Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18/03/2023, 08:50
Static task: static1
Behavioral task: behavioral1
Sample: 539d9bfc0eb0a2d7b2d638926731f424e890c7b7c2a9c4410b5fe378a992e0d5.exe
Resource: win10v2004-20230220-en
General
- Target: 539d9bfc0eb0a2d7b2d638926731f424e890c7b7c2a9c4410b5fe378a992e0d5.exe
- Size: 1.9MB
- MD5: 767304da223d94dd67714d4089f354ad
- SHA1: cab06ce07cfd4aa406f02fb867b9dc00f6b0fbb9
- SHA256: 539d9bfc0eb0a2d7b2d638926731f424e890c7b7c2a9c4410b5fe378a992e0d5
- SHA512: d1cb342c29b3c0a16c284f9453d43835efedeadcc276e83566a178fef2f67e01cb3e0ee7dbcf381b51a76f646c080b2ed63ab06f85a818fb9d11b2abc33e33b9
- SSDEEP: 49152:DadySunZffa8wPIqp74qO+jQJvXdHOgxeZX:DKySuSPLCqHkvXdug4
Malware Config
Extracted
- Family: laplas
- C2: http://45.87.154.105
- api_key: 1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767
Signatures
- Executes dropped EXE (1 IoC)
  pid | Process
  2840 | ntlhost.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | 539d9bfc0eb0a2d7b2d638926731f424e890c7b7c2a9c4410b5fe378a992e0d5.exe
- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  3128 | 740 | WerFault.exe | 82
- GoLang User-Agent (1 IoC)
  Uses the default user-agent string defined by the GoLang HTTP packages.
  description | flow | ioc
  HTTP User-Agent header | 54 | Go-http-client/1.1
- Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 740 wrote to memory of 2840 | 740 | 539d9bfc0eb0a2d7b2d638926731f424e890c7b7c2a9c4410b5fe378a992e0d5.exe | 87
  PID 740 wrote to memory of 2840 | 740 | 539d9bfc0eb0a2d7b2d638926731f424e890c7b7c2a9c4410b5fe378a992e0d5.exe | 87
  PID 740 wrote to memory of 2840 | 740 | 539d9bfc0eb0a2d7b2d638926731f424e890c7b7c2a9c4410b5fe378a992e0d5.exe | 87
Processes
- C:\Users\Admin\AppData\Local\Temp\539d9bfc0eb0a2d7b2d638926731f424e890c7b7c2a9c4410b5fe378a992e0d5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\539d9bfc0eb0a2d7b2d638926731f424e890c7b7c2a9c4410b5fe378a992e0d5.exe"
  PID: 740
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    PID: 2840
    - Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 520
    PID: 3128
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 740 -ip 740
  PID: 4584
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 730.9MB
  MD5: a7131138b222193d6a82c0e3fd8fd89c
  SHA1: 8dab202364e5ff4d1d6feecbb341dd6e1e82c107
  SHA256: 6a504e81eebb6e9b2da9c16717c2177381aa787b952c4b776ec74b42d81a1117
  SHA512: 4958ab11a4bbbd33ac9d59f5aed468df05917dc10b8bbddd5825066d632738232abf6a29fe5d2cadbc7b4cbb46a720c377ef62b62e9b7f964cfd613d572812ad
- Filesize: 761.9MB
  MD5: a06067dacea140497c6fc821a8bcdecb
  SHA1: dab4bb78559451635b1c49b93df3b24cc2449a22
  SHA256: 2d734f5033b839937ce21ec6d5de765ddc5f14b08a0b57573e10b00e1d5ee3a7
  SHA512: ad1b27dd343f01978f40ca680014aafb4a723a1bb199217a0922dba1475bf20f0e18f7d976c86f6073fb33f3c9e0054e0b13f6d8b4dac394193229c7a877bc1f