b398065ab48ca2a1900c2192c2883330b414f5f74fa04ecf2b6ae99698b8e63d

Analysis

max time kernel
42s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
08/02/2023, 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be30ec7ab19bfedb892fde3afb577603.exe
Size

1.8MB
MD5

be30ec7ab19bfedb892fde3afb577603
SHA1

e52f9dea4400166c4f489a5626df0008a6eed818
SHA256

b398065ab48ca2a1900c2192c2883330b414f5f74fa04ecf2b6ae99698b8e63d
SHA512

227460bb3ee54c526a1a99519d7d461db2bd513e291fa6aed26d3cbdb81b79816015a05b1cdd06598dc893267a26311a5646f7c077625c574134d4d856e72afe
SSDEEP

49152:FuXEnBSze5817TMBYpenuq5oncZS6K6h8DCM:MEnIwicZS7TC

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2036	ntlhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1388	be30ec7ab19bfedb892fde3afb577603.exe
1388	be30ec7ab19bfedb892fde3afb577603.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	be30ec7ab19bfedb892fde3afb577603.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 2036	1388	be30ec7ab19bfedb892fde3afb577603.exe	28
PID 1388 wrote to memory of 2036	1388	be30ec7ab19bfedb892fde3afb577603.exe	28
PID 1388 wrote to memory of 2036	1388	be30ec7ab19bfedb892fde3afb577603.exe	28
PID 1388 wrote to memory of 2036	1388	be30ec7ab19bfedb892fde3afb577603.exe	28

C:\Users\Admin\AppData\Local\Temp\be30ec7ab19bfedb892fde3afb577603.exe
"C:\Users\Admin\AppData\Local\Temp\be30ec7ab19bfedb892fde3afb577603.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
664.2MB

MD5
8b28414864806cf051a8291ecb9ee9a8

SHA1
3d2959d9c70486f99422dee44558a8ca2c9f40b3

SHA256
4666dafb67a52e37c14ab3a466c5a865978ee684efea1ccda4dd508c6cfae2f9

SHA512
67e6726ee75dbbc0c4bab9cc7d18772a7fa00786550b92b23b05f579ea97782cd2b0b2e0e302dc3147f3b5e115d9743a65dc27681bd5e95c552e857b8f04ebb2

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
652.2MB

MD5
5c4f5184fd5616848b5bdccfcbd55ea9

SHA1
9e0f42db72c770f476a0a75d0b8bc29f232d6b58

SHA256
eb66fc0c02ff447ff472667535d1ab1844e198820d9d08b2e4cc3219f95977ff

SHA512
60b1d1a480c6ffdd9b8034947cc1960383af46b8b10f81a1ee0093391f9f4cd399417916c32a3a61a1bed931d4c2013b7801193537fe0a1b52ba12e77d20b575

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
659.1MB

MD5
781fccc98b943af53f954097db7b1166

SHA1
495d04ff3aff128bbf5d2732290d9ec89e141a6e

SHA256
d873eadb0dfee25a11a8a0b0ef3bcb8fff6b89f8b58ed533a463fa13fe87adba

SHA512
e1af95edca7d17abca87552f79feed8afed5a6b4a995549d0299156486258c538efa049799ababccbe38aef66b9098a75e178999570d001abcb0f1bf6cd773d1

Download Submit
memory/1388-57-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1388-54-0x0000000002300000-0x00000000024AA000-memory.dmp

Filesize
1.7MB

Download
memory/1388-56-0x00000000024B0000-0x0000000002880000-memory.dmp

Filesize
3.8MB

Download
memory/1388-55-0x0000000002300000-0x00000000024AA000-memory.dmp

Filesize
1.7MB

Download
memory/1388-62-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/2036-63-0x00000000020C0000-0x000000000226A000-memory.dmp

Filesize
1.7MB

Download
memory/2036-64-0x00000000020C0000-0x000000000226A000-memory.dmp

Filesize
1.7MB

Download
memory/2036-65-0x0000000002270000-0x0000000002640000-memory.dmp

Filesize
3.8MB

Download
memory/2036-66-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/2036-67-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download