Analysis
-
max time kernel
123s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system -
submitted
06-08-2023 16:33
Static task
static1
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
tmp.exe
Resource
win10v2004-20230703-en
General
-
Target
tmp.exe
-
Size
4.0MB
-
MD5
d076c4b5f5c42b44d583c534f78adbe7
-
SHA1
c35478e67d490145520be73277cd72cd4e837090
-
SHA256
2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8
-
SHA512
b2dfcf98695e7e40578f02a104a1c2fa1de29d13b0056d3dc4a5689168546f437bfd6acbc99e3766f94efb01bac5c908f3e80795f017e1629c97b6b1026ce638
-
SSDEEP
49152:hGXwGFfpgG2Gv0l1YzzsYvbQaWfG85EIUFiqeb0/B1:MFaTGsgB4ENiqe
Malware Config
Extracted
laplas
http://185.209.161.189
-
api_key
f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7
Signatures
-
Executes dropped EXE 1 IoCs
pid Process
796 ntlhost.exe
Loads dropped DLL 2 IoCs
pid Process
760 tmp.exe
760 tmp.exe
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" tmp.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description flow ioc
HTTP User-Agent header 2 Go-http-client/1.1
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target
PID 760 wrote to memory of 796 760 tmp.exe 30
PID 760 wrote to memory of 796 760 tmp.exe 30
PID 760 wrote to memory of 796 760 tmp.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
- Executes dropped EXE
PID:796
-
Network
MITRE ATT&CK Enterprise v15
Downloads