Analysis
max time kernel: 148s
max time network: 140s
platform: windows10-1703_x64
resource: win10-20230703-en
resource tags: arch:x64 arch:x86 image:win10-20230703-en locale:en-us os:windows10-1703-x64 system
submitted: 16-08-2023 12:33
Static task: static1
Behavioral task: behavioral1
Sample: bdf326424f960a66d01dd645db9fd335a157ceb86d7f482ff15205fa7d9cc7b0.exe
Resource: win10-20230703-en
General
Target: bdf326424f960a66d01dd645db9fd335a157ceb86d7f482ff15205fa7d9cc7b0.exe
Size: 1.8MB
MD5: e5cbc0114ff238740e72e907ad20223c
SHA1: 98c5d3c714adb3fbef71c19eaaa53cb680dd2d91
SHA256: bdf326424f960a66d01dd645db9fd335a157ceb86d7f482ff15205fa7d9cc7b0
SHA512: 7049adad987de004b179198aa72910c9bc47f5f0095032cc44a9c409bc6337150b05a208e47919e276c74bbbb9bfa1bee6b58575b2176083e0210af6ce9c9b92
SSDEEP: 49152:bm/7cijxOPr17ocI5ut5TrCEJ5GtFRpr:bm/7cijcPr9ocI5K5NjGnL
Malware Config
Extracted
Family: laplas
URL: http://clipper.guru
api_key: 0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e
Signatures
Executes dropped EXE (1 IoC)
  pid: 1508  Process: ntlhost.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"
  Process: bdf326424f960a66d01dd645db9fd335a157ceb86d7f482ff15205fa7d9cc7b0.exe
GoLang User-Agent (1 IoC)
  Uses default user-agent string defined by GoLang HTTP packages.
  description: HTTP User-Agent header  flow: 3  ioc: Go-http-client/1.1
Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 4516 wrote to memory of 1508  pid: 4516  Process: bdf326424f960a66d01dd645db9fd335a157ceb86d7f482ff15205fa7d9cc7b0.exe  procid_target: 70
  description: PID 4516 wrote to memory of 1508  pid: 4516  Process: bdf326424f960a66d01dd645db9fd335a157ceb86d7f482ff15205fa7d9cc7b0.exe  procid_target: 70
  description: PID 4516 wrote to memory of 1508  pid: 4516  Process: bdf326424f960a66d01dd645db9fd335a157ceb86d7f482ff15205fa7d9cc7b0.exe  procid_target: 70
Processes
C:\Users\Admin\AppData\Local\Temp\bdf326424f960a66d01dd645db9fd335a157ceb86d7f482ff15205fa7d9cc7b0.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\bdf326424f960a66d01dd645db9fd335a157ceb86d7f482ff15205fa7d9cc7b0.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 4516
    C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      - Executes dropped EXE
      PID: 1508
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 726.8MB
MD5: 5c1cee6437cff3af2d49259476e00037
SHA1: eb57063e3ce53d86b11a52254fb44b761e89d845
SHA256: 171d093a38c6665f9563a147716aafb56a779dfa506ae40163b74612183c36f7
SHA512: 9dd881f7558ba6f06088f73037576c379e8a5bbc5b373d44a74574c865d420d032ebfdd310978ea72fe4f72c9267d2edec0ab89310a45fb98e3b93dc20c25722

Filesize: 757.3MB
MD5: edc997eac25edbacd83bcf2798c18d12
SHA1: 60ac4621aeb0e65f45ff6d0407570cad1076e488
SHA256: 7a651b3580f0e568ed545809cd58e90911d44a874dc920054a092085207b06b9
SHA512: b6b13c782b69f387b8344ace821d9a217edd7833b07120cc84ff52eac08881a851d4e7b775ce9f2f9e3e5d412faf48ac5bc02cf776e91906449c9040f91cfab4