Analysis
- max time kernel: 133s
- max time network: 129s
- platform: windows7_x64
- resource: win7-20230712-en
- resource tags: arch:x64 arch:x86 image:win7-20230712-en locale:en-us os:windows7-x64 system
- submitted: 24-08-2023 00:14
Static task: static1
Behavioral task: behavioral1
- Sample: 02208e4168793ef72942aa31c1ae8642.exe
- Resource: win7-20230712-en
Behavioral task: behavioral2
- Sample: 02208e4168793ef72942aa31c1ae8642.exe
- Resource: win10v2004-20230703-en
General
- Target: 02208e4168793ef72942aa31c1ae8642.exe
- Size: 3.0MB
- MD5: 02208e4168793ef72942aa31c1ae8642
- SHA1: 449b579d0b642ca43419c0687cc799afe5aa9194
- SHA256: 22b198c5fc1e073ef00fc7a44ca20db5f44630f4e0e746abcf2060207d7129d9
- SHA512: f50be51f1ff3da3da34d4c819021686842d024476993031e56313fde1aded427e9e81d0cb2956c98d29839fac140597a8e1b1cbd89a58c481be70ce88ce5507f
- SSDEEP: 49152:MY5UqJTec/w5ashu/usRTe2WjCJILmGsO8ASotjEH10DwJ4mQDewL11TAjZVwyb:MYUqI5aPXZJIpsr7VrJ4zDHL11byb
Malware Config
Extracted: laplas
- http://206.189.229.43
- api_key: f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79
Signatures
- Executes dropped EXE (1 IoCs)
  pid 2400, Process ntlhost.exe
- Loads dropped DLL (1 IoCs)
  pid 2488, Process 02208e4168793ef72942aa31c1ae8642.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"
  Process: 02208e4168793ef72942aa31c1ae8642.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid 2488, Process 02208e4168793ef72942aa31c1ae8642.exe
  pid 2400, Process ntlhost.exe
- GoLang User-Agent (1 IoCs)
  Uses default user-agent string defined by GoLang HTTP packages.
  description: HTTP User-Agent header, flow 2, ioc: Go-http-client/1.1
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 2488 wrote to memory of 2400; pid 2488, Process 02208e4168793ef72942aa31c1ae8642.exe, procid_target 28
  description: PID 2488 wrote to memory of 2400; pid 2488, Process 02208e4168793ef72942aa31c1ae8642.exe, procid_target 28
  description: PID 2488 wrote to memory of 2400; pid 2488, Process 02208e4168793ef72942aa31c1ae8642.exe, procid_target 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\02208e4168793ef72942aa31c1ae8642.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\02208e4168793ef72942aa31c1ae8642.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of WriteProcessMemory
   PID: 2488
   2. C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      - Executes dropped EXE
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      PID: 2400
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 726.0MB
  MD5: 170cea7d169a63872e15a94abadf29bf
  SHA1: c4964e90f523bb7ded36116fce6adca82afecc4a
  SHA256: b69174da7d5e869253775f6feb3381ce5d4631988200d0ac335e7a8cef30d327
  SHA512: e0414eddc9070cfe63bd2a368740cd39fdb03974e8e91214ce4c85324ac4bf434fa87e3bf85870502a22f09936c5e4c827a04d87f9c51cb96d7af7575d67eda5