Analysis
-
max time kernel
31s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system -
submitted
27-04-2023 13:27
Static task
static1
Behavioral task
behavioral1
Sample
conhost.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
conhost.exe
Resource
win10v2004-20230220-en
General
-
Target
conhost.exe
-
Size
4.0MB
-
MD5
feccda803ece2e7a3b7e9798714ad47e
-
SHA1
e97182adccf8a7692e6ad2614b0fb7fd3898a1a2
-
SHA256
14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320
-
SHA512
dec5fd4d184772ca590333b2382706c6e5a7b5050f9ae98af813192e06500424870e8332a1406c763e5cc6d266ddd7e09280b6bf118392fa6edea6fab5843287
-
SSDEEP
49152:jEjwvlIKv05z+UERnIcYmWjc3Cdh+5E9UFiqeb0/B1:RlhWzZ6hjEciqe
Malware Config
Extracted
laplas
http://185.223.93.251
-
api_key
f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
Signatures
-
Executes dropped EXE 1 IoCs
pid Process
1648 ntlhost.exe
-
Loads dropped DLL 2 IoCs
pid Process
1360 conhost.exe
1360 conhost.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" conhost.exe
-
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description flow ioc
HTTP User-Agent header 1 Go-http-client/1.1
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target
PID 1360 wrote to memory of 1648 1360 conhost.exe 28
PID 1360 wrote to memory of 1648 1360 conhost.exe 28
PID 1360 wrote to memory of 1648 1360 conhost.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\conhost.exe
"C:\Users\Admin\AppData\Local\Temp\conhost.exe"
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
- Executes dropped EXE
PID:1648
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
725.0MB
MD5
30b6b695af0bf0f1480f57f3bb7202d2
SHA1
56a750f8204c2efea406322835780c62c1dcb0f7
SHA256
0b2ea4379ab8b22e9b5f357b58a5cc2eb1b1dac6840081b6ae8e8205cb65619c
SHA512
29bc10609a6fde3ef940e0e972fb76c50be0dcd92897c4b81c100b3a605e961e9fcc409138445901bc88623c442592d5a53e91bafdfda2ee37074cea4c05eb7e
-
Filesize
635.8MB
MD5
2bd3173dafd44c1e95036b82038f2481
SHA1
34614451d5e194f95712ca0fe24f52c74fdc013c
SHA256
8dc1e441115e46009b62e725936a2611b42ca5a91492e4a1df13ba69d8477aba
SHA512
b8ecc5ce9fb8763a6f344e2129fa6d88c90d8bdb7ef9325ace7f1210f93000a9777ba02e290681d4389a1c25e0c384571e0be530b01fb6c2cbc277fe730ca288
-
Filesize
667.8MB
MD5
0cadc2fc0fb6a1815b41705227389ccc
SHA1
40b37ddc54bf60e2304f6a2b48eed3e0ab971432
SHA256
a300ced22e324c004da7732018a4d1df272abe080de0ba3b54cc5ef1c6763d7d
SHA512
d7dce55a56d416bea771e5e10da8f307429881fa7e7dff81937b60f7379142f02241a459290dd738bcc0a419aa62f2f85a2a0f1a033f7d1dd3441b1d5bc23547