Analysis
Max time kernel: 150s
Max time network: 155s
Platform: windows10-2004_x64
Resource: win10v2004-20230703-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 23-07-2023 17:21
Static task: static1
Behavioral task: behavioral1
  Sample: 68732e21f497396296e93fb7277add61.bin.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: 68732e21f497396296e93fb7277add61.bin.exe
  Resource: win10v2004-20230703-en
General
Target: 68732e21f497396296e93fb7277add61.bin.exe
Size: 1.8MB
MD5: 68732e21f497396296e93fb7277add61
SHA1: 1fdec6fc0ab4647491cb163a732d985bf6e75f16
SHA256: 4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e
SHA512: b3b2deb42b8c1362642ac725f24a3fc59eade40da1bf5e9f2a66e634ab8f7e3ad75a3eee65003be6532b808ad299ec293a9ceae024217a5de68aa41b61134305
SSDEEP: 49152:ZxP1ZMKdnhkmr5VlkA/azDEPKkb89KTYkr3T6:H1v9ViA/wkg9KTZ3T
Malware Config
Extracted (the same configuration was recovered twice; shown once)
Family: laplas
C2: http://clipper.guru
api_key: 0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e
Laplas is a clipper: it watches the clipboard for cryptocurrency wallet addresses and swaps them for attacker-controlled ones. The api_key is what this build presents to the operator's panel at the C2 host, so it is useful for clustering samples from the same buyer, and the host itself is the indicator to block.
Signatures
Executes dropped EXE (1 IoC)
  PID 3268  ntlhost.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"  by 68732e21f497396296e93fb7277add61.bin.exe
  (A per-user Run value under the sandbox user's hive, pointing at a copy of the sample dropped under %APPDATA%\NTSystem. It needs no administrative rights and re-launches the copy at every logon.)
GoLang User-Agent (1 IoC)
  Uses the default User-Agent string of the Go net/http package.
  Flow 23: HTTP User-Agent header Go-http-client/1.1
  (Weak on its own: any Go program that never sets a User-Agent sends exactly this string. It carries weight here only together with the extracted C2 configuration.)
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3588 (68732e21f497396296e93fb7277add61.bin.exe) wrote to memory of PID 3268 (procid_target 85); recorded three times
  (A parent writing into a child it has just spawned is also what ordinary process creation looks like to a hook on this API, so by itself this is a low-fidelity signal; what makes it interesting is that the child is the dropped ntlhost.exe.)
Processes
1. C:\Users\Admin\AppData\Local\Temp\68732e21f497396296e93fb7277add61.bin.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\68732e21f497396296e93fb7277add61.bin.exe")  PID 3588
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe  (command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe)  PID 3268, child of 3588
      - Executes dropped EXE
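The three behaviours the signatures and process tree above record (a per-user Run value pointing into AppData, the persisted binary then executing as a child of the dropper, and a default Go User-Agent used towards the configured C2) expressed as detection logic over a constructed event stream. This is an added example and not part of the sandbox report or the Laplas sample: the event dictionaries and their field names are an assumption standing in for whatever your telemetry (Sysmon, EDR) actually emits; the paths, PIDs, registry key, host and User-Agent values are taken from the report; the OneDrive allowlist entry and the proxy.golang.org request are constructed benign cases that show what must not fire.

```python
"""Detection logic for the behaviours flagged in the report, run over a
constructed event stream. Added example, not part of the sandbox report.
The event schema below is an assumption standing in for real telemetry."""
import re

# Indicators lifted from the report.
C2_HOSTS = {"clipper.guru"}
GO_DEFAULT_UA = "Go-http-client/1.1"

RUN_KEY_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.IGNORECASE)
# Per-user, user-writable locations an autostart entry should rarely point at.
USER_WRITABLE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
# Legitimate per-user software that does install itself this way (extend as needed).
KNOWN_PER_USER_RUN = (r"\appdata\local\microsoft\onedrive\onedrive.exe",)


def image_of(value):
    """Extract the executable path from a Run value or command line, lower-cased."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        image = value[1:end] if end > 0 else value[1:]
    else:
        parts = value.split()
        image = parts[0] if parts else value
    return image.lower()


def detect(events):
    """Return (rule, severity, pid) tuples; order follows the input events."""
    findings = []
    persisted = set()  # images installed as Run values so far in this stream
    for ev in events:
        kind = ev["type"]
        if kind == "registry_set" and RUN_KEY_RE.search(ev["target"]):
            image = image_of(ev["details"])
            if USER_WRITABLE_RE.match(image) and not image.endswith(KNOWN_PER_USER_RUN):
                persisted.add(image)
                findings.append(("run_key_user_writable", "high", ev["pid"]))
        elif kind == "process_create":
            image = image_of(ev["image"])
            if image in persisted:
                # The autostart target ran: ties the dropped EXE to the Run key.
                findings.append(("persisted_binary_executed", "high", ev["pid"]))
            elif USER_WRITABLE_RE.match(image) and USER_WRITABLE_RE.match(image_of(ev["parent_image"])):
                findings.append(("user_writable_parent_child", "medium", ev["pid"]))
        elif kind == "http":
            host = ev["host"].lower()
            if host in C2_HOSTS:
                findings.append(("known_c2_host", "high", ev["pid"]))
            if ev["user_agent"] == GO_DEFAULT_UA:
                # Alone this only says "a Go program that never set a UA";
                # escalate only when the destination is a known C2.
                findings.append(("go_default_ua", "high" if host in C2_HOSTS else "info", ev["pid"]))
    return findings


# Constructed sample stream mirroring the report's process tree and IoCs,
# plus two benign events (OneDrive autostart, Go module proxy) that must not fire.
SAMPLE_EVENTS = [
    {"type": "registry_set", "pid": 3588,
     "image": r"C:\Users\Admin\AppData\Local\Temp\68732e21f497396296e93fb7277add61.bin.exe",
     "target": r"\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem",
     "details": r'"C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe"'},
    {"type": "registry_set", "pid": 4000,
     "image": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveSetup.exe",
     "target": r"\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"type": "process_create", "pid": 3268, "ppid": 3588,
     "image": r"C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\68732e21f497396296e93fb7277add61.bin.exe"},
    {"type": "http", "pid": 3268, "host": "clipper.guru", "user_agent": GO_DEFAULT_UA},
    {"type": "http", "pid": 4100, "host": "proxy.golang.org", "user_agent": GO_DEFAULT_UA},
]

if __name__ == "__main__":
    for rule, severity, pid in detect(SAMPLE_EVENTS):
        print(f"{severity:5} {rule:28} pid={pid}")
```

The Run-key rule is the one to tune: per-user installers such as OneDrive legitimately write Run values into %LOCALAPPDATA%, so an allowlist of known images (or of signed publishers, if your telemetry carries signatures) is what keeps it usable. The process rule gains its fidelity from correlation with the Run value rather than from the AppData paths alone, and the Go User-Agent is deliberately informational unless the destination is already a known C2.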
Network
MITRE ATT&CK Enterprise v15
Downloads
Dropped artifact (listed twice on the page with identical hashes; shown once)
Filesize: 714.8MB
MD5: 96f7317988d038b2f2c8862a3f05fc04
SHA1: 4c675e9a5b00846e2435c8ee7f61f092f100dd9d
SHA256: e071a7b1e8015b55ef688382a7f8b418923a88a0a04799bbdbb2bd8902ccf9b9
SHA512: 841f2b5b8f1e4c977608207b2b75829ca95f450024e25f2cd1b3152cfe4cd0e88e46e65511dd3a40b31124742969c8125843955e78505eb786250da20c08d3ba
(The page does not name this file. Its size is the notable detail: 714.8MB written by a 1.8MB sample is the pattern of an executable padded with junk to exceed the upload and scan limits of many AV and sandbox services, so a size-based exclusion in your own pipeline would skip exactly this artifact.)