Analysis
max time kernel: 141s
max time network: 147s
platform: windows7_x64
resource: win7-20230824-en
resource tags: arch:x64 arch:x86 image:win7-20230824-en locale:en-us os:windows7-x64 system
submitted: 25-08-2023 01:30
Static task: static1
Behavioral task: behavioral1
  Sample: ec8952a8dcbbfaa1fb6fda23df851402.exe
  Resource: win7-20230824-en
Behavioral task: behavioral2
  Sample: ec8952a8dcbbfaa1fb6fda23df851402.exe
  Resource: win10v2004-20230703-en
General
Target: ec8952a8dcbbfaa1fb6fda23df851402.exe
Size: 1.8MB
MD5: ec8952a8dcbbfaa1fb6fda23df851402
SHA1: 4fb7a97221090f3a4ff5263103623da165624881
SHA256: f022037056b50b4baf5db8ba0a437494662dc93cee9421ed12471e14a58a0d50
SHA512: 33ce0a6ae2929145d75aceee5ab7ca6256c8a630ecb04f8df4addab02541b74c6a350a210cd5426466bf254699b76d8b77259b9bf969a131ca292d9d372d7ffd
SSDEEP: 49152:N4o1Bkql93ztp3vKhV2E8rf/L0ZNo2gV6UlAo7TWJ:N4o1Bb73ztVv5Ei0ZTUX7Y
Malware Config
Extracted
laplas
http://clipper.guru
api_key: 0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  2504  ntlhost.exe
Loads dropped DLL (2 IoCs)
  pid   Process
  2988  ec8952a8dcbbfaa1fb6fda23df851402.exe
  2988  ec8952a8dcbbfaa1fb6fda23df851402.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                                   Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"  ec8952a8dcbbfaa1fb6fda23df851402.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process                               procid_target
  PID 2988 wrote to memory of 2504   2988  ec8952a8dcbbfaa1fb6fda23df851402.exe  30
  PID 2988 wrote to memory of 2504   2988  ec8952a8dcbbfaa1fb6fda23df851402.exe  30
  PID 2988 wrote to memory of 2504   2988  ec8952a8dcbbfaa1fb6fda23df851402.exe  30
  PID 2988 wrote to memory of 2504   2988  ec8952a8dcbbfaa1fb6fda23df851402.exe  30
Processes
C:\Users\Admin\AppData\Local\Temp\ec8952a8dcbbfaa1fb6fda23df851402.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ec8952a8dcbbfaa1fb6fda23df851402.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 2988
  Child process: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    - Executes dropped EXE
    PID: 2504
Network
MITRE ATT&CK Enterprise v15
Downloads