Analysis
- max time kernel: 128s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 21/03/2023, 02:13
Static task: static1
Behavioral task: behavioral1
- Sample: setup.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: setup.exe
- Resource: win10v2004-20230220-en
General
- Target: setup.exe
- Size: 1.9MB
- MD5: 7e1ee04719bea1b532ed44609632ccd9
- SHA1: f6ad1ded616f8877cb34f873b3597aa6df50e957
- SHA256: b46481ba0ba92b4cf9306181a82bff5cd1f1213fd23fb73c01a5b46435c7bebc
- SHA512: 0bbb7c9e68f27d05476a301ec95b0a3ee7ab46ab3e912adcb14bbe44015b07ef1668e076518076abf79c6b366a1d59f057553411383a263ab539786853bc2819
- SSDEEP: 24576:prRWZ35JhqWpgXEC9CsacGA2XqHO4fOD22eAbFKhvb12pG5UojUsw1EyYMoPBETh:prsvJhS7Rj26H/fOyj1qG5UojUslMoJ
Malware Config
Extracted: laplas
- http://45.87.154.105
- api_key: 1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  2008  ntlhost.exe
- Loads dropped DLL (5 IoCs)
  pid   Process
  2028  setup.exe
  2028  setup.exe
  2008  ntlhost.exe
  2008  ntlhost.exe
  2008  ntlhost.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"
  Process: setup.exe
- GoLang User-Agent (1 IoC)
  Uses default user-agent string defined by GoLang HTTP packages.
  description: HTTP User-Agent header
  flow: 1
  ioc: Go-http-client/1.1
- Suspicious use of WriteProcessMemory (7 IoCs)
  description: PID 2028 wrote to memory of 2008
  pid: 2028
  Process: setup.exe
  procid_target: 27
  (the same event is recorded 7 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\setup.exe (PID: 2028)
  command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe (PID: 2008)
    command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    - Executes dropped EXE
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads