Analysis
max time kernel: 32s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-07-2023 22:58
Static task
static1
Behavioral task
behavioral1
Sample
svchost.exe
Resource
win10v2004-20230703-en
General
Target: svchost.exe
Size: 4.0MB
MD5: d076c4b5f5c42b44d583c534f78adbe7
SHA1: c35478e67d490145520be73277cd72cd4e837090
SHA256: 2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8
SHA512: b2dfcf98695e7e40578f02a104a1c2fa1de29d13b0056d3dc4a5689168546f437bfd6acbc99e3766f94efb01bac5c908f3e80795f017e1629c97b6b1026ce638
SSDEEP: 49152:hGXwGFfpgG2Gv0l1YzzsYvbQaWfG85EIUFiqeb0/B1:MFaTGsgB4ENiqe
Malware Config
Extracted
laplas
  http://185.209.161.189
  api_key: f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
Signatures
Executes dropped EXE (1 IoC)
  PID 1636  ntlhost.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"  (svchost.exe)

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  (taskmgr.exe)
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  (taskmgr.exe)
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  (taskmgr.exe)

GoLang User-Agent (1 IoC)
Uses default user-agent string defined by GoLang HTTP packages.
  HTTP User-Agent header (flow 22): Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 3932  taskmgr.exe  (2 occurrences)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege          PID 3932  taskmgr.exe
  Token: SeSystemProfilePrivilege  PID 3932  taskmgr.exe
  Token: SeCreateGlobalPrivilege   PID 3932  taskmgr.exe

Suspicious use of FindShellTrayWindow (14 IoCs)
  PID 3932  taskmgr.exe  (14 occurrences)

Suspicious use of SendNotifyMessage (14 IoCs)
  PID 3932  taskmgr.exe  (14 occurrences)

Suspicious use of WriteProcessMemory (2 IoCs)
  PID 2200 (svchost.exe) wrote to memory of PID 1636, target procid 89  (2 occurrences)
Processes
C:\Users\Admin\AppData\Local\Temp\svchost.exe  (PID 2200)
  Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  Child: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe  (PID 1636)
    Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    - Executes dropped EXE

C:\Windows\system32\taskmgr.exe  (PID 3932)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 662.8MB
MD5: b44581e5c6b16f3d75dbb9c735a0d5b2
SHA1: 82e7d86c91cc7735bd7a59355c943c334ab615c8
SHA256: 0b33bd9efe958eb414f1780ed3837bc4f7aa648d7e9a512bde416a0c70fffdb9
SHA512: d5cd3f975adcbc64b55cdf905d4ca3dfe21a36b4f553f4b6cdb8beccc65ac22cf7483df79a6733afcdd95731db55135bd0f88092a4c42e369c513bb6c12f60d8

Filesize: 661.2MB
MD5: f2f547fe91e285152e33d01244ac076b
SHA1: 520f9829b7ed3c91eb7b465871be97d55cd81f3e
SHA256: 50e1f9e65da3b3bba975a685ccfbc6e13b04244f3e1629cf71b20d80c4c50250
SHA512: 287b2f6b9b5ac0038a10d0f129291c946738b74c6e8627decfd14b7345575f80bae42bd0bd6a56a75b4326d6e71871ce19a19a4f89aac0d78470743057dd5ee3