b398065ab48ca2a1900c2192c2883330b414f5f74fa04ecf2b6ae99698b8e63d

Analysis

max time kernel
99s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
08-02-2023 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be30ec7ab19bfedb892fde3afb577603.exe
Size

1.8MB
MD5

be30ec7ab19bfedb892fde3afb577603
SHA1

e52f9dea4400166c4f489a5626df0008a6eed818
SHA256

b398065ab48ca2a1900c2192c2883330b414f5f74fa04ecf2b6ae99698b8e63d
SHA512

227460bb3ee54c526a1a99519d7d461db2bd513e291fa6aed26d3cbdb81b79816015a05b1cdd06598dc893267a26311a5646f7c077625c574134d4d856e72afe
SSDEEP

49152:FuXEnBSze5817TMBYpenuq5oncZS6K6h8DCM:MEnIwicZS7TC

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2360	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	be30ec7ab19bfedb892fde3afb577603.exe

GoLang User-Agent 2 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	22	Go-http-client/1.1
HTTP User-Agent header	43	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4332 wrote to memory of 2360	4332	be30ec7ab19bfedb892fde3afb577603.exe	81
PID 4332 wrote to memory of 2360	4332	be30ec7ab19bfedb892fde3afb577603.exe	81
PID 4332 wrote to memory of 2360	4332	be30ec7ab19bfedb892fde3afb577603.exe	81

C:\Users\Admin\AppData\Local\Temp\be30ec7ab19bfedb892fde3afb577603.exe
"C:\Users\Admin\AppData\Local\Temp\be30ec7ab19bfedb892fde3afb577603.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:2360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
821.8MB

MD5
366589ae6830074185c82e6eaaaabe33

SHA1
a3570ec1b34388b8ca7ea09e061057effae6a7e3

SHA256
180f9598835544b87213c10a0f6df4d856e76c5348559961ea9814be9b18f62e

SHA512
ce73f60c77156f7c6844adcc10f4a4ae189de67b379386bc90c81153d5c6ba890da68acb9572ef6a52d81600d5ecd251a94eb0f7118f84e69a47d46e8af0bb90

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
821.8MB

MD5
366589ae6830074185c82e6eaaaabe33

SHA1
a3570ec1b34388b8ca7ea09e061057effae6a7e3

SHA256
180f9598835544b87213c10a0f6df4d856e76c5348559961ea9814be9b18f62e

SHA512
ce73f60c77156f7c6844adcc10f4a4ae189de67b379386bc90c81153d5c6ba890da68acb9572ef6a52d81600d5ecd251a94eb0f7118f84e69a47d46e8af0bb90

Download Submit
memory/2360-135-0x0000000000000000-mapping.dmp

Download
memory/2360-139-0x0000000002473000-0x000000000261D000-memory.dmp

Filesize
1.7MB

Download
memory/2360-140-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/2360-141-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4332-132-0x0000000002656000-0x0000000002800000-memory.dmp

Filesize
1.7MB

Download
memory/4332-133-0x0000000002810000-0x0000000002BE0000-memory.dmp

Filesize
3.8MB

Download
memory/4332-134-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4332-138-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download