b398065ab48ca2a1900c2192c2883330b414f5f74fa04ecf2b6ae99698b8e63d

Analysis

max time kernel
82s
max time network
155s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
11/02/2023, 20:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

1.8MB
MD5

be30ec7ab19bfedb892fde3afb577603
SHA1

e52f9dea4400166c4f489a5626df0008a6eed818
SHA256

b398065ab48ca2a1900c2192c2883330b414f5f74fa04ecf2b6ae99698b8e63d
SHA512

227460bb3ee54c526a1a99519d7d461db2bd513e291fa6aed26d3cbdb81b79816015a05b1cdd06598dc893267a26311a5646f7c077625c574134d4d856e72afe
SSDEEP

49152:FuXEnBSze5817TMBYpenuq5oncZS6K6h8DCM:MEnIwicZS7TC

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1732	ntlhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2028	tmp.exe
2028	tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	tmp.exe

GoLang User-Agent 2 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	2	Go-http-client/1.1
HTTP User-Agent header	4	Go-http-client/1.1

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1732	2028	tmp.exe	27
PID 2028 wrote to memory of 1732	2028	tmp.exe	27
PID 2028 wrote to memory of 1732	2028	tmp.exe	27
PID 2028 wrote to memory of 1732	2028	tmp.exe	27

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:1732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
481.8MB

MD5
872e0e2bc2cdc8fb6a2d120bf2c7e7a5

SHA1
6adec0bd683b37c765b16c83bc6f7447a4994c01

SHA256
15920b653de56e23e5fa411c3fa0b0c43cd118b4becd5b5a129c7e0d3a8b79cb

SHA512
6e81b42d46bda1b3b4a47c98cf348c34e7e1c248b40b50c4708fb222bf8772c0d294da6c71438f8241d134e58e2109e3afab37a3cfc03ab244a5ab801e32678a

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
344.2MB

MD5
dc84ef16b98dd7b264decc60837245c6

SHA1
b3111ecc6035f956a274f5641ca9205db1ecf630

SHA256
09a22deb3d23d05325d90e0ba98f3f5a6ab939acf5d63d3b4f60c54fa782ea0a

SHA512
7a50b9513680cfb2efe201dfd8bb017489c2cc2e644423d860ee8c34f7878ed9c83029048a87f1e53eedee05d494dc3ffb209aa09f6640651e5092f2e6d7507a

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
349.8MB

MD5
079a2bf90f48de0285e5cc8bc22c22b2

SHA1
5e07c3401b1ddf59ac47c0b99deea6783d844283

SHA256
60dcc58e2026d53d0484704c817ae25af84f85e5ab60bbe15f0b5372be53e583

SHA512
4e82e972f9849f808bbcf8550fe0d10a74f18ff1e141648bd53970ec97748ed1f0403c9c66d4243ec78d257d8f412f972846f6a121f7ab38bbf199169885ee8b

Download Submit
memory/1732-63-0x0000000002150000-0x00000000022FA000-memory.dmp

Filesize
1.7MB

Download
memory/1732-64-0x0000000002150000-0x00000000022FA000-memory.dmp

Filesize
1.7MB

Download
memory/1732-65-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1732-66-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/2028-57-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/2028-56-0x00000000023A0000-0x0000000002770000-memory.dmp

Filesize
3.8MB

Download
memory/2028-55-0x00000000021F0000-0x000000000239A000-memory.dmp

Filesize
1.7MB

Download
memory/2028-62-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/2028-54-0x00000000021F0000-0x000000000239A000-memory.dmp

Filesize
1.7MB

Download