Analysis
-
max time kernel
122s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system -
submitted
25-08-2023 01:13
Static task
static1
Behavioral task
behavioral1
Sample
836844a9b401f82d1c13a5f96fa3b069ab5192f495bee7ca8e29c154ae265b24.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
836844a9b401f82d1c13a5f96fa3b069ab5192f495bee7ca8e29c154ae265b24.exe
Resource
win10v2004-20230703-en
General
-
Target
836844a9b401f82d1c13a5f96fa3b069ab5192f495bee7ca8e29c154ae265b24.exe
-
Size
4.0MB
-
MD5
35a38087ca29b3ad34f4bdc30621c409
-
SHA1
444b346f51169737596b497aac18a9d536b229ce
-
SHA256
836844a9b401f82d1c13a5f96fa3b069ab5192f495bee7ca8e29c154ae265b24
-
SHA512
71ba2ad10bba8cd31480170d05c1e9b32c48280bfe50abc4348bffab51cbc1d919ae53d65fc058b81f3c6fad4c45a45302c6bdae7ce4716ef3a075a86c4b7969
-
SSDEEP
49152:oEjwvlIKv05z+UERnIcYmWjc3CdhT5E9UFiqeb0/B1:elhWzZ6hCEciqe
Malware Config
Extracted
laplas
http://206.189.229.43
-
api_key
f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 2324 ntlhost.exe -
Loads dropped DLL 2 IoCs
pid Process 1392 836844a9b401f82d1c13a5f96fa3b069ab5192f495bee7ca8e29c154ae265b24.exe 1392 836844a9b401f82d1c13a5f96fa3b069ab5192f495bee7ca8e29c154ae265b24.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" 836844a9b401f82d1c13a5f96fa3b069ab5192f495bee7ca8e29c154ae265b24.exe -
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description flow ioc HTTP User-Agent header 2 Go-http-client/1.1 -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1392 wrote to memory of 2324 1392 836844a9b401f82d1c13a5f96fa3b069ab5192f495bee7ca8e29c154ae265b24.exe 28 PID 1392 wrote to memory of 2324 1392 836844a9b401f82d1c13a5f96fa3b069ab5192f495bee7ca8e29c154ae265b24.exe 28 PID 1392 wrote to memory of 2324 1392 836844a9b401f82d1c13a5f96fa3b069ab5192f495bee7ca8e29c154ae265b24.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\836844a9b401f82d1c13a5f96fa3b069ab5192f495bee7ca8e29c154ae265b24.exe"C:\Users\Admin\AppData\Local\Temp\836844a9b401f82d1c13a5f96fa3b069ab5192f495bee7ca8e29c154ae265b24.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeC:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe2⤵
- Executes dropped EXE
PID:2324
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
679.4MB
MD5269139d0666663525129395bc2aacfcd
SHA18cb71c8579e62cd9fd763f5fa61e38f65da784b7
SHA2564846dd688f6e38d93ba44f6fe9868e74cca9b946d092653d7e2610bc12e996b8
SHA512df8a95e11b592cff3c8faa9b8eeeaaabc1d5779252ea8a58dcec28d02f9abbb752749b0b4fea1253ca64033598c31e328917a20c894872b9285ab054a5eef30b
-
Filesize
674.8MB
MD539e6ad569d01781be9805ba3bffab65d
SHA131b8e7931e200902d5c8fdb6453b51f460f305c5
SHA256e7d2090fe40610642b859b640179377ca30a22846b34d3dd45ec917343febe8a
SHA512f39628e1c84c44e62bf955dd3d68a7c2ee69af1330cf7d71bf785931dbfd6aed0c53d55a70f35f68cfdc0c74a279f4d219598d940a42f44f9b02a8ab685a1f42
-
Filesize
681.2MB
MD591f8569d66ce071d94cdef17ae68c743
SHA13b9c5ce8f19d4ec8d1d4c08edcfbd3bb657f5db2
SHA256241ad2f23644aedd972e52ee8cf9c6a276d6615b9186a27bbdb4c372474d092a
SHA5122c9378efada41a5f737707827c7af360ddd1560d04976bab827f278f36a2c27bd7fc8292ab6735cf71553631feb873c2f74b38043bb46d11cd957ec0b279b38b