Analysis

max time kernel: 142s
max time network: 149s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64 arch:x86 image:win7-20230712-en locale:en-us os:windows7-x64 system
submitted: 24-07-2023 12:39
Static task
static1

Behavioral task
behavioral1
Sample: 4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e_JC.exe
Resource: win7-20230712-en

Behavioral task
behavioral2
Sample: 4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e_JC.exe
Resource: win10v2004-20230703-en
General

Target: 4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e_JC.exe
Size: 1.8MB
MD5: 68732e21f497396296e93fb7277add61
SHA1: 1fdec6fc0ab4647491cb163a732d985bf6e75f16
SHA256: 4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e
SHA512: b3b2deb42b8c1362642ac725f24a3fc59eade40da1bf5e9f2a66e634ab8f7e3ad75a3eee65003be6532b808ad299ec293a9ceae024217a5de68aa41b61134305
SSDEEP: 49152:ZxP1ZMKdnhkmr5VlkA/azDEPKkb89KTYkr3T6:H1v9ViA/wkg9KTZ3T
Malware Config

Extracted (the same configuration was reported twice, with identical values)
family: laplas
c2: http://clipper.guru
api_key: 0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e
Signatures

Executes dropped EXE (1 IoC)
pid | Process
2256 | ntlhost.exe

Loads dropped DLL (2 IoCs)
pid | Process
2072 | 4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e_JC.exe
2072 | 4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e_JC.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | 4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e_JC.exe

GoLang User-Agent (1 IoC)
Uses the default User-Agent string set by the Go HTTP packages when the caller does not provide one.
description | flow | ioc
HTTP User-Agent header | 3 | Go-http-client/1.1

Suspicious use of WriteProcessMemory (4 IoCs; the same entry is recorded four times)
description | pid | Process | procid_target
PID 2072 wrote to memory of 2256 | 2072 | 4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e_JC.exe | 30
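The two signatures above that an analyst can turn into reusable checks are the Run-key write (an autostart value whose target sits under a user-writable directory) and the Go default User-Agent. The block below is an added example, not part of this report and not the sandbox's own detection code: it parses event lines in the same shape the report prints and flags both conditions. The first registry line is the IoC shown above; the other registry lines and the second User-Agent line are constructed here to exercise the negative cases, and the list of user-writable directory markers is a heuristic assumption, not something the report states.

```python
import re
from typing import Optional

# Constructed sample events in the report's line format. Line 1 copies the
# Run-key IoC from the report; the rest are made up for the negative cases.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater = "C:\\Program Files\\ExampleVendor\\updater.exe"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\ExampleVendor\Settings\LastRun = "2023-07-24"',
    'HTTP User-Agent header 3 Go-http-client/1.1',
    'HTTP User-Agent header 4 Mozilla/5.0 (Windows NT 6.1; Win64; x64)',
]

RUN_KEY_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\ ]+) = "(?P<val>.*)"$'
)
UA_RE = re.compile(r'^HTTP User-Agent header (?P<flow>\d+) (?P<ua>.+)$')
# Go's net/http sends "Go-http-client/1.1" (HTTP/1.x) or "Go-http-client/2.0"
# (HTTP/2) when the caller sets no User-Agent header.
GO_DEFAULT_UA_RE = re.compile(r'^Go-http-client/\d\.\d$')
# Heuristic (assumption): directories an unprivileged user can write to. An
# autostart value pointing here was planted by code running as that user.
USER_WRITABLE_MARKERS = ('\\appdata\\', '\\temp\\', '\\programdata\\', '\\users\\public\\')


def parse_run_key(line: str) -> Optional[dict]:
    """Return the Run/RunOnce value a 'Set value' event writes, or None when the
    event is not a registry write to an autostart key."""
    m = RUN_KEY_RE.match(line)
    if not m:
        return None
    key = m.group('key')
    if not re.search(r'\\CurrentVersion\\Run(Once)?$', key, re.IGNORECASE):
        return None
    # The report escapes backslashes inside the quoted value; undo that.
    target = m.group('val').replace('\\\\', '\\')
    return {'key': key, 'value_name': m.group('name'), 'target': target}


def is_user_writable(path: str) -> bool:
    """True if the path contains one of the user-writable directory markers."""
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def parse_user_agent(line: str) -> Optional[dict]:
    """Return the flow number and User-Agent string from a UA event line."""
    m = UA_RE.match(line)
    if not m:
        return None
    return {'flow': int(m.group('flow')), 'ua': m.group('ua')}


def is_go_default_ua(ua: str) -> bool:
    """True for Go's unmodified default User-Agent."""
    return GO_DEFAULT_UA_RE.match(ua) is not None


def triage(events) -> list:
    """Run both checks over every event line; return findings in input order."""
    findings = []
    for line in events:
        run = parse_run_key(line)
        if run and is_user_writable(run['target']):
            findings.append({'signature': 'run_key_user_writable', **run})
            continue
        ua = parse_user_agent(line)
        if ua and is_go_default_ua(ua['ua']):
            findings.append({'signature': 'golang_default_user_agent', **ua})
    return findings


if __name__ == '__main__':
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The Run-key check deliberately keys on the target path rather than the value name, since the name (here "NTSystem") is chosen by the malware and changes freely; the Go User-Agent check is a weak signal on its own (plenty of legitimate Go tooling leaves the default) and is only worth raising when, as here, it comes from a process that also drops and persists a second executable.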
Processes

1. C:\Users\Admin\AppData\Local\Temp\4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e_JC.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e_JC.exe"
   PID: 2072
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. (child of 1) C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      PID: 2256
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 191.4MB
MD5: 72e75534ff6ca1d2024df7933e403102
SHA1: 51f337cf7af4131f2fbb6149cc881b86b190affb
SHA256: 9002d2920cbd8d151906a2284a81cfebc986c584a2632b381f2c2da098dea1fc
SHA512: f985873a29d653f4311904b18569db530853685f9f5470df64d0d47d891c343873d51304da205004855955dc1bd78f9fb100883a276db8aeeadb85ced6717e0b

Filesize: 194.2MB
MD5: 5e44a9952ef73392f0d8697be0c25f59
SHA1: 813fe0d8435a88c5e39d2c793494c055f65badc0
SHA256: c2fec65db394a8b947227cb9d23352cc565a7919c48ce369c0d6ad1d57bfc041
SHA512: cb762c10161d391ab0ab9ea191257e041867fdb06109169cd91ae882f9ac46ec03802dbf68ae51dad67c94561a2534f4acfeb4559f8d64de03d4f1e8c48376c0

Filesize: 187.5MB
MD5: edd171abb67d2f2273b342619239094b
SHA1: b22003bfc48254e80462e0bae26197f4eb8db4ea
SHA256: 9b3ee74b3178e71a7dce918379eaa6dd4e85941a9f8716f70360b0691cd9a7a2
SHA512: 26e30d90833aa7cebecea41a516eab9b738e1a8eab1fb755d2fc0b0b09489eb44d532a3c8832b22b753e156343de82a6f33ea06b0fbf9a4d85ee1a8a2e7fe809

Filesize: 189.8MB
MD5: e434ac15ddbfeecd035edcf066bc7ab3
SHA1: e5b015114668e1157adb5c33c5da859107ea017b
SHA256: 0a2bfe6dc34886a7ef45b1bc0fba92d4211f497e7715aa8db71103a0252ee7c2
SHA512: 0ee71e0f813e9eb846d6ee451907d4932267ca6830ad247ca31abb790dd0d506aeb1d89c8d832d6720ee17bf62060a96d107cb64180edf5bccef9b11f52af7c6