Analysis
-
max time kernel
144s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
17/03/2023, 19:20
Static task
static1
General
-
Target
857e87bd5f7ecb3015f37aa14f25c34a0f07aa49c86e02439c2710b241f84c3a.exe
-
Size
296KB
-
MD5
938fed232b4297ee30740b7a918f7116
-
SHA1
aaf780bcbbb7f58219f62e7cf92ff8c90e654f6c
-
SHA256
857e87bd5f7ecb3015f37aa14f25c34a0f07aa49c86e02439c2710b241f84c3a
-
SHA512
46fcfe14ff2031373ed5a78a1ce1e0a80fbaef5bc8c102a24114b4d63a4e9b2c0f93d57185ff5586ef3b8c168f763a7e74f437922975952c0f1fd3e12bcf42c9
-
SSDEEP
3072:3UQX9GVwCLsGWaZgI9lkBDHr0Rd0JNCbH6Y9epdylftLCuM:ka9WwCLsPaZD9If00JNCb6arjCu
Malware Config
Extracted
laplas
http://45.87.154.105
-
api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767
Signatures
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation 857e87bd5f7ecb3015f37aa14f25c34a0f07aa49c86e02439c2710b241f84c3a.exe -
Executes dropped EXE 2 IoCs
pid Process 1980 AKEGDHJDHD.exe 216 ntlhost.exe -
Loads dropped DLL 2 IoCs
pid Process 1148 857e87bd5f7ecb3015f37aa14f25c34a0f07aa49c86e02439c2710b241f84c3a.exe 1148 857e87bd5f7ecb3015f37aa14f25c34a0f07aa49c86e02439c2710b241f84c3a.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" AKEGDHJDHD.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 2892 1148 WerFault.exe 83 -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 857e87bd5f7ecb3015f37aa14f25c34a0f07aa49c86e02439c2710b241f84c3a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 857e87bd5f7ecb3015f37aa14f25c34a0f07aa49c86e02439c2710b241f84c3a.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 4956 timeout.exe -
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description flow ioc HTTP User-Agent header 47 Go-http-client/1.1 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1148 857e87bd5f7ecb3015f37aa14f25c34a0f07aa49c86e02439c2710b241f84c3a.exe 1148 857e87bd5f7ecb3015f37aa14f25c34a0f07aa49c86e02439c2710b241f84c3a.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 1148 wrote to memory of 4704 1148 857e87bd5f7ecb3015f37aa14f25c34a0f07aa49c86e02439c2710b241f84c3a.exe 92 PID 1148 wrote to memory of 4704 1148 857e87bd5f7ecb3015f37aa14f25c34a0f07aa49c86e02439c2710b241f84c3a.exe 92 PID 1148 wrote to memory of 4704 1148 857e87bd5f7ecb3015f37aa14f25c34a0f07aa49c86e02439c2710b241f84c3a.exe 92 PID 1148 wrote to memory of 2796 1148 857e87bd5f7ecb3015f37aa14f25c34a0f07aa49c86e02439c2710b241f84c3a.exe 94 PID 1148 wrote to memory of 2796 1148 857e87bd5f7ecb3015f37aa14f25c34a0f07aa49c86e02439c2710b241f84c3a.exe 94 PID 1148 wrote to memory of 2796 1148 857e87bd5f7ecb3015f37aa14f25c34a0f07aa49c86e02439c2710b241f84c3a.exe 94 PID 2796 wrote to memory of 4956 2796 cmd.exe 98 PID 2796 wrote to memory of 4956 2796 cmd.exe 98 PID 2796 wrote to memory of 4956 2796 cmd.exe 98 PID 4704 wrote to memory of 1980 4704 cmd.exe 99 PID 4704 wrote to memory of 1980 4704 cmd.exe 99 PID 4704 wrote to memory of 1980 4704 cmd.exe 99 PID 1980 wrote to memory of 216 1980 AKEGDHJDHD.exe 103 PID 1980 wrote to memory of 216 1980 AKEGDHJDHD.exe 103 PID 1980 wrote to memory of 216 1980 AKEGDHJDHD.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\857e87bd5f7ecb3015f37aa14f25c34a0f07aa49c86e02439c2710b241f84c3a.exe"C:\Users\Admin\AppData\Local\Temp\857e87bd5f7ecb3015f37aa14f25c34a0f07aa49c86e02439c2710b241f84c3a.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AKEGDHJDHD.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:4704 -
C:\Users\Admin\AppData\Local\Temp\AKEGDHJDHD.exe"C:\Users\Admin\AppData\Local\Temp\AKEGDHJDHD.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeC:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe4⤵
- Executes dropped EXE
PID:216
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\857e87bd5f7ecb3015f37aa14f25c34a0f07aa49c86e02439c2710b241f84c3a.exe" & del "C:\ProgramData\*.dll"" & exit2⤵
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\timeout.exetimeout /t 53⤵
- Delays execution with timeout.exe
PID:4956
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 21402⤵
- Program crash
PID:2892
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1148 -ip 11481⤵PID:4964
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
1.9MB
MD5bffa52b5cf6599656807cd59666821d4
SHA1a5b4f03c320488e0c616c7070166c3eccfe235c3
SHA256a79893e20ce928c0dee25e1f6d64f7e88cdf7cf0db83e923decd0bf643f0f951
SHA5126cc12e483dfb8e6680621fc5536158211c26ab82191db935731c3667a3c44c135edb34ec10809bb4a1ec8007eac8f2af424e130d8810ed34370ef9b9a9fa94c8
-
Filesize
1.9MB
MD5bffa52b5cf6599656807cd59666821d4
SHA1a5b4f03c320488e0c616c7070166c3eccfe235c3
SHA256a79893e20ce928c0dee25e1f6d64f7e88cdf7cf0db83e923decd0bf643f0f951
SHA5126cc12e483dfb8e6680621fc5536158211c26ab82191db935731c3667a3c44c135edb34ec10809bb4a1ec8007eac8f2af424e130d8810ed34370ef9b9a9fa94c8
-
Filesize
535.5MB
MD5bc7ca0a31c1f0c58cf283e6cb942abbe
SHA1765776b1c81933b55721f04c7982c007f3f6f2b1
SHA2567fc39a1c6bb66d5bf7d006a7170e43b561ac2c9e6a44715a0e07b8a822376c45
SHA512730d256c0915364fd9c00b073341124cb978c846f25a32c36e0a734d73bcb1fadf2363a1e4c7f00c0e3b7aa95fd0ad1cf2f3f4630a271498e5490710d3bc08f1
-
Filesize
560.3MB
MD5c254c4b599025bf2dfb8c147f98dae57
SHA16b44dd32aeedfc77fd5eeb4946e332e7e9477057
SHA2565c4fa44098fa43cef9c9e9520c7cacd06d6c13c441217d36ca9c3f8331f20c0d
SHA51256b8d4861cdf013ab37272c116309cd6f57b5e5248e1849f11620d94a6ecb735b12ba88d5a671fa2a8c69b52e7829ce30f685c49bfba472b15e8a4cad53967da
-
Filesize
482.8MB
MD54c18118a075446a0d825a3ee48c436fb
SHA1d8b0fe03de03794ee929b1dceb63ef28b30b8616
SHA256596a4f3aa9033993f811c0aa2267c8a772f200659c8bc914c79ada78771b3706
SHA512d08c9e7948202e6da0e4e67917b2892e6c510cc24cc8ae3d5035ed4d12e0099ff9649b4b096f62a6da1b8f53419f51c7ec0a7e522a53e826aa2dfa48f6772300