Analysis
max time kernel: 147s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/03/2023, 02:50
Static task: static1
Behavioral task: behavioral1
Sample: fd517e6d3271b9a989afa22ce38db6bf0fc6d20ea84faaf0e74890530d694a67.exe
Resource: win10v2004-20230220-en
General
Target: fd517e6d3271b9a989afa22ce38db6bf0fc6d20ea84faaf0e74890530d694a67.exe
Size: 1.9MB
MD5: 10ca7006da58a867243524ef06e9ba10
SHA1: 890131a6e5db1442acdba2edde744a8222642652
SHA256: fd517e6d3271b9a989afa22ce38db6bf0fc6d20ea84faaf0e74890530d694a67
SHA512: 7210dd56af754e013aa6d2a4c282bbb020bf41aa336d5f5b2d9709d1f446502275cb998e844f03494c4abfbdba3c5c390e37c1850829eb137cbe9cfb860525fb
SSDEEP: 49152:lmmghYtG62ibS018yzHMCbZZUHe6YWvHin1k:lkhE9jbzbbZZU+6nH
Malware Config
Extracted
Family: laplas
C2: http://45.87.154.105
api_key: 1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767
Signatures
Executes dropped EXE (1 IoC)
  pid   Process
  1820  ntlhost.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"
  Process: fd517e6d3271b9a989afa22ce38db6bf0fc6d20ea84faaf0e74890530d694a67.exe
Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  4216  1920        WerFault.exe  84
GoLang User-Agent (1 IoC)
Uses the default User-Agent string that Go's net/http package sends when the program sets none.
  description              flow  ioc
  HTTP User-Agent header   25    Go-http-client/1.1
Suspicious use of WriteProcessMemory (3 IoCs)
  description                        pid   Process                                                                   procid_target
  PID 1920 wrote to memory of 1820   1920  fd517e6d3271b9a989afa22ce38db6bf0fc6d20ea84faaf0e74890530d694a67.exe  85
  PID 1920 wrote to memory of 1820   1920  fd517e6d3271b9a989afa22ce38db6bf0fc6d20ea84faaf0e74890530d694a67.exe  85
  PID 1920 wrote to memory of 1820   1920  fd517e6d3271b9a989afa22ce38db6bf0fc6d20ea84faaf0e74890530d694a67.exe  85
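The three behaviours the signatures above describe (a Run value pointing into a user-writable AppData directory, a process later started from that same path, and an HTTP request carrying Go's default User-Agent) are what a hunt over endpoint and proxy telemetry should key on. The script below is an added example, not part of the sandbox report or of any vendor tooling: it runs the three checks over constructed Sysmon-style records that mirror this report's IoCs (paths, PIDs, SID and C2 address taken from the report, the benign records invented). The record schema (type, key, value, image, pid, ppid, user_agent, dst) is the example's own assumption, not a real log format.

```python
import re

# Added example: hunt logic for the behaviours flagged in the report, run over
# constructed Sysmon-style records. Field names are this example's own schema.

# A value written directly under a per-user or machine Run key.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)
# Executables under a user's AppData tree are writable without admin rights.
USER_WRITABLE_RE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\(?:Roaming|Local)\\", re.IGNORECASE)
# Go's net/http sends this when the program never sets a User-Agent.
GO_DEFAULT_UA_RE = re.compile(r"^Go-http-client/\d+(?:\.\d+)?$")


def _exe_path(value):
    """Return the executable part of a Run value; a quoted path may carry arguments."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value


def rule_run_key_user_writable(ev):
    """Run key value that points into AppData (the NTSystem\\ntlhost.exe case)."""
    if ev.get("type") != "registry_set" or not RUN_KEY_RE.search(ev["key"]):
        return None
    target = _exe_path(ev["value"])
    if not USER_WRITABLE_RE.match(target):
        return None
    return {"rule": "run_key_user_writable", "pid": ev["pid"], "target": target}


def rule_persisted_exe_executed(ev, persisted):
    """Process creation whose image is a path that some Run value points at."""
    if ev.get("type") != "process_create" or ev["image"].lower() not in persisted:
        return None
    return {"rule": "persisted_exe_executed", "pid": ev["pid"],
            "ppid": ev["ppid"], "image": ev["image"]}


def rule_go_default_ua(ev):
    """HTTP flow carrying Go's default User-Agent."""
    if ev.get("type") != "http" or not GO_DEFAULT_UA_RE.match(ev.get("user_agent", "")):
        return None
    return {"rule": "go_default_user_agent", "pid": ev["pid"], "dst": ev["dst"]}


def triage(events):
    """Two passes, so the Run-key write need not precede the process start in the log."""
    findings, persisted = [], set()
    for ev in events:
        f = rule_run_key_user_writable(ev)
        if f:
            findings.append(f)
            persisted.add(f["target"].lower())
    for ev in events:
        for f in (rule_persisted_exe_executed(ev, persisted), rule_go_default_ua(ev)):
            if f:
                findings.append(f)
    return findings


SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
          "fd517e6d3271b9a989afa22ce38db6bf0fc6d20ea84faaf0e74890530d694a67.exe")
DROPPED = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"
RUN_KEY = ("\\REGISTRY\\USER\\S-1-5-21-1529757233-3489015626-3409890339-1000"
           "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\")

# Constructed records: three that mirror the report's IoCs and three benign controls.
SAMPLE_EVENTS = [
    {"type": "registry_set", "pid": 900, "image": "C:\\Program Files\\Vendor\\setup.exe",
     "key": RUN_KEY + "VendorTray", "value": "\"C:\\Program Files\\Vendor\\tray.exe\" /tray"},
    {"type": "registry_set", "pid": 1920, "image": SAMPLE,
     "key": RUN_KEY + "NTSystem", "value": DROPPED},
    {"type": "process_create", "pid": 4216, "ppid": 1920,
     "image": "C:\\Windows\\SysWOW64\\WerFault.exe"},
    {"type": "process_create", "pid": 1820, "ppid": 1920, "image": DROPPED},
    {"type": "http", "pid": 2100, "dst": "93.184.216.34",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0"},
    {"type": "http", "pid": 1820, "dst": "45.87.154.105", "user_agent": "Go-http-client/1.1"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The Run-key check deliberately keys on the target directory rather than on the value name, since the name (NTSystem here) is trivially changed; the Go User-Agent check on its own is only a weak signal, because legitimate Go tooling sends the same string, so it is most useful when correlated with the persisted process as done here.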
Processes
C:\Users\Admin\AppData\Local\Temp\fd517e6d3271b9a989afa22ce38db6bf0fc6d20ea84faaf0e74890530d694a67.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\fd517e6d3271b9a989afa22ce38db6bf0fc6d20ea84faaf0e74890530d694a67.exe"
  PID: 1920
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      PID: 1820
      - Executes dropped EXE
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 460
      PID: 4216
      - Program crash
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1920 -ip 1920
  PID: 4212
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 821.9MB
MD5: 4499a8adab749ac124c6605998b4c252
SHA1: afe985ec2eb13f38cb8e6b29a22c2aff140d63c1
SHA256: 3a47894255f30d5f434218ccfb9d14682c7d6b9212ef165139530637683c4dec
SHA512: 4c1ef41d4360223cf6b7bb5c4e1b65a6881e74b0fab5c7f9a4b21b5484a7da63248d1e2a11484cbca92ca23ec2b70a4702d50c1e4414ccf11d60efcc1ad08045

Filesize: 824.9MB
MD5: 5c4c68a067450f913b820dd45e57465c
SHA1: 07127451ce5b6f7a21bb06cd0acbf331446d2f33
SHA256: 761721dd00100ceca51442107d211c73592c222c845c680926f128c4b7c9cf9d
SHA512: e815a8d676d8b49c7d1fa522d3ab29e7d524de1ac71a4f2daa8c1b7b1258612134946a48015e657282cd87ed3d1092d77920d8fb3c0d045ef879962dba69ba04