Analysis
  max time kernel: 139s
  max time network: 151s
  platform: windows7_x64
  resource: win7-20230712-en
  resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
  submitted: 25-07-2023 18:26

Static task: static1
Behavioral task: behavioral1
  Sample: 18658dec7775fa53f081b892d6a2b027.exe
  Resource: win7-20230712-en
General
  Target: 18658dec7775fa53f081b892d6a2b027.exe
  Size: 3.1MB
  MD5: 18658dec7775fa53f081b892d6a2b027
  SHA1: fa8d901c7aac70e2c37544883ce087e48c6302d1
  SHA256: 17ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554
  SHA512: cae5c6041b22b507ce66cb3b6509ff692b359748791aa93e006e1a700ff3cd439314823d070ff869ca4aac8fb8c2ac41d8de134bd1802693833b6cec7464f56d
  SSDEEP: 98304:F28fuEzm1Q1n5oIVb0cCU/8j+okSprZHm87mv2B9:swm1o5pF4U/UhkSprZHJT
Malware Config
Extracted
  Family: laplas
  C2: http://lpls.tuktuk.ug
  api_key: a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 18658dec7775fa53f081b892d6a2b027.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ntlhost.exe

Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ntlhost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 18658dec7775fa53f081b892d6a2b027.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 18658dec7775fa53f081b892d6a2b027.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ntlhost.exe

Executes dropped EXE (1 IoCs)
  pid | Process
  2072 | ntlhost.exe

Loads dropped DLL (1 IoCs)
  pid | Process
  1632 | 18658dec7775fa53f081b892d6a2b027.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | 18658dec7775fa53f081b892d6a2b027.exe
Checks whether UAC is enabled
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 18658dec7775fa53f081b892d6a2b027.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ntlhost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid | Process
  1632 | 18658dec7775fa53f081b892d6a2b027.exe
  2072 | ntlhost.exe

GoLang User-Agent (1 IoCs)
Uses default user-agent string defined by GoLang HTTP packages.
  description | flow | ioc
  HTTP User-Agent header | 3 | Go-http-client/1.1

Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 1632 wrote to memory of 2072 | 1632 | 18658dec7775fa53f081b892d6a2b027.exe | 28
  PID 1632 wrote to memory of 2072 | 1632 | 18658dec7775fa53f081b892d6a2b027.exe | 28
  PID 1632 wrote to memory of 2072 | 1632 | 18658dec7775fa53f081b892d6a2b027.exe | 28
Processes

1. C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe"
   PID: 1632
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Loads dropped DLL
   - Adds Run key to start application
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe (child of PID 1632)
      Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      PID: 2072
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 841.1MB
  MD5: 8bf956a7e2563b9d7da937485d01b77c
  SHA1: 14bfd31f2f4dd71e20d9912b5adc3d3be60a04f2
  SHA256: b1d42b6b932e0542ee16ad3ee61ebe698d132d5ac49a82892f89955921a29183
  SHA512: c82bed37eb6a93a8c5d5f25e1dce97383b8b18234870bd8e4d35cf63f67ced20c17b12d76bbd59e6fd83fef6b970dee7f85b032e847256f60dd2359c89f64928