Analysis

max time kernel: 279s
max time network: 303s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 17-08-2023 04:05
Static task static1
Behavioral task behavioral1: sample bdf326424f960a66d01dd645db9fd335a157ceb86d7f482ff15205fa7d9cc7b0.exe, resource win7-20230712-en
Behavioral task behavioral2: sample bdf326424f960a66d01dd645db9fd335a157ceb86d7f482ff15205fa7d9cc7b0.exe, resource win10-20230703-en
General

Target: bdf326424f960a66d01dd645db9fd335a157ceb86d7f482ff15205fa7d9cc7b0.exe
Size: 1.8MB
MD5: e5cbc0114ff238740e72e907ad20223c
SHA1: 98c5d3c714adb3fbef71c19eaaa53cb680dd2d91
SHA256: bdf326424f960a66d01dd645db9fd335a157ceb86d7f482ff15205fa7d9cc7b0
SHA512: 7049adad987de004b179198aa72910c9bc47f5f0095032cc44a9c409bc6337150b05a208e47919e276c74bbbb9bfa1bee6b58575b2176083e0210af6ce9c9b92
SSDEEP: 49152:bm/7cijxOPr17ocI5ut5TrCEJ5GtFRpr:bm/7cijcPr9ocI5K5NjGnL
Malware Config

Extracted (reported twice with identical values)
family: laplas
url: http://clipper.guru
api_key: 0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e
Signatures

Executes dropped EXE (1 IoC)
PID 2188  ntlhost.exe

Loads dropped DLL (2 IoCs)
PID 1664  bdf326424f960a66d01dd645db9fd335a157ceb86d7f482ff15205fa7d9cc7b0.exe
PID 1664  bdf326424f960a66d01dd645db9fd335a157ceb86d7f482ff15205fa7d9cc7b0.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Set value (str): \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"
Process: bdf326424f960a66d01dd645db9fd335a157ceb86d7f482ff15205fa7d9cc7b0.exe
The value sits in the user's own hive (HKU\<SID>, i.e. HKCU for that account), so the dropped ntlhost.exe is re-launched at that user's logon and the write needs no elevation.
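A check for this persistence pattern, added here as an example and not part of the sandbox report: it parses a `.reg` export of a user's Run key and flags any value whose executable lives in a user-writable directory. The registry text is constructed to mirror the NTSystem value recorded above plus one benign entry; the list of "user-writable" path fragments is an assumption to tune for your environment.

```python
"""Flag Run/RunOnce values whose executable sits in a user-writable location.
Added example, not part of the sandbox report. The .reg text is constructed."""
import re

# Constructed sample: what `reg export` of the user's Run key would look like
# for the NTSystem value in this report, plus a benign OneDrive entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows\CurrentVersion\Run]
"NTSystem"="C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
'''

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\]$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
# Assumed list of directories a standard user can write to; an autorun
# pointing into one of these deserves a look.
USER_WRITABLE = re.compile(
    r"\\(AppData\\Roaming|AppData\\Local\\Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)


def parse_run_values(reg_text):
    """Return (key, value_name, command) for every string value under a Run/RunOnce key."""
    results = []
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # Only keep state while we are inside a Run/RunOnce key.
            current_key = line[1:-1] if RUN_KEY_RE.search(line) else None
            continue
        if current_key is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            # .reg files escape embedded quotes and double every backslash.
            command = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
            results.append((current_key, m.group("name"), command))
    return results


def exe_path(command):
    """Extract the executable path from a Run value, quoted or bare."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ")[0]


def suspicious_run_entries(reg_text):
    """Return (value_name, exe_path) for autoruns whose binary is in a user-writable path."""
    return [(name, exe_path(cmd)) for _, name, cmd in parse_run_values(reg_text)
            if USER_WRITABLE.search(exe_path(cmd))]


if __name__ == "__main__":
    for name, path in suspicious_run_entries(SAMPLE_REG):
        print(f"suspicious autorun {name!r} -> {path}")
```

On a live host, feed it the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (UTF-16 on disk, so open with `encoding="utf-16"`); the same parser covers HKLM exports if you widen `RUN_KEY_RE` to match those hives.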
GoLang User-Agent (1 IoC)
Uses the default User-Agent string that Go's net/http package sends when a program sets none.
flow 3: HTTP User-Agent header Go-http-client/1.1
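A hunt for that header in proxy logs, added here as an example and not part of the sandbox report. The log lines are constructed in a simple space-separated layout (timestamp, source IP, method, URL, status, quoted User-Agent); adapt `LINE_RE` to your proxy's format. Because legitimate Go tooling sends the same default header, the function takes an allowlist of hosts to suppress; which hosts belong there is your call.

```python
"""Find HTTP requests carrying Go's default User-Agent (Go-http-client/1.1, or
Go-http-client/2.0 over HTTP/2) and group them by source and destination host.
Added example, not part of the sandbox report; the log lines are constructed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

GO_UA_RE = re.compile(r"^Go-http-client/\d\.\d$")
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+) "(?P<ua>[^"]*)"$')

# Constructed sample lines. clipper.guru is the host from this report's
# extracted config; the other hosts and addresses are made up.
SAMPLE_LOG = """\
2023-08-17T04:06:01Z 10.0.0.15 POST http://clipper.guru/ 200 "Go-http-client/1.1"
2023-08-17T04:06:02Z 10.0.0.15 GET http://clipper.guru/ 200 "Go-http-client/1.1"
2023-08-17T04:06:05Z 10.0.0.22 GET https://example.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2023-08-17T04:06:09Z 10.0.0.30 GET https://registry.internal/v2/ 200 "Go-http-client/2.0"
"""


def go_client_hits(log_text, allowlist=frozenset()):
    """Return {(src_ip, dest_host): request_count} for Go-UA requests to non-allowlisted hosts."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not GO_UA_RE.match(m["ua"]):
            continue
        host = urlsplit(m["url"]).hostname
        if host in allowlist:
            continue  # known Go-based internal tooling, not worth an alert
        hits[(m["src"], host)] += 1
    return dict(hits)


if __name__ == "__main__":
    for (src, host), n in go_client_hits(SAMPLE_LOG, allowlist={"registry.internal"}).items():
        print(f"{src} -> {host}: {n} request(s) with Go default User-Agent")
```

The grouping matters more than the single match: one Go-UA request to a new external host from a workstation that never runs Go tooling is the signal, while the same header from a build server talking to an internal registry is noise.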
Suspicious use of WriteProcessMemory (4 IoCs)
PID 1664 bdf326424f960a66d01dd645db9fd335a157ceb86d7f482ff15205fa7d9cc7b0.exe wrote to memory of PID 2188 (procid_target 28); reported four times
Processes

1. C:\Users\Admin\AppData\Local\Temp\bdf326424f960a66d01dd645db9fd335a157ceb86d7f482ff15205fa7d9cc7b0.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\bdf326424f960a66d01dd645db9fd335a157ceb86d7f482ff15205fa7d9cc7b0.exe"
   PID 1664
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe (child of PID 1664)
      command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      PID 2188
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 711.8MB
MD5: c988d43619f37e707f6d149a691e6d8b
SHA1: d925b0cee4fa1b4de22572f4cfb5dd7aba3ef03e
SHA256: 431bd731ba2a98b8b44b80c50ccd0a8fdcd91113844cb5bfeba5459da07385c7
SHA512: 21dc0a1d0740750d95768c320e6cd25553596d54509b5f45a18d4c92a4cf27abface1c0d484f561fc8272ba5fb2056be760eafbfe92e378dc7ffd24567511169

Filesize: 703.9MB
MD5: f0f7de133e41379dfc8add0c9d913837
SHA1: d014b24dda25c0dd2cab460a864ebd3388dabf2d
SHA256: 05b0a6cef9efd8c6c7fc474fc738671c2374696dbf736daef8975273fb9fdfcd
SHA512: 616908d2e9e509e49705dee26e2acbe35f5014757c29a876568af5d43c767ce1dd0c61c55c9338088ba516b334fa340697dc60d4bd21439daa54a494813bd64d

Filesize: 705.4MB
MD5: 59c2b097c6e0e1b374b081aa8c256101
SHA1: 39dfa68872934998c970668150c4dee68b8db974
SHA256: 7cadf20f230518245f55bc4f0fa4408ed505267ffc4cb4baa82000f7aa0775de
SHA512: 034900a020bc4693086c4d876433722fe00ce53222e49680bc0e6185da0bf081ed4f385cbd8bec673acc89f5dbb489f890f57961daff5662dd6b2bf11cb45ab4

Filesize: 710.8MB
MD5: 22366b19cc9910cd5e5d825a11cb9a69
SHA1: a0165546eb73b2a2c12330a046d2369c816f2be3
SHA256: 86b361f6766b009fb45a475a66cb28d737b0e8fe4ad8406dd846d9069766ec31
SHA512: 0a0d116e024c8eefa7ec11b481e647d43ec71bddd6ee1a09e0c0327cbed55cee3e0381290508e0cc0563346d4f4c40cb02a6b449de95f2e1d3e75822d94c983a