Analysis
Max time kernel: 131s
Max time network: 146s
Platform: windows7_x64
Resource: win7-20230712-en
Resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
Submitted: 16-08-2023 12:39
Static task: static1
Behavioral task: behavioral1
  Sample: e5cbc0114ff238740e72e907ad20223c.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: e5cbc0114ff238740e72e907ad20223c.exe
  Resource: win10v2004-20230703-en
General
Target: e5cbc0114ff238740e72e907ad20223c.exe
Size: 1.8MB
MD5: e5cbc0114ff238740e72e907ad20223c
SHA1: 98c5d3c714adb3fbef71c19eaaa53cb680dd2d91
SHA256: bdf326424f960a66d01dd645db9fd335a157ceb86d7f482ff15205fa7d9cc7b0
SHA512: 7049adad987de004b179198aa72910c9bc47f5f0095032cc44a9c409bc6337150b05a208e47919e276c74bbbb9bfa1bee6b58575b2176083e0210af6ce9c9b92
SSDEEP: 49152:bm/7cijxOPr17ocI5ut5TrCEJ5GtFRpr:bm/7cijcPr9ocI5K5NjGnL
Malware Config
Extracted: laplas
  http://clipper.guru
  api_key: 0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e
Signatures
Executes dropped EXE (1 IoC)
  pid: 2800  Process: ntlhost.exe
Loads dropped DLL (2 IoCs)
  pid: 1788  Process: e5cbc0114ff238740e72e907ad20223c.exe
  pid: 1788  Process: e5cbc0114ff238740e72e907ad20223c.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"
  Process: e5cbc0114ff238740e72e907ad20223c.exe
GoLang User-Agent (1 IoC)
  Uses default user-agent string defined by GoLang HTTP packages.
  description: HTTP User-Agent header  flow: 3  ioc: Go-http-client/1.1
Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 1788 wrote to memory of 2800  pid: 1788  Process: e5cbc0114ff238740e72e907ad20223c.exe  procid_target: 28
  description: PID 1788 wrote to memory of 2800  pid: 1788  Process: e5cbc0114ff238740e72e907ad20223c.exe  procid_target: 28
  description: PID 1788 wrote to memory of 2800  pid: 1788  Process: e5cbc0114ff238740e72e907ad20223c.exe  procid_target: 28
  description: PID 1788 wrote to memory of 2800  pid: 1788  Process: e5cbc0114ff238740e72e907ad20223c.exe  procid_target: 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\e5cbc0114ff238740e72e907ad20223c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e5cbc0114ff238740e72e907ad20223c.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   PID: 1788
   2. C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe (child process)
      Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      - Executes dropped EXE
      PID: 2800
Downloads