Analysis
max time kernel: 301s
max time network: 310s
platform: windows10-1703_x64
resource: win10-20220812-en
resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
submitted: 26-11-2022 04:51
Behavioral task: behavioral1
Sample: fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08.exe
Resource: win7-20221111-en
General
Target: fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08.exe
Size: 5.4MB
MD5: 610a076f83218b51b01a24e9c8eba3ae
SHA1: 7956cbd49823b35362f2244a350078f066873e65
SHA256: fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08
SHA512: bed36d4f8663e1c3e9b877367b64a2bf0ae95a86da0c02d74b29872137f370f8419359be2244e009039705f64d68eb9792dee7dd4ed1456bc54789c1ca82c707
SSDEEP: 98304:InGmlwPwuBvk1wu8JZfB7QJYfUbNM9VlE/V3VydE18wkcUrL5iKroh9Q4QGn7MO:InGmlgwgM18JPvCIU3V/+rLr29QUMO
Malware Config
Extracted
laplas
clipper.guru
api_key: e967005093020788056c9d94da04435883edc18212f0de012679a229f024fdb6
Signatures

Executes dropped EXE (1 IoCs)
pid | Process
4272 | udakqMngIV.exe

resource | yara_rule
behavioral2/memory/4208-122-0x0000000000110000-0x0000000000CE3000-memory.dmp | vmprotect
behavioral2/files/0x000600000001ac21-172.dat | vmprotect
behavioral2/files/0x000600000001ac21-179.dat | vmprotect
behavioral2/memory/4272-180-0x0000000000EB0000-0x0000000001A83000-memory.dmp | vmprotect
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2624 | schtasks.exe
GoLang User-Agent (1 IoCs)
Uses default user-agent string defined by GoLang HTTP packages.
description | flow | ioc
HTTP User-Agent header | 11 | Go-http-client/1.1
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 4208 wrote to memory of 440 | 4208 | fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08.exe | 66
PID 4208 wrote to memory of 440 | 4208 | fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08.exe | 66
PID 4208 wrote to memory of 440 | 4208 | fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08.exe | 66
PID 440 wrote to memory of 2624 | 440 | cmd.exe | 68
PID 440 wrote to memory of 2624 | 440 | cmd.exe | 68
PID 440 wrote to memory of 2624 | 440 | cmd.exe | 68
Processes

C:\Users\Admin\AppData\Local\Temp\fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08.exe
    "C:\Users\Admin\AppData\Local\Temp\fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08.exe"
    Suspicious use of WriteProcessMemory
    PID:4208
    C:\Windows\SysWOW64\cmd.exe
        cmd.exe /C schtasks /create /tn DSPHwkOpIx /tr C:\Users\Admin\AppData\Roaming\DSPHwkOpIx\udakqMngIV.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
        Suspicious use of WriteProcessMemory
        PID:440
        C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn DSPHwkOpIx /tr C:\Users\Admin\AppData\Roaming\DSPHwkOpIx\udakqMngIV.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
            Creates scheduled task(s)
            PID:2624

C:\Users\Admin\AppData\Roaming\DSPHwkOpIx\udakqMngIV.exe
    C:\Users\Admin\AppData\Roaming\DSPHwkOpIx\udakqMngIV.exe
    Executes dropped EXE
    PID:4272
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 744.7MB
MD5: 585e09661a0733689fbd7f9da2679b48
SHA1: b1b33f47c58c144d7b0f9931718bc05f77a56962
SHA256: 18e040ddf8deadfbd11a7a639c82b1fbe6408d6d17884dbbe47f0302510cfb01
SHA512: cee74e3d6dc5312164ba9558f73744767d3a6e28cb690da31c50ed24dd0a3c5f25e291709413ec8ee989cdbe703f22c17f85b62b4801e3fb800f47b187a2ff09