Analysis
max time kernel: 144s
max time network: 150s
platform: windows7_x64
resource: win7-20230824-en
resource tags: arch:x64, arch:x86, image:win7-20230824-en, locale:en-us, os:windows7-x64, system
submitted: 26-08-2023 15:38
Static task: static1
Behavioral task: behavioral1
  Sample: f022037056b50b4baf5db8ba0a437494662dc93cee9421ed12471e14a58a0d50_JC.exe
  Resource: win7-20230824-en
Behavioral task: behavioral2
  Sample: f022037056b50b4baf5db8ba0a437494662dc93cee9421ed12471e14a58a0d50_JC.exe
  Resource: win10v2004-20230703-en
General
Target: f022037056b50b4baf5db8ba0a437494662dc93cee9421ed12471e14a58a0d50_JC.exe
Size: 1.8MB
MD5: ec8952a8dcbbfaa1fb6fda23df851402
SHA1: 4fb7a97221090f3a4ff5263103623da165624881
SHA256: f022037056b50b4baf5db8ba0a437494662dc93cee9421ed12471e14a58a0d50
SHA512: 33ce0a6ae2929145d75aceee5ab7ca6256c8a630ecb04f8df4addab02541b74c6a350a210cd5426466bf254699b76d8b77259b9bf969a131ca292d9d372d7ffd
SSDEEP: 49152:N4o1Bkql93ztp3vKhV2E8rf/L0ZNo2gV6UlAo7TWJ:N4o1Bb73ztVv5Ei0ZTUX7Y
Malware Config
Extracted: laplas
  http://clipper.guru
  api_key: 0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e
Signatures
Executes dropped EXE (1 IoCs)
  pid 2300  Process: ntlhost.exe
Loads dropped DLL (2 IoCs)
  pid 940  Process: f022037056b50b4baf5db8ba0a437494662dc93cee9421ed12471e14a58a0d50_JC.exe
  pid 940  Process: f022037056b50b4baf5db8ba0a437494662dc93cee9421ed12471e14a58a0d50_JC.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"
  Process: f022037056b50b4baf5db8ba0a437494662dc93cee9421ed12471e14a58a0d50_JC.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description                      pid  Process                                                                    procid_target
  PID 940 wrote to memory of 2300  940  f022037056b50b4baf5db8ba0a437494662dc93cee9421ed12471e14a58a0d50_JC.exe  29
  PID 940 wrote to memory of 2300  940  f022037056b50b4baf5db8ba0a437494662dc93cee9421ed12471e14a58a0d50_JC.exe  29
  PID 940 wrote to memory of 2300  940  f022037056b50b4baf5db8ba0a437494662dc93cee9421ed12471e14a58a0d50_JC.exe  29
  PID 940 wrote to memory of 2300  940  f022037056b50b4baf5db8ba0a437494662dc93cee9421ed12471e14a58a0d50_JC.exe  29
Processes
1. C:\Users\Admin\AppData\Local\Temp\f022037056b50b4baf5db8ba0a437494662dc93cee9421ed12471e14a58a0d50_JC.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f022037056b50b4baf5db8ba0a437494662dc93cee9421ed12471e14a58a0d50_JC.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   PID: 940
   2. C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      - Executes dropped EXE
      PID: 2300
Network
MITRE ATT&CK Enterprise v15
Downloads