Analysis
max time kernel: 273s
max time network: 291s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 02-08-2023 02:37
Static task: static1
Behavioral task: behavioral1
  Sample: Lang.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: Lang.exe
  Resource: win10v2004-20230703-en
General
Target: Lang.exe
Size: 3.9MB
MD5: 2aa0fe002aeee888c33dbb6864580e6c
SHA1: e10a14cede8f2e48ccd6fb5111583fcf5156030a
SHA256: e522454c7fb915cb65e42e67ea9890df5ead1356053e563c43a1603f669c6fa2
SHA512: 0598092827b729fa9720f4fbd61087323fce6fb7318fb286784fcc125c5e64d69a0d9cdb57ee11ca0f7474dffd17b7af647ef71affafdb0fc608b705bd66d1fd
SSDEEP: 98304:LdD7hTCd16KI1cqLrUmolDD/0z+lzZQ57j:LJ7F4wcYUdRzI7j
Malware Config
Extracted
- laplas
- http://185.209.161.89
- api_key: 6a2714906f1325d666e4cf9f6269c2352ccfb7e7f1a23c114287dc69ddf27cb0
Signatures
- Executes dropped EXE (1 IoCs)
  pid 584, Process ntlhost.exe
- Loads dropped DLL (1 IoCs)
  pid 2476, Process Lang.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"
  Process: Lang.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid 2476, Process Lang.exe
  pid 584, Process ntlhost.exe
- GoLang User-Agent (1 IoCs)
  Uses default user-agent string defined by GoLang HTTP packages.
  description: HTTP User-Agent header; flow: 2; ioc: Go-http-client/1.1
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 2476 wrote to memory of 584; pid 2476, Process Lang.exe, procid_target 28 (the same event is recorded three times)
Processes
- C:\Users\Admin\AppData\Local\Temp\Lang.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Lang.exe"
  PID: 2476
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    PID: 584
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 829.9MB
  MD5: becbb2dead5fab74005e4244954f31be
  SHA1: 7c52bfb95c89e5c32288cda274b53a94e5cb5f55
  SHA256: 70f15d5c96a04071b34ae3c719527567529271bb50a088d8b0460d6d35bbf392
  SHA512: 8afbd263d5cf535ed4b5bd88eab22ac5374ba1145f1ceba42ab39e01ccdd61282397040fb526a524a9390b02238e3fd72a7940b349d9795d77ebd5cd49d77716