Overview

overview

7

Static

static

1

file.exe

windows7-x64

7

file.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    103s
  • max time network
    174s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    09-02-2023 04:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    1.9MB

  • MD5

    69fcca0d67ac4be82b5eed6ce4f155bc

  • SHA1

    64e0406663e0355b75a29220ee4490fb25725a90

  • SHA256

    291003d022e462dc6ece1e0d6cf6a636520060358683596b71623f1c71a539c3

  • SHA512

    21a3a7ca680adcb17b9fcb5b7b6ca01406d0305048dba6ad4b97f1002f8b3023122c770a76ded66eb37d7d0a1732a90f2ceb0b278e60919525e88523c7aa981c

  • SSDEEP

    49152:6zDL7X+Yep6nskNEUCeneZa6Hy4vn78HQSUkXe:mteApNEdeeZa6dYokO

Score
7/10
persistence

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1120
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Executes dropped EXE
      PID:1556

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    437.2MB

    MD5

    e28dc728bcb44d38dcf0a86f65c36c16

    SHA1

    b6a43232001077930f8948f14b5ff5eae0d88c15

    SHA256

    dd587093598e44409a387d8e2ad274433c26dd9168dae61484ef8f99a5b123af

    SHA512

    d0175f024ecaec60b2a089bc65fed46973582fa96e7047173935b4983bd723fe313a6daa491fe220dd1198d2ad23807b227bdfecaffdff4ca5bd3e7a24a332d6

    Download Submit

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    543.1MB

    MD5

    4c121bc2bf6e19e3926b380604ac5de7

    SHA1

    aa0d6cbd0f102127b1bc733462642b1e17f16940

    SHA256

    e4c14760980afe60c2d33d666d2d0fc3ad16ff90bbf48a810a8a89365bb13843

    SHA512

    86e032b6b5f5ab4effeb4cc69ffd66c143948d18dc609d10ffef095caea2c5433ff91a14d3a61b7b10161d3945ddcc972c07a8b56d9010df69976513ceca8150

    Download Submit

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    458.1MB

    MD5

    5fd5680699483d0aab5ddbbc1ec05eaf

    SHA1

    0d3b82cee9ccbb5f2550bac85c2b0f07abd65841

    SHA256

    99a835a8c8ffb4668bd3b767c33cd42034f2ae8c68b4ac702a83d12135761659

    SHA512

    32b971bfdab13785eb6527defb54871fb08125d9bca3e161d376701b325b434ef2fcff99f3d5089987c1a7439f5598f1ef04ef0465d6d27983b9df1f023c2c23

    Download Submit

  • memory/1120-57-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1120-58-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1120-54-0x00000000020A0000-0x000000000224A000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1120-56-0x0000000002250000-0x0000000002620000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1120-55-0x00000000020A0000-0x000000000224A000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1120-64-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1556-63-0x00000000021B0000-0x000000000235A000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1556-65-0x00000000021B0000-0x000000000235A000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1556-66-0x0000000002360000-0x0000000002730000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1556-67-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1556-68-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download