Analysis

max time kernel: 145s
max time network: 133s
platform: windows7_x64
resource: win7-20230824-en
resource tags: arch:x64, arch:x86, image:win7-20230824-en, locale:en-us, os:windows7-x64, system
submitted: 30-08-2023 13:55
Static task: static1
Behavioral task: behavioral1 (Sample: signed.exe; Resource: win7-20230824-en)
Behavioral task: behavioral2 (Sample: signed.exe; Resource: win10v2004-20230703-en)
General

Target: signed.exe
Size: 1.8MB
MD5: ec8952a8dcbbfaa1fb6fda23df851402
SHA1: 4fb7a97221090f3a4ff5263103623da165624881
SHA256: f022037056b50b4baf5db8ba0a437494662dc93cee9421ed12471e14a58a0d50
SHA512: 33ce0a6ae2929145d75aceee5ab7ca6256c8a630ecb04f8df4addab02541b74c6a350a210cd5426466bf254699b76d8b77259b9bf969a131ca292d9d372d7ffd
SSDEEP: 49152:N4o1Bkql93ztp3vKhV2E8rf/L0ZNo2gV6UlAo7TWJ:N4o1Bb73ztVv5Ei0ZTUX7Y
Malware Config

Extracted
Family: laplas
C2: http://clipper.guru
api_key: 0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e
Signatures

Executes dropped EXE (1 IoC)
  PID 2720, process ntlhost.exe

Loads dropped DLL (2 IoCs)
  PID 816, process signed.exe (listed twice)

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by signed.exe: \REGISTRY\USER\S-1-5-21-1528014236-771305907-3973026625-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"

GoLang User-Agent (1 IoC)
  Uses default user-agent string defined by GoLang HTTP packages.
  HTTP User-Agent header (flow 3): Go-http-client/1.1

Suspicious use of WriteProcessMemory (4 IoCs)
  PID 816 (signed.exe) wrote to memory of PID 2720, procid_target 30 (listed four times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\signed.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\signed.exe"
   PID: 816
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe (child of 1)
      Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      PID: 2720
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads