Analysis
- max time kernel: 276s
- max time network: 291s
- platform: windows7_x64
- resource: win7-20230712-en
- resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
- submitted: 02-08-2023 02:36
Static task: static1
Behavioral task: behavioral1
- Sample: soft.exe
- Resource: win7-20230712-en
Behavioral task: behavioral2
- Sample: soft.exe
- Resource: win10v2004-20230703-en
General
- Target: soft.exe
- Size: 4.2MB
- MD5: da89628d89735a5320da0513608b2fd4
- SHA1: 44b8b35ff51a2e1c7a67c03b243ca467b21b3bb4
- SHA256: d398d687d76426465501c32c830c6c3298d471bab4223bc6f9ac7d4b30ae558b
- SHA512: 9dbe9849c77262227a5a75348a164e6246a8d52a2e65907ef9681687d119a59b40dfd6f8f5b8fcf0f77509a11a7fb8f54b6990814c1958a5e28607e6c896540a
- SSDEEP: 98304:JQCHegVO9xselnvc9DzG7xxBFKyfmtKNP0R2h7b2:JjHhIxjvc9cxrKHtyc4b2
Malware Config
Extracted
- Family: laplas
- C2: http://45.159.189.33
- api_key: d1a05de376c0be1daa56dfb2715c8a0c5df8a111b8b31decc886df1e48db7c9c
Signatures
- Executes dropped EXE (1 IoCs)
  pid / Process: 1812 ntlhost.exe
- Loads dropped DLL (1 IoCs)
  pid / Process: 2312 soft.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"
  Process: soft.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid / Process: 2312 soft.exe; 1812 ntlhost.exe
- GoLang User-Agent (1 IoCs)
  Uses default user-agent string defined by GoLang HTTP packages.
  description: HTTP User-Agent header; flow: 2; ioc: Go-http-client/1.1
- Suspicious use of WriteProcessMemory (3 IoCs)
  description / pid / Process / procid_target:
  PID 2312 wrote to memory of 1812 / 2312 / soft.exe / 28
  PID 2312 wrote to memory of 1812 / 2312 / soft.exe / 28
  PID 2312 wrote to memory of 1812 / 2312 / soft.exe / 28
Processes
- C:\Users\Admin\AppData\Local\Temp\soft.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\soft.exe"
  PID: 2312
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    PID: 1812
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 791.2MB
  MD5: 13147cce55e392288aa0b48916075fcc
  SHA1: 40c8c339e57931e986c455a1eb6a99f74181d799
  SHA256: 557a3f6c5eedd1a16cba39f0d6713bce1c4881459ebb930132f767cf1e23a272
  SHA512: a0c351d8be2b3eae7eabb8e0d3bfe9c9cedd4f696a14b4594cbe6ef386adf02cd8833e8bef9d2d7b02a0b2816c6bdc4aa7dd9f5de15aa20586874b6f8dbd2cde