4078372727c8bfbd18c75bdeb5bc81c3f66db1cadd98256d4493cc5dad50a905

Analysis

max time kernel
201s
max time network
212s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
06/01/2024, 00:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

44d00209a92363c5be592e89db83504f.exe
Size

54KB
MD5

44d00209a92363c5be592e89db83504f
SHA1

25c18a4d0bffa85c77f4482c2958b3a82f1e9eac
SHA256

4078372727c8bfbd18c75bdeb5bc81c3f66db1cadd98256d4493cc5dad50a905
SHA512

644555edd8f83b05533f9bd5c59ca18e773fdedd8f3e4c178af478eb285210bcd80afe0577b11aaa319fa9a6765fb498f573a391aba39f3cbbe4a0158bc29019
SSDEEP

1536:T5JaAgBMHzQaNYWUgXBQLnfQRY3MDQLm9wN:TX/gBMTQaNYWJQbNumF

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2832	netprotocol.exe

Loads dropped DLL 2 IoCs

pid	Process
2716	44d00209a92363c5be592e89db83504f.exe
2716	44d00209a92363c5be592e89db83504f.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2716-0-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2716-2-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/files/0x0004000000004ed7-7.dat	upx
behavioral1/memory/2832-15-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Netprotocol = "C:\\Users\\Admin\\AppData\\Roaming\\netprotocol.exe"	44d00209a92363c5be592e89db83504f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2832	2716	44d00209a92363c5be592e89db83504f.exe	29
PID 2716 wrote to memory of 2832	2716	44d00209a92363c5be592e89db83504f.exe	29
PID 2716 wrote to memory of 2832	2716	44d00209a92363c5be592e89db83504f.exe	29
PID 2716 wrote to memory of 2832	2716	44d00209a92363c5be592e89db83504f.exe	29

C:\Users\Admin\AppData\Local\Temp\44d00209a92363c5be592e89db83504f.exe
"C:\Users\Admin\AppData\Local\Temp\44d00209a92363c5be592e89db83504f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Users\Admin\AppData\Roaming\netprotocol.exe
  C:\Users\Admin\AppData\Roaming\netprotocol.exe
  2⤵
  - Executes dropped EXE
  PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\netprotocol.exe

Filesize
54KB

MD5
6903be6c4b7338e13f3f41f982d7c395

SHA1
46e9474b138fc1c0fbb5aa6ec0a7a98ba8a1923d

SHA256
f5be50bda677364617adaf30bc1e98e6a3cddd4c6c2cfa04b06f8ad5bca31592

SHA512
45a2591f3a3aa21a364c799fd53e6edd8367f0335105b0a38cba19cbcbf4a884c10f285c1d1061622afc0208cb0cc3de8d9a0494b542ccd52142cd7ce79c92d5

Download Submit
memory/2716-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2716-1-0x0000000000230000-0x0000000000233000-memory.dmp

Filesize
12KB

Download
memory/2716-2-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2716-6-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2716-14-0x0000000000290000-0x00000000002BE000-memory.dmp

Filesize
184KB

Download
memory/2716-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2716-22-0x0000000000290000-0x00000000002BE000-memory.dmp

Filesize
184KB

Download
memory/2832-15-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2832-17-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2832-18-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads