bdc58f50b9166adeac7f1ab1cff9d49dd5e961e9482ded0350de6108ff3aa4f9

Analysis

max time kernel
190s
max time network
197s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdc58f50b9166adeac7f1ab1cff9d49dd5e961e9482ded0350de6108ff3aa4f9.exe
Size

83KB
MD5

d6e2378844c8f109b5045be818773176
SHA1

b565ebda89fd78f4e0f8a9dcfe2ed119a4891c88
SHA256

bdc58f50b9166adeac7f1ab1cff9d49dd5e961e9482ded0350de6108ff3aa4f9
SHA512

1cc76d2df019e318b4e57e97f6de2c0b5c85f8005f9dc316c0ed97321a936fdb568413523c1b1eb07d15fb8d88ef06de929e046f627ee1c752e46bfb2e7e4b4c
SSDEEP

1536:xnKm2NX0So6lOgMS+3MqGFdyayh45AmRGG4IZOKrX:lr2NX0t6l6SeQyayeZs1I84

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1316	netprotocol.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000800000001483c-57.dat	upx
behavioral1/files/0x000800000001483c-58.dat	upx
behavioral1/files/0x000800000001483c-60.dat	upx

Loads dropped DLL 2 IoCs

pid	Process
1776	bdc58f50b9166adeac7f1ab1cff9d49dd5e961e9482ded0350de6108ff3aa4f9.exe
1776	bdc58f50b9166adeac7f1ab1cff9d49dd5e961e9482ded0350de6108ff3aa4f9.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	bdc58f50b9166adeac7f1ab1cff9d49dd5e961e9482ded0350de6108ff3aa4f9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\Netprotocol = "C:\\Users\\Admin\\AppData\\Roaming\\netprotocol.exe"	bdc58f50b9166adeac7f1ab1cff9d49dd5e961e9482ded0350de6108ff3aa4f9.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1776 wrote to memory of 1316	1776	bdc58f50b9166adeac7f1ab1cff9d49dd5e961e9482ded0350de6108ff3aa4f9.exe	27
PID 1776 wrote to memory of 1316	1776	bdc58f50b9166adeac7f1ab1cff9d49dd5e961e9482ded0350de6108ff3aa4f9.exe	27
PID 1776 wrote to memory of 1316	1776	bdc58f50b9166adeac7f1ab1cff9d49dd5e961e9482ded0350de6108ff3aa4f9.exe	27
PID 1776 wrote to memory of 1316	1776	bdc58f50b9166adeac7f1ab1cff9d49dd5e961e9482ded0350de6108ff3aa4f9.exe	27

C:\Users\Admin\AppData\Local\Temp\bdc58f50b9166adeac7f1ab1cff9d49dd5e961e9482ded0350de6108ff3aa4f9.exe
"C:\Users\Admin\AppData\Local\Temp\bdc58f50b9166adeac7f1ab1cff9d49dd5e961e9482ded0350de6108ff3aa4f9.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Users\Admin\AppData\Roaming\netprotocol.exe
  C:\Users\Admin\AppData\Roaming\netprotocol.exe
  2⤵
  - Executes dropped EXE
  PID:1316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\netprotocol.exe

Filesize
83KB

MD5
6bb0953acb1cd5faa3db92b0ab760719

SHA1
04bfc7707385a90abfe80ea0ee30065308908334

SHA256
37df25d22c7531872ab2bd437798b4e31f1c3439c8ce6b986a3aec24137159c1

SHA512
80f6a9a47544956972e8f08551726594ab48d03f43e97b1685206f0c765b21864f7f9994b58d3d036aab14d7205f07417457ce76a820c3cab8b1e340cb175be9

Download Submit
\Users\Admin\AppData\Roaming\netprotocol.exe

Filesize
83KB

MD5
6bb0953acb1cd5faa3db92b0ab760719

SHA1
04bfc7707385a90abfe80ea0ee30065308908334

SHA256
37df25d22c7531872ab2bd437798b4e31f1c3439c8ce6b986a3aec24137159c1

SHA512
80f6a9a47544956972e8f08551726594ab48d03f43e97b1685206f0c765b21864f7f9994b58d3d036aab14d7205f07417457ce76a820c3cab8b1e340cb175be9

Download Submit
\Users\Admin\AppData\Roaming\netprotocol.exe

Filesize
83KB

MD5
6bb0953acb1cd5faa3db92b0ab760719

SHA1
04bfc7707385a90abfe80ea0ee30065308908334

SHA256
37df25d22c7531872ab2bd437798b4e31f1c3439c8ce6b986a3aec24137159c1

SHA512
80f6a9a47544956972e8f08551726594ab48d03f43e97b1685206f0c765b21864f7f9994b58d3d036aab14d7205f07417457ce76a820c3cab8b1e340cb175be9

Download Submit
memory/1316-66-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1776-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1776-55-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1776-65-0x0000000000460000-0x0000000000498000-memory.dmp

Filesize
224KB

Download
memory/1776-64-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download