Analysis
- max time kernel: 145s
- max time network: 148s
- platform: windows10-1703_x64
- resource: win10-20230703-en
- resource tags: arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 03-08-2023 14:25
- Static task: static1
- Behavioral task: behavioral1
- Sample: a3f665043305d67f64f7386a8bcd89dc5ce86a76a6b5042827af58cd8b4e10f2.exe
- Resource: win10-20230703-en
General
- Target: a3f665043305d67f64f7386a8bcd89dc5ce86a76a6b5042827af58cd8b4e10f2.exe
- Size: 1.9MB
- MD5: 43a466ea26d18d125bf8af925bb617b7
- SHA1: a05f3fa8d1b9c7bc183948a516025503a9dda569
- SHA256: a3f665043305d67f64f7386a8bcd89dc5ce86a76a6b5042827af58cd8b4e10f2
- SHA512: d8c86539b9a115794884f3c6d6fe00beb2e75b0510b85777fc342c691986011864c04c21e0724af5874baa695168fa1e43281e782aeb06348bd572be7b4cf551
- SSDEEP: 49152:vdndufbt9ODXz12CkNram8AciuXRyjy0EjIdfCN:vdnd6av1iam8Ac4GbU6N
Malware Config
Extracted
- Family: laplas
- C2: http://clipper.guru
- api_key: 0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  1576 | ntlhost.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | a3f665043305d67f64f7386a8bcd89dc5ce86a76a6b5042827af58cd8b4e10f2.exe
- GoLang User-Agent (1 IoC)
  Uses default user-agent string defined by GoLang HTTP packages.
  description | flow | ioc
  HTTP User-Agent header | 12 | Go-http-client/1.1
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 4004 wrote to memory of 1576 | 4004 | a3f665043305d67f64f7386a8bcd89dc5ce86a76a6b5042827af58cd8b4e10f2.exe | 69
  PID 4004 wrote to memory of 1576 | 4004 | a3f665043305d67f64f7386a8bcd89dc5ce86a76a6b5042827af58cd8b4e10f2.exe | 69
  PID 4004 wrote to memory of 1576 | 4004 | a3f665043305d67f64f7386a8bcd89dc5ce86a76a6b5042827af58cd8b4e10f2.exe | 69
Processes
- C:\Users\Admin\AppData\Local\Temp\a3f665043305d67f64f7386a8bcd89dc5ce86a76a6b5042827af58cd8b4e10f2.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a3f665043305d67f64f7386a8bcd89dc5ce86a76a6b5042827af58cd8b4e10f2.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 4004
  - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    - Executes dropped EXE
    PID: 1576
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 735.9MB
  MD5: 26b3197785cb690887511eece2ceb31c
  SHA1: 773ddfc653fdf594ece2926dae27fa4338516ae1
  SHA256: 68fe851aaeaeb8f8a956d5f08770db846b73bb4fd8fd97a932f79f3b2cf8b9e0
  SHA512: e44181edda96ceb88e3690abba4e9a2f9e29029457d9a05741a67e55cc4cee00e14364f1fc552c65acf5b0050239196a5db5b7e843c0cbc5f4b2eafd2608a777