d660674028ca3498f5b2ee5d6f97a789b9f9e71ea0e7e2a60f6f31c6a68123a1

General

Target

cfc46aab6c4f034ab974d9a5171b10a6.exe
Size

67KB
MD5

cfc46aab6c4f034ab974d9a5171b10a6
SHA1

c725efbae5d67af9f2e90424013ca110c3b8ebf5
SHA256

d660674028ca3498f5b2ee5d6f97a789b9f9e71ea0e7e2a60f6f31c6a68123a1
SHA512

b46465998d68e8ede8f7e4639ff620726b1c280390173763808fdfe531fcbf29ea4c9c567425963c01efbee9a7a23c4b4a5cebcff635a5f00ee2089a0c971db4
SSDEEP

1536:9z/igJA6OOeO4j61YZ4RiHGCIIEwm1PECDLN8v2jBy8ZO:97VGVOJYyRYTi71PECDLNy2jBJM

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

netprotocol.exe

pid process

1408 netprotocol.exe
Loads dropped DLL 2 IoCs

Processes:

cfc46aab6c4f034ab974d9a5171b10a6.exe

pid process

2172 cfc46aab6c4f034ab974d9a5171b10a6.exe
2172 cfc46aab6c4f034ab974d9a5171b10a6.exe

pid	process
1408	netprotocol.exe

pid	process
2172	cfc46aab6c4f034ab974d9a5171b10a6.exe
2172	cfc46aab6c4f034ab974d9a5171b10a6.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

cfc46aab6c4f034ab974d9a5171b10a6.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Netprotocol = "C:\\Users\\Admin\\AppData\\Roaming\\netprotocol.exe"	cfc46aab6c4f034ab974d9a5171b10a6.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

netprotocol.execfc46aab6c4f034ab974d9a5171b10a6.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	netprotocol.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	netprotocol.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	netprotocol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	cfc46aab6c4f034ab974d9a5171b10a6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	cfc46aab6c4f034ab974d9a5171b10a6.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

cfc46aab6c4f034ab974d9a5171b10a6.exenetprotocol.exe

pid process

2172 cfc46aab6c4f034ab974d9a5171b10a6.exe
1408 netprotocol.exe

pid	process
2172	cfc46aab6c4f034ab974d9a5171b10a6.exe
1408	netprotocol.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

cfc46aab6c4f034ab974d9a5171b10a6.exe

description	pid	process	target process
PID 2172 wrote to memory of 1408	2172	cfc46aab6c4f034ab974d9a5171b10a6.exe	netprotocol.exe
PID 2172 wrote to memory of 1408	2172	cfc46aab6c4f034ab974d9a5171b10a6.exe	netprotocol.exe
PID 2172 wrote to memory of 1408	2172	cfc46aab6c4f034ab974d9a5171b10a6.exe	netprotocol.exe
PID 2172 wrote to memory of 1408	2172	cfc46aab6c4f034ab974d9a5171b10a6.exe	netprotocol.exe

C:\Users\Admin\AppData\Local\Temp\cfc46aab6c4f034ab974d9a5171b10a6.exe
"C:\Users\Admin\AppData\Local\Temp\cfc46aab6c4f034ab974d9a5171b10a6.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2172

C:\Users\Admin\AppData\Roaming\netprotocol.exe
C:\Users\Admin\AppData\Roaming\netprotocol.exe
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of UnmapMainImage
PID:1408

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
1KB

MD5
a74f44e14f4813b6529a896d1feae696

SHA1
91075e8378e02506e2f392c8f560247eb0f0ec68

SHA256
88ffbcefde2c4018481fcb6737101f4f0a64e9c43b7c706402c9423064b1e243

SHA512
f99d3970f7e296eb536e9ebb5a12cc45b67dab72ad34c2b2739322541ff6e646a9313fae58e289fe7dbd072f6b9fc6456b0df44e503169249236d25973a9f17c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize
408B

MD5
c3ddf6b8f7c66300d8eca320d743064d

SHA1
ddf3676fca507ad30783ade2d8898c53f15e1287

SHA256
e5ff5b502bae9e27b7c1cf2c74571efa995c2dfd8765b60d3fca49f22a47bdbd

SHA512
69c3b4ea3017273f457da52862147ad60121260d6fe9ed67110a6f4e4ed2c089f0162f40d5c6cfdc6a5355fdb6d792f4d3a2d626d3645b4a29ab3005b11dbdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
cbba138c912c28d1cb7a2d351656ecf8

SHA1
23951f84807da881816b193b94cd02dd78486270

SHA256
641e729d3d9c6da0483216440fa78d8ac7e2d5f69e3b40061213391476b94182

SHA512
097888914d6cfb7dd2735f448b27ff5754d33f2f7fdd2ebef73e7522bf408e278d512aeeb64c02df786e593bda38f9ebbe578cfe8d8a1f67c217ced05cf7002e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7C87.tmp
Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JP7W2QNU.txt
Filesize
303B

MD5
62cf96b5c241f8ae06ed6a4239ec2d59

SHA1
6d03383a943b25f4dc8657af322288119ca4cad5

SHA256
cdeab872e713f8ad693c04f967cfd534632eaffa426b7234cfa6f470363df339

SHA512
75ba919da850adb73a5ab114938e3ce56b24b582839f6f7365e5b5f097467468ed6e867814526bd2991329d0b717e760e743ce4f785be238ed5bc94ad9db7f03

Download Submit
C:\Users\Admin\AppData\Roaming\netprotocol.exe
Filesize
67KB

MD5
7902d478bc82e230fa98a5277e6d2b5b

SHA1
c96db4edbf24968580fe8b49dfb70b05e96b92c7

SHA256
14a654f87cffc3986c51001fbffce652b8dd059a31b25031551a97e0496b1425

SHA512
7cac09f48e336697152a28a1d7ef003273ea2e8e82d9d6ada84758164fc449cfa2260f2b70ca82095d0785dbc1aa02a3a60daea7cb6de99e04ea4b54c2f65839

Download Submit
memory/1408-11-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1408-10-0x0000000000230000-0x0000000000256000-memory.dmp

Filesize
152KB

Download
memory/1408-82-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2172-1-0x0000000000230000-0x0000000000256000-memory.dmp

Filesize
152KB

Download
memory/2172-2-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2172-81-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads