Analysis
max time kernel: 134s
max time network: 150s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 20-07-2023 08:11
Static task: static1
Behavioral task: behavioral1
Sample: f4695fd70f1ed48d7e31f7ba81380059.exe
Resource: win7-20230712-en
General
Target: f4695fd70f1ed48d7e31f7ba81380059.exe
Size: 4.9MB
MD5: f4695fd70f1ed48d7e31f7ba81380059
SHA1: 960a03052f1b240e9f44ea416ff7e65358d8a41a
SHA256: 626a5e1642d856a65b62dc2dff5b1369fa3bd66b000278db83d2d5d67e8289ed
SHA512: 04a5b544869cc408b66e0f2e9e669b6bc5f366bf9acd2f3d792176e8506f8808dd0cef27d7d3b8c52542566529e0dcec2d1fa0467e96f46a9013a663dff2fc59
SSDEEP: 98304:zomYgKWWA1fGjzpSmL7CfDbHsATgXCagCpSP/0aJ67k0w6wdTM:ELgKWfQzDLWTcClCpwyk0w9M
Malware Config
Extracted
Family: laplas
C2: http://168.100.10.236
api_key: f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ntlhost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | f4695fd70f1ed48d7e31f7ba81380059.exe

Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ntlhost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ntlhost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | f4695fd70f1ed48d7e31f7ba81380059.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | f4695fd70f1ed48d7e31f7ba81380059.exe

Executes dropped EXE (1 IoCs)
pid | Process
2264 | ntlhost.exe

Loads dropped DLL (1 IoCs)
pid | Process
1712 | f4695fd70f1ed48d7e31f7ba81380059.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | f4695fd70f1ed48d7e31f7ba81380059.exe
Checks whether UAC is enabled (2 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | f4695fd70f1ed48d7e31f7ba81380059.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ntlhost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid | Process
1712 | f4695fd70f1ed48d7e31f7ba81380059.exe
2264 | ntlhost.exe

GoLang User-Agent (1 IoCs)
Uses default user-agent string defined by GoLang HTTP packages.
description | flow | ioc
HTTP User-Agent header | 2 | Go-http-client/1.1

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 1712 wrote to memory of 2264 | 1712 | f4695fd70f1ed48d7e31f7ba81380059.exe | 28
PID 1712 wrote to memory of 2264 | 1712 | f4695fd70f1ed48d7e31f7ba81380059.exe | 28
PID 1712 wrote to memory of 2264 | 1712 | f4695fd70f1ed48d7e31f7ba81380059.exe | 28
Processes

1. C:\Users\Admin\AppData\Local\Temp\f4695fd70f1ed48d7e31f7ba81380059.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f4695fd70f1ed48d7e31f7ba81380059.exe"
   PID: 1712
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Loads dropped DLL
   - Adds Run key to start application
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of WriteProcessMemory

2. C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe (child of PID 1712)
   Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
   PID: 2264
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Executes dropped EXE
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
-
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 743.9MB
MD5: 2faa01fc52878bb114c02b6a4a0f3c61
SHA1: 6773a6aec12b637a5bef685ba6e2a4aa1fce03ed
SHA256: 98472d39d475029a07d624b3f30d4910d8ece295380ce6a3150186c57fa3fb19
SHA512: ace541b522e86af316087fb3fe02fea3079ba48643ae485631c0f579303d5135e9d52d93b853f263b6130dda47f7c3daf9ad1947858c22bf7b42933297273d6c