Analysis
-
max time kernel
139s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system -
submitted
20-08-2023 15:12
Static task
static1
Behavioral task
behavioral1
Sample
4230177379ff0422741a5714ba02dbeccdac0edc6d2c1e4123827f23ff179e64_JC.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
4230177379ff0422741a5714ba02dbeccdac0edc6d2c1e4123827f23ff179e64_JC.exe
Resource
win10v2004-20230703-en
General
-
Target
4230177379ff0422741a5714ba02dbeccdac0edc6d2c1e4123827f23ff179e64_JC.exe
-
Size
1.9MB
-
MD5
961751858d8b74b2dec9d4f165a0a8c0
-
SHA1
88ca04fb4d62052614bd9da2b333ab10f5e0bfa7
-
SHA256
4230177379ff0422741a5714ba02dbeccdac0edc6d2c1e4123827f23ff179e64
-
SHA512
c9625844e4acd328977d0078889497e6d8a81025d6d5da787a4ae0b9ee0fa717ee543cd7e520d26f4480265c56c0ea07ae8cecd8518f72afc59d114c605fbe4c
-
SSDEEP
49152:7YjDgDQj0z0HG2SYE/LA386lYmBk1U5nuyYPcEaC:7YjsEjJ33JYmSa5owC
Malware Config
Extracted
laplas
http://clipper.guru
-
api_key
0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e
Extracted
laplas
http://clipper.guru
-
api_key
0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2344 ntlhost.exe -
Loads dropped DLL 2 IoCs
pid Process 2784 4230177379ff0422741a5714ba02dbeccdac0edc6d2c1e4123827f23ff179e64_JC.exe 2784 4230177379ff0422741a5714ba02dbeccdac0edc6d2c1e4123827f23ff179e64_JC.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" 4230177379ff0422741a5714ba02dbeccdac0edc6d2c1e4123827f23ff179e64_JC.exe -
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description flow ioc HTTP User-Agent header 3 Go-http-client/1.1 -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2784 wrote to memory of 2344 2784 4230177379ff0422741a5714ba02dbeccdac0edc6d2c1e4123827f23ff179e64_JC.exe 28 PID 2784 wrote to memory of 2344 2784 4230177379ff0422741a5714ba02dbeccdac0edc6d2c1e4123827f23ff179e64_JC.exe 28 PID 2784 wrote to memory of 2344 2784 4230177379ff0422741a5714ba02dbeccdac0edc6d2c1e4123827f23ff179e64_JC.exe 28 PID 2784 wrote to memory of 2344 2784 4230177379ff0422741a5714ba02dbeccdac0edc6d2c1e4123827f23ff179e64_JC.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\4230177379ff0422741a5714ba02dbeccdac0edc6d2c1e4123827f23ff179e64_JC.exe"C:\Users\Admin\AppData\Local\Temp\4230177379ff0422741a5714ba02dbeccdac0edc6d2c1e4123827f23ff179e64_JC.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeC:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe2⤵
- Executes dropped EXE
PID:2344
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
446.0MB
MD51d556d8050fb68311bf6f07d92c24187
SHA1225917ab4f687de4f09a8cfb4978b7b47a9e4a44
SHA256189848957a2e22ab21bc18ba2598229166bd30ed248441c4c9dc6acd3c428fe3
SHA512de7ba5001a2eed15cddc1c04e462dd34397aff0f3ef436508a9fcb1b554a2a1e58aa969fc3ff4fe6c05011fdf8f56be3387aaebbf0120db750aff6490546e36a
-
Filesize
447.8MB
MD528e5297417cbff70de69ab6ba44a0f74
SHA187a55a20fcad09df4f7036960d19d21701ad3c5d
SHA256c40c818e55c52c1d8a3605c169d5ec94249e3b7d38409bf525381655664433f4
SHA5124baca3631aaefab25c8bf64e88a00bb9bada8d46cde76d8f4512d86065ced20b2ade263cae16fde37c813920e01f6bb3e5e4f27f218cada59e8195449f792d94
-
Filesize
470.3MB
MD5e4356feec092edc7ff8f4213b0d14ecd
SHA1bb921423652057e7c96c3cb15a25b32eacd37eb6
SHA256e2ca37a1cbf09b54cbed4c54a9fae6cf63d58fd08d9384a0d7cd5d97eb124df7
SHA512f5ca0eeb42630a91eeeb5d6f9accc54673a2dbbdf025500192451c86d3400499acf780c8737302a03fbe130817be2e2f3d83b572308f310b683f05aa841fc57f
-
Filesize
433.8MB
MD5505a27eda0a4f5a212fd604eda6924ff
SHA1ad0d95a2115e777510901e2f33edf161e0496a7b
SHA256da89e4a57178cedd3ba38199e6b08ed221f01d530819be5d2cb3a3a38c3dfc7a
SHA5122625c2ccfcd3ce9d6a59bd060990f844311bae47fbe8abb9693f4065a0b116e2e55f77cd3e505ef3add18af6c6a92ffd0b04c1438a2df739b9af93a9bff60489