Analysis
- max time kernel: 147s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-03-2023 17:15

Static task: static1

Behavioral task: behavioral1
- Sample: 4cacc59732f82d1c1f2d3b1c327981b23438f7f47aa326e4298bee763226e85e.exe
- Resource: win10v2004-20230220-en
General
- Target: 4cacc59732f82d1c1f2d3b1c327981b23438f7f47aa326e4298bee763226e85e.exe
- Size: 1.9MB
- MD5: 66cb9bf8324c1de0e44b0f376b60ab1c
- SHA1: 59709e524dd2a2d589a9f548530bb5a682368a01
- SHA256: 4cacc59732f82d1c1f2d3b1c327981b23438f7f47aa326e4298bee763226e85e
- SHA512: a511be876646d3956d1facad8b5371c26533aaa4e101db3cc974dcdbb2159562bd70d0fdceba12cea08ad00cd14b45d7367d98ba7e8087d19018145dfdb141a6
- SSDEEP: 24576:GyekufYPXnljXYjIAu/pbifU4EvOAzfVz0dTMA8Ej06EvdxMnJlZXzk0PHDawz6f:G5gPl0CxObEWuIdITEj0XMnTZhLF6
Malware Config
Extracted
- Family: laplas
- C2: http://45.87.154.105
- api_key: 1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767
Signatures
- Executes dropped EXE (1 IoC)
  Processes: PID 1220, ntlhost.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process 4cacc59732f82d1c1f2d3b1c327981b23438f7f47aa326e4298bee763226e85e.exe: Set value (str) \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"
- GoLang User-Agent (1 IoC)
  Uses the default User-Agent string set by the Go HTTP packages.
  Flow 40: HTTP User-Agent header Go-http-client/1.1
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3800 (4cacc59732f82d1c1f2d3b1c327981b23438f7f47aa326e4298bee763226e85e.exe) wrote to the memory of PID 1220 (ntlhost.exe); three write events recorded.
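The four signatures above describe one chain: the sample writes ntlhost.exe under AppData\Roaming, registers it in the user's Run key, starts it, and the child beacons to the Laplas C2 with Go's default User-Agent. The following is an added example, not part of the sandbox report or the Laplas sample, showing how a hunt over endpoint and proxy telemetry would correlate those behaviours. The events are constructed to resemble Sysmon process-create, file-create and registry-set records plus one web-proxy line; the field names and the benign Go-based tool (PID 4100) are assumptions made for the example.

```python
"""Hunt logic for the behaviours in this report, run over constructed events.

Added example, not part of the sandbox report. The events below are
constructed to resemble Sysmon process-create, file-create and registry-set
records plus a web-proxy line; the field names are an assumption made for
this example, not a real log schema.
"""
import re
from dataclasses import dataclass

# Indicators taken from the report above.
SAMPLE = "4cacc59732f82d1c1f2d3b1c327981b23438f7f47aa326e4298bee763226e85e.exe"
C2_HOST = "45.87.154.105"
DROPPED_SHA256 = "c9f6542455e55dd5934e1b30be3815453cbb45d8767275b11789b17f11205302"
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.I)
GO_UA_RE = re.compile(r"^Go-http-client/\d+\.\d+$")


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


# Constructed events mirroring the report's process tree, Run key and C2 flow,
# plus one benign Go-based tool (pid 4100, an assumption) to show that the
# user-agent rule on its own is not enough to alert on.
EVENTS = [
    {"type": "process_create", "pid": 3800, "ppid": 620, "sha256": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp" + "\\" + SAMPLE},
    {"type": "file_create", "pid": 3800,
     "target": r"C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe"},
    {"type": "registry_set", "pid": 3800,
     "target": r"\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000"
               r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem",
     "details": r"C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe"},
    {"type": "process_create", "pid": 1220, "ppid": 3800, "sha256": DROPPED_SHA256,
     "image": r"C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe"},
    {"type": "http", "pid": 1220, "dst": C2_HOST, "user_agent": "Go-http-client/1.1"},
    {"type": "http", "pid": 4100, "dst": "updates.example.invalid",
     "user_agent": "Go-http-client/1.1"},
]


def detect(events):
    """Return findings; low-fidelity signals are kept only when the same pid
    already carries a high-fidelity one."""
    strong, weak = [], []
    created = {}  # lower-cased path of a written file -> pid that wrote it
    for ev in events:
        kind = ev["type"]
        if kind == "file_create":
            created[ev["target"].lower()] = ev["pid"]
        elif kind == "registry_set":
            # Run-key autostart whose target lives in a user-writable directory
            if RUN_KEY_RE.search(ev["target"]) and USER_WRITABLE_RE.search(ev["details"]):
                strong.append(Finding("run_key_user_writable", ev["pid"], ev["details"]))
        elif kind == "process_create":
            # "Executes dropped EXE": the image was written by the parent process
            if created.get(ev["image"].lower()) == ev["ppid"]:
                strong.append(Finding("executes_dropped_exe", ev["pid"], ev["image"]))
            if ev.get("sha256") == DROPPED_SHA256:
                strong.append(Finding("known_laplas_hash", ev["pid"], ev["sha256"]))
        elif kind == "http":
            if ev["dst"] == C2_HOST:
                strong.append(Finding("laplas_c2_contact", ev["pid"], ev["dst"]))
            if GO_UA_RE.match(ev["user_agent"]):
                weak.append(Finding("go_default_user_agent", ev["pid"], ev["user_agent"]))
    flagged = {f.pid for f in strong}
    return strong + [w for w in weak if w.pid in flagged]


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f.rule:24} pid={f.pid:<5} {f.detail}")
```

The Go-http-client User-Agent is treated as corroboration only: plenty of legitimate Go tooling sends it, so the example attaches it to a PID that already matched the Run-key, dropped-EXE, hash or C2 rule and discards it otherwise. The Run-key rule deliberately keys on the value pointing into AppData rather than on the "NTSystem" name, which the next build can change.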
Processes
- C:\Users\Admin\AppData\Local\Temp\4cacc59732f82d1c1f2d3b1c327981b23438f7f47aa326e4298bee763226e85e.exe (PID 3800), command line "C:\Users\Admin\AppData\Local\Temp\4cacc59732f82d1c1f2d3b1c327981b23438f7f47aa326e4298bee763226e85e.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe (PID 1220, child of 3800), command line C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  - Filesize: 778.9MB
  - MD5: a4fe146dfd28b54574fa0717198832e8
  - SHA1: 27c842117fb915e835656c4616211ee6d250b1f1
  - SHA256: c9f6542455e55dd5934e1b30be3815453cbb45d8767275b11789b17f11205302
  - SHA512: b54489c60571233e16f489ced1312107672ec0c4bdc0261017b7fa4d1b4feb9e6c2416b05cb28615d8807c5794e3ca65c9267dd180c7252da594f92426b8ab7c
Memory dumps
- memory/3800-134-0x00000000026C0000-0x0000000002A90000-memory.dmp: 3.8MB
- memory/3800-136-0x0000000000400000-0x0000000000803000-memory.dmp: 4.0MB
- memory/3800-139-0x0000000000400000-0x0000000000803000-memory.dmp: 4.0MB
- memory/1220-{142,143,144,146,147,148,149,150,151,152,153,154}-0x0000000000400000-0x0000000000803000-memory.dmp: 4.0MB each
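The numbers above are worth a second look: a 1.9MB dropper writes a 778.9MB ntlhost.exe, yet every dump of PID 1220 covers a 4.0MB image (0x400000-0x803000). The report does not say how the file was built, but a disk size that dwarfs SizeOfImage is consistent with a padded overlay added to stay above the size limit of scanners and sandbox uploaders. The following added example (not code from the report, the sandbox or the Laplas sample) reads SizeOfImage and the end of the last section from a PE and flags a large, low-entropy overlay. The PE bytes are constructed inline and use the 0x403000 image size seen in the dumps; the 1 MiB overlay threshold and 1.0-bit entropy cut-off are assumptions to tune.

```python
"""Flag a PE whose on-disk size dwarfs what its headers say it maps.

Added example, not part of the sandbox report. The PE bytes built here are
synthetic (one section, not loadable); only the 0x403000 SizeOfImage is
taken from the report's memory dumps. Thresholds are assumptions.
"""
import math
import struct
from collections import Counter

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe(data: bytes) -> dict:
    """Return SizeOfImage and the file offset where the last section's raw data ends."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # SizeOfImage sits at optional-header offset 56 in both PE32 and PE32+.
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    raw_end = 0
    for i in range(nsections):
        sec = opt + opt_size + 40 * i
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec + 16)  # SizeOfRawData, PointerToRawData
        raw_end = max(raw_end, raw_ptr + raw_size)
    return {"size_of_image": size_of_image, "raw_end": raw_end}


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; 0.0 for a single repeated value, close to 8.0 for random data."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def inflation_report(data: bytes, min_overlay: int = 1 << 20, max_entropy: float = 1.0) -> dict:
    """Compare disk size with the mapped image and inspect whatever trails the last section."""
    info = parse_pe(data)
    overlay = data[info["raw_end"]:]
    ent = shannon_entropy(overlay[: 1 << 20])  # sample the first MiB of the overlay
    return {
        "file_size": len(data),
        "size_of_image": info["size_of_image"],
        "overlay_size": len(overlay),
        "overlay_entropy": round(ent, 3),
        "disk_to_image_ratio": round(len(data) / max(info["size_of_image"], 1), 1),
        "inflated": len(overlay) >= min_overlay and ent <= max_entropy,
    }


def build_pe(overlay: bytes) -> bytes:
    """Constructed minimal PE32 with one .text section followed by `overlay`; not runnable code."""
    hdr = bytearray(0x400)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    coff = 0x84
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", hdr, coff, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = coff + 20
    struct.pack_into("<H", hdr, opt, PE32_MAGIC)
    struct.pack_into("<I", hdr, opt + 56, 0x403000)  # SizeOfImage, as in the report's dumps
    struct.pack_into("<I", hdr, opt + 60, 0x400)     # SizeOfHeaders
    sec = opt + 0xE0
    hdr[sec:sec + 8] = b".text\0\0\0"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", hdr, sec + 8, 0x200, 0x1000, 0x200, 0x400)
    return bytes(hdr) + b"\xC3" * 0x200 + overlay


# 2 MiB of zero padding stands in for the hundreds of MB seen in the report.
INFLATED = build_pe(b"\x00" * (2 << 20))
CLEAN = build_pe(b"")

if __name__ == "__main__":
    for name, blob in (("inflated", INFLATED), ("clean", CLEAN)):
        print(name, inflation_report(blob))
```

The entropy test is there to avoid flagging legitimate installers, which also carry large overlays but compressed, high-entropy ones. It cuts the other way too: padding with random bytes would pass it, so in triage keep the disk-to-image ratio as an independent signal and treat any executable that a sandbox refuses for size as suspicious rather than as unscannable.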