Analysis

- max time kernel: 133s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20230712-en
- resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
- submitted: 31-07-2023 07:25

Static task: static1
Behavioral task: behavioral1
- Sample: b30e29bccabab032c27910210d9ccf76.exe
- Resource: win7-20230712-en
General

- Target: b30e29bccabab032c27910210d9ccf76.exe
- Size: 4.1MB
- MD5: b30e29bccabab032c27910210d9ccf76
- SHA1: caa3927738b66c3ecc553943eabedcbbfbe4c0da
- SHA256: b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2
- SHA512: ce8348d0547de624b1bf19804c87b1e0379d29c5fe585d0ac602f51dd1bab90649654b87ebd236eef593829757d182ae16facbd5c2710bfecc87837c63a495a8
- SSDEEP: 98304:BTq01m8gyX4fG9VNFJgAvUvc7uqBbDKxh4vU:BG0tgyoelMv+FAhwU
Malware Config

Extracted
- Family: laplas
- C2: http://lpls.tuktuk.ug
- api_key: a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | b30e29bccabab032c27910210d9ccf76.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ntlhost.exe
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments: hypervisors such as VirtualBox and VMware leave recognisable vendor strings in SystemBiosVersion and VideoBiosVersion, so a match lets the sample change or abort its behaviour under analysis.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ntlhost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | b30e29bccabab032c27910210d9ccf76.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | b30e29bccabab032c27910210d9ccf76.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ntlhost.exe
Executes dropped EXE 1 IoCs
pid | Process
3068 | ntlhost.exe

Loads dropped DLL 1 IoCs
pid | Process
2236 | b30e29bccabab032c27910210d9ccf76.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | b30e29bccabab032c27910210d9ccf76.exe

Checks whether UAC is enabled 2 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | b30e29bccabab032c27910210d9ccf76.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ntlhost.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid | Process
2236 | b30e29bccabab032c27910210d9ccf76.exe
3068 | ntlhost.exe

GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description | flow | ioc
HTTP User-Agent header | 3 | Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 2236 wrote to memory of 3068 | 2236 | b30e29bccabab032c27910210d9ccf76.exe | 30
PID 2236 wrote to memory of 3068 | 2236 | b30e29bccabab032c27910210d9ccf76.exe | 30
PID 2236 wrote to memory of 3068 | 2236 | b30e29bccabab032c27910210d9ccf76.exe | 30
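The registry and HTTP checks behind the anti-VM, BIOS, Run-key, UAC and Go User-Agent signatures above, re-implemented as an added Python example; this is not the sandbox's own signature code. The events it runs over are constructed from the IoC tables in this report plus two benign events (an explorer.exe policy read and a browser User-Agent) that must not match. Two generalisations go beyond what the report shows and are assumptions stated in the comments: the ACPI rule also covers the FADT and RSDT tables that VirtualBox tags with VBOX__, and the Run-key rule also covers RunOnce.

```python
"""Stand-alone re-implementation of the registry and network checks behind
several of the sandbox signatures above, run over events reconstructed from
this report's IoCs.  Added illustration, not the sandbox's signature code."""
import re
from dataclasses import dataclass

DROPPER = "b30e29bccabab032c27910210d9ccf76.exe"
PAYLOAD = "ntlhost.exe"
RUN_VALUE = (r"\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000"
             r"\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem")
DROPPED_PATH = r"C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe"


@dataclass(frozen=True)
class Event:
    process: str
    op: str          # key_opened | value_queried | value_set | http_request
    target: str      # registry path, or request URL for http_request
    value: str = ""  # data written (value_set) or User-Agent (http_request)


# (signature name, operations it applies to, regex on target, regex on value or None)
RULES = [
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)", {"key_opened"},
     # assumption beyond the report: VirtualBox also tags FADT and RSDT with VBOX__
     re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$", re.I), None),
    ("Checks BIOS information in registry", {"value_queried"},
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I), None),
    ("Adds Run key to start application", {"value_set"},
     # assumption beyond the report: RunOnce is treated the same as Run
     re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I), None),
    ("Checks whether UAC is enabled", {"value_queried"},
     re.compile(r"\\Policies\\System\\EnableLUA$", re.I), None),
    ("GoLang User-Agent", {"http_request"},
     re.compile(r"^https?://", re.I), re.compile(r"^Go-http-client/\d+\.\d+$")),
]


def match_signatures(events):
    """Return {signature name: [(process, target, value), ...]} for every event
    that trips a rule.  Hits keep the order in which the events were seen."""
    hits = {}
    for ev in events:
        for name, ops, target_re, value_re in RULES:
            if ev.op not in ops or not target_re.search(ev.target):
                continue
            if value_re is not None and not value_re.search(ev.value):
                continue
            hits.setdefault(name, []).append((ev.process, ev.target, ev.value))
    return hits


def persistence_entries(hits):
    """Map each Run-key value name to the program it autostarts, so the dropped
    binary's path can be pulled straight out of the persistence IoC."""
    entries = {}
    for _proc, target, data in hits.get("Adds Run key to start application", []):
        entries[target.rsplit("\\", 1)[1]] = data
    return entries


def summarize(hits):
    """One line per signature in the report's 'name N IoCs' style."""
    return [f"{name} {len(iocs)} IoCs" for name, iocs in hits.items()]


# Constructed from the IoC tables above, plus two benign events that must not match.
SAMPLE_EVENTS = [
    Event(DROPPER, "key_opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    Event(PAYLOAD, "key_opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    Event(PAYLOAD, "value_queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    Event(DROPPER, "value_queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    Event(DROPPER, "value_queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    Event(PAYLOAD, "value_queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    Event(DROPPER, "value_set", RUN_VALUE, DROPPED_PATH),
    Event(DROPPER, "value_queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    Event(PAYLOAD, "value_queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    Event(DROPPER, "http_request", "http://lpls.tuktuk.ug", "Go-http-client/1.1"),
    # constructed benign noise: a UAC policy read that is not EnableLUA, and a browser UA
    Event("explorer.exe", "value_queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin"),
    Event("firefox.exe", "http_request", "http://example.invalid/", "Mozilla/5.0 (Windows NT 6.1; Win64; x64)"),
]

if __name__ == "__main__":
    found = match_signatures(SAMPLE_EVENTS)
    for line in summarize(found):
        print(line)
    print("autostart:", persistence_entries(found))
```

Each rule is anchored to the tail of the registry path rather than the whole path, so the same rule fires whether the hive is reported as \REGISTRY\MACHINE or HKLM and whether the Run key sits under a per-user SID or HKCU; the benign ConsentPromptBehaviorAdmin read shows why the UAC rule must match EnableLUA exactly rather than the Policies\System key as a whole.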
Processes

1. C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe"
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Loads dropped DLL
   - Adds Run key to start application
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of WriteProcessMemory
   PID: 2236

   2. C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe (child of PID 2236)
      Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      PID: 3068
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 668.4MB
  MD5: 8f320a6035f69581344c57721fac9a12
  SHA1: d3bb8d942e3e0bd00707d410b8d0f364ae5b32ee
  SHA256: f11b63d8498c3601f5c5a5023c1e4640a1866c0932bdd1189ae5fdd3b33eb2e3
  SHA512: e4f830fb88e4948dff7b7ec1d715288a172b832955737ce7dbdfeea4210555382afa48447f65710ba347ef011ac43758072847769d97de8e7b642d4bbcb61bd6
- Filesize: 667.3MB
  MD5: bfb87a1f1c538ea46f6d7bf27209a569
  SHA1: 3a5c83fbd953c5c3151d3e2e3257348922f2ca4e
  SHA256: 75b5a9691ee04870c1f839bfbd29a5a7366df72a6a43ad6d8b8b23fc4daf43ee
  SHA512: 6f717e47f3bb10d3e017b7e7a2b30c023fedf4da2488480a39d09033b7773f8f630f80694f59607d712de4a98210eed35a9a87ad3dca8e108392eae2cd57d093

Note: both files are more than 150 times the size of the 4.1MB submitted sample. Dropped binaries inflated to this size are commonly padded with junk so that they exceed the upload or scan limits of AV engines and sandboxes, so size-capped scanning should not be relied on to catch them.