Analysis
- max time kernel: 133s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20230831-en
- resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
- submitted: 03-09-2023 07:25
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 062fe47e8efc9041880ed273eda7c8f3.exe
  - Resource: win7-20230831-en
General
- Target: 062fe47e8efc9041880ed273eda7c8f3.exe
- Size: 3.5MB
- MD5: 062fe47e8efc9041880ed273eda7c8f3
- SHA1: b77fffa5fce64689758a7180477ffa25bd62f509
- SHA256: 589b49a8e56beb55dcdacec0cdc3e04949eaa678df53d720ba940c7193130344
- SHA512: 67a4536375b34d77b3e61314ab5a6ffbbab11ff5bc4e2dd62c4b141f2b8727aef93438fd0ac74a60b55da92d54e40ee2868a9cacb2e80a60061d324940f5cb80
- SSDEEP: 98304:Qs1IP7M+tBbnp5KsWEjGnT6iWB7cXWvdeMl+0WyC6oxgfMapH:VoA+3n7KsWEQTUqX8dedyXw2pH
Malware Config
Extracted
- Family: laplas
- C2: http://lpls.tuktuk.ug
- api_key: a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: 062fe47e8efc9041880ed273eda7c8f3.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: ntlhost.exe)

Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: 062fe47e8efc9041880ed273eda7c8f3.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: ntlhost.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: ntlhost.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: 062fe47e8efc9041880ed273eda7c8f3.exe)

Executes dropped EXE 1 IoCs
- PID 2304: ntlhost.exe

Loads dropped DLL 1 IoCs
- PID 1744: 062fe47e8efc9041880ed273eda7c8f3.exe

Adds Run key to start application 2 TTPs 1 IoCs
- Set value (str): \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" (process: 062fe47e8efc9041880ed273eda7c8f3.exe)
Checks whether UAC is enabled 2 IoCs
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: ntlhost.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: 062fe47e8efc9041880ed273eda7c8f3.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
- PID 1744: 062fe47e8efc9041880ed273eda7c8f3.exe
- PID 2304: ntlhost.exe

GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
- HTTP User-Agent header (flow 3): Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs
- PID 1744 (062fe47e8efc9041880ed273eda7c8f3.exe) wrote to memory of 2304 (procid_target 28)
- PID 1744 (062fe47e8efc9041880ed273eda7c8f3.exe) wrote to memory of 2304 (procid_target 28)
- PID 1744 (062fe47e8efc9041880ed273eda7c8f3.exe) wrote to memory of 2304 (procid_target 28)
Processes
- C:\Users\Admin\AppData\Local\Temp\062fe47e8efc9041880ed273eda7c8f3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\062fe47e8efc9041880ed273eda7c8f3.exe"
  PID: 1744
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe (child of PID 1744)
    Command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    PID: 2304
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 768.5MB
  MD5: b1bdfa529351d483be6e500f4b9ca278
  SHA1: f2750a98edcc1987bb239fba4e289ef796cfa5ac
  SHA256: 20a544b7f355869ad3d938a0cf707036b51d626b6b6c2277a30c9ac17af5a2ea
  SHA512: 508e11a6820ac11a23c1e6140ecb30df81e4e43c920d5d60d200823717595b2f4077e64df35a1d2604bbc612d642c5ccabb51b5d252e76186304e5f1f7edd4bf