Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10/01/2024, 23:22
Static task: static1
Behavioral task: behavioral1
- Sample: 51e75865fcf5957c4c0c317c3228c7f0.exe
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 51e75865fcf5957c4c0c317c3228c7f0.exe
- Resource: win10v2004-20231215-en
General
- Target: 51e75865fcf5957c4c0c317c3228c7f0.exe
- Size: 156KB
- MD5: 51e75865fcf5957c4c0c317c3228c7f0
- SHA1: e1eb324f42021a8f9952bca97c0d5937a8b8c0f7
- SHA256: 41d204d81c681ada925d70f7bd6b48d31aad34be9406eceafcaa342cd80fd7ad
- SHA512: 26707c4470e515adf8c35ea105dd3f7b8e3e9e4ec29fef84a6b5965e65c9b235b10627f31f3e9677632450d3b28d20ebb129c8bff0b5757ef40046fedef3b09e
- SSDEEP: 3072:sqbEmRuVotc4zmpwRIZB3JPEL/oc7mBGAyjIuoJ98:sqbI4zcGInZVc7Hh
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  pid   Process
  6096  netprotocol.exe
  1272  netprotocol.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Netprotocol = "C:\\Users\\Admin\\AppData\\Roaming\\netprotocol.exe"
  Process: 51e75865fcf5957c4c0c317c3228c7f0.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description                           pid   Process                               procid_target
  PID 880 set thread context of 1416    880   51e75865fcf5957c4c0c317c3228c7f0.exe  92
  PID 6096 set thread context of 1272   6096  netprotocol.exe                       103
- Program crash (4 IoCs)
  pid   pid_target  Process       procid_target
  4056  880         WerFault.exe  87
  2488  880         WerFault.exe  87
  6040  6096        WerFault.exe  95
  2172  6096        WerFault.exe  95
- Suspicious use of WriteProcessMemory (13 IoCs; identical events collapsed with a count)
  description                                    pid   Process                               procid_target
  PID 880 wrote to memory of 1416 (5 events)     880   51e75865fcf5957c4c0c317c3228c7f0.exe  92
  PID 1416 wrote to memory of 6096 (3 events)    1416  51e75865fcf5957c4c0c317c3228c7f0.exe  95
  PID 6096 wrote to memory of 1272 (5 events)    6096  netprotocol.exe                       103
Processes (nested by process-tree level; each entry lists image path, command line, PID and triggered signatures)
- C:\Users\Admin\AppData\Local\Temp\51e75865fcf5957c4c0c317c3228c7f0.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\51e75865fcf5957c4c0c317c3228c7f0.exe"
  level 1, PID 880
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\51e75865fcf5957c4c0c317c3228c7f0.exe
    command line: C:\Users\Admin\AppData\Local\Temp\51e75865fcf5957c4c0c317c3228c7f0.exe
    level 2, PID 1416
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\netprotocol.exe
      command line: C:\Users\Admin\AppData\Roaming\netprotocol.exe
      level 3, PID 6096
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\netprotocol.exe
        command line: C:\Users\Admin\AppData\Roaming\netprotocol.exe
        level 4, PID 1272
        - Executes dropped EXE
      - C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 6096 -s 452
        level 4, PID 6040
        - Program crash
      - C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 6096 -s 452
        level 4, PID 2172
        - Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 440
    level 2, PID 4056
    - Program crash
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 440
    level 2, PID 2488
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 880 -ip 880
  level 1, PID 2160
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 880 -ip 880
  level 1, PID 3160
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6096 -ip 6096
  level 1, PID 3092
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 6096 -ip 6096
  level 1, PID 5956
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 156KB
  MD5: c178c7461dffc068666fa84b1b6099db
  SHA1: bc6d5efad7a080b05075ac78d4e43d570a2bc8f9
  SHA256: c327079b1807bd40a8d8531205f9f4e7dbfc4e30d789dd6bf0a8dac0858bdfb3
  SHA512: 572cfabdf3414d33bc8297ddfc2aa911639991258eaed02bc9cf1912bb078681d5887b6bd67cb70a4645373510d91eb25def66bdb7c13e40f29671a2d380f1a5
- Filesize: 57KB
  MD5: 348ce5af0a70d17f4b5c4330fa2319ad
  SHA1: 3b482db110d1c4bc30248068d56948a00998a43c
  SHA256: c4ea55161f409d4133ca4410956cd7b28acb41ec96f6e4eb7ef7914cbd17bdcf
  SHA512: 649b159127c78a4ed74e30898c1593aea556cf515449788e5b22558a2803daef4d6a5b2dd6b177b896659f6b3add7ad2e140c197a3ab21e4d1e28150219b799a