Analysis
max time kernel: 140s
max time network: 140s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 25-07-2023 01:27
Static task: static1
Behavioral task: behavioral1
  Sample: 4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: 4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e.exe
  Resource: win10v2004-20230703-en
General
Target: 4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e.exe
Size: 1.8MB
MD5: 68732e21f497396296e93fb7277add61
SHA1: 1fdec6fc0ab4647491cb163a732d985bf6e75f16
SHA256: 4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e
SHA512: b3b2deb42b8c1362642ac725f24a3fc59eade40da1bf5e9f2a66e634ab8f7e3ad75a3eee65003be6532b808ad299ec293a9ceae024217a5de68aa41b61134305
SSDEEP: 49152:ZxP1ZMKdnhkmr5VlkA/azDEPKkb89KTYkr3T6:H1v9ViA/wkg9KTZ3T
Malware Config
Extracted: laplas (the same configuration was recovered twice)
  http://clipper.guru
  api_key: 0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e
Signatures
-
Executes dropped EXE (1 IoC)
  PID   Process
  2208  ntlhost.exe
-
Loads dropped DLL (2 IoCs)
  PID   Process
  2012  4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e.exe
  2012  4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e.exe
-
Adds Run key to start application (2 TTPs, 1 IoC)
  Description      IoC                                                                                                                                                              Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"  4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e.exe
-
GoLang User-Agent (1 IoC)
Uses the default User-Agent string set by Go's HTTP packages.
  Description             Flow  IoC
  HTTP User-Agent header  3     Go-http-client/1.1
-
Suspicious use of WriteProcessMemory (4 IoCs)
  Description                      PID   Process                                                               procid_target
  PID 2012 wrote to memory of 2208  2012  4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e.exe  28
  PID 2012 wrote to memory of 2208  2012  4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e.exe  28
  PID 2012 wrote to memory of 2208  2012  4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e.exe  28
  PID 2012 wrote to memory of 2208  2012  4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e.exe  28
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e.exe (PID 2012)
   Command line: "C:\Users\Admin\AppData\Local\Temp\4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe (PID 2208, child of PID 2012)
      Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      - Executes dropped EXE
-
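The report above records one chain: the sample (PID 2012), running from the user's Temp directory, writes a Run value named NTSystem that points at ntlhost.exe under %APPDATA%\NTSystem, spawns that file (PID 2208) and writes into its memory, while the extracted laplas configuration points at http://clipper.guru and the HTTP traffic carries Go's default User-Agent. The following is an added detection example, not part of the sandbox report or of any vendor's tooling: it correlates those behaviours from process, registry, memory-write and HTTP events. The event records and their field names (type, pid, image, key, value, target_pid, host, user_agent) are a constructed, simplified schema built from the IoCs on this page, not the sandbox's or Sysmon's own format. A Run key pointing into AppData is routine for per-user installs, so the example only raises a finding when the autorun is corroborated by the other behaviours.

```python
"""Correlate the autorun + child-execution chain described in the report above.

The events are constructed from this page's IoCs; field names are this
example's own simplified schema, not Sysmon's or the sandbox's.
"""
import re
from collections import defaultdict

# Values taken from the report on this page.
C2_HOST = "clipper.guru"
GO_DEFAULT_UA = "Go-http-client/1.1"

# <hive>\Software\Microsoft\Windows\CurrentVersion\Run\<name>
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
APPDATA_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)


def norm_path(p: str) -> str:
    """Lower-case a path, collapse the doubled backslashes a REG_SZ dump shows,
    and keep only the quoted image when a command line carries arguments."""
    p = p.strip().replace("\\\\", "\\")
    if p.startswith('"'):
        p = p[1:].split('"', 1)[0]
    return p.lower()


def detect(events):
    """Return {writer_pid: finding} for processes that register an AppData autorun
    and are corroborated by launching/writing into a child from that same path."""
    images = {}                    # pid -> normalized image path
    children = defaultdict(set)    # parent pid -> child pids
    run_targets = {}               # writer pid -> (key, normalized Run value)
    mem_writes = defaultdict(set)  # writer pid -> pids it wrote into
    flows = defaultdict(list)      # pid -> [(host, user_agent)]

    for e in events:
        t = e["type"]
        if t == "process_create":
            images[e["pid"]] = norm_path(e["image"])
            children[e["parent_pid"]].add(e["pid"])
        elif t == "registry_set" and RUN_KEY_RE.search(e["key"]):
            run_targets[e["pid"]] = (e["key"], norm_path(e["value"]))
        elif t == "write_process_memory":
            mem_writes[e["pid"]].add(e["target_pid"])
        elif t == "http":
            flows[e["pid"]].append((e["host"].lower(), e["user_agent"]))

    findings = {}
    for pid, (key, target) in run_targets.items():
        reasons = []
        if APPDATA_RE.match(target):
            reasons.append(f"Run key target lives under user AppData: {target}")
        if TEMP_RE.match(images.get(pid, "")):
            reasons.append(f"Run key written by a process executing from Temp: {images[pid]}")
        for child in sorted(children.get(pid, ())):
            if images.get(child) != target:
                continue
            reasons.append(f"writer spawned PID {child} from the Run key target")
            if child in mem_writes.get(pid, ()):
                reasons.append(f"writer used WriteProcessMemory on PID {child}")
            for host, ua in flows.get(child, []):
                if host == C2_HOST and ua == GO_DEFAULT_UA:
                    reasons.append(f"PID {child} contacted {host} with User-Agent {ua}")
        # An AppData autorun alone is routine for per-user software; demand corroboration.
        if len(reasons) >= 3:
            findings[pid] = {"run_key": key, "target": target, "reasons": reasons}
    return findings


SID = r"\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e.exe"
# Constructed events mirroring the report; the last two are a benign control.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 2012, "parent_pid": 1000, "image": SAMPLE},
    {"type": "registry_set", "pid": 2012, "key": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem",
     "value": r"C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"},
    {"type": "process_create", "pid": 2208, "parent_pid": 2012,
     "image": r"C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe"},
    {"type": "write_process_memory", "pid": 2012, "target_pid": 2208},
    {"type": "http", "pid": 2208, "host": "clipper.guru", "user_agent": "Go-http-client/1.1"},
    {"type": "process_create", "pid": 4100, "parent_pid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Programs\Editor\Setup.exe"},
    {"type": "registry_set", "pid": 4100, "key": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Editor",
     "value": r'"C:\Users\Admin\AppData\Local\Programs\Editor\editor.exe" --tray'},
]

if __name__ == "__main__":
    for pid, f in detect(SAMPLE_EVENTS).items():
        print(f"PID {pid}: {f['run_key']}")
        for r in f["reasons"]:
            print("  -", r)
```

Run stand-alone, the script flags PID 2012 with five corroborating reasons and stays silent on the per-user installer that also wrote an AppData autorun. The hostname and User-Agent are matched exactly because that is what the page records; a production rule would take its C2 list from the extracted configurations rather than a hard-coded constant.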
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 337.7MB
MD5: 088c3404b2dbfd53e77de7af7a184531
SHA1: 031074eba4c8dc0c537bfdf38ee7ca8199f35df8
SHA256: 76523d9c8233b2ed47eb29aeb072bd5f896dd0e4a63c1a6442736b5d85c4c3d7
SHA512: fa631767662cb0cf49c2f4bb9f9e1177f8bbd02f40d25158ba64363cd35e432a58117176f251fe97fc2c29abccc1c8b3485b01cd5469641427a5fac3ac6cb984
-
Filesize: 340.2MB
MD5: e60cb6b605425a4081597d98f404c42b
SHA1: d46b6aa0b1e8eb39396a200d7090fa26c173e894
SHA256: bce38f3ab765b8049329be686652b04b4bab2d06025834c3de882ea8a9780994
SHA512: 0c519a5dc0a6eb04bd6c333af4a887d70f29f3dda357648e7b9f91af1435a9356cd430d0eaf7b17e9f82fed0b0cb5f462ff0a51d87c7aa1d780397f3b9d8a704
-
Filesize: 341.1MB
MD5: d411e9b88453993c4ced925ac7979758
SHA1: 5918bd49b766cb6b61c1f99160efa1e7faa53db2
SHA256: 7ecc4808ab999d6a101bca6446706d0efffc0a4f0b37a7a75884d7ff9cddc345
SHA512: eaab8486a53216f6590459deb03ce7414ed453542066a80d3ba464fc26cbff1c72b744c32fedc889b16812f493de11b0bd742ee1a3d8752b58dfe72d14874687
-
Filesize: 338.9MB
MD5: b303027803b604fa874988438ac1b6db
SHA1: eabe34c21f113ddc28b72a2c204e73eb2d1d4fbc
SHA256: 9be26f1cd2a747aacb4b1b71b1b60605cdfd550bdf7a91dbb4c29e33f86ccee5
SHA512: c292f247a236c4d9ef2d06d62bcc90411e5b8064c55097faa50e4713c82d2aa2aa9183fc5a80a3cf62cbcc54823d87a672fc83ec650b43f71b7080dee32f4e7c