Analysis
-
max time kernel
147s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20230703-en locale:en-us os:windows10-2004-x64 system -
submitted
18-08-2023 11:03
Static task
static1
Behavioral task
behavioral1
Sample
961751858d8b74b2dec9d4f165a0a8c0.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
961751858d8b74b2dec9d4f165a0a8c0.exe
Resource
win10v2004-20230703-en
General
-
Target
961751858d8b74b2dec9d4f165a0a8c0.exe
-
Size
1.9MB
-
MD5
961751858d8b74b2dec9d4f165a0a8c0
-
SHA1
88ca04fb4d62052614bd9da2b333ab10f5e0bfa7
-
SHA256
4230177379ff0422741a5714ba02dbeccdac0edc6d2c1e4123827f23ff179e64
-
SHA512
c9625844e4acd328977d0078889497e6d8a81025d6d5da787a4ae0b9ee0fa717ee543cd7e520d26f4480265c56c0ea07ae8cecd8518f72afc59d114c605fbe4c
-
SSDEEP
49152:7YjDgDQj0z0HG2SYE/LA386lYmBk1U5nuyYPcEaC:7YjsEjJ33JYmSa5owC
Malware Config
Extracted
laplas
http://clipper.guru
-
api_key
0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e
Signatures
-
Executes dropped EXE 1 IoCs
pid   Process
1836  ntlhost.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description   ioc   Process
Set value (str)   \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"   961751858d8b74b2dec9d4f165a0a8c0.exe -
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description   flow   ioc
HTTP User-Agent header   24   Go-http-client/1.1 -
Suspicious use of WriteProcessMemory 3 IoCs
description   pid   Process   procid_target
PID 2520 wrote to memory of 1836   2520   961751858d8b74b2dec9d4f165a0a8c0.exe   86
PID 2520 wrote to memory of 1836   2520   961751858d8b74b2dec9d4f165a0a8c0.exe   86
PID 2520 wrote to memory of 1836   2520   961751858d8b74b2dec9d4f165a0a8c0.exe   86
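The two behavioural signatures above (the Run-key persistence entry and the Go default User-Agent) expressed as hunting logic over host and proxy telemetry. This is an added example, not part of the sandbox report and not the sample's own code. The registry events are constructed to loosely mimic Sysmon event 13 (registry value set), the proxy log format is an assumption, and the benign event and log lines are constructed noise so the rules can show the difference between a shape match (any Run value pointing into a user-writable directory, any Go default UA) and an exact hit on this report's IoCs.

```python
"""Hunt for the Run-key persistence and Go default-UA IoCs from the report above.

Added example, not part of the sandbox report. Event field names follow Sysmon
event 13 loosely and the proxy log format is an assumption; adapt to your SIEM.
"""
import re
from dataclasses import dataclass

# IoCs taken from the report above.
RUN_VALUE_NAME = "NTSystem"
DROPPED_PATH = r"C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe"
C2_HOST = "clipper.guru"
GO_DEFAULT_UA = "Go-http-client/1.1"   # net/http's default when the client sets no UA

# Constructed Sysmon-style registry events (EventID 13 = value set). Only the first
# is from this report; the other two are benign noise for the rule to ignore.
REGISTRY_EVENTS = [
    {"EventID": 13,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\961751858d8b74b2dec9d4f165a0a8c0.exe",
     "TargetObject": r"HKU\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem",
     "Details": DROPPED_PATH},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

# Constructed proxy log lines: <ts> <src> <method> <host> <status> "<user-agent>".
PROXY_LOG = """\
2023-08-18T11:04:02Z 10.0.0.5 POST clipper.guru 200 "Go-http-client/1.1"
2023-08-18T11:04:05Z 10.0.0.7 GET update.example.com 200 "Go-http-client/1.1"
2023-08-18T11:04:09Z 10.0.0.5 GET www.example.com 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
"""

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\(?P<name>[^\\]+)$", re.IGNORECASE)
# Directories a standard user can write to: a Run value pointing here is the
# classic drop-and-persist shape seen in the report (AppData\Roaming).
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|\\Users\\[^\\]+\\Downloads\\|\\Temp\\", re.IGNORECASE)
PROXY_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<host>\S+) (?P<status>\d+) "(?P<ua>[^"]*)"$')


@dataclass
class Finding:
    rule: str
    detail: str
    exact_ioc: bool   # True when it matches this sample's IoC, not just the shape


def suspicious_run_keys(events):
    """Flag Run/RunOnce values whose data points into a user-writable directory."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        m = RUN_KEY_RE.search(ev["TargetObject"])
        if not m or not USER_WRITABLE_RE.search(ev["Details"]):
            continue
        exact = (m.group("name") == RUN_VALUE_NAME
                 and ev["Details"].lower() == DROPPED_PATH.lower())
        findings.append(Finding("run_key_user_writable",
                                f'{m.group("name")} -> {ev["Details"]}', exact))
    return findings


def go_ua_beacons(log_text):
    """Flag Go default-UA requests. The UA alone is weak evidence (many legitimate
    Go tools send it), so only a hit on the report's C2 host is marked exact."""
    findings = []
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        if not m or m.group("ua") != GO_DEFAULT_UA:
            continue
        exact = m.group("host").lower() == C2_HOST
        findings.append(Finding("golang_default_ua",
                                f'{m.group("src")} -> {m.group("host")}', exact))
    return findings


def hunt(events=REGISTRY_EVENTS, log_text=PROXY_LOG):
    """Run both rules and return the combined findings."""
    return suspicious_run_keys(events) + go_ua_beacons(log_text)


if __name__ == "__main__":
    for f in hunt():
        print(("IOC   " if f.exact_ioc else "SHAPE ") + f.rule + ": " + f.detail)
```

Against the constructed input this yields one exact Run-key hit (NTSystem pointing at the dropped ntlhost.exe), one exact beacon to clipper.guru and one shape-only Go UA hit from another host; the VendorTray entry under Program Files and the unrelated Explorer value are left alone. In a real environment the shape matches are the triage queue and the exact matches are the incident.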
Processes
-
C:\Users\Admin\AppData\Local\Temp\961751858d8b74b2dec9d4f165a0a8c0.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\961751858d8b74b2dec9d4f165a0a8c0.exe"
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2520 -
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe (depth 2)
  Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  - Executes dropped EXE
  PID:1836
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
747.9MB
MD5 52a5a274f1ef0a39404548ba4db4a7b2
SHA1 db393896235851b069641b6aac693b4ab52e0d7c
SHA256 3cba92e395a71784ab4f6c5be7c288308e7b63b1ba85281e913f2e6b09295aaa
SHA512 1bf22699f189366ff5a939533e920177d4d65b1fff7999ae692639c7943e7e24c908a0517fe04e36886e6f400baadae5b572533abe31cd2c719604cdece75d3d