Analysis Overview
SHA256
f2cde4100fdbb5841b0f68e1c5dbba912b38478e64698c0238edb62415d1ad70
Threat Level: Likely malicious
The file payload.bin.exe was found to be: Likely malicious.
Malicious Activity Summary
Downloads MZ/PE file
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Checks installed software on the system
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Enumerates physical storage devices
GoLang User-Agent
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-06 04:24
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-06 04:24
Reported
2023-02-06 04:26
Platform
win7-20221111-en
Max time kernel
31s
Max time network
33s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\payload.bin.exe
"C:\Users\Admin\AppData\Local\Temp\payload.bin.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-06 04:24
Reported
2023-02-06 04:26
Platform
win10v2004-20220901-en
Max time kernel
91s
Max time network
151s
Command Line
Signatures
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\payload.bin.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xshOTgxL.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\payload.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\payload.bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\payload.bin.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\xshOTgxL.exe | N/A |
Checks installed software on the system
Enumerates physical storage devices
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3564 wrote to memory of 4192 | N/A | C:\Users\Admin\AppData\Local\Temp\payload.bin.exe | C:\Users\Admin\AppData\Local\Temp\xshOTgxL.exe |
| PID 3564 wrote to memory of 4192 | N/A | C:\Users\Admin\AppData\Local\Temp\payload.bin.exe | C:\Users\Admin\AppData\Local\Temp\xshOTgxL.exe |
| PID 4192 wrote to memory of 3632 | N/A | C:\Users\Admin\AppData\Local\Temp\xshOTgxL.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
| PID 4192 wrote to memory of 3632 | N/A | C:\Users\Admin\AppData\Local\Temp\xshOTgxL.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\payload.bin.exe
"C:\Users\Admin\AppData\Local\Temp\payload.bin.exe"
C:\Users\Admin\AppData\Local\Temp\xshOTgxL.exe
"C:\Users\Admin\AppData\Local\Temp\xshOTgxL.exe"
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Network
| Country | Destination | Domain | Proto |
| NL | 45.15.156.50:80 | 45.15.156.50 | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 20.189.173.1:443 | | tcp |
| US | 104.193.254.97:80 | 104.193.254.97 | tcp |
| NL | 185.223.93.251:80 | 185.223.93.251 | tcp |
| NL | 87.248.202.1:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
Files
C:\Users\Admin\AppData\LocalLow\sqlite3.dll
| MD5 | dbf4f8dcefb8056dc6bae4b67ff810ce |
| SHA1 | bbac1dd8a07c6069415c04b62747d794736d0689 |
| SHA256 | 47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68 |
| SHA512 | b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1 |
C:\Users\Admin\AppData\LocalLow\nss3.dll
| MD5 | f67d08e8c02574cbc2f1122c53bfb976 |
| SHA1 | 6522992957e7e4d074947cad63189f308a80fcf2 |
| SHA256 | c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e |
| SHA512 | 2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5 |
C:\Users\Admin\AppData\LocalLow\mozglue.dll
| MD5 | f07d9977430e762b563eaadc2b94bbfa |
| SHA1 | da0a05b2b8d269fb73558dfcf0ed5c167f6d3877 |
| SHA256 | 4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862 |
| SHA512 | 6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf |
memory/4192-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\xshOTgxL.exe
| MD5 | feccda803ece2e7a3b7e9798714ad47e |
| SHA1 | e97182adccf8a7692e6ad2614b0fb7fd3898a1a2 |
| SHA256 | 14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320 |
| SHA512 | dec5fd4d184772ca590333b2382706c6e5a7b5050f9ae98af813192e06500424870e8332a1406c763e5cc6d266ddd7e09280b6bf118392fa6edea6fab5843287 |
memory/3632-138-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | 935d83bc82e1701554c0d043b8e6f5d3 |
| SHA1 | 29afd4afefd81c4c1e92485ba9c973f56bb43923 |
| SHA256 | a2a784bf2c4297e3eafbeda42bdc17918945ce86455be7c00c02ca1c89b866a4 |
| SHA512 | 550cecba09ac6959a48ba9f1fe0fa197ba8563e06bcd2dc625d624cfb66abf5b5826e1ecba8191e1f63134d464172ced641f309dc7a31d2dafb18c4fea352be0 |
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | 29fa67f2053eacb25c980f675ee3adc1 |
| SHA1 | 69e1be26fa20b4dbe29b5db58b29cf831b045a62 |
| SHA256 | cd00962410e054f245fb8e9521b4bcedb919de2676edc9bfdadbacdb7cdf6425 |
| SHA512 | 43c318816bb5fc5f444a54f8bc656fa69a95da377beb6d4414063504f234d2028a964d21b28532fd93387b42b299637378f60e54d8cd497273b3cbd696e63669 |
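The behavioral2 run gives a compact set of host indicators: a Run value named NTSystem pointing at %APPDATA%\NTSystem\ntlhost.exe, the intermediate dropper xshOTgxL.exe in %TEMP%, the sandbox-recorded SHA256 values (note that ntlhost.exe was written twice with two different hashes, so both are listed), and three libraries written to AppData\LocalLow. nss3.dll and mozglue.dll are Mozilla's NSS libraries and sqlite3.dll is SQLite; stealers commonly drop them to read Firefox profile databases, which is consistent with the "Reads user/profile data of web browsers" signature, so their presence in LocalLow is itself a useful indicator. The script below is an added host-hunting example, not part of the sandbox report; it assumes it is run in the context of the user whose profile is to be checked (the sandbox ran as "Admin", so the Run key is per-user under HKCU; on a multi-user host you would iterate the SIDs under HKU instead), and that the paths and hashes are used as exact matches, which a renamed or recompiled sample will not trigger.

```powershell
# Added host-hunting script for the indicators in the detonation above (not part of the sandbox report).
# Assumptions: PowerShell 5.1 or later, run as the user whose profile/HKCU hive should be inspected.

# SHA256 values copied from the report's Analysis Overview and Files sections.
$KnownSha256 = @(
    'f2cde4100fdbb5841b0f68e1c5dbba912b38478e64698c0238edb62415d1ad70', # payload.bin.exe
    '14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320', # xshOTgxL.exe
    'a2a784bf2c4297e3eafbeda42bdc17918945ce86455be7c00c02ca1c89b866a4', # ntlhost.exe (first write)
    'cd00962410e054f245fb8e9521b4bcedb919de2676edc9bfdadbacdb7cdf6425', # ntlhost.exe (second write)
    '47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68', # LocalLow\sqlite3.dll
    'c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e', # LocalLow\nss3.dll
    '4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862'  # LocalLow\mozglue.dll
)

$Findings = [System.Collections.Generic.List[string]]::new()

function Test-KnownFile {
    # Hash a file if it exists and record whether the hash is one the sandbox observed.
    param([string]$Path, [string]$Label)
    if (Test-Path -LiteralPath $Path) {
        $h = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
        $verdict = if ($KnownSha256 -contains $h) { 'hash matches report' } else { 'hash differs from report' }
        $Findings.Add("$Label present: $Path sha256=$h ($verdict)")
    }
}

# 1. Persistence: HKCU\...\Run\NTSystem = "...\AppData\Roaming\NTSystem\ntlhost.exe"
$RunKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunVal = Get-ItemProperty -Path $RunKey -Name 'NTSystem' -ErrorAction SilentlyContinue
if ($RunVal) {
    $Findings.Add("Run value NTSystem = $($RunVal.NTSystem)")
}

# 2. Dropped and staged executables at the paths recorded in the Processes section.
Test-KnownFile -Path (Join-Path $env:APPDATA 'NTSystem\ntlhost.exe') -Label 'Persisted payload'
Test-KnownFile -Path (Join-Path $env:TEMP 'xshOTgxL.exe')             -Label 'Intermediate dropper'
Test-KnownFile -Path (Join-Path $env:TEMP 'payload.bin.exe')          -Label 'Initial sample'

# 3. Browser-parsing libraries dropped into AppData\LocalLow (sibling of $env:LOCALAPPDATA).
$LocalLow = Join-Path (Split-Path $env:LOCALAPPDATA -Parent) 'LocalLow'
foreach ($dll in 'sqlite3.dll', 'nss3.dll', 'mozglue.dll') {
    Test-KnownFile -Path (Join-Path $LocalLow $dll) -Label 'Dropped DLL'
}

# 4. A live ntlhost.exe process (the last link in the WriteProcessMemory chain 3564 -> 4192 -> 3632).
Get-CimInstance Win32_Process -Filter "Name = 'ntlhost.exe'" | ForEach-Object {
    $Findings.Add("Process: PID $($_.ProcessId) path=$($_.ExecutablePath) cmd=$($_.CommandLine)")
}

if ($Findings.Count -eq 0) {
    Write-Output 'No indicators from this report found for the current user.'
} else {
    $Findings | ForEach-Object { Write-Output $_ }
    exit 1   # non-zero so the script can gate a wider response when run from an EDR/RMM job
}
```

The Go-http-client/1.1 User-Agent and the port 80 destinations in the Network table are not checkable from the host this way; they belong in proxy or NetFlow hunting, where a Go default User-Agent from a process launched out of %TEMP% is the behavioural signal, since the IPs themselves can rotate between builds.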