41d204d81c681ada925d70f7bd6b48d31aad34be9406eceafcaa342cd80fd7ad

Analysis

max time kernel
144s
max time network
145s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
10-01-2024 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51e75865fcf5957c4c0c317c3228c7f0.exe
Size

156KB
MD5

51e75865fcf5957c4c0c317c3228c7f0
SHA1

e1eb324f42021a8f9952bca97c0d5937a8b8c0f7
SHA256

41d204d81c681ada925d70f7bd6b48d31aad34be9406eceafcaa342cd80fd7ad
SHA512

26707c4470e515adf8c35ea105dd3f7b8e3e9e4ec29fef84a6b5965e65c9b235b10627f31f3e9677632450d3b28d20ebb129c8bff0b5757ef40046fedef3b09e
SSDEEP

3072:sqbEmRuVotc4zmpwRIZB3JPEL/oc7mBGAyjIuoJ98:sqbI4zcGInZVc7Hh

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2104	netprotocol.exe
3000	netprotocol.exe

Loads dropped DLL 3 IoCs

pid	Process
1872	51e75865fcf5957c4c0c317c3228c7f0.exe
1872	51e75865fcf5957c4c0c317c3228c7f0.exe
2104	netprotocol.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\Netprotocol = "C:\\Users\\Admin\\AppData\\Roaming\\netprotocol.exe"	51e75865fcf5957c4c0c317c3228c7f0.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2296 set thread context of 1872	2296	51e75865fcf5957c4c0c317c3228c7f0.exe	28
PID 2104 set thread context of 3000	2104	netprotocol.exe	30

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 1872	2296	51e75865fcf5957c4c0c317c3228c7f0.exe	28
PID 2296 wrote to memory of 1872	2296	51e75865fcf5957c4c0c317c3228c7f0.exe	28
PID 2296 wrote to memory of 1872	2296	51e75865fcf5957c4c0c317c3228c7f0.exe	28
PID 2296 wrote to memory of 1872	2296	51e75865fcf5957c4c0c317c3228c7f0.exe	28
PID 2296 wrote to memory of 1872	2296	51e75865fcf5957c4c0c317c3228c7f0.exe	28
PID 2296 wrote to memory of 1872	2296	51e75865fcf5957c4c0c317c3228c7f0.exe	28
PID 1872 wrote to memory of 2104	1872	51e75865fcf5957c4c0c317c3228c7f0.exe	29
PID 1872 wrote to memory of 2104	1872	51e75865fcf5957c4c0c317c3228c7f0.exe	29
PID 1872 wrote to memory of 2104	1872	51e75865fcf5957c4c0c317c3228c7f0.exe	29
PID 1872 wrote to memory of 2104	1872	51e75865fcf5957c4c0c317c3228c7f0.exe	29
PID 2104 wrote to memory of 3000	2104	netprotocol.exe	30
PID 2104 wrote to memory of 3000	2104	netprotocol.exe	30
PID 2104 wrote to memory of 3000	2104	netprotocol.exe	30
PID 2104 wrote to memory of 3000	2104	netprotocol.exe	30
PID 2104 wrote to memory of 3000	2104	netprotocol.exe	30
PID 2104 wrote to memory of 3000	2104	netprotocol.exe	30

C:\Users\Admin\AppData\Local\Temp\51e75865fcf5957c4c0c317c3228c7f0.exe
"C:\Users\Admin\AppData\Local\Temp\51e75865fcf5957c4c0c317c3228c7f0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Users\Admin\AppData\Local\Temp\51e75865fcf5957c4c0c317c3228c7f0.exe
  C:\Users\Admin\AppData\Local\Temp\51e75865fcf5957c4c0c317c3228c7f0.exe
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Users\Admin\AppData\Roaming\netprotocol.exe
    C:\Users\Admin\AppData\Roaming\netprotocol.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - C:\Users\Admin\AppData\Roaming\netprotocol.exe
      C:\Users\Admin\AppData\Roaming\netprotocol.exe
      4⤵
      Executes dropped EXE
      PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\netprotocol.exe

Filesize
156KB

MD5
c178c7461dffc068666fa84b1b6099db

SHA1
bc6d5efad7a080b05075ac78d4e43d570a2bc8f9

SHA256
c327079b1807bd40a8d8531205f9f4e7dbfc4e30d789dd6bf0a8dac0858bdfb3

SHA512
572cfabdf3414d33bc8297ddfc2aa911639991258eaed02bc9cf1912bb078681d5887b6bd67cb70a4645373510d91eb25def66bdb7c13e40f29671a2d380f1a5

Download Submit
memory/1872-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1872-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1872-4-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1872-6-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1872-8-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1872-27-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3000-26-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads