoCs
resource                                                                      yara_rule
behavioral1/memory/1672-54-0x0000000000400000-0x0000000000433000-memory.dmp   upx
behavioral1/files/0x0007000000005c50-58.dat                                   upx
behavioral1/files/0x0007000000005c50-59.dat                                   upx
behavioral1/files/0x0007000000005c50-61.dat                                   upx
-
Loads dropped DLL 2 IoCs
pid    Process
1672   6f2992dad105a0be8c4568bb50cba34f2395f5babf32fb4b6c378f2ff375a208.exe
1672   6f2992dad105a0be8c4568bb50cba34f2395f5babf32fb4b6c378f2ff375a208.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description       ioc                                                                                                                                                                              Process
Set value (str)   \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Netprotocol = "C:\\Users\\Admin\\AppData\\Roaming\\netprotocol.exe"   6f2992dad105a0be8c4568bb50cba34f2395f5babf32fb4b6c378f2ff375a208.exe
Key created       \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                                                                       6f2992dad105a0be8c4568bb50cba34f2395f5babf32fb4b6c378f2ff375a208.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description                    pid    Process                                                                 procid_target
PID 1672 wrote to memory of 968   1672   6f2992dad105a0be8c4568bb50cba34f2395f5babf32fb4b6c378f2ff375a208.exe   27
PID 1672 wrote to memory of 968   1672   6f2992dad105a0be8c4568bb50cba34f2395f5babf32fb4b6c378f2ff375a208.exe   27
PID 1672 wrote to memory of 968   1672   6f2992dad105a0be8c4568bb50cba34f2395f5babf32fb4b6c378f2ff375a208.exe   27
PID 1672 wrote to memory of 968   1672   6f2992dad105a0be8c4568bb50cba34f2395f5babf32fb4b6c378f2ff375a208.exe   27
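The signatures above describe one chain: the sample in %TEMP% (PID 1672) writes a Run value under the user's own hive pointing at a copy of itself in %APPDATA%, then starts that copy (PID 968). Because the key is HKCU, no privilege is needed, so the useful detection is not "a Run value was written" but "a Run value was written whose target sits in a user-writable directory, and that target was then executed by the writer". The following is an added example, not part of the sandbox report: it runs that rule over constructed records shaped like Sysmon Event ID 13 (registry value set) and Event ID 1 (process create). The paths, PIDs and Run value are taken from the report; the parent of PID 1672, the benign installer record, and the Sysmon-style field names are assumptions.

```python
"""Correlate Run-key persistence with execution of the Run target.

Added example, not the report's own code. SAMPLE_EVENTS are constructed
records (not real telemetry) that mirror the report's process tree.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\6f2992dad105a0be8c4568bb50cba34f2395f5babf32fb4b6c378f2ff375a208.exe")
DROPPED_PATH = r"C:\Users\Admin\AppData\Roaming\netprotocol.exe"
RUN_VALUE = (r"HKU\S-1-5-21-999675638-2867687379-27515722-1000"
             r"\Software\Microsoft\Windows\CurrentVersion\Run\Netprotocol")

# Constructed log records, field names modelled on Sysmon (assumption).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1672, "ParentProcessId": 1234,          # parent PID assumed
     "Image": SAMPLE_PATH, "ParentImage": r"C:\Windows\explorer.exe"},  # parent image assumed
    {"EventID": 13, "ProcessId": 1672, "Image": SAMPLE_PATH,
     "TargetObject": RUN_VALUE, "Details": DROPPED_PATH},
    {"EventID": 1, "ProcessId": 968, "ParentProcessId": 1672,
     "Image": DROPPED_PATH, "ParentImage": SAMPLE_PATH},
    # Control case (assumed, not from the report): an installer in Program
    # Files writing an HKLM Run value that points back into Program Files.
    {"EventID": 13, "ProcessId": 4444, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
]

# Any value directly under a ...\CurrentVersion\Run key, in any hive.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)
# Directories an unprivileged user can write to; a Run target here is suspect.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|\\Users\\Public\\|\\ProgramData\\", re.IGNORECASE)


@dataclass
class PersistenceChain:
    writer_pid: int
    writer_image: str
    value_name: str
    target_path: str
    launched_pid: Optional[int]  # None if the Run target was never executed by the writer


def run_value_writes(events: Iterable[dict]):
    """Yield (event, value_name) for registry-set events under any Run key."""
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
        if m:
            yield ev, m.group(1)


def is_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE_RE.search(path))


def find_persistence_chains(events: List[dict]) -> List[PersistenceChain]:
    """Flag Run values whose target lives in a user-writable directory and
    pair each with a process-create event for that target whose parent is
    the process that wrote the value."""
    chains = []
    for ev, value_name in run_value_writes(events):
        target = ev["Details"]
        if not is_user_writable(target):
            continue  # e.g. HKLM Run value pointing into Program Files
        launched = None
        for pc in events:
            if (pc.get("EventID") == 1
                    and pc["Image"].lower() == target.lower()
                    and pc.get("ParentProcessId") == ev["ProcessId"]):
                launched = pc["ProcessId"]
        chains.append(PersistenceChain(ev["ProcessId"], ev["Image"],
                                       value_name, target, launched))
    return chains


if __name__ == "__main__":
    for c in find_persistence_chains(SAMPLE_EVENTS):
        print(f"PID {c.writer_pid} set Run\\{c.value_name} -> {c.target_path}; "
              f"launched as PID {c.launched_pid}")
```

On the constructed input this yields a single chain: PID 1672 set Run\Netprotocol to the %APPDATA% copy and launched it as PID 968, while the Program Files installer is ignored. The user-writable directory test is the part that keeps the rule quiet on ordinary software; the execution correlation is what turns a registry event into the same picture the report's process tree gives.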
Processes
-
C:\Users\Admin\AppData\Local\Temp\6f2992dad105a0be8c4568bb50cba34f2395f5babf32fb4b6c378f2ff375a208.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\6f2992dad105a0be8c4568bb50cba34f2395f5babf32fb4b6c378f2ff375a208.exe"
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1672 -
    C:\Users\Admin\AppData\Roaming\netprotocol.exe
    Command line: C:\Users\Admin\AppData\Roaming\netprotocol.exe
    - Executes dropped EXE
    PID:968
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
93KB
MD5 e8bfdd516529d589ba107a61ec5265e7
SHA1 58d3b4ce0f3853a8da28811dcee9735ccb9cc175
SHA256 e4c8f098c793804a7299f8a661d1402dae88bf059b0a888921e3fcca953c39f7
SHA512 e31c079ec32a8cff79665b1c70c2be241baf2b119ae0578bb1b2200f6ebdfb5c5e72dd95ecbd41e41a3b8b1daa5a6c2a3b69f99c0af0c047bad79a117e8464be