Analysis

max time kernel: 138s
max time network: 150s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 25-08-2023 01:30

Static task: static1
Behavioral task: behavioral1
  Sample: ec8952a8dcbbfaa1fb6fda23df851402.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: ec8952a8dcbbfaa1fb6fda23df851402.exe
  Resource: win10v2004-20230703-en
General

Target: ec8952a8dcbbfaa1fb6fda23df851402.exe
Size: 1.8MB
MD5: ec8952a8dcbbfaa1fb6fda23df851402
SHA1: 4fb7a97221090f3a4ff5263103623da165624881
SHA256: f022037056b50b4baf5db8ba0a437494662dc93cee9421ed12471e14a58a0d50
SHA512: 33ce0a6ae2929145d75aceee5ab7ca6256c8a630ecb04f8df4addab02541b74c6a350a210cd5426466bf254699b76d8b77259b9bf969a131ca292d9d372d7ffd
SSDEEP: 49152:N4o1Bkql93ztp3vKhV2E8rf/L0ZNo2gV6UlAo7TWJ:N4o1Bb73ztVv5Ei0ZTUX7Y

Malware Config

Extracted
  Family: laplas
  URL: http://clipper.guru
  api_key: 0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  2192  ntlhost.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  1704  ec8952a8dcbbfaa1fb6fda23df851402.exe
  1704  ec8952a8dcbbfaa1fb6fda23df851402.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                                   Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"  ec8952a8dcbbfaa1fb6fda23df851402.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process                               procid_target
  PID 1704 wrote to memory of 2192  1704  ec8952a8dcbbfaa1fb6fda23df851402.exe  28
  PID 1704 wrote to memory of 2192  1704  ec8952a8dcbbfaa1fb6fda23df851402.exe  28
  PID 1704 wrote to memory of 2192  1704  ec8952a8dcbbfaa1fb6fda23df851402.exe  28
  PID 1704 wrote to memory of 2192  1704  ec8952a8dcbbfaa1fb6fda23df851402.exe  28
Processes

1. C:\Users\Admin\AppData\Local\Temp\ec8952a8dcbbfaa1fb6fda23df851402.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ec8952a8dcbbfaa1fb6fda23df851402.exe"
   PID: 1704
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. (child of 1) C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      PID: 2192
      - Executes dropped EXE
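The indicators above (sample hashes, the Run value NTSystem pointing at ntlhost.exe under AppData\Roaming, the parent/child process pair, and the host in the extracted config URL) are enough to write a small matcher. The following is an added example, not part of the sandbox report or of any vendor tooling: it encodes the report's IoCs, adds one generic rule derived from the "Adds Run key" behaviour (any Run value that points at an executable under a user's AppData tree), and runs both over constructed telemetry. The event schema and field names (type, key, data, image, hashes, query) are assumptions for the example, as are the benign OneDrive and example.com events. Note that the report prints the registry value with doubled backslashes because it is a string value; the example uses the plain path.

```python
"""Added example (not part of the sandbox report): match this report's IoCs
against constructed endpoint telemetry. The event schema, field names and the
benign events are assumptions made for the example."""
import re
from urllib.parse import urlsplit

# Indicators copied from the report above.
SAMPLE_HASHES = {
    "ec8952a8dcbbfaa1fb6fda23df851402",                                  # MD5
    "4fb7a97221090f3a4ff5263103623da165624881",                          # SHA1
    "f022037056b50b4baf5db8ba0a437494662dc93cee9421ed12471e14a58a0d50",  # SHA256
}
C2_URL = "http://clipper.guru"                # URL from the extracted config
C2_HOST = urlsplit(C2_URL).hostname           # "clipper.guru"
RUN_VALUE = "NTSystem"
DROPPED_EXE = r"C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe"

# Generic rule derived from the "Adds Run key" signature: a Run value whose data is an
# executable under a user's AppData tree. Legitimate per-user installers match it too.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
APPDATA_EXE_RE = re.compile(r"\\AppData\\(?:Roaming|Local)\\[^\"]*\.exe", re.I)

HIGH_CONFIDENCE = {"laplas_sample_hash", "laplas_run_key", "laplas_dropped_exe", "laplas_c2_domain"}


def normalize_path(p: str) -> str:
    """Lower-case, drop surrounding quotes and replace the profile name with '*'
    so the sandbox path (user 'Admin') also matches other users' profiles."""
    p = p.strip().strip('"')
    p = re.sub(r"^C:\\Users\\[^\\]+\\", r"C:\\Users\\*\\", p, flags=re.I)
    return p.lower()


def check_event(ev: dict) -> list[str]:
    """Return the rule names an event matches; an empty list means no hit."""
    hits = []
    kind = ev.get("type")
    if kind == "process_create":
        if SAMPLE_HASHES & {h.lower() for h in ev.get("hashes", [])}:
            hits.append("laplas_sample_hash")
        if normalize_path(ev.get("image", "")) == normalize_path(DROPPED_EXE):
            hits.append("laplas_dropped_exe")
    elif kind == "registry_set":
        m = RUN_KEY_RE.search(ev.get("key", ""))
        if m:
            target = normalize_path(ev.get("data", ""))
            if m.group(1).lower() == RUN_VALUE.lower() and target == normalize_path(DROPPED_EXE):
                hits.append("laplas_run_key")          # exact IoC from this report
            elif APPDATA_EXE_RE.search(target):
                hits.append("run_key_appdata_exe")     # generic, expect benign hits
    elif kind == "dns_query":
        if ev.get("query", "").lower().rstrip(".") == C2_HOST:
            hits.append("laplas_c2_domain")
    return hits


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> matched rules, for events that matched at least one rule."""
    return {i: hits for i, ev in enumerate(events) if (hits := check_event(ev))}


def triage(events: list[dict]) -> tuple[list[int], list[int]]:
    """Split hits into confirmed (exact IoC from this report) and needs-review (generic rule only)."""
    confirmed, review = [], []
    for i, rules in scan(events).items():
        (confirmed if HIGH_CONFIDENCE & set(rules) else review).append(i)
    return confirmed, review


# Constructed telemetry: events 0-3 mirror the report's process tree, registry write
# and config host; events 4-5 are benign (a OneDrive Run value, an unrelated DNS query).
EVENTS = [
    {"type": "process_create", "pid": 1704,
     "image": r"C:\Users\Admin\AppData\Local\Temp\ec8952a8dcbbfaa1fb6fda23df851402.exe",
     "hashes": ["F022037056B50B4BAF5DB8BA0A437494662DC93CEE9421ED12471E14A58A0D50"]},
    {"type": "registry_set", "pid": 1704,
     "key": r"\REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem",
     "data": r"C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe"},
    {"type": "process_create", "pid": 2192, "parent_pid": 1704,
     "image": r"C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe", "hashes": []},
    {"type": "dns_query", "pid": 2192, "query": "clipper.guru"},
    {"type": "registry_set", "pid": 900,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Users\Alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "dns_query", "pid": 900, "query": "example.com"},
]

if __name__ == "__main__":
    for idx, rules in scan(EVENTS).items():
        print(idx, EVENTS[idx]["type"], rules)
    confirmed, review = triage(EVENTS)
    print("confirmed:", confirmed, "needs review:", review)
```

The exact-match rules are the ones worth alerting on; the generic AppData Run-key rule fires on the constructed OneDrive event as well, which is why it is kept out of HIGH_CONFIDENCE and routed to review. The profile name is wildcarded because "Admin" is only the sandbox user; the NTSystem directory and ntlhost.exe name are the stable part of the indicator.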
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 373.1MB
  MD5: 5aa51a67b924eded425e095182bb85d7
  SHA1: 26ebe5356a1973ce712e186680275e3d0a74f01c
  SHA256: 312a2d47ec13257159eac715e7a33d290a1b91c482d805a880a5e34078449b4f
  SHA512: 5e6860caee36e99da8eacfe89633d1a7d928b6ac18246836a152f44816711073148aea8d0300c4cc65f304e5946b8b5ea00e94774c2bdbc3656e268a70ea0b2e

- Filesize: 368.6MB
  MD5: 0e8646f81c268eb7a1a6b46539df12ed
  SHA1: dc45cff19245b65752e13d8f5370f8b5e4c3b14c
  SHA256: 7b09d5b017f59e95f1fb40ed833b945e45110cbbad72bdc3baf7a13792537b49
  SHA512: d700925dcfddc5c60c7331bd22d1bedf1872d020848ba645e4256d859b023b72e85aa3450446415f61fe4c76d7f00ce787c484280e44a640472ea4a41c631045

- Filesize: 374.2MB
  MD5: 9cf4f4b8a4b29938bc3e5d08c45cc60a
  SHA1: b06255c720572509f78158b25e3e92f28a42ad5d
  SHA256: 45d44a83495b3d384cf667719142c4054da78833d77b7b4b6b2071019b9ad5fa
  SHA512: 5fb0a874c2131bb1d05a0d0f6f44fbeeddf377809ef4aa7069d3fa11f951db1bef2c46dea3f7dc6765703fd8e11e687c0c431018160c672549c41182079fa2b1

- Filesize: 380.1MB
  MD5: f7422b07f7e420588a75a9dcf9ff8a0a
  SHA1: 22e3c67804597062980b8fdca88e4fafe1764329
  SHA256: d7f661b9084e49b4ebbae492cc808a6e8257df45eeb3de13c4c8d069367a8305
  SHA512: c090f52adb1c4a00765243c412d7a5fc6a90e648502eca1140152cae191dcb2e0b2c2a3ce780c194f73f0232ba633acde4baa0f61a83b2db4c394a0371233eb7