d0a2d72ad5570d56d784d8af83fdda4bf8ad84e908808d86112a2bd0682bb905

Analysis

max time kernel
136s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2023, 01:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b6661f7b4329d525ea3aea934cc7a4c3be369491d1427fe045820c42b52f797d.exe
Size

4.0MB
MD5

0adbb09dda76079a7feb122cabbe73d2
SHA1

457f937186e2a1aeda234f774d3e086713de8122
SHA256

b6661f7b4329d525ea3aea934cc7a4c3be369491d1427fe045820c42b52f797d
SHA512

e1d18b678cdaf0832ee905bf54bc0aef7d3dc1b2cde6cebed0a28be08e2b975e1f311333a32d0af8793bef104fcb18f95565541494e3ef7ad8384fb47604d274
SSDEEP

49152:pEjwvlIKv05z+UERnIcYmWjc3CdhR5E9UFiqeb0/B1:flhWzZ6hcEciqe

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
928	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	b6661f7b4329d525ea3aea934cc7a4c3be369491d1427fe045820c42b52f797d.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	19	Go-http-client/1.1

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 928	1288	b6661f7b4329d525ea3aea934cc7a4c3be369491d1427fe045820c42b52f797d.exe	86
PID 1288 wrote to memory of 928	1288	b6661f7b4329d525ea3aea934cc7a4c3be369491d1427fe045820c42b52f797d.exe	86

C:\Users\Admin\AppData\Local\Temp\b6661f7b4329d525ea3aea934cc7a4c3be369491d1427fe045820c42b52f797d.exe
"C:\Users\Admin\AppData\Local\Temp\b6661f7b4329d525ea3aea934cc7a4c3be369491d1427fe045820c42b52f797d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  PID:928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
727.0MB

MD5
4fa23052ab5e9954ddac618d564dcb00

SHA1
c76484d07f47e4a151a44efa693d35c6513110dd

SHA256
24e46af5f6d82975b56b3680ee4c5355e7bb88e7c83eb9c9a90ed9e8cf2b026a

SHA512
2ad8fd29c8a91111083abb016b8ccb1e907cb10fcfdf3e3b1db4b2a1a4e9cf12f040539cd2004f587c3454281014f5b5eefda2350d4471bb79e96e5e0f2dfc1a

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
727.0MB

MD5
4fa23052ab5e9954ddac618d564dcb00

SHA1
c76484d07f47e4a151a44efa693d35c6513110dd

SHA256
24e46af5f6d82975b56b3680ee4c5355e7bb88e7c83eb9c9a90ed9e8cf2b026a

SHA512
2ad8fd29c8a91111083abb016b8ccb1e907cb10fcfdf3e3b1db4b2a1a4e9cf12f040539cd2004f587c3454281014f5b5eefda2350d4471bb79e96e5e0f2dfc1a

Download Submit