Analysis
max time kernel: 144s
max time network: 151s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 27-07-2023 11:52
Static task: static1
Behavioral task: behavioral1
Sample: taskhostclp.exe
Resource: win7-20230712-en
General
Target: taskhostclp.exe
Size: 3.8MB
MD5: 9b79f724b8ed77f9e3ce6a71b4cf909d
SHA1: 455751b77ffb738d260c6388f191aa590c40eb50
SHA256: b95ae0c815dc8fc44d8c8bbde1e853b96c3e1389fb30bcdf1d68f8e6a74b3106
SHA512: 0feb6c94b6c8fbceb8e63b0629e33d72c6080003203080b7d376a0bdf3f1a3a170bd19e1ce81ba284ea15d96414f57031361ac3dbbadf3c13090d86798906fad
SSDEEP: 98304:egg3eNxij7+KwZL+iHkrzLSAu1SEJVARl0080jeG3KshnA:hguNxZB/RSE4W2ys5A
Malware Config
Extracted
Family: laplas
C2: http://206.189.229.43
api_key: f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 2 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (taskhostclp.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (ntlhost.exe)
Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (taskhostclp.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (taskhostclp.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (ntlhost.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (ntlhost.exe)
Executes dropped EXE (1 IoC)
- PID 1484: ntlhost.exe
Loads dropped DLL (1 IoC)
- PID 1664: taskhostclp.exe
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" (taskhostclp.exe)
Checks whether UAC is enabled (2 IoCs)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (taskhostclp.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (ntlhost.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
- PID 1664: taskhostclp.exe
- PID 1484: ntlhost.exe
GoLang User-Agent (1 IoC)
Uses the default user-agent string defined by the GoLang HTTP packages.
- HTTP User-Agent header (flow 2): Go-http-client/1.1
Suspicious use of WriteProcessMemory (3 IoCs)
- PID 1664 wrote to memory of 1484 (pid 1664, taskhostclp.exe, procid_target 29)
- PID 1664 wrote to memory of 1484 (pid 1664, taskhostclp.exe, procid_target 29)
- PID 1664 wrote to memory of 1484 (pid 1664, taskhostclp.exe, procid_target 29)
Processes
- C:\Users\Admin\AppData\Local\Temp\taskhostclp.exe (command line: "C:\Users\Admin\AppData\Local\Temp\taskhostclp.exe"), PID: 1664
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe (command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe), PID: 1484
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 765.8MB
MD5: 6b3381a04b3c25380a49308e56937abb
SHA1: 22a054745c6fcd0a19890df72cd4e079e4553cf6
SHA256: 1b6285d9f6f887a5b565280afed136c4d33cded05a18c5f906f61a1cc6c88d4e
SHA512: c6bd7be8676a8e2974e9fac9ded00e5c68bbef5cf43048f89058b7886436ca8199a1f4ad151561e1d395f01b7c627dae0c8dab43523c5508c4dcc626819d00c2