Analysis
max time kernel: 140s
max time network: 135s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 03-08-2023 14:31
Static task: static1
Behavioral task: behavioral1
Sample: 43a466ea26d18d125bf8af925bb617b7.exe
Resource: win7-20230712-en
Behavioral task: behavioral2
Sample: 43a466ea26d18d125bf8af925bb617b7.exe
Resource: win10v2004-20230703-en
General
Target: 43a466ea26d18d125bf8af925bb617b7.exe
Size: 1.9MB
MD5: 43a466ea26d18d125bf8af925bb617b7
SHA1: a05f3fa8d1b9c7bc183948a516025503a9dda569
SHA256: a3f665043305d67f64f7386a8bcd89dc5ce86a76a6b5042827af58cd8b4e10f2
SHA512: d8c86539b9a115794884f3c6d6fe00beb2e75b0510b85777fc342c691986011864c04c21e0724af5874baa695168fa1e43281e782aeb06348bd572be7b4cf551
SSDEEP: 49152:vdndufbt9ODXz12CkNram8AciuXRyjy0EjIdfCN:vdnd6av1iam8Ac4GbU6N
Malware Config
Extracted
Family: laplas
C2: http://clipper.guru
api_key: 0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e
Signatures

Executes dropped EXE (1 IoC)
PID 2640, Process: ntlhost.exe

Loads dropped DLL (2 IoCs)
PID 2568, Process: 43a466ea26d18d125bf8af925bb617b7.exe
PID 2568, Process: 43a466ea26d18d125bf8af925bb617b7.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Description: Set value (str)
IoC: \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"
Process: 43a466ea26d18d125bf8af925bb617b7.exe

GoLang User-Agent (1 IoC)
Uses the default user-agent string defined by the GoLang HTTP packages.
Description: HTTP User-Agent header, flow 3, IoC: Go-http-client/1.1

Suspicious use of WriteProcessMemory (4 IoCs)
PID 2568 wrote to memory of 2640; PID 2568, Process: 43a466ea26d18d125bf8af925bb617b7.exe, target PID 30
PID 2568 wrote to memory of 2640; PID 2568, Process: 43a466ea26d18d125bf8af925bb617b7.exe, target PID 30
PID 2568 wrote to memory of 2640; PID 2568, Process: 43a466ea26d18d125bf8af925bb617b7.exe, target PID 30
PID 2568 wrote to memory of 2640; PID 2568, Process: 43a466ea26d18d125bf8af925bb617b7.exe, target PID 30
Processes

1. C:\Users\Admin\AppData\Local\Temp\43a466ea26d18d125bf8af925bb617b7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\43a466ea26d18d125bf8af925bb617b7.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   PID: 2568

   2. C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe (child of PID 2568)
      Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      - Executes dropped EXE
      PID: 2640
Network
MITRE ATT&CK Enterprise v15