6a7e7099c98caacce2b7cb3e43f6bb88bb57e589f4c8541ae911067d4313680c

Analysis

max time kernel
105s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
08/02/2023, 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a7e7099c98caacce2b7cb3e43f6bb88bb57e589f4c8541ae911067d4313680c.exe
Size

1.9MB
MD5

f1c2717d810d6f5ab1272124ee529001
SHA1

c21904890ae6b5a6a1a8f85240d0d93277a128db
SHA256

6a7e7099c98caacce2b7cb3e43f6bb88bb57e589f4c8541ae911067d4313680c
SHA512

dff6b56fb3c0c5c3ee8fc9a9c119885f658c843cbebd2a667b3a98151a9984fe9c3d41f42c2215431ea4eca0c541c637e48611fe13d5bb0a1abb6be4a30ce718
SSDEEP

49152:YU3A8z0La9dXyM1GGvCNxWG+rNudXk5HjLtU2TezV5M42S:lA8zlXj11WYVueHj62sF2

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2388	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	6a7e7099c98caacce2b7cb3e43f6bb88bb57e589f4c8541ae911067d4313680c.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	38	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 2388	5036	6a7e7099c98caacce2b7cb3e43f6bb88bb57e589f4c8541ae911067d4313680c.exe	85
PID 5036 wrote to memory of 2388	5036	6a7e7099c98caacce2b7cb3e43f6bb88bb57e589f4c8541ae911067d4313680c.exe	85
PID 5036 wrote to memory of 2388	5036	6a7e7099c98caacce2b7cb3e43f6bb88bb57e589f4c8541ae911067d4313680c.exe	85

C:\Users\Admin\AppData\Local\Temp\6a7e7099c98caacce2b7cb3e43f6bb88bb57e589f4c8541ae911067d4313680c.exe
"C:\Users\Admin\AppData\Local\Temp\6a7e7099c98caacce2b7cb3e43f6bb88bb57e589f4c8541ae911067d4313680c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:2388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
764.9MB

MD5
c3a6ba56a463bc706b2ba82f87c18e97

SHA1
60fd1e27e7f9046332615c00de7397a9f122d4a3

SHA256
66ed5eb3220d2d698bbdca2ecc85f2c5a639c5fbcc6537eb84e72117d0911dad

SHA512
8d46b5f137a1d9122597a0d9378d1e77b9c701066bc02a8235c89484a5e3c20870fed3ea8b3e9b3a90af5f01b04520c831da1f520f38d1f9140397c63f356fc5

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
764.9MB

MD5
c3a6ba56a463bc706b2ba82f87c18e97

SHA1
60fd1e27e7f9046332615c00de7397a9f122d4a3

SHA256
66ed5eb3220d2d698bbdca2ecc85f2c5a639c5fbcc6537eb84e72117d0911dad

SHA512
8d46b5f137a1d9122597a0d9378d1e77b9c701066bc02a8235c89484a5e3c20870fed3ea8b3e9b3a90af5f01b04520c831da1f520f38d1f9140397c63f356fc5

Download Submit
memory/2388-139-0x0000000002463000-0x000000000260D000-memory.dmp

Filesize
1.7MB

Download
memory/2388-140-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/2388-141-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/5036-132-0x000000000278D000-0x0000000002937000-memory.dmp

Filesize
1.7MB

Download
memory/5036-133-0x0000000002940000-0x0000000002D10000-memory.dmp

Filesize
3.8MB

Download
memory/5036-134-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/5036-138-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download