Analysis
max time kernel: 156s
max time network: 172s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 09-08-2023 15:56
Static task: static1
Behavioral task: behavioral1
  Sample: a3f665043305d67f64f7386a8bcd89dc5ce86a76a6b5042827af58cd8b4e10f2exe_JC.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: a3f665043305d67f64f7386a8bcd89dc5ce86a76a6b5042827af58cd8b4e10f2exe_JC.exe
  Resource: win10v2004-20230703-en
General
Target: a3f665043305d67f64f7386a8bcd89dc5ce86a76a6b5042827af58cd8b4e10f2exe_JC.exe
Size: 1.9MB
MD5: 43a466ea26d18d125bf8af925bb617b7
SHA1: a05f3fa8d1b9c7bc183948a516025503a9dda569
SHA256: a3f665043305d67f64f7386a8bcd89dc5ce86a76a6b5042827af58cd8b4e10f2
SHA512: d8c86539b9a115794884f3c6d6fe00beb2e75b0510b85777fc342c691986011864c04c21e0724af5874baa695168fa1e43281e782aeb06348bd572be7b4cf551
SSDEEP: 49152:vdndufbt9ODXz12CkNram8AciuXRyjy0EjIdfCN:vdnd6av1iam8Ac4GbU6N
Malware Config
Extracted
  Family: laplas
  C2: http://clipper.guru
  api_key: 0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e
Signatures
Executes dropped EXE (1 IoC)
  PID 2464, process ntlhost.exe
Loads dropped DLL (2 IoCs)
  PID 1688, process a3f665043305d67f64f7386a8bcd89dc5ce86a76a6b5042827af58cd8b4e10f2exe_JC.exe
  PID 1688, process a3f665043305d67f64f7386a8bcd89dc5ce86a76a6b5042827af58cd8b4e10f2exe_JC.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"
  Process: a3f665043305d67f64f7386a8bcd89dc5ce86a76a6b5042827af58cd8b4e10f2exe_JC.exe
GoLang User-Agent (1 IoC)
  Uses default user-agent string defined by GoLang HTTP packages.
  HTTP User-Agent header, flow 3: Go-http-client/1.1
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1688 wrote to memory of 2464; process a3f665043305d67f64f7386a8bcd89dc5ce86a76a6b5042827af58cd8b4e10f2exe_JC.exe; procid_target 29 (reported 4 times)
Processes
C:\Users\Admin\AppData\Local\Temp\a3f665043305d67f64f7386a8bcd89dc5ce86a76a6b5042827af58cd8b4e10f2exe_JC.exe (PID 1688)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a3f665043305d67f64f7386a8bcd89dc5ce86a76a6b5042827af58cd8b4e10f2exe_JC.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe (PID 2464, child of PID 1688)
    Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    - Executes dropped EXE
Downloads
Filesize: 313.0MB
  MD5: ab58c7a4fb38b0a365f67f5fc4a0cc31
  SHA1: e983d3e2890ac0f5139b690bd1a82c947683305f
  SHA256: 1cdcfd48b97192d3bd7e3701f430a39884515bc7d995535315b9a1ab8cd6a2d0
  SHA512: 131e9de1785a9ac2cf1b08adc2679519b24c401ef90098789c154cdec917eb47327dcc81745286f5b0cc09014f15901a94b21cf85564abcdd7f0e16c41363f04
Filesize: 306.2MB
  MD5: c50127c617f23c7f453bcfdd6d39603e
  SHA1: ee6637a687d5dc1c03becf26f61d1b6eb2b37929
  SHA256: 6a9945347763410ebd9b281d790c8185baad805d8240e1ae45baf570bcf3bf52
  SHA512: 1eb672ec80eb92d9a2c826f981cdce7b1493627b89435434df709449a36afa716b15261559ed7edb9b54c2e4f7bec34294bf2aaea7d12670b408529c85fe596a
Filesize: 310.2MB
  MD5: 2ebc6b125f7f57f732c83b854f5d1415
  SHA1: beadc5fbda55a0d56fd287b261673c6fd12ef587
  SHA256: 9207419965d7a1c668c8680f70af8a3939be675c1ed03dc2c1f4693b98b2ba5d
  SHA512: 8ddcbcd430ed43c1683a6a8cdbd891d1363144cf3dc72385ba68656f10fcdf578d003b0878a10257ed353394110a69f37355ae5e3474767eea6e2fc50c73f7ba
Filesize: 301.6MB
  MD5: dea954bf15b52e31920f4db85d6e5ea0
  SHA1: 548fe5ed58f69e2f3abc15f396d5bacffc9bf965
  SHA256: 6f5c0f59d10f8c42ab1ba9790df01786dce3e713e7d84ea9528e7baabd652aef
  SHA512: 01091e21fa3e413bff6442eb11fd8b789811463d0baed02f2f0945e215d20fed57235072ca5ecb1d61fb23e0ead1e7ba2ded9f7314ba429cda49c10b5da3e68c