Analysis
max time kernel: 137s
max time network: 146s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 22-03-2023 19:10

Static task: static1
Behavioral task: behavioral1
  Sample: 406a0e14b6569ebc5f1086801e043fe1.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 406a0e14b6569ebc5f1086801e043fe1.exe
  Resource: win10v2004-20230220-en
General
Target: 406a0e14b6569ebc5f1086801e043fe1.exe
Size: 1.8MB
MD5: 406a0e14b6569ebc5f1086801e043fe1
SHA1: b15c199f31dcddcd37f10f143b62f2ff998324c6
SHA256: 5502d7c1c81714b998f594e523274a828d919f69dc08bffde5fe118918a8f43b
SHA512: f367e8c6a84192925cad8d7de697435220835de2068bf66fa6e29f59680ea4f74dc42b92a6ba16e27bd71194a4104c0a3e06ecd5a2e484473e8ec9669b1ae65a
SSDEEP: 49152:VJGty7g6F2SKtEjjbgitUonmkXhDbl0nXj5:VJzpF2SKtEjfBUChTm5
Malware Config
Extracted: laplas
http://45.87.154.105
api_key: 1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767
Signatures
Executes dropped EXE (1 IoCs)
- pid: 1956, Process: ntlhost.exe
Loads dropped DLL (2 IoCs)
- pid: 1996, Process: 406a0e14b6569ebc5f1086801e043fe1.exe
- pid: 1996, Process: 406a0e14b6569ebc5f1086801e043fe1.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
- description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"
  Process: 406a0e14b6569ebc5f1086801e043fe1.exe
Suspicious use of WriteProcessMemory (4 IoCs)
- description: PID 1996 wrote to memory of 1956, pid: 1996, Process: 406a0e14b6569ebc5f1086801e043fe1.exe, procid_target: 28
- description: PID 1996 wrote to memory of 1956, pid: 1996, Process: 406a0e14b6569ebc5f1086801e043fe1.exe, procid_target: 28
- description: PID 1996 wrote to memory of 1956, pid: 1996, Process: 406a0e14b6569ebc5f1086801e043fe1.exe, procid_target: 28
- description: PID 1996 wrote to memory of 1956, pid: 1996, Process: 406a0e14b6569ebc5f1086801e043fe1.exe, procid_target: 28
Processes
- C:\Users\Admin\AppData\Local\Temp\406a0e14b6569ebc5f1086801e043fe1.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\406a0e14b6569ebc5f1086801e043fe1.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID: 1996
  - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    - Executes dropped EXE
    PID: 1956
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 681.8MB
  MD5: a402fafc74cd13a536985b1d58c09df9
  SHA1: f808a7f96341a1051c623d79dade3cf19a5f4179
  SHA256: 5fa382892f38948025b77809615926577dc30e7a07b4611910541ec473a85d3b
  SHA512: ab7d62a00fd4ecacc8133cbdbe34136e97d5e2b2cf63f96abadf9551b9488ddb69ac7f2d013dcbda0e8494fb1f4f3405aac57a81b3a2f2ae4d22dfc62cce2bc1
- Filesize: 565.0MB
  MD5: 1f4a05f6faa1b97df5da73a84fab64a3
  SHA1: 4714963ece691b66c8c01f69ba27dde53482e285
  SHA256: d78022050381e6a1c35f639a32d6b3783b46967afe242f31cd52f65d2b2cc14e
  SHA512: bbaefb408a363b586f8a24929ed70f0a53bf4032f65bc1da2f4151ce00eaa817c494ebb733c638973f8e3094c1cfd216bc88f336d44ebacdba3e890f6232d1c0
- Filesize: 426.5MB
  MD5: 301a20b245f6ca786da889ad613d2104
  SHA1: 2626cb7a68f8fbfdc89ddf74bb3150c854d82f18
  SHA256: f044a4cdd3e42576615b9e7497487f94776b41424c5d5c84f3bc8cb752e2a715
  SHA512: 50b0d74d09e6d2e91ce56d2c3059efefc8dd4890b21100bed7295800fe304337074f3972c5ba4b4a8d83d484e74d1e7ec9da84bda7c4723368e12a608b6395c6
- Filesize: 662.9MB
  MD5: e303ea028b64c086ca91264ec1c01bba
  SHA1: 2ef02ca7a75eec79709145f30e5664e1dea05c73
  SHA256: c6dcbb9548e73d7979d8ae319b8511d49da35b8e7aa89a5a75c6533341a95c77
  SHA512: ce6c1aa74bcedcd271c3838b1da6e72ce0ec1d73e795f1427f28af19e6355b2a14ce7aa7e3ae7cf1883473597ccce98daf31ad782dbdde044d69ed7e8bfcc999