Analysis
max time kernel: 148s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-08-2023 01:30
Static task: static1
Behavioral task: behavioral1
  Sample: ec8952a8dcbbfaa1fb6fda23df851402.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: ec8952a8dcbbfaa1fb6fda23df851402.exe
  Resource: win10v2004-20230703-en
General
Target: ec8952a8dcbbfaa1fb6fda23df851402.exe
Size: 1.8MB
MD5: ec8952a8dcbbfaa1fb6fda23df851402
SHA1: 4fb7a97221090f3a4ff5263103623da165624881
SHA256: f022037056b50b4baf5db8ba0a437494662dc93cee9421ed12471e14a58a0d50
SHA512: 33ce0a6ae2929145d75aceee5ab7ca6256c8a630ecb04f8df4addab02541b74c6a350a210cd5426466bf254699b76d8b77259b9bf969a131ca292d9d372d7ffd
SSDEEP: 49152:N4o1Bkql93ztp3vKhV2E8rf/L0ZNo2gV6UlAo7TWJ:N4o1Bb73ztVv5Ei0ZTUX7Y
Malware Config
Extracted
Family: laplas
C2: http://clipper.guru
api_key: 0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e
Signatures

Executes dropped EXE (1 IoCs)
  pid   Process
  4944  ntlhost.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                              Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"  ec8952a8dcbbfaa1fb6fda23df851402.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process                               procid_target
  PID 2828 wrote to memory of 4944  2828  ec8952a8dcbbfaa1fb6fda23df851402.exe  85
  PID 2828 wrote to memory of 4944  2828  ec8952a8dcbbfaa1fb6fda23df851402.exe  85
  PID 2828 wrote to memory of 4944  2828  ec8952a8dcbbfaa1fb6fda23df851402.exe  85
Processes

C:\Users\Admin\AppData\Local\Temp\ec8952a8dcbbfaa1fb6fda23df851402.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ec8952a8dcbbfaa1fb6fda23df851402.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 2828

  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    - Executes dropped EXE
    PID: 4944
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 839.8MB
MD5: 12815e7de5af5e4b6298da7e858107f7
SHA1: f80d4bafee89e501cd5c5c0569b57f2c137bfe76
SHA256: 2ab5bf8bcc20f8e0759df42d458175edd4b1e8ac3937c6d494eddbbfe9709333
SHA512: 0e84ca83decca11f166de4de2927d1bab6b80c4394987929c97af11b03f0c6abee5505da48535a8a1f7de895b82aa37d2f4af6fcaeded31c33074b62a10dcda7