Analysis

max time kernel: 298s
max time network: 256s
platform: windows10-1703_x64
resource: win10-20230703-en
resource tags: arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
submitted: 17-08-2023 04:05
Static task: static1

Behavioral task: behavioral1
  Sample: bdf326424f960a66d01dd645db9fd335a157ceb86d7f482ff15205fa7d9cc7b0.exe
  Resource: win7-20230712-en

Behavioral task: behavioral2
  Sample: bdf326424f960a66d01dd645db9fd335a157ceb86d7f482ff15205fa7d9cc7b0.exe
  Resource: win10-20230703-en
General

Target: bdf326424f960a66d01dd645db9fd335a157ceb86d7f482ff15205fa7d9cc7b0.exe
Size: 1.8MB
MD5: e5cbc0114ff238740e72e907ad20223c
SHA1: 98c5d3c714adb3fbef71c19eaaa53cb680dd2d91
SHA256: bdf326424f960a66d01dd645db9fd335a157ceb86d7f482ff15205fa7d9cc7b0
SHA512: 7049adad987de004b179198aa72910c9bc47f5f0095032cc44a9c409bc6337150b05a208e47919e276c74bbbb9bfa1bee6b58575b2176083e0210af6ce9c9b92
SSDEEP: 49152:bm/7cijxOPr17ocI5ut5TrCEJ5GtFRpr:bm/7cijcPr9ocI5K5NjGnL
Malware Config

Extracted
  Family: laplas
  C2: http://clipper.guru
  api_key: 0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e
Signatures

Executes dropped EXE (1 IoC)
  PID 1508 - Process: ntlhost.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"
  Process: bdf326424f960a66d01dd645db9fd335a157ceb86d7f482ff15205fa7d9cc7b0.exe

GoLang User-Agent (1 IoC)
  Uses the default User-Agent string defined by the GoLang HTTP packages.
  Description: HTTP User-Agent header - Flow: 3 - IoC: Go-http-client/1.1

Suspicious use of WriteProcessMemory (3 IoCs)
  PID 5020 wrote to memory of 1508 - Process: bdf326424f960a66d01dd645db9fd335a157ceb86d7f482ff15205fa7d9cc7b0.exe - procid_target: 70
  PID 5020 wrote to memory of 1508 - Process: bdf326424f960a66d01dd645db9fd335a157ceb86d7f482ff15205fa7d9cc7b0.exe - procid_target: 70
  PID 5020 wrote to memory of 1508 - Process: bdf326424f960a66d01dd645db9fd335a157ceb86d7f482ff15205fa7d9cc7b0.exe - procid_target: 70
Processes

1. C:\Users\Admin\AppData\Local\Temp\bdf326424f960a66d01dd645db9fd335a157ceb86d7f482ff15205fa7d9cc7b0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bdf326424f960a66d01dd645db9fd335a157ceb86d7f482ff15205fa7d9cc7b0.exe"
   PID: 5020
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      PID: 1508
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 817.8MB
MD5: 63593423259b160fef125e920a33a651
SHA1: f325dfe3b7d6ed6121c2e9be52e3f1b6aad91637
SHA256: 678b18c8f0080f5da03317ecb4e2ab43704a3f34b2da9eb7457a3fd0a2496b89
SHA512: 11b359322f15d7972fc8476118791b654eb816ade7d31e83a238b65fa02d3c4d3fe8f050c4cea218e8246c82f96e92d332b4d3e819bd16028c4fd3fd74432540