Analysis
-
max time kernel: 32s
max time network: 158s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 24-11-2022 16:33
Behavioral task
behavioral1
Sample
6738634d9b3bfcf7ebca8be48c091b3e.exe
Resource
win7-20220812-en
General
-
Target
6738634d9b3bfcf7ebca8be48c091b3e.exe
-
Size
4.8MB
-
MD5
6738634d9b3bfcf7ebca8be48c091b3e
-
SHA1
f08091a4b3f5c167bcdfa565584bed8ed2a69f0c
-
SHA256
8c77759eff69330a5c9697d05e2a0f99c6edff904bdd52a048df0461d0459b27
-
SHA512
c8e6f3dd4c7de4c9a54278a398d096aabf8391a8a92484eb2a8e74d6d288d8b066e967916645e2aaec53fb4c8c3ac9f1cbd0fc01c1b828a1a742af3bc57aaaf5
-
SSDEEP
49152:cAMzHHGxBRJHrcFFmJAhaShRgxuMY8qa9vjTIt0IEqYjla27/BS5g+A:bMjGxBQFFmJA3Foq+vOEdZZ+A
Malware Config
Extracted
laplas
clipper.guru
-
api_key
0f183cb4288647960d1c458ed8456bf6524ebfbc16ebc53caab66c2376fd0eef
Signatures
-
Executes dropped EXE 1 IoCs
pid Process
1272 svcupdater.exe
-
Loads dropped DLL 2 IoCs
pid Process
1304 taskeng.exe
1304 taskeng.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
2012 schtasks.exe
-
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description flow ioc
HTTP User-Agent header 3 Go-http-client/1.1
-
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target
PID 912 wrote to memory of 960 912 6738634d9b3bfcf7ebca8be48c091b3e.exe 28
PID 912 wrote to memory of 960 912 6738634d9b3bfcf7ebca8be48c091b3e.exe 28
PID 912 wrote to memory of 960 912 6738634d9b3bfcf7ebca8be48c091b3e.exe 28
PID 960 wrote to memory of 2012 960 cmd.exe 30
PID 960 wrote to memory of 2012 960 cmd.exe 30
PID 960 wrote to memory of 2012 960 cmd.exe 30
PID 1304 wrote to memory of 1272 1304 taskeng.exe 32
PID 1304 wrote to memory of 1272 1304 taskeng.exe 32
PID 1304 wrote to memory of 1272 1304 taskeng.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\6738634d9b3bfcf7ebca8be48c091b3e.exe
  "C:\Users\Admin\AppData\Local\Temp\6738634d9b3bfcf7ebca8be48c091b3e.exe"
  - Suspicious use of WriteProcessMemory
  PID:912
  └ C:\Windows\system32\cmd.exe
    cmd.exe "/C schtasks /create /tn \ipXroBUdMG /tr \"C:\Users\Admin\AppData\Roaming\ipXroBUdMG\svcupdater.exe\" /st 00:00 /du 9999:59 /sc once /ri 1 /f"
    - Suspicious use of WriteProcessMemory
    PID:960
    └ C:\Windows\system32\schtasks.exe
      schtasks /create /tn \ipXroBUdMG /tr \"C:\Users\Admin\AppData\Roaming\ipXroBUdMG\svcupdater.exe\" /st 00:00 /du 9999:59 /sc once /ri 1 /f"
      - Creates scheduled task(s)
      PID:2012
-
C:\Windows\system32\taskeng.exe
  taskeng.exe {7D741315-BB91-42D5-86B8-458F1B13442F} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1304
  └ C:\Users\Admin\AppData\Roaming\ipXroBUdMG\svcupdater.exe
    C:\Users\Admin\AppData\Roaming\ipXroBUdMG\svcupdater.exe
    - Executes dropped EXE
    PID:1272
-
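The schtasks invocation recorded for PID 2012 is what makes this sample persistent: a task scheduled `/sc once` but given a repetition interval of one minute (`/ri 1`) for a duration of 9999 hours 59 minutes (`/du 9999:59`, roughly 417 days) re-runs the dropped binary every minute, the binary lives in a user-writable path under AppData\Roaming, and the task name is a random-looking string placed in the task root. The following is an added triage heuristic that parses such command lines from process-creation telemetry and flags those traits; it is example code written for this page, not sandbox or report code. The malicious line is the one from this report (with the `\"` escaping as cmd.exe passed it), the benign comparison line and the indicator names are constructed.

```python
"""Flag schtasks /create command lines that look like malware persistence."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed inputs: line 0 is the invocation from this report (PID 2012),
# line 1 is a made-up benign task used for contrast.
SAMPLE_CMDLINES = [
    r'schtasks /create /tn \ipXroBUdMG /tr \"C:\Users\Admin\AppData\Roaming\ipXroBUdMG\svcupdater.exe\" /st 00:00 /du 9999:59 /sc once /ri 1 /f',
    r'schtasks /create /tn "MyBackup" /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00',
]

# Windows-style tokenizer: a double-quoted run is one token, quotes dropped.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# Locations a standard user can write to without elevation (assumed list).
_USER_WRITABLE = re.compile(
    r'\\AppData\\(Roaming|Local)\\|\\Temp\\|\\ProgramData\\|\\Public\\', re.I)


@dataclass
class TaskCreate:
    name: str = ''        # /tn
    run: str = ''         # /tr
    schedule: str = ''    # /sc (lower-cased)
    interval: str = ''    # /ri, minutes
    duration: str = ''    # /du, HHHH:MM
    force: bool = False   # /f


def _clean(value: str) -> str:
    """Drop cmd.exe-escaped quotes (\\") and plain surrounding quotes."""
    return value.replace('\\"', '').strip('"')


def parse_schtasks(cmdline: str) -> Optional[TaskCreate]:
    """Return the /create parameters, or None if this is not a schtasks /create."""
    toks = [q or p for q, p in _TOKEN.findall(cmdline)]
    exe = _clean(toks[0]).lower() if toks else ''
    if not exe.endswith(('schtasks', 'schtasks.exe')):
        return None
    switches = {}
    for i, tok in enumerate(toks):
        if tok.startswith('/'):
            nxt = toks[i + 1] if i + 1 < len(toks) else ''
            # A switch takes the following token as its value unless that
            # token is itself a switch (e.g. "/create /tn ..." or trailing /f).
            switches[tok[1:].lower()] = '' if nxt.startswith('/') else _clean(nxt)
    if 'create' not in switches:
        return None
    return TaskCreate(name=switches.get('tn', ''), run=switches.get('tr', ''),
                      schedule=switches.get('sc', '').lower(),
                      interval=switches.get('ri', ''), duration=switches.get('du', ''),
                      force='f' in switches)


def duration_minutes(hhmm: str) -> int:
    """Convert a schtasks /du value (HHHH:MM) to minutes; 0 if unparsable."""
    hours, _, mins = hhmm.partition(':')
    try:
        return int(hours) * 60 + int(mins or 0)
    except ValueError:
        return 0


def looks_random(name: str) -> bool:
    """Letters-only name of 8+ chars with at least four upper/lower case flips."""
    if not re.fullmatch(r'[A-Za-z]{8,}', name):
        return False
    flips = sum(a.isupper() != b.isupper() for a, b in zip(name, name[1:]))
    return flips >= 4


def persistence_indicators(task: TaskCreate) -> list:
    """Return the (constructed) indicator labels that apply to a parsed task."""
    hits = []
    if _USER_WRITABLE.search(task.run):
        hits.append('binary_in_user_writable_dir')
    if task.schedule == 'once' and task.interval:
        # "once" plus /ri means the one-shot task re-triggers every N minutes.
        hits.append('once_with_repeat_interval')
    if task.duration and duration_minutes(task.duration) >= 24 * 60:
        hits.append('repeat_duration_over_a_day')
    base = task.name.lstrip('\\')
    if task.name.startswith('\\') and '\\' not in base and looks_random(base):
        hits.append('random_name_in_task_root')
    return hits


def triage(cmdlines) -> dict:
    """Map each schtasks /create command line to its indicator list."""
    results = {}
    for line in cmdlines:
        task = parse_schtasks(line)
        if task is not None:
            results[line] = persistence_indicators(task)
    return results


if __name__ == '__main__':
    for line, hits in triage(SAMPLE_CMDLINES).items():
        print(f'{hits or ["clean"]}: {line[:72]}...')
```

Run against the two sample lines, the report's invocation collects all four indicators and the benign daily task collects none. In a real pipeline the command line would come from Sysmon event 1 or Security event 4688 for schtasks.exe, and the same parser also covers the `cmd.exe /C schtasks ...` parent, since the cmd-escaped `\"` quoting is stripped before matching.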
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 4.8MB
MD5 6738634d9b3bfcf7ebca8be48c091b3e
SHA1 f08091a4b3f5c167bcdfa565584bed8ed2a69f0c
SHA256 8c77759eff69330a5c9697d05e2a0f99c6edff904bdd52a048df0461d0459b27
SHA512 c8e6f3dd4c7de4c9a54278a398d096aabf8391a8a92484eb2a8e74d6d288d8b066e967916645e2aaec53fb4c8c3ac9f1cbd0fc01c1b828a1a742af3bc57aaaf5