Analysis
-
max time kernel
32s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
30-07-2023 22:58
Static task
static1
Behavioral task
behavioral1
Sample
svchost.exe
Resource
win10v2004-20230703-en
General
-
Target
svchost.exe
-
Size
4.0MB
-
MD5
d076c4b5f5c42b44d583c534f78adbe7
-
SHA1
c35478e67d490145520be73277cd72cd4e837090
-
SHA256
2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8
-
SHA512
b2dfcf98695e7e40578f02a104a1c2fa1de29d13b0056d3dc4a5689168546f437bfd6acbc99e3766f94efb01bac5c908f3e80795f017e1629c97b6b1026ce638
-
SSDEEP
49152:hGXwGFfpgG2Gv0l1YzzsYvbQaWfG85EIUFiqeb0/B1:MFaTGsgB4ENiqe
Malware Config
Extracted
laplas
http://185.209.161.189
-
api_key
f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
ntlhost.exepid process 1636 ntlhost.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
svchost.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" svchost.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe -
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
Processes:
description flow ioc HTTP User-Agent header 22 Go-http-client/1.1 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
taskmgr.exepid process 3932 taskmgr.exe 3932 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
taskmgr.exedescription pid process Token: SeDebugPrivilege 3932 taskmgr.exe Token: SeSystemProfilePrivilege 3932 taskmgr.exe Token: SeCreateGlobalPrivilege 3932 taskmgr.exe -
Suspicious use of FindShellTrayWindow 14 IoCs
Processes:
taskmgr.exepid process 3932 taskmgr.exe 3932 taskmgr.exe 3932 taskmgr.exe 3932 taskmgr.exe 3932 taskmgr.exe 3932 taskmgr.exe 3932 taskmgr.exe 3932 taskmgr.exe 3932 taskmgr.exe 3932 taskmgr.exe 3932 taskmgr.exe 3932 taskmgr.exe 3932 taskmgr.exe 3932 taskmgr.exe -
Suspicious use of SendNotifyMessage 14 IoCs
Processes:
taskmgr.exepid process 3932 taskmgr.exe 3932 taskmgr.exe 3932 taskmgr.exe 3932 taskmgr.exe 3932 taskmgr.exe 3932 taskmgr.exe 3932 taskmgr.exe 3932 taskmgr.exe 3932 taskmgr.exe 3932 taskmgr.exe 3932 taskmgr.exe 3932 taskmgr.exe 3932 taskmgr.exe 3932 taskmgr.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
svchost.exedescription pid process target process PID 2200 wrote to memory of 1636 2200 svchost.exe ntlhost.exe PID 2200 wrote to memory of 1636 2200 svchost.exe ntlhost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeC:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe2⤵
- Executes dropped EXE
PID:1636
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3932
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
662.8MB
MD5b44581e5c6b16f3d75dbb9c735a0d5b2
SHA182e7d86c91cc7735bd7a59355c943c334ab615c8
SHA2560b33bd9efe958eb414f1780ed3837bc4f7aa648d7e9a512bde416a0c70fffdb9
SHA512d5cd3f975adcbc64b55cdf905d4ca3dfe21a36b4f553f4b6cdb8beccc65ac22cf7483df79a6733afcdd95731db55135bd0f88092a4c42e369c513bb6c12f60d8
-
Filesize
661.2MB
MD5f2f547fe91e285152e33d01244ac076b
SHA1520f9829b7ed3c91eb7b465871be97d55cd81f3e
SHA25650e1f9e65da3b3bba975a685ccfbc6e13b04244f3e1629cf71b20d80c4c50250
SHA512287b2f6b9b5ac0038a10d0f129291c946738b74c6e8627decfd14b7345575f80bae42bd0bd6a56a75b4326d6e71871ce19a19a4f89aac0d78470743057dd5ee3