Analysis
-
max time kernel
145s -
max time network
143s -
platform
windows10-1703_x64 -
resource
win10-20230220-en -
resource tags
arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system -
submitted
17/03/2023, 20:20
Static task
static1
General
-
Target
507da6dd60f7fdeecbd1286dac0458ce493ecb89eae4b398695e98f0aaaf7082.exe
-
Size
297KB
-
MD5
bb37b749213479c84b7976511c55d9f4
-
SHA1
b413e7d55f7efafb6b14c868dfcfbd46fbc480a0
-
SHA256
507da6dd60f7fdeecbd1286dac0458ce493ecb89eae4b398695e98f0aaaf7082
-
SHA512
b51d904f4f153ad269ffaff9e191255dfda4af299b74b660ec1feb580b34d35f7203c55b414e25d650805555e60ad84adb201aebcb746948465bf4b5329203c6
-
SSDEEP
3072:I0+jh1gWLErGGgpTzZqmT+IrLzENoqpF7CD6ywOGXpS2x5dqyz0pwyeitTDnuM:d+rgWLE6GgpT1baxNZ7Wvxyqo0xDnu
Malware Config
Extracted
laplas
http://45.87.154.105
-
api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
pid   Process
2668  IJDHDGDAAA.exe
4240  ntlhost.exe
-
Loads dropped DLL 2 IoCs
pid   Process
4300  507da6dd60f7fdeecbd1286dac0458ce493ecb89eae4b398695e98f0aaaf7082.exe
4300  507da6dd60f7fdeecbd1286dac0458ce493ecb89eae4b398695e98f0aaaf7082.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"
Process: IJDHDGDAAA.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). This heuristic is commonly associated with ransomware, but on its own it is a weak signal; the extracted configuration identifies this sample as Laplas.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description: Key opened
ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Process: 507da6dd60f7fdeecbd1286dac0458ce493ecb89eae4b398695e98f0aaaf7082.exe

description: Key value queried
ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Process: 507da6dd60f7fdeecbd1286dac0458ce493ecb89eae4b398695e98f0aaaf7082.exe
-
Delays execution with timeout.exe 1 IoCs
pid   Process
1344  timeout.exe
-
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description: HTTP User-Agent header
flow: 5
ioc: Go-http-client/1.1
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   Process
4300  507da6dd60f7fdeecbd1286dac0458ce493ecb89eae4b398695e98f0aaaf7082.exe
4300  507da6dd60f7fdeecbd1286dac0458ce493ecb89eae4b398695e98f0aaaf7082.exe
-
Suspicious use of WriteProcessMemory 15 IoCs
description                        pid   Process                                                                   procid_target
PID 4300 wrote to memory of 1728   4300  507da6dd60f7fdeecbd1286dac0458ce493ecb89eae4b398695e98f0aaaf7082.exe     66
PID 4300 wrote to memory of 1728   4300  507da6dd60f7fdeecbd1286dac0458ce493ecb89eae4b398695e98f0aaaf7082.exe     66
PID 4300 wrote to memory of 1728   4300  507da6dd60f7fdeecbd1286dac0458ce493ecb89eae4b398695e98f0aaaf7082.exe     66
PID 4300 wrote to memory of 4600   4300  507da6dd60f7fdeecbd1286dac0458ce493ecb89eae4b398695e98f0aaaf7082.exe     68
PID 4300 wrote to memory of 4600   4300  507da6dd60f7fdeecbd1286dac0458ce493ecb89eae4b398695e98f0aaaf7082.exe     68
PID 4300 wrote to memory of 4600   4300  507da6dd60f7fdeecbd1286dac0458ce493ecb89eae4b398695e98f0aaaf7082.exe     68
PID 4600 wrote to memory of 1344   4600  cmd.exe                                                                   70
PID 4600 wrote to memory of 1344   4600  cmd.exe                                                                   70
PID 4600 wrote to memory of 1344   4600  cmd.exe                                                                   70
PID 1728 wrote to memory of 2668   1728  cmd.exe                                                                   71
PID 1728 wrote to memory of 2668   1728  cmd.exe                                                                   71
PID 1728 wrote to memory of 2668   1728  cmd.exe                                                                   71
PID 2668 wrote to memory of 4240   2668  IJDHDGDAAA.exe                                                            72
PID 2668 wrote to memory of 4240   2668  IJDHDGDAAA.exe                                                            72
PID 2668 wrote to memory of 4240   2668  IJDHDGDAAA.exe                                                            72
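The three behaviours the signatures above record (a Run key pointing into a user-writable directory, a delayed self-delete through cmd.exe and timeout.exe, and a Go default User-Agent talking to a bare IP address) are each easy to turn into a detection rule. The following is an added example, not part of this report or of the sample: a small rule set run over constructed Sysmon-style events that mirror the report's IoCs. The event field names (`ppid`, `parent_image`, `cmdline`, `key`, `value`, `host`, `user_agent`) are assumptions chosen for the example, not a real Sysmon schema.

```python
"""Added example (not part of the sandbox report or the Laplas sample): a small
rule set that flags the three behaviours this report records, run over
constructed Sysmon-style events that mirror the chain in the report."""
import re
from dataclasses import dataclass, field

DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\507da6dd60f7fdeecbd1286dac0458ce493ecb89eae4b398695e98f0aaaf7082.exe")


@dataclass
class Event:
    kind: str        # "process" (create), "registry" (value set) or "http" (request)
    pid: int
    image: str
    data: dict = field(default_factory=dict)


# Constructed events modelled on the report's IoCs; the field names are
# assumptions for this example, not a real Sysmon schema.
SAMPLE_EVENTS = [
    Event("process", 1728, r"C:\Windows\SysWOW64\cmd.exe", {
        "ppid": 4300, "parent_image": DROPPER,
        "cmdline": r'"C:\Windows\system32\cmd.exe" /c start "" '
                   r'"C:\Users\Admin\AppData\Local\Temp\IJDHDGDAAA.exe"'}),
    Event("process", 4600, r"C:\Windows\SysWOW64\cmd.exe", {
        "ppid": 4300, "parent_image": DROPPER,
        "cmdline": r'"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "'
                   + DROPPER + r'" & del "C:\ProgramData\*.dll"" & exit'}),
    Event("registry", 2668, r"C:\Users\Admin\AppData\Local\Temp\IJDHDGDAAA.exe", {
        "key": r"HKU\S-1-5-21-3346939869-2835594282-3775165920-1000"
               r"\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem",
        "value": r"C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe"}),
    Event("http", 4240, r"C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe", {
        "host": "45.87.154.105", "user_agent": "Go-http-client/1.1"}),
    # Benign control: an installer registering a Run entry under Program Files
    # must not fire the persistence rule.
    Event("registry", 9001, r"C:\Program Files\Vendor\setup.exe", {
        "key": r"HKU\S-1-5-21-3346939869-2835594282-3775165920-1000"
               r"\Software\Microsoft\Windows\CurrentVersion\Run\Vendor",
        "value": r"C:\Program Files\Vendor\app.exe"}),
]

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\", re.I)
SELF_DELETE = re.compile(r"timeout\s+/t\s+\d+\s*&\s*del\b", re.I)
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def run_key_in_user_dir(ev):
    """Run-key value whose target lives under the user's AppData tree."""
    if ev.kind != "registry" or not RUN_KEY.search(ev.data["key"]):
        return None
    if USER_WRITABLE.search(ev.data["value"]):
        return ("run_key_user_writable", ev.pid, ev.data["value"])
    return None


def delayed_self_delete(ev):
    """cmd.exe spawned by X that waits with timeout and then deletes X's own image."""
    if ev.kind != "process":
        return None
    cmd = ev.data["cmdline"]
    if SELF_DELETE.search(cmd) and ev.data["parent_image"].lower() in cmd.lower():
        return ("self_delete_via_timeout", ev.data["ppid"], ev.data["parent_image"])
    return None


def go_client_to_raw_ip(ev):
    """Go's default User-Agent used against a host given as a bare IPv4 literal."""
    if ev.kind != "http":
        return None
    if ev.data["user_agent"].startswith("Go-http-client/") and IPV4.match(ev.data["host"]):
        return ("go_default_ua_to_ip", ev.pid, ev.data["host"])
    return None


RULES = [run_key_in_user_dir, delayed_self_delete, go_client_to_raw_ip]


def detect(events):
    """Apply every rule to every event; return the list of (rule, pid, detail) hits."""
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The self-delete rule keys on the parent's image path appearing in the child's command line rather than on `del` alone, which keeps ordinary cleanup scripts from firing; the Run-key rule keys on the target directory, not on the value name, because the value name (`NTSystem` here) is trivially changed between builds.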
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\507da6dd60f7fdeecbd1286dac0458ce493ecb89eae4b398695e98f0aaaf7082.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\507da6dd60f7fdeecbd1286dac0458ce493ecb89eae4b398695e98f0aaaf7082.exe"
   - Loads dropped DLL
   - Checks processor information in registry
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   PID:4300
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IJDHDGDAAA.exe"
      - Suspicious use of WriteProcessMemory
      PID:1728
      3. C:\Users\Admin\AppData\Local\Temp\IJDHDGDAAA.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\IJDHDGDAAA.exe"
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of WriteProcessMemory
         PID:2668
         4. C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
            Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
            - Executes dropped EXE
            PID:4240
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\507da6dd60f7fdeecbd1286dac0458ce493ecb89eae4b398695e98f0aaaf7082.exe" & del "C:\ProgramData\*.dll"" & exit
      - Suspicious use of WriteProcessMemory
      PID:4600
      3. C:\Windows\SysWOW64\timeout.exe
         Command line: timeout /t 5
         - Delays execution with timeout.exe
         PID:1344
The numbers give each process's depth in the tree. cmd.exe and timeout.exe resolve to SysWOW64 although the command lines name system32: the 32-bit parent is subject to WoW64 file system redirection. The doubled quote after *.dll in the second cmd.exe command line is reproduced as recorded.
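The process tree above is what the WriteProcessMemory table in the Signatures section encodes once the repeated rows are collapsed and the parent/child PIDs are linked. As an added example (not code from the report or the sandbox), the script below rebuilds that tree from the 15 table rows. The rows are copied from this report; the image names of the two leaf processes, which never write to another process and so never appear in the table's Process column, are taken from the "Executes dropped EXE" and "Delays execution with timeout.exe" rows.

```python
"""Added example (not from the report): rebuild the process tree from the
flattened 'wrote to memory of' rows in the WriteProcessMemory table above."""
import re
from collections import defaultdict

DROPPER = "507da6dd60f7fdeecbd1286dac0458ce493ecb89eae4b398695e98f0aaaf7082.exe"

# The 15 rows of the report's table; each parent/child pair is listed three times.
ROWS = [
    f"PID 4300 wrote to memory of 1728 4300 {DROPPER} 66",
    f"PID 4300 wrote to memory of 1728 4300 {DROPPER} 66",
    f"PID 4300 wrote to memory of 1728 4300 {DROPPER} 66",
    f"PID 4300 wrote to memory of 4600 4300 {DROPPER} 68",
    f"PID 4300 wrote to memory of 4600 4300 {DROPPER} 68",
    f"PID 4300 wrote to memory of 4600 4300 {DROPPER} 68",
    "PID 4600 wrote to memory of 1344 4600 cmd.exe 70",
    "PID 4600 wrote to memory of 1344 4600 cmd.exe 70",
    "PID 4600 wrote to memory of 1344 4600 cmd.exe 70",
    "PID 1728 wrote to memory of 2668 1728 cmd.exe 71",
    "PID 1728 wrote to memory of 2668 1728 cmd.exe 71",
    "PID 1728 wrote to memory of 2668 1728 cmd.exe 71",
    "PID 2668 wrote to memory of 4240 2668 IJDHDGDAAA.exe 72",
    "PID 2668 wrote to memory of 4240 2668 IJDHDGDAAA.exe 72",
    "PID 2668 wrote to memory of 4240 2668 IJDHDGDAAA.exe 72",
]

# Leaf processes never write to another process, so their image names come
# from the 'Executes dropped EXE' and 'Delays execution' signature rows.
LEAF_IMAGES = {4240: "ntlhost.exe", 1344: "timeout.exe"}

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_rows(rows):
    """Return (edges, names): edges is the deduplicated set of (parent, child)
    PIDs and names maps each writing PID to its image name."""
    edges, names = set(), {}
    for line in rows:
        m = ROW.match(line.strip())
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        src, dst, pid, image, _procid_target = m.groups()
        if src != pid:
            raise ValueError(f"description and pid column disagree: {line!r}")
        edges.add((int(src), int(dst)))
        names[int(src)] = image
    return edges, names


def build_tree(edges):
    """Return (roots, children): PIDs that are never a child in the table, and a
    parent -> sorted children mapping."""
    children = defaultdict(list)
    for parent, child in sorted(edges):
        children[parent].append(child)
    roots = sorted({p for p, _ in edges} - {c for _, c in edges})
    return roots, dict(children)


def render(pid, children, names, depth=1):
    """Indented text tree, one line per process, depth-numbered like the report."""
    lines = [f"{'   ' * (depth - 1)}{depth}. {names.get(pid, '?')} (PID {pid})"]
    for child in children.get(pid, []):
        lines.extend(render(child, children, names, depth + 1))
    return lines


if __name__ == "__main__":
    edges, names = parse_rows(ROWS)
    roots, children = build_tree(edges)
    for root in roots:
        print("\n".join(render(root, children, {**LEAF_IMAGES, **names})))
```

The root is found as the only PID that writes but is never written to, which is exactly the submitted sample here; on a report where the tree has several roots the same code prints one tree per root.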
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
593KB
MD5
c8fd9be83bc728cc04beffafc2907fe9
SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
1.9MB
MD5
bffa52b5cf6599656807cd59666821d4
SHA1
a5b4f03c320488e0c616c7070166c3eccfe235c3
SHA256
a79893e20ce928c0dee25e1f6d64f7e88cdf7cf0db83e923decd0bf643f0f951
SHA512
6cc12e483dfb8e6680621fc5536158211c26ab82191db935731c3667a3c44c135edb34ec10809bb4a1ec8007eac8f2af424e130d8810ed34370ef9b9a9fa94c8
-
Filesize
1.9MB
MD5
bffa52b5cf6599656807cd59666821d4
SHA1
a5b4f03c320488e0c616c7070166c3eccfe235c3
SHA256
a79893e20ce928c0dee25e1f6d64f7e88cdf7cf0db83e923decd0bf643f0f951
SHA512
6cc12e483dfb8e6680621fc5536158211c26ab82191db935731c3667a3c44c135edb34ec10809bb4a1ec8007eac8f2af424e130d8810ed34370ef9b9a9fa94c8
(same content as the preceding entry: identical hashes)
-
Filesize
606.1MB
MD5
e90884dd794d3802e4e41d973d4f097a
SHA1
7358daef4e6038d65a1bfa30c2f88615914027f6
SHA256
024170cf550d318fb71a0349216072f4c544eb34023b71a747ef38f7735c7487
SHA512
262b28150ee42abc4452af199a98317f79a2e0b47903ace505e9407d190277bc025953a2359cef5c6a4c76199ede3c2fc0ca0724d8e8de3eb14928ee93b1ee9b
-
Filesize
505.4MB
MD5
2cadb9713cd4fac58b00ddb1ed2ef858
SHA1
5a6b2c2de58ef66db4e3f0cf1eeedf103a9a4353
SHA256
2b34f78351a79c9482a3950363a936ab221fd8c5fe51f09adc170428dedf6dba
SHA512
b143a03944670db8bc6744cfbd7952ca3d91fc0de9f4de59e96c1beafb666960c2c15a20c696578aef994b6ea6beb666292408f6917461162ea37a34456f7a05
-
Filesize
582.8MB
MD5
c978dca366954a1198f49443e29178fe
SHA1
7df5a6f05dc3e72969e718bd63440c5e72ab5475
SHA256
6e433e519e812c0507c6e9844ce4c9b2cc0cbd8195e609e7d9cf9032428fc3ab
SHA512
95a96db315ec42508b3a3dd8b08d34846a6f4f31eb3536356078a3fdb2f6ee297cc440f308d27319319402f3767bb6b48d03512e174bdc23a3581de89698c738
-
Filesize
593KB
MD5
c8fd9be83bc728cc04beffafc2907fe9
SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
(same content as the first 593KB entry: identical hashes)
-
Filesize
2.0MB
MD5
1cc453cdf74f31e4d913ff9c10acdde2
SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571