Analysis
max time kernel: 138s
max time network: 145s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 17/03/2023, 20:25
Static task: static1
Behavioral task: behavioral1 (Sample: tmp.exe, Resource: win7-20230220-en)
Behavioral task: behavioral2 (Sample: tmp.exe, Resource: win10v2004-20230220-en)
General
Target: tmp.exe
Size: 1.9MB
MD5: 665c62d3bd6c21614fafb9a9b50bb574
SHA1: 56322f2bb8a61954e6ec974612154402cdd98b29
SHA256: a82b9eff2dde393899dfa05985773fc9d124816b675019a0a8c551d9bb6d4d99
SHA512: 07fda86a50c1aca80db3906e4201ec4f97be00d1563eb386d750b28160cd30bed1435e473c9330943d5c854a55fc7078bcdd3c99731fabd8019b1b22e10f9ed7
SSDEEP: 49152:vmixags4hfkNAm3X86KoCwwJFZTjS7Pt5o:vNagdhcNAqHKoCnbUPt
Malware Config
Extracted: laplas
http://45.159.189.105
api_key: 0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e
Signatures
-
Executes dropped EXE (1 IoC)
pid   Process
1316  ntlhost.exe

Loads dropped DLL (2 IoCs)
pid   Process
1972  tmp.exe
1972  tmp.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description      ioc                                                                                                                                                                                            Process
Set value (str)  \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"  tmp.exe

GoLang User-Agent (1 IoC)
Uses the default User-Agent string set by Go's net/http package; on its own this only says the client is a Go binary, not that it is malicious.
description             flow  ioc
HTTP User-Agent header  1     Go-http-client/1.1

Suspicious use of WriteProcessMemory (4 IoCs)
description                       pid   Process  procid_target
PID 1972 wrote to memory of 1316  1972  tmp.exe  28
PID 1972 wrote to memory of 1316  1972  tmp.exe  28
PID 1972 wrote to memory of 1316  1972  tmp.exe  28
PID 1972 wrote to memory of 1316  1972  tmp.exe  28
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 1972
  └ C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      - Executes dropped EXE
      PID: 1316
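The detection logic below is an added example and is not part of the sandbox report or of any vendor's rule set. It turns the four signatures above into checks that run over a constructed, simplified event list: a Run-key value pointing at an executable dropped under %APPDATA% (the NTSystem key), that persisted binary then running as a child of the dropper, the parent writing into the child it spawned (the WriteProcessMemory rows), and an HTTP request with Go's default User-Agent to the C2 host from the extracted config. The event schema (`kind`, `pid`, `ppid`, `image`, `key`, `value`, `url`, `user_agent`, `target_pid`) is an assumption for illustration, not any EDR's native format, and the sample events are constructed to mirror the report's process tree and IoCs, plus one benign Go client as noise.

```python
"""Constructed detection checks for the behaviours in the report (added example)."""
import re
from urllib.parse import urlsplit

C2_HOST = "45.159.189.105"            # host from the extracted laplas config
GO_DEFAULT_UA = "Go-http-client/1.1"  # Go net/http default User-Agent
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
APPDATA_EXE = re.compile(r"\\AppData\\Roaming\\[^\\]+\\[^\\]+\.exe$", re.I)

# Constructed events modelled on the report's process tree and IoCs.
# Field names are an assumed simplified schema, not a real EDR format.
EVENTS = [
    {"kind": "process", "pid": 1972, "ppid": 500,
     "image": r"C:\Users\Admin\AppData\Local\Temp\tmp.exe"},
    {"kind": "registry_set", "pid": 1972,
     "key": r"\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem",
     "value": r"C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe"},
    {"kind": "process", "pid": 1316, "ppid": 1972,
     "image": r"C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe"},
    {"kind": "write_process_memory", "pid": 1972, "target_pid": 1316},
    {"kind": "http", "pid": 1316, "url": "http://45.159.189.105/",
     "user_agent": GO_DEFAULT_UA},
    # Benign noise: a legitimate Go tool sends the same UA to an unrelated host.
    {"kind": "http", "pid": 2200, "url": "https://proxy.golang.org/",
     "user_agent": GO_DEFAULT_UA},
]


def find_run_key_persistence(events):
    """Run-key values that point at an executable under %APPDATA%\\Roaming."""
    hits = []
    for e in events:
        if (e["kind"] == "registry_set" and RUN_KEY.search(e["key"])
                and APPDATA_EXE.search(e["value"])):
            hits.append((e["pid"], e["key"].rsplit("\\", 1)[1], e["value"]))
    return hits


def find_dropped_exe_execution(events):
    """Processes whose image is a path some Run-key value points at,
    i.e. the persisted binary actually running ('Executes dropped EXE')."""
    persisted = {v.lower() for _, _, v in find_run_key_persistence(events)}
    return [(e["ppid"], e["pid"], e["image"]) for e in events
            if e["kind"] == "process" and e["image"].lower() in persisted]


def find_c2_beacons(events, c2_host=C2_HOST):
    """HTTP requests with Go's default UA whose host is the extracted C2.
    The UA alone is weak (every Go program sends it); the host match is
    what makes the hit, so the benign golang.org request is not returned."""
    return [(e["pid"], e["url"]) for e in events
            if e["kind"] == "http"
            and e.get("user_agent") == GO_DEFAULT_UA
            and urlsplit(e["url"]).hostname == c2_host]


def find_cross_process_writes(events):
    """A parent writing into a child it created (the WriteProcessMemory rows)."""
    parent_of = {e["pid"]: e["ppid"] for e in events if e["kind"] == "process"}
    return sorted({(e["pid"], e["target_pid"]) for e in events
                   if e["kind"] == "write_process_memory"
                   and parent_of.get(e["target_pid"]) == e["pid"]})


def triage(events):
    """Run all four checks and return the findings keyed by signature."""
    return {
        "run_key_persistence": find_run_key_persistence(events),
        "dropped_exe_executed": find_dropped_exe_execution(events),
        "c2_beacons": find_c2_beacons(events),
        "cross_process_writes": find_cross_process_writes(events),
    }


if __name__ == "__main__":
    for name, hits in triage(EVENTS).items():
        print(f"{name}: {hits}")
```

The checks are chained on purpose: the Run-key check alone fires on plenty of legitimate installers, so the execution check only reports processes whose image matches a persisted path, and the network check requires the extracted C2 host rather than the Go User-Agent by itself.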
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize  438.4MB
MD5       2ceedbfac70dbb9765733f5289a47742
SHA1      591860b2eef6756fe60c558258bcbc9d63fd2d50
SHA256    745ed34927ef54400d11081f85df47c2870f48e0ca7bbb8b4f377d51dbe4d0c8
SHA512    8623df44062c54905571a9bee177559e46b6071012892198b3b4b616ef81679bbf24ccdb762a22f5a9bb872c1d01a83b70d728bd67637a9f235a3aa4a8d24af6

Filesize  454.3MB
MD5       5725055b7265abc35258f17fd78b3ef9
SHA1      0352eb25a57af1950636df651e5288f60b7a6758
SHA256    b29a85bca1723a7cd5fc5b922241010b1f41616c838a36fdde0d992468fd52dc
SHA512    cd2387e648ee74e5ad6208a3d0991d3e2c34fabf04c75db17c2b45d57e340bef5fc04babc37889e81f1ced0e1f4407cdedfa2bbc53f263b088128220909d17d7

Filesize  260.5MB
MD5       a0baa2d4e477eb3efa90ec2a61087aae
SHA1      2802d4ba3c7c06642814f7355e4ba91bdabc0149
SHA256    708763265421beb6f2065784633359ad042c26cd3d4951793c697efeb5a78036
SHA512    ee22f242edead83f8eac3ed55056cb75be2ed1aa2ee6ccc9e55f5761ab8bcef6f2f343e0b77fd0ba1d24aa2dde15e6ca91f328000e06253c26ae55b614e6c0d0

Filesize  390.9MB
MD5       df1ce70355778c74b30b6b87fb476446
SHA1      63b7c45c48d0e11149e97e2d394379069072f903
SHA256    61b2dc5fa1768117abeadbbca982ebf57217b74dae8bb12fcaf6648c67518469
SHA512    7640b68fc81665f8387b13905033b857e57c165a381b3f51ad2951896c9b726dac376e04fc10ab12ab526e36906b9f3f2ef2ad2b698ad5fd6c6d49cf97ac2d6e