Analysis
-
max time kernel
143s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
29-07-2023 16:54
Static task
static1
Behavioral task
behavioral1
Sample
f2028b4fb0b43abc5a062bd35_JC.exe
Resource
win7-20230712-en
General
-
Target
f2028b4fb0b43abc5a062bd35_JC.exe
-
Size
257KB
-
MD5
2f28772b3cf7328df4f249e872568c2d
-
SHA1
dd4d410c55d413c4794eb0c4f60d179613ab6bc0
-
SHA256
f2028b4fb0b43abc5a062bd359622b254dbf0e301f2a8b842d062896ca24692b
-
SHA512
b96de652ed787364696128c6b81643f7c86db350c1f0544c1b0d79f09e68f29c4df751a591cbf6d5aa4de29ced2ad56e9589109142a3d692f654dd1a54d88485
-
SSDEEP
6144:EtvxnwCJczsk0zhh3a+Rpaur08m8mQOw0O:EpV1Jczr+h7L9Q8mYz
Malware Config
Extracted
laplas
http://45.159.189.33
-
api_key
d1a05de376c0be1daa56dfb2715c8a0c5df8a111b8b31decc886df1e48db7c9c
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ HDGCGHIJKE.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ ntlhost.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ntlhost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion HDGCGHIJKE.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion HDGCGHIJKE.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ntlhost.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\Control Panel\International\Geo\Nation f2028b4fb0b43abc5a062bd35_JC.exe -
Executes dropped EXE 2 IoCs
pid Process 388 HDGCGHIJKE.exe 2228 ntlhost.exe -
Loads dropped DLL 2 IoCs
pid Process 1880 f2028b4fb0b43abc5a062bd35_JC.exe 1880 f2028b4fb0b43abc5a062bd35_JC.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" HDGCGHIJKE.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA HDGCGHIJKE.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ntlhost.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 388 HDGCGHIJKE.exe 2228 ntlhost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString f2028b4fb0b43abc5a062bd35_JC.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 f2028b4fb0b43abc5a062bd35_JC.exe -
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description flow ioc HTTP User-Agent header 55 Go-http-client/1.1 -
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid Process 1880 f2028b4fb0b43abc5a062bd35_JC.exe 1880 f2028b4fb0b43abc5a062bd35_JC.exe 1880 f2028b4fb0b43abc5a062bd35_JC.exe 1880 f2028b4fb0b43abc5a062bd35_JC.exe 1880 f2028b4fb0b43abc5a062bd35_JC.exe 1880 f2028b4fb0b43abc5a062bd35_JC.exe 1880 f2028b4fb0b43abc5a062bd35_JC.exe 1880 f2028b4fb0b43abc5a062bd35_JC.exe 1880 f2028b4fb0b43abc5a062bd35_JC.exe 1880 f2028b4fb0b43abc5a062bd35_JC.exe 1880 f2028b4fb0b43abc5a062bd35_JC.exe 1880 f2028b4fb0b43abc5a062bd35_JC.exe 1880 f2028b4fb0b43abc5a062bd35_JC.exe 1880 f2028b4fb0b43abc5a062bd35_JC.exe 1880 f2028b4fb0b43abc5a062bd35_JC.exe 1880 f2028b4fb0b43abc5a062bd35_JC.exe 1880 f2028b4fb0b43abc5a062bd35_JC.exe 1880 f2028b4fb0b43abc5a062bd35_JC.exe 1880 f2028b4fb0b43abc5a062bd35_JC.exe 1880 f2028b4fb0b43abc5a062bd35_JC.exe 1880 f2028b4fb0b43abc5a062bd35_JC.exe 1880 f2028b4fb0b43abc5a062bd35_JC.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1880 wrote to memory of 3884 1880 f2028b4fb0b43abc5a062bd35_JC.exe 95 PID 1880 wrote to memory of 3884 1880 f2028b4fb0b43abc5a062bd35_JC.exe 95 PID 1880 wrote to memory of 3884 1880 f2028b4fb0b43abc5a062bd35_JC.exe 95 PID 3884 wrote to memory of 388 3884 cmd.exe 97 PID 3884 wrote to memory of 388 3884 cmd.exe 97 PID 388 wrote to memory of 2228 388 HDGCGHIJKE.exe 100 PID 388 wrote to memory of 2228 388 HDGCGHIJKE.exe 100
Processes
-
C:\Users\Admin\AppData\Local\Temp\f2028b4fb0b43abc5a062bd35_JC.exe"C:\Users\Admin\AppData\Local\Temp\f2028b4fb0b43abc5a062bd35_JC.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HDGCGHIJKE.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:3884 -
C:\Users\Admin\AppData\Local\Temp\HDGCGHIJKE.exe"C:\Users\Admin\AppData\Local\Temp\HDGCGHIJKE.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:388 -
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeC:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2228
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
3.2MB
MD5299a2d8412301a6c84f2da3c446943c2
SHA10f4b455e8a8f0fc278a7fe91db90fafaccfe04fc
SHA25651a7a57fe94c2dce32f7125d2c9827e208e38b8f7b57bd5b0b09f188f656e37f
SHA512751a7fa958d96c91e49da893fbf33d4d066dd32f95d10106764064154c11dc9ce7b782e83d96118e0599501974890d311d1d35a34f67843242baffdbdeb6df1a
-
Filesize
3.2MB
MD5299a2d8412301a6c84f2da3c446943c2
SHA10f4b455e8a8f0fc278a7fe91db90fafaccfe04fc
SHA25651a7a57fe94c2dce32f7125d2c9827e208e38b8f7b57bd5b0b09f188f656e37f
SHA512751a7fa958d96c91e49da893fbf33d4d066dd32f95d10106764064154c11dc9ce7b782e83d96118e0599501974890d311d1d35a34f67843242baffdbdeb6df1a
-
Filesize
573.4MB
MD51862c7f8b120b2f0a9133ff4b0ad7f64
SHA12a2122d841257e9b671abcaf2cfda3dc358c2021
SHA25673927744d7a575ee4ebe651661976e182f50d5028e18e47ef498ed423c2d4702
SHA512cbc299c6b0d68c8d9671f0942febe131ad34e27a936d561224fd4ad08c11b9ae1622cbf84bc28769b16645c0568996672cf413e33589363b469e603333472d01
-
Filesize
528.1MB
MD52d2887985dd73f786a95d2b7043cc770
SHA1a222655555866b1c73377d7cc9665fd487c4e342
SHA256df56c0a98ad39f3c83956465e56d87225ebc76fc15a1e3157d20f9f87626ace3
SHA512e430f7433ceef83b89da25b8baeaa58f439ab1e9d50c95b5d544f80228e484f97975fe3beeba2079b1806e3b3e881fbee53a41f9c0e350e019a39983dac5c89b
-
Filesize
567.2MB
MD5efb14643318e7f89c29c0e7330075b8b
SHA179e62d0707f005632d9b93df68adf9f8c6a849bd
SHA256b9513c15d6d94f864c85067d46a943f8418a68a42d8a82d4e7df9902c19a6b68
SHA5124a6836db5bd3046b8eef2c4cf7e3820e3a27f123a8f7651c636f95606e640610b16aa5b52f107823a907b4a9b9f786df4b4d218478f32064fc5656f556ab1090