Analysis
-
max time kernel
142s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
17-03-2024 03:08
Static task
static1
Behavioral task
behavioral1
Sample
cfc46aab6c4f034ab974d9a5171b10a6.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
cfc46aab6c4f034ab974d9a5171b10a6.exe
Resource
win10v2004-20240226-en
General
-
Target
cfc46aab6c4f034ab974d9a5171b10a6.exe
-
Size
67KB
-
MD5
cfc46aab6c4f034ab974d9a5171b10a6
-
SHA1
c725efbae5d67af9f2e90424013ca110c3b8ebf5
-
SHA256
d660674028ca3498f5b2ee5d6f97a789b9f9e71ea0e7e2a60f6f31c6a68123a1
-
SHA512
b46465998d68e8ede8f7e4639ff620726b1c280390173763808fdfe531fcbf29ea4c9c567425963c01efbee9a7a23c4b4a5cebcff635a5f00ee2089a0c971db4
-
SSDEEP
1536:9z/igJA6OOeO4j61YZ4RiHGCIIEwm1PECDLN8v2jBy8ZO:97VGVOJYyRYTi71PECDLNy2jBJM
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
PID 1408 — netprotocol.exe -
Loads dropped DLL 2 IoCs
Processes:
PID 2172 — cfc46aab6c4f034ab974d9a5171b10a6.exe; PID 2172 — cfc46aab6c4f034ab974d9a5171b10a6.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Process cfc46aab6c4f034ab974d9a5171b10a6.exe — Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Netprotocol = "C:\\Users\\Admin\\AppData\\Roaming\\netprotocol.exe" -
Processes:
Processes: netprotocol.exe, cfc46aab6c4f034ab974d9a5171b10a6.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 — netprotocol.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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 — netprotocol.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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 — netprotocol.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 — cfc46aab6c4f034ab974d9a5171b10a6.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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 — cfc46aab6c4f034ab974d9a5171b10a6.exe
Note: AuthRoot certificate writes that coincide with CryptnetUrlCache downloads (see Downloads below) are also produced by Windows' automatic root-certificate update when a process first makes a TLS connection, so on its own this signature is weak evidence; the Run-key persistence and the dropped netprotocol.exe are the stronger indicators in this report. -
Suspicious use of UnmapMainImage 2 IoCs
Processes:
PID 2172 — cfc46aab6c4f034ab974d9a5171b10a6.exe; PID 1408 — netprotocol.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
Process cfc46aab6c4f034ab974d9a5171b10a6.exe (PID 2172) wrote to memory of netprotocol.exe (PID 1408) — recorded 4 times
Processes
-
C:\Users\Admin\AppData\Local\Temp\cfc46aab6c4f034ab974d9a5171b10a6.exe — command line: "C:\Users\Admin\AppData\Local\Temp\cfc46aab6c4f034ab974d9a5171b10a6.exe" — level 1
- Loads dropped DLL
- Adds Run key to start application
- Modifies system certificate store
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\netprotocol.exe — command line: C:\Users\Admin\AppData\Roaming\netprotocol.exe — level 2 (child of PID 2172)
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize 1KB
MD5 a74f44e14f4813b6529a896d1feae696
SHA1 91075e8378e02506e2f392c8f560247eb0f0ec68
SHA256 88ffbcefde2c4018481fcb6737101f4f0a64e9c43b7c706402c9423064b1e243
SHA512 f99d3970f7e296eb536e9ebb5a12cc45b67dab72ad34c2b2739322541ff6e646a9313fae58e289fe7dbd072f6b9fc6456b0df44e503169249236d25973a9f17c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize 67KB
MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
Filesize 408B
MD5 c3ddf6b8f7c66300d8eca320d743064d
SHA1 ddf3676fca507ad30783ade2d8898c53f15e1287
SHA256 e5ff5b502bae9e27b7c1cf2c74571efa995c2dfd8765b60d3fca49f22a47bdbd
SHA512 69c3b4ea3017273f457da52862147ad60121260d6fe9ed67110a6f4e4ed2c089f0162f40d5c6cfdc6a5355fdb6d792f4d3a2d626d3645b4a29ab3005b11dbdc5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 cbba138c912c28d1cb7a2d351656ecf8
SHA1 23951f84807da881816b193b94cd02dd78486270
SHA256 641e729d3d9c6da0483216440fa78d8ac7e2d5f69e3b40061213391476b94182
SHA512 097888914d6cfb7dd2735f448b27ff5754d33f2f7fdd2ebef73e7522bf408e278d512aeeb64c02df786e593bda38f9ebbe578cfe8d8a1f67c217ced05cf7002e
-
C:\Users\Admin\AppData\Local\Temp\Tar7C87.tmp
Filesize 175KB
MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JP7W2QNU.txt
Filesize 303B
MD5 62cf96b5c241f8ae06ed6a4239ec2d59
SHA1 6d03383a943b25f4dc8657af322288119ca4cad5
SHA256 cdeab872e713f8ad693c04f967cfd534632eaffa426b7234cfa6f470363df339
SHA512 75ba919da850adb73a5ab114938e3ce56b24b582839f6f7365e5b5f097467468ed6e867814526bd2991329d0b717e760e743ce4f785be238ed5bc94ad9db7f03
-
C:\Users\Admin\AppData\Roaming\netprotocol.exe (dropped copy; its hashes differ from the submitted sample)
Filesize 67KB
MD5 7902d478bc82e230fa98a5277e6d2b5b
SHA1 c96db4edbf24968580fe8b49dfb70b05e96b92c7
SHA256 14a654f87cffc3986c51001fbffce652b8dd059a31b25031551a97e0496b1425
SHA512 7cac09f48e336697152a28a1d7ef003273ea2e8e82d9d6ada84758164fc449cfa2260f2b70ca82095d0785dbc1aa02a3a60daea7cb6de99e04ea4b54c2f65839
-
memory/1408-11-0x0000000000400000-0x0000000000426000-memory.dmp — Filesize 152KB
-
memory/1408-10-0x0000000000230000-0x0000000000256000-memory.dmp — Filesize 152KB
-
memory/1408-82-0x0000000000400000-0x0000000000426000-memory.dmp — Filesize 152KB
-
memory/2172-1-0x0000000000230000-0x0000000000256000-memory.dmp — Filesize 152KB
-
memory/2172-2-0x0000000000400000-0x0000000000426000-memory.dmp — Filesize 152KB
-
memory/2172-81-0x0000000000400000-0x0000000000426000-memory.dmp — Filesize 152KB