Analysis
- max time kernel: 143s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20230712-en
- resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
- submitted: 01-08-2023 22:03
Static task
- static1
Behavioral task
- behavioral1
  Sample: 3258deefff3ca70f3dfa3e67067ca611.exe
  Resource: win7-20230712-en
Behavioral task
- behavioral2
  Sample: 3258deefff3ca70f3dfa3e67067ca611.exe
  Resource: win10v2004-20230703-en
General
- Target: 3258deefff3ca70f3dfa3e67067ca611.exe
- Size: 4.0MB
- MD5: 3258deefff3ca70f3dfa3e67067ca611
- SHA1: a28ec103c22b03f381dd72073cf620b11881b7b7
- SHA256: 11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4c
- SHA512: 541eec13adbb3afcc6ee0cfea2d1ddd71036a0da9be5fe6919a2becca5dc23089754d2e5bfd15886cd8e3981f982e40d28bb467132cfdf04844d930ca612b3b8
- SSDEEP: 98304:kIk6g0kDf8CFjiD+THrrTfmqWAfheTYC521KuM96+/xnVA:3K0skC1k+THrrTf/c5ekwgVA
Malware Config
- Extracted: laplas
  http://206.189.229.43
  api_key: f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79
Signatures
- Executes dropped EXE (1 IoCs)
  pid: 2792  Process: ntlhost.exe
- Loads dropped DLL (1 IoCs)
  pid: 2104  Process: 3258deefff3ca70f3dfa3e67067ca611.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"
  Process: 3258deefff3ca70f3dfa3e67067ca611.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid: 2104  Process: 3258deefff3ca70f3dfa3e67067ca611.exe
  pid: 2792  Process: ntlhost.exe
- GoLang User-Agent (1 IoCs)
  Uses default user-agent string defined by GoLang HTTP packages.
  description: HTTP User-Agent header  flow: 2  ioc: Go-http-client/1.1
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 2104 wrote to memory of 2792  pid: 2104  Process: 3258deefff3ca70f3dfa3e67067ca611.exe  procid_target: 30
  description: PID 2104 wrote to memory of 2792  pid: 2104  Process: 3258deefff3ca70f3dfa3e67067ca611.exe  procid_target: 30
  description: PID 2104 wrote to memory of 2792  pid: 2104  Process: 3258deefff3ca70f3dfa3e67067ca611.exe  procid_target: 30
Processes
1. C:\Users\Admin\AppData\Local\Temp\3258deefff3ca70f3dfa3e67067ca611.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3258deefff3ca70f3dfa3e67067ca611.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of WriteProcessMemory
   PID: 2104
   2. C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      PID: 2792
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 728.2MB
  MD5: 5ba75ce6ecf569afb75c533738515f93
  SHA1: fc0badd0d6d211522dc4d67cc3f1b6161e016b72
  SHA256: 0ad5512b6c0a5b66dc6c11336038aaa33daf47d0aad504413f64fcf74ef7159d
  SHA512: 5ef10532ab5343bfe597fa4e098f005e37ee49c2db821f8ee53cec3edfbda4226e5fb4bf838bee82350fc64126c2ec9c30c92ae15569d554055803626de31b1b
- Filesize: 723.1MB
  MD5: d56b265b9b9d9cffc7dbb2b03abc25e7
  SHA1: 33b6d7b53f32a9cf573f02e5f9c2be3e71acc6db
  SHA256: 3fe1dea9ff1fcf9e686d10c0903c7839da6fa77f35700f8a64e8be9d87c5a3a2
  SHA512: 142ff17a31fefa4189da1960b35b2bd43e7e19302eaf6967b5a2281334673c86546df7576f46d9bca55e0d5ec63ba0f88e2058c8f1fe37da2e927409bfde5863