6fb43252ffec27bc90f9a92d995290ad67156a73288a5cbd054c4059f6c8e0fe

Analysis

max time kernel
42s
max time network
149s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
14/02/2023, 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

2.0MB
MD5

c4377d5563d3c6b6af68a0a103a69c59
SHA1

302a6299b0550510514f26df2d91f88c66248770
SHA256

6fb43252ffec27bc90f9a92d995290ad67156a73288a5cbd054c4059f6c8e0fe
SHA512

4e3cc901c864c2aa326a6abe2d97ae244bb91b86dfba50b1d7671c04d48211a126781e641f8cec91300bfd624ec2ba2eea044f811b25808c1d10cdbbee4297d8
SSDEEP

49152:cylves1KfQtrRtGHzdyVSNO41wrkQPPAquD+t03T8:tf0ot6pw613Qwq4+t03T8

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1264	ntlhost.exe

Loads dropped DLL 2 IoCs

pid	Process
980	tmp.exe
980	tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	tmp.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	1	Go-http-client/1.1

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 980 wrote to memory of 1264	980	tmp.exe	28
PID 980 wrote to memory of 1264	980	tmp.exe	28
PID 980 wrote to memory of 1264	980	tmp.exe	28
PID 980 wrote to memory of 1264	980	tmp.exe	28

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:980
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:1264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
610.9MB

MD5
b4a8089b223a177e56bc550bf479bd71

SHA1
6ca9a8f082fabde11efa08e503cf3578fbfe6232

SHA256
dcc7f43d29e32051eb0a7fe84a0e6d7771fa9d16e05aef0126a9a971b4e95507

SHA512
76f75e2cc32a5069221a3f43b4a1c13d249f6ed0ca783f420f2090b68c805b817b8ecd4e6278abd92eb91d339548e77d27230121ffe36348ef1e4800bef47372

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
618.4MB

MD5
7ce5aae43726925dbcc6d3cc9ffdf77d

SHA1
bbb088f9230822db653b8fb51ae09609e54d3c16

SHA256
c957cd3a224ad0cae7347737c6146aa92966c88747861d94a3ace4fbb2ee20bc

SHA512
694a6df65b9031824dfe0f0e18df4bbe2ec2a66c0b2ff21b29d815b294c186f8cdc6a753079bf6ea1e5108da04cb75271ca8eaa04a65394810c1fad1bf09e1c9

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
637.8MB

MD5
d287d013ca5a751d6f5e1810185c7db4

SHA1
8216efb82e0b2574b8857198d31be41257fcd4de

SHA256
04eac2f29c8f20666ec98f67ed016b398255ac151f6436dede7fba2a2c2e834a

SHA512
f376cdadc6ce8ebdf13d4fdd06b8ca37599c8ff35c05df0a2a5fe11b9ae51da40c44a2200befd3f442c01cbe3d6b9ab3cfb347946d3da092a01c1dea0935c24c

Download Submit
memory/980-63-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/980-57-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/980-56-0x00000000022B0000-0x0000000002680000-memory.dmp

Filesize
3.8MB

Download
memory/980-55-0x0000000002100000-0x00000000022AA000-memory.dmp

Filesize
1.7MB

Download
memory/980-54-0x0000000002100000-0x00000000022AA000-memory.dmp

Filesize
1.7MB

Download
memory/1264-62-0x0000000002170000-0x000000000231A000-memory.dmp

Filesize
1.7MB

Download
memory/1264-64-0x0000000002170000-0x000000000231A000-memory.dmp

Filesize
1.7MB

Download
memory/1264-65-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1264-66-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download