41d204d81c681ada925d70f7bd6b48d31aad34be9406eceafcaa342cd80fd7ad

General

Target

51e75865fcf5957c4c0c317c3228c7f0.exe
Size

156KB
MD5

51e75865fcf5957c4c0c317c3228c7f0
SHA1

e1eb324f42021a8f9952bca97c0d5937a8b8c0f7
SHA256

41d204d81c681ada925d70f7bd6b48d31aad34be9406eceafcaa342cd80fd7ad
SHA512

26707c4470e515adf8c35ea105dd3f7b8e3e9e4ec29fef84a6b5965e65c9b235b10627f31f3e9677632450d3b28d20ebb129c8bff0b5757ef40046fedef3b09e
SSDEEP

3072:sqbEmRuVotc4zmpwRIZB3JPEL/oc7mBGAyjIuoJ98:sqbI4zcGInZVc7Hh

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
6096	netprotocol.exe
1272	netprotocol.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Netprotocol = "C:\\Users\\Admin\\AppData\\Roaming\\netprotocol.exe"	51e75865fcf5957c4c0c317c3228c7f0.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 880 set thread context of 1416	880	51e75865fcf5957c4c0c317c3228c7f0.exe	92
PID 6096 set thread context of 1272	6096	netprotocol.exe	103

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4056	880	WerFault.exe	87
2488	880	WerFault.exe	87
6040	6096	WerFault.exe	95
2172	6096	WerFault.exe	95

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 1416	880	51e75865fcf5957c4c0c317c3228c7f0.exe	92
PID 880 wrote to memory of 1416	880	51e75865fcf5957c4c0c317c3228c7f0.exe	92
PID 880 wrote to memory of 1416	880	51e75865fcf5957c4c0c317c3228c7f0.exe	92
PID 880 wrote to memory of 1416	880	51e75865fcf5957c4c0c317c3228c7f0.exe	92
PID 880 wrote to memory of 1416	880	51e75865fcf5957c4c0c317c3228c7f0.exe	92
PID 1416 wrote to memory of 6096	1416	51e75865fcf5957c4c0c317c3228c7f0.exe	95
PID 1416 wrote to memory of 6096	1416	51e75865fcf5957c4c0c317c3228c7f0.exe	95
PID 1416 wrote to memory of 6096	1416	51e75865fcf5957c4c0c317c3228c7f0.exe	95
PID 6096 wrote to memory of 1272	6096	netprotocol.exe	103
PID 6096 wrote to memory of 1272	6096	netprotocol.exe	103
PID 6096 wrote to memory of 1272	6096	netprotocol.exe	103
PID 6096 wrote to memory of 1272	6096	netprotocol.exe	103
PID 6096 wrote to memory of 1272	6096	netprotocol.exe	103

C:\Users\Admin\AppData\Local\Temp\51e75865fcf5957c4c0c317c3228c7f0.exe
"C:\Users\Admin\AppData\Local\Temp\51e75865fcf5957c4c0c317c3228c7f0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:880
- C:\Users\Admin\AppData\Local\Temp\51e75865fcf5957c4c0c317c3228c7f0.exe
  C:\Users\Admin\AppData\Local\Temp\51e75865fcf5957c4c0c317c3228c7f0.exe
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1416
- - C:\Users\Admin\AppData\Roaming\netprotocol.exe
    C:\Users\Admin\AppData\Roaming\netprotocol.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:6096
  - - C:\Users\Admin\AppData\Roaming\netprotocol.exe
      C:\Users\Admin\AppData\Roaming\netprotocol.exe
      4⤵
      Executes dropped EXE
      PID:1272
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6096 -s 452
      4⤵
      Program crash
      PID:6040
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 6096 -s 452
      4⤵
      Program crash
      PID:2172
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 440
  2⤵
  - Program crash
  PID:4056
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 440
  2⤵
  - Program crash
  PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 880 -ip 880
1⤵
PID:2160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 880 -ip 880
1⤵
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6096 -ip 6096
1⤵
PID:3092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 6096 -ip 6096
1⤵
PID:5956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\netprotocol.exe

Filesize
156KB

MD5
c178c7461dffc068666fa84b1b6099db

SHA1
bc6d5efad7a080b05075ac78d4e43d570a2bc8f9

SHA256
c327079b1807bd40a8d8531205f9f4e7dbfc4e30d789dd6bf0a8dac0858bdfb3

SHA512
572cfabdf3414d33bc8297ddfc2aa911639991258eaed02bc9cf1912bb078681d5887b6bd67cb70a4645373510d91eb25def66bdb7c13e40f29671a2d380f1a5

Download Submit
C:\Users\Admin\AppData\Roaming\netprotocol.exe

Filesize
57KB

MD5
348ce5af0a70d17f4b5c4330fa2319ad

SHA1
3b482db110d1c4bc30248068d56948a00998a43c

SHA256
c4ea55161f409d4133ca4410956cd7b28acb41ec96f6e4eb7ef7914cbd17bdcf

SHA512
649b159127c78a4ed74e30898c1593aea556cf515449788e5b22558a2803daef4d6a5b2dd6b177b896659f6b3add7ad2e140c197a3ab21e4d1e28150219b799a

Download Submit
memory/1272-10-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1272-11-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1272-13-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1416-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1416-1-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1416-2-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1416-7-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1416-12-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads