Analysis
max time kernel: 151s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/03/2023, 10:20
Static task: static1
Behavioral task: behavioral1
Sample: a286b62e3ae77cf3c260bd20986d446e08afbe72e642883d529d83e56674446d.exe
Resource: win10v2004-20230220-en
General
Target: a286b62e3ae77cf3c260bd20986d446e08afbe72e642883d529d83e56674446d.exe
Size: 1.9MB
MD5: 9168ec28d42b59ac24e152d107de761f
SHA1: a6e74e0c2f4f85472aa6734b347743d8e187056d
SHA256: a286b62e3ae77cf3c260bd20986d446e08afbe72e642883d529d83e56674446d
SHA512: 1bf72d0f663ed83c27eb3986457695ed61a143e53a74eaf39586d2ec7d27e2bc288ae2ec1671e911ee714625607a09b19fd5d909e1338bd26020e546872d3f54
SSDEEP: 49152:+K/LohE2B47+2T1Uyd7wIUUXbp9u6eXLvVTs3CJVO:+wsdmL1dwIUUX7deXLxDO
Malware Config
Extracted: laplas
http://45.87.154.105
api_key: 1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767
Signatures

Executes dropped EXE (1 IoCs)
  pid: 3944
  Process: ntlhost.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"
  Process: a286b62e3ae77cf3c260bd20986d446e08afbe72e642883d529d83e56674446d.exe

GoLang User-Agent (1 IoCs)
  Uses default user-agent string defined by GoLang HTTP packages.
  description: HTTP User-Agent header
  flow: 21
  ioc: Go-http-client/1.1

Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 820 wrote to memory of 3944
  pid: 820
  Process: a286b62e3ae77cf3c260bd20986d446e08afbe72e642883d529d83e56674446d.exe
  procid_target: 85
Processes

1. C:\Users\Admin\AppData\Local\Temp\a286b62e3ae77cf3c260bd20986d446e08afbe72e642883d529d83e56674446d.exe (PID 820)
   command line: "C:\Users\Admin\AppData\Local\Temp\a286b62e3ae77cf3c260bd20986d446e08afbe72e642883d529d83e56674446d.exe"
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe (PID 3944, child of PID 820)
      command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      - Executes dropped EXE
Downloads