Analysis
  max time kernel: 151s
  max time network: 147s
  platform: windows10-2004_x64
  resource: win10v2004-20230703-en
  resource tags: arch:x64 arch:x86 image:win10v2004-20230703-en locale:en-us os:windows10-2004-x64 system
  submitted: 03-08-2023 14:31
Static task: static1
Behavioral task: behavioral1
  Sample: 43a466ea26d18d125bf8af925bb617b7.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: 43a466ea26d18d125bf8af925bb617b7.exe
  Resource: win10v2004-20230703-en
General
  Target: 43a466ea26d18d125bf8af925bb617b7.exe
  Size: 1.9MB
  MD5: 43a466ea26d18d125bf8af925bb617b7
  SHA1: a05f3fa8d1b9c7bc183948a516025503a9dda569
  SHA256: a3f665043305d67f64f7386a8bcd89dc5ce86a76a6b5042827af58cd8b4e10f2
  SHA512: d8c86539b9a115794884f3c6d6fe00beb2e75b0510b85777fc342c691986011864c04c21e0724af5874baa695168fa1e43281e782aeb06348bd572be7b4cf551
  SSDEEP: 49152:vdndufbt9ODXz12CkNram8AciuXRyjy0EjIdfCN:vdnd6av1iam8Ac4GbU6N
Malware Config
  Extracted
    laplas
    http://clipper.guru
    api_key: 0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e
Signatures
  Executes dropped EXE (1 IoC)
    pid 2028, Process ntlhost.exe
  Adds Run key to start application (2 TTPs, 1 IoC)
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"
    Process: 43a466ea26d18d125bf8af925bb617b7.exe
  Program crash (1 IoC)
    pid 1788, pid_target 1344, Process WerFault.exe, procid_target 82
  GoLang User-Agent (1 IoC)
    Uses default user-agent string defined by GoLang HTTP packages.
    description: HTTP User-Agent header, flow 72, ioc Go-http-client/1.1
  Suspicious use of WriteProcessMemory (3 IoCs)
    PID 1344 wrote to memory of 2028 (pid 1344, Process 43a466ea26d18d125bf8af925bb617b7.exe, procid_target 85)
    PID 1344 wrote to memory of 2028 (pid 1344, Process 43a466ea26d18d125bf8af925bb617b7.exe, procid_target 85)
    PID 1344 wrote to memory of 2028 (pid 1344, Process 43a466ea26d18d125bf8af925bb617b7.exe, procid_target 85)
Processes
  C:\Users\Admin\AppData\Local\Temp\43a466ea26d18d125bf8af925bb617b7.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\43a466ea26d18d125bf8af925bb617b7.exe"
    PID: 1344
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        PID: 2028
        - Executes dropped EXE
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 588
        PID: 1788
        - Program crash
  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1344 -ip 1344
    PID: 4796
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 697.1MB
  MD5: a57abd48f3cf7c3c68ad2f68065c85c7
  SHA1: 182da94f023e1185cb573cdd2f3cd0d98c17788e
  SHA256: d55e56b015ccdc567e18b508d58e992586908b45597b918f2a9b2e69e3a2dadc
  SHA512: 1e50c4d6d64ab80cd1122a6069baeb4f37d84a9b0400d73e6c6eed56e47275062f8eba54e562c59b795ceb0746f730f6e8c884bdb862c4cef3d0ab005a939497

  Filesize: 743.9MB
  MD5: 6cba37adb6344964cede5d1f12213906
  SHA1: e6a370cb5b2b3a69482ea90f1dc6de9902f838d9
  SHA256: 3b5e7f8ac2733f666029707314b963f93fbe2dbd0998c52473f67aca0edfb37d
  SHA512: dd0be04965fe17e2368b51d275a0151e72834d46a07731b9be79da1e298615868f9febb2b6cfae7c802238d9492ec9af423f009a519abc8e94fc199b0d628a6d