331f71ed2acf50f2a8bea09fbc26589b715f9ce74fc72c5228414996e262400d

General

Target

04c5a4291c943a54b6121550a4fe2c37.exe
Size

68KB
MD5

04c5a4291c943a54b6121550a4fe2c37
SHA1

45b80619a4254e3351f0e9117572609b87e39783
SHA256

331f71ed2acf50f2a8bea09fbc26589b715f9ce74fc72c5228414996e262400d
SHA512

6df04936ab27a6b82dbd4495c36f9c319704c858b727337e36faaaeb50633506acda3bc19598dcaaccba280f0f08a7d704f50ddef72788aa1b543729f65c4458
SSDEEP

1536:1yMOY0N07sI1Wjw8df70MXcx3cLQzOJsWfKwrgpS9mESGE:AJY+07sIZ8dd83XCJTScuSMESF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2196	netprotocol.exe

Loads dropped DLL 2 IoCs

pid	Process
2252	04c5a4291c943a54b6121550a4fe2c37.exe
2252	04c5a4291c943a54b6121550a4fe2c37.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2252-0-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/files/0x000c00000001224c-3.dat	upx
behavioral1/memory/2196-12-0x0000000000400000-0x0000000000466000-memory.dmp	upx
behavioral1/files/0x000c00000001224c-10.dat	upx
behavioral1/files/0x000c00000001224c-8.dat	upx
behavioral1/files/0x000c00000001224c-5.dat	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Netprotocol = "C:\\Users\\Admin\\AppData\\Roaming\\netprotocol.exe"	04c5a4291c943a54b6121550a4fe2c37.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2196	2252	04c5a4291c943a54b6121550a4fe2c37.exe	18
PID 2252 wrote to memory of 2196	2252	04c5a4291c943a54b6121550a4fe2c37.exe	18
PID 2252 wrote to memory of 2196	2252	04c5a4291c943a54b6121550a4fe2c37.exe	18
PID 2252 wrote to memory of 2196	2252	04c5a4291c943a54b6121550a4fe2c37.exe	18

C:\Users\Admin\AppData\Local\Temp\04c5a4291c943a54b6121550a4fe2c37.exe
"C:\Users\Admin\AppData\Local\Temp\04c5a4291c943a54b6121550a4fe2c37.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Users\Admin\AppData\Roaming\netprotocol.exe
  C:\Users\Admin\AppData\Roaming\netprotocol.exe
  2⤵
  - Executes dropped EXE
  PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\netprotocol.exe

Filesize
64KB

MD5
77e416f411e08599b6e188ce7d3e3679

SHA1
0c427c70a9b48556064c72bac6ca68074266de8b

SHA256
29cde5f3c8393d95041604a94d086b20e921c86b50acb027c7734d6a91d9e8ff

SHA512
b20387ad8d3c86dee7096eaed8dfe09c9259afecac0f9615ed0bb7e5d515a438570d750c541e1b66923d5200ed14920a1f8ad13969db0fca93220ad461ea77b7

Download Submit
C:\Users\Admin\AppData\Roaming\netprotocol.exe

Filesize
14KB

MD5
07ca0f37c6608219245bff53ac904739

SHA1
ea753b8a48afd9efd9923a26bf369e4d5a2661c1

SHA256
79cbc1e04c1fd5ae91fe2fe0e0eaba7678666713de0572e5ac4342aef9be2fdc

SHA512
43bfb0f7c297452fba23351ab9987182c5790334a159b6a509f792bb8836c4bbf7b2d860dd93317ae4755da74c04ca906c9cec78dbfff9764b0472599d0fe2e9

Download Submit
\Users\Admin\AppData\Roaming\netprotocol.exe

Filesize
45KB

MD5
badfadc10e1ce7ccd79a1de2c3d22f92

SHA1
f544f179ac5c5402c65793760df67e832b41d076

SHA256
5e78d41011b86ff14cd49cc4e47403a31eaaea2395dce1a8fe5d982e965128ea

SHA512
9f3365a3f4fa030ad125fedd8c1e3d93369e7e479746eaf50aedfe6e4cd6fffad11603cc0ac5deaaa95087cdb504c672cd7ce6b5ca52fb6763420a3921835ab4

Download Submit
\Users\Admin\AppData\Roaming\netprotocol.exe

Filesize
63KB

MD5
d27b9976b33889f9247d3ba03273e123

SHA1
01f89d37612576c64cc9cddd325c77e2eaec966d

SHA256
02c985e4a2e5f040316e8230fd6e2e0cdd6de2ea7aba71d65d11b4d9351a1643

SHA512
cf11c0ce53f9678f3e31d3222e772b86052f68ca66c64beced1a11884d38328dc26d41152599654e1babc0b914d4cca5ec2b05fc0916613762d6adf1e23fa852

Download Submit
memory/2196-12-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2196-14-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2196-13-0x0000000000240000-0x0000000000243000-memory.dmp

Filesize
12KB

Download
memory/2196-20-0x0000000000240000-0x0000000000243000-memory.dmp

Filesize
12KB

Download
memory/2252-9-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2252-0-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2252-11-0x0000000000470000-0x00000000004D6000-memory.dmp

Filesize
408KB

Download
memory/2252-2-0x0000000000240000-0x0000000000243000-memory.dmp

Filesize
12KB

Download
memory/2252-15-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2252-17-0x0000000000240000-0x0000000000243000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads