4ecb661e6a61c253f79e3c05f003145c4e2151f0f3d478ba7d28e6a37f25e4b3

Analysis

max time kernel
144s
max time network
144s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4bba861e6ebf25feaaa1226f819ff62d.exe
Size

101KB
MD5

4bba861e6ebf25feaaa1226f819ff62d
SHA1

4735e8d0c953b9f99ac9db73d0df8be29d164f11
SHA256

4ecb661e6a61c253f79e3c05f003145c4e2151f0f3d478ba7d28e6a37f25e4b3
SHA512

c0a73f19ba429322d1c058b224ca665530679d1edcc1090a72e6891530cdeeb1a6cf6a6f8dc9db1d0bcfe8efbf222b398568d89ce86fc329a2146bf21af61bc7
SSDEEP

3072:s+hAZ9D9kxOHZOrvcmKWVegHc3fbOouv:hhAjlZOrkNWVd8jOoE

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2192	netprotocol.exe

Loads dropped DLL 2 IoCs

pid	Process
1872	4bba861e6ebf25feaaa1226f819ff62d.exe
1872	4bba861e6ebf25feaaa1226f819ff62d.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1872-0-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2192-13-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/files/0x000900000001447e-12.dat	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Netprotocol = "C:\\Users\\Admin\\AppData\\Roaming\\netprotocol.exe"	4bba861e6ebf25feaaa1226f819ff62d.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 2192	1872	4bba861e6ebf25feaaa1226f819ff62d.exe	14
PID 1872 wrote to memory of 2192	1872	4bba861e6ebf25feaaa1226f819ff62d.exe	14
PID 1872 wrote to memory of 2192	1872	4bba861e6ebf25feaaa1226f819ff62d.exe	14
PID 1872 wrote to memory of 2192	1872	4bba861e6ebf25feaaa1226f819ff62d.exe	14

C:\Users\Admin\AppData\Roaming\netprotocol.exe
C:\Users\Admin\AppData\Roaming\netprotocol.exe
1⤵
- Executes dropped EXE
PID:2192

C:\Users\Admin\AppData\Local\Temp\4bba861e6ebf25feaaa1226f819ff62d.exe
"C:\Users\Admin\AppData\Local\Temp\4bba861e6ebf25feaaa1226f819ff62d.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\netprotocol.exe

Filesize
101KB

MD5
119ec370a7b05d61df8d37b427055aff

SHA1
ec479f8b82bd8789f11c50dfa29be446be47bfb1

SHA256
747396e1b0d330a1268602d7b2f3d1a4be7d3c0b5979f4649a97da3ffb9941c1

SHA512
726edb764b8d8e027d48ff8179ac9c2a54991edb2c29a0844b509c83cca526c5fc2fce10e37ca831767d677e57c13807bc58977cf72cbba5763f675bdebc4d89

Download Submit
memory/1872-0-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1872-11-0x0000000001BD0000-0x0000000001C1B000-memory.dmp

Filesize
300KB

Download
memory/1872-14-0x0000000001BD0000-0x0000000001C1B000-memory.dmp

Filesize
300KB

Download
memory/1872-2-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1872-1-0x00000000003C0000-0x00000000003D4000-memory.dmp

Filesize
80KB

Download
memory/1872-17-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2192-13-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2192-18-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads