Analysis
-
max time kernel
132s -
max time network
168s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
01-05-2023 16:06
Static task
static1
Behavioral task
behavioral1
Sample
3469724e57612ca20c888a5a86719c3e4b6fe71f2cfcfecff2fb3950fd0a32ac.exe
Resource
win7-20230220-en
General
-
Target
3469724e57612ca20c888a5a86719c3e4b6fe71f2cfcfecff2fb3950fd0a32ac.exe
-
Size
3.5MB
-
MD5
f5548281bcdcec5c1d151d3417412042
-
SHA1
be6d9b40b6ede0f3c5582b8f48bde7f44f2ed792
-
SHA256
3469724e57612ca20c888a5a86719c3e4b6fe71f2cfcfecff2fb3950fd0a32ac
-
SHA512
387d864aca4be8691c20b0ec4b11906491cdb7b0fc435f59699c0596a47ad086d711ed97c47a611b58adf1096203ab7a488e26c307d885e566f56db6dcecab4c
-
SSDEEP
98304:k4SaRf9WEiCfCO55VCKCwKmLE323hOViL6IEifjGV9J:k431WwDCbfj23hOViLZEif0
Malware Config
Extracted
laplas
http://89.23.97.128
-
api_key
bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 3469724e57612ca20c888a5a86719c3e4b6fe71f2cfcfecff2fb3950fd0a32ac.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ntlhost.exe -
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ntlhost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 3469724e57612ca20c888a5a86719c3e4b6fe71f2cfcfecff2fb3950fd0a32ac.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 3469724e57612ca20c888a5a86719c3e4b6fe71f2cfcfecff2fb3950fd0a32ac.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ntlhost.exe -
Executes dropped EXE 1 IoCs
pid Process 1508 ntlhost.exe -
Loads dropped DLL 1 IoCs
pid Process 2044 3469724e57612ca20c888a5a86719c3e4b6fe71f2cfcfecff2fb3950fd0a32ac.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" 3469724e57612ca20c888a5a86719c3e4b6fe71f2cfcfecff2fb3950fd0a32ac.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ntlhost.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 3469724e57612ca20c888a5a86719c3e4b6fe71f2cfcfecff2fb3950fd0a32ac.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 2044 3469724e57612ca20c888a5a86719c3e4b6fe71f2cfcfecff2fb3950fd0a32ac.exe 1508 ntlhost.exe -
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description flow ioc HTTP User-Agent header 2 Go-http-client/1.1 -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2044 wrote to memory of 1508 2044 3469724e57612ca20c888a5a86719c3e4b6fe71f2cfcfecff2fb3950fd0a32ac.exe 28 PID 2044 wrote to memory of 1508 2044 3469724e57612ca20c888a5a86719c3e4b6fe71f2cfcfecff2fb3950fd0a32ac.exe 28 PID 2044 wrote to memory of 1508 2044 3469724e57612ca20c888a5a86719c3e4b6fe71f2cfcfecff2fb3950fd0a32ac.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\3469724e57612ca20c888a5a86719c3e4b6fe71f2cfcfecff2fb3950fd0a32ac.exe"C:\Users\Admin\AppData\Local\Temp\3469724e57612ca20c888a5a86719c3e4b6fe71f2cfcfecff2fb3950fd0a32ac.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeC:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1508
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
772.5MB
MD58a1e950aeb8eaaf77ae4d527b738d782
SHA1bc4856d6dc2cc306f132abc6e57a59834ecc115f
SHA2568718a69cd83873c99d92abee89c3aaf538bb386f6db8f1231502d6293eae5e90
SHA512e66f81faaf0050d29f4d8bd864f0888a0e836762ae1faf8e863e458566869414df0795b8c1d4dfe4733597f12d79ed568379b12441eb98cc0cfb348a737de9a7
-
Filesize
772.5MB
MD58a1e950aeb8eaaf77ae4d527b738d782
SHA1bc4856d6dc2cc306f132abc6e57a59834ecc115f
SHA2568718a69cd83873c99d92abee89c3aaf538bb386f6db8f1231502d6293eae5e90
SHA512e66f81faaf0050d29f4d8bd864f0888a0e836762ae1faf8e863e458566869414df0795b8c1d4dfe4733597f12d79ed568379b12441eb98cc0cfb348a737de9a7