Analysis
-
max time kernel
147s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system -
submitted
17/03/2023, 17:38
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20230220-en
General
-
Target
file.exe
-
Size
296KB
-
MD5
8ee319a68644628af5df86add9dc87cd
-
SHA1
e04fd5d186041e8423c0407ca3d2b844f2123c32
-
SHA256
ccd1cde08e07f3be31008ea2b7ace4190317f179c3a75e0b9e88670aa70626cb
-
SHA512
cbdf160308a8c1d9a78e0f2c8dadf7e65661e9d564497e17c92be1ab7423ad5db256166180285074b9843add81648d20ff2438f44ba69990195a48f6a376a6a6
-
SSDEEP
3072:Z0kKKgML7DG7uJAj7VDpo18Ur4+f6trQ2KmknjpBv8sVHI4yjitchauM:imgML7C7uJo7/+f6G2K7jpBv8Gupcu
Malware Config
Extracted
laplas
http://45.87.154.105
-
api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767
Signatures
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation file.exe -
Executes dropped EXE 2 IoCs
pid Process 1908 GIDHDGCBFB.exe 3176 ntlhost.exe -
Loads dropped DLL 2 IoCs
pid Process 2564 file.exe 2564 file.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" GIDHDGCBFB.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 4824 2564 WerFault.exe 86 -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString file.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2308 timeout.exe -
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description flow ioc HTTP User-Agent header 56 Go-http-client/1.1 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2564 file.exe 2564 file.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 2564 wrote to memory of 448 2564 file.exe 89 PID 2564 wrote to memory of 448 2564 file.exe 89 PID 2564 wrote to memory of 448 2564 file.exe 89 PID 2564 wrote to memory of 4968 2564 file.exe 91 PID 2564 wrote to memory of 4968 2564 file.exe 91 PID 2564 wrote to memory of 4968 2564 file.exe 91 PID 4968 wrote to memory of 2308 4968 cmd.exe 96 PID 4968 wrote to memory of 2308 4968 cmd.exe 96 PID 4968 wrote to memory of 2308 4968 cmd.exe 96 PID 448 wrote to memory of 1908 448 cmd.exe 95 PID 448 wrote to memory of 1908 448 cmd.exe 95 PID 448 wrote to memory of 1908 448 cmd.exe 95 PID 1908 wrote to memory of 3176 1908 GIDHDGCBFB.exe 101 PID 1908 wrote to memory of 3176 1908 GIDHDGCBFB.exe 101 PID 1908 wrote to memory of 3176 1908 GIDHDGCBFB.exe 101
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GIDHDGCBFB.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Users\Admin\AppData\Local\Temp\GIDHDGCBFB.exe"C:\Users\Admin\AppData\Local\Temp\GIDHDGCBFB.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeC:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe4⤵
- Executes dropped EXE
PID:3176
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\file.exe" & del "C:\ProgramData\*.dll"" & exit2⤵
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\SysWOW64\timeout.exetimeout /t 53⤵
- Delays execution with timeout.exe
PID:2308
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 22842⤵
- Program crash
PID:4824
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2564 -ip 25641⤵PID:3280
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
1.8MB
MD5d433fee70e60de32de4608f07bed7d2a
SHA18b84224c8319705317340392ad99bc529183a7db
SHA2560a93f3cfdedbd88dce010e4a2e54dc8c2a2135e58f037b55a513ed8b1dc49cb7
SHA512ec62acdea29ce1c56f09729c8e0832ffbd95755746305a35b0c361c92a03c88c8efb1c14eff35a9bdde26f965cd743408cacc08a5b2eb317a067fc876b9844d8
-
Filesize
1.8MB
MD5d433fee70e60de32de4608f07bed7d2a
SHA18b84224c8319705317340392ad99bc529183a7db
SHA2560a93f3cfdedbd88dce010e4a2e54dc8c2a2135e58f037b55a513ed8b1dc49cb7
SHA512ec62acdea29ce1c56f09729c8e0832ffbd95755746305a35b0c361c92a03c88c8efb1c14eff35a9bdde26f965cd743408cacc08a5b2eb317a067fc876b9844d8
-
Filesize
605.4MB
MD5e2e50ac1922cc98da8b08ffa2279f15a
SHA1c70e2f5018f4fe4e30bbaf84414732380e8dadbe
SHA2562fcc9d972e19d33436a05afc19b2bd1b502e8193179317bc1f3c8abae336da52
SHA512c72f576cb007fc31c2aa722fd8a7eb441952ff96c3ac959200b4717b0e0fdb116bf1002a65454e8827b14f864c189c0d6bd7a4ec05bec89cfe9d6cd06a5be1bf
-
Filesize
785.1MB
MD5e0bfbe15e46cea779c24009b69fb4a75
SHA1d9b919358c54365f092b939137bfc5b266fd3759
SHA2562a20a959bbe9fd0eb2d44a0d268ed8619dfee735a6a214a3b20cdf53f9f71562
SHA512331dd86219e57e05b8c234a597107d8d2df90ae989649d207a70f8ab5e0f815848a37687c472430ed3ec918ebc883eb85221820145e21a0e6d43be6bd1384103
-
Filesize
741.1MB
MD5bb0c13f605cfe5ec08ddae9c2dff2833
SHA1e639dc7fe022c74999f667782209acce77743624
SHA256735699bae2c3d0ba49c014c8c29d67a87f4cca3b4c3baa4b5bfa09f1646b572f
SHA51290c8997153ff5f349e8196309d12b6c95f1df2c84d64db35456a192c455a2d34c77e75a3e24878336f8361f4decacab96b6d0709ffb6545dc1c976fb1c5e99ab