Analysis
-
max time kernel
148s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
17/03/2023, 23:10
Static task
static1
Behavioral task
behavioral1
Sample
f3e5f6a779b9ff46c5e151ccad1e83fd7bf5e9d29e4ffcfa4775d0a77e99a213.exe
Resource
win10v2004-20230220-en
General
-
Target
f3e5f6a779b9ff46c5e151ccad1e83fd7bf5e9d29e4ffcfa4775d0a77e99a213.exe
-
Size
1.9MB
-
MD5
2bf7a5a8fa98cc72f6953c835531f651
-
SHA1
284871c67b96e46064c1529119801e26e065efe3
-
SHA256
f3e5f6a779b9ff46c5e151ccad1e83fd7bf5e9d29e4ffcfa4775d0a77e99a213
-
SHA512
38880e544b3359abbec5b7da0573d1c5371d274bae90a4541a79b590c75a5c1ecd3e15b77a937c10c0942842634a3f6b4063a4c182f91526f7f33cc790994fbe
-
SSDEEP
49152:qTtTRKS1gxrqJ+QfTMmB5NB4Va6xWhWR:qTtVFuMN+Q6xB
Malware Config
Extracted
laplas
http://45.87.154.105
-
api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 4408 ntlhost.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" f3e5f6a779b9ff46c5e151ccad1e83fd7bf5e9d29e4ffcfa4775d0a77e99a213.exe -
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description flow ioc HTTP User-Agent header 20 Go-http-client/1.1 -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1200 wrote to memory of 4408 1200 f3e5f6a779b9ff46c5e151ccad1e83fd7bf5e9d29e4ffcfa4775d0a77e99a213.exe 87 PID 1200 wrote to memory of 4408 1200 f3e5f6a779b9ff46c5e151ccad1e83fd7bf5e9d29e4ffcfa4775d0a77e99a213.exe 87 PID 1200 wrote to memory of 4408 1200 f3e5f6a779b9ff46c5e151ccad1e83fd7bf5e9d29e4ffcfa4775d0a77e99a213.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\f3e5f6a779b9ff46c5e151ccad1e83fd7bf5e9d29e4ffcfa4775d0a77e99a213.exe"C:\Users\Admin\AppData\Local\Temp\f3e5f6a779b9ff46c5e151ccad1e83fd7bf5e9d29e4ffcfa4775d0a77e99a213.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeC:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe2⤵
- Executes dropped EXE
PID:4408
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
725.9MB
MD5691c59a259bf930c6dbe4deb3cc0cbd0
SHA1e8bca4ef4a61f4e6d10450955f8827bf44f9b81c
SHA2567c7779128fe4ea5646bbcac8feea288506caf5601075e19fd59cefe84d971087
SHA512d114803999275d5582e97ce30a97df7d23e929d5b08ae8dfdf26e01e48eca24bb097940235c5037f2b47b06b3c31b822249c4d9c7a93c45c13e18a7477202ad2
-
Filesize
725.9MB
MD5691c59a259bf930c6dbe4deb3cc0cbd0
SHA1e8bca4ef4a61f4e6d10450955f8827bf44f9b81c
SHA2567c7779128fe4ea5646bbcac8feea288506caf5601075e19fd59cefe84d971087
SHA512d114803999275d5582e97ce30a97df7d23e929d5b08ae8dfdf26e01e48eca24bb097940235c5037f2b47b06b3c31b822249c4d9c7a93c45c13e18a7477202ad2