2b9e545eec4b581f7cc869bd4ebbfe37635ccca40c863a371fa491afb6a9f7e0

Analysis

max time kernel
51s
max time network
129s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
10/02/2023, 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b9e545eec4b581f7cc869bd4ebbfe37635ccca40c863a371fa491afb6a9f7e0.exe
Size

1.9MB
MD5

d66265fee59a1c1ae4d516905110244c
SHA1

43bb6557a1a3a2c10f806e679a5f157c0c0e0f49
SHA256

2b9e545eec4b581f7cc869bd4ebbfe37635ccca40c863a371fa491afb6a9f7e0
SHA512

4bc2c4df10c6dd45a018908f5e5256fe7888b10ef4cf7c2025a642c7d0f520ef8b7bb5ca6cb94a0ec433f165803c19692a5e6ee0d641157b4f7434545ff2f80f
SSDEEP

49152:YFiHHqOho7ILVDK0PBuPpVMHxSchBiNvj0FrO9Ng:IiqOzI+OwxSchqgQbg

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3444	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2368682536-4045190062-1465778271-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	2b9e545eec4b581f7cc869bd4ebbfe37635ccca40c863a371fa491afb6a9f7e0.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	2	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 3444	2652	2b9e545eec4b581f7cc869bd4ebbfe37635ccca40c863a371fa491afb6a9f7e0.exe	66
PID 2652 wrote to memory of 3444	2652	2b9e545eec4b581f7cc869bd4ebbfe37635ccca40c863a371fa491afb6a9f7e0.exe	66
PID 2652 wrote to memory of 3444	2652	2b9e545eec4b581f7cc869bd4ebbfe37635ccca40c863a371fa491afb6a9f7e0.exe	66

C:\Users\Admin\AppData\Local\Temp\2b9e545eec4b581f7cc869bd4ebbfe37635ccca40c863a371fa491afb6a9f7e0.exe
"C:\Users\Admin\AppData\Local\Temp\2b9e545eec4b581f7cc869bd4ebbfe37635ccca40c863a371fa491afb6a9f7e0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:3444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
647.5MB

MD5
b4b2b0e6778c740267a364df6fb28049

SHA1
df5a0d9abfac93c7f87c98ed9c9c4743e4b01ab8

SHA256
317d86a0731e3b8688ca871c3ed03b33f5785796ff9d09ee28d0733999a1a582

SHA512
7fd203961308c314980ace203f6832642b2a2626510e448e60d9189633741dca236c1efbaef96439c6514b72a6ef97f0a0b6e13f8f9a50b369c186a3454a447b

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
619.6MB

MD5
8c7053dff61535e2a8ef0c279efe3add

SHA1
58e3e6247f68d3e9eee1da260018d84cc55a02ae

SHA256
97948823308641e7cf4362f7d8869e65e763abb10d8ec360803c1cb0959f6785

SHA512
4afd8cf02e0e2c9839d2c4ac3df50f7c4007b11c7f0ee075262123fd8629641b399cb547cfa2b8c9c65e0e44f35a944f5645ddb032ff00a83bac9e57617d069d

Download Submit
memory/2652-120-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-121-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-122-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-123-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-124-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-125-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-126-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-127-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-128-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-129-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-130-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-132-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-133-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-134-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-131-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-135-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-136-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-137-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-138-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-139-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-140-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-141-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-142-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-144-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-145-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-146-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-147-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-148-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-150-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-149-0x0000000002710000-0x00000000028C5000-memory.dmp

Filesize
1.7MB

Download
memory/2652-151-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-152-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/2652-153-0x00000000028D0000-0x0000000002CA0000-memory.dmp

Filesize
3.8MB

Download
memory/2652-154-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/2652-161-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3444-157-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/3444-158-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/3444-159-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/3444-160-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/3444-162-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/3444-163-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/3444-164-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/3444-166-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/3444-167-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/3444-168-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/3444-170-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/3444-169-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/3444-171-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/3444-172-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/3444-173-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/3444-174-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/3444-175-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/3444-176-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/3444-177-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/3444-178-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/3444-179-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/3444-180-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/3444-181-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/3444-183-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/3444-184-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/3444-186-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/3444-185-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/3444-187-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/3444-188-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/3444-189-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/3444-191-0x0000000002630000-0x00000000027DE000-memory.dmp

Filesize
1.7MB

Download
memory/3444-190-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/3444-192-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/3444-193-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/3444-194-0x0000000077BA0000-0x0000000077D2E000-memory.dmp

Filesize
1.6MB

Download
memory/3444-202-0x0000000002630000-0x00000000027DE000-memory.dmp

Filesize
1.7MB

Download
memory/3444-203-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download