1055458a8ee3ee7724fd82ca27387523cb1d0d1733ac8cceaf99fab47e35d105

Analysis

max time kernel
540s
max time network
590s
platform
windows7_x64
resource
win7-20230220-es
resource tags

arch:x64arch:x86image:win7-20230220-eslocale:es-esos:windows7-x64systemwindows
submitted
19-03-2023 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

add_attack/goland.exe
Size

2.6MB
MD5

fc6d40512829e36687854cb0118a5a1e
SHA1

cf801f9dad93b5ebbcef79b093b034b45aa75a1e
SHA256

58c0d2f945207a56f5baefbb320d7ddbd01089205025de05133db173281e65e2
SHA512

8545d6e56ab77e28e416b013a2836307616d8c00dc26216c35fba8bc1ec0b8c8503f8d7cb55e8dd1d5aaa08875e9172f7259082a4f6756c4722be9c4e3f96e6f
SSDEEP

49152:6EE4S6KbgMczZ3kXz64kU4r6mN2udLglBA9iHZN9OXOMbK:VEV6Kbmhkj14rzUMnibX

Score

9^/10

evasion persistence trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	goland.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	goland.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	goland.exe

Executes dropped EXE 1 IoCs

pid	Process
1756	ntlhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1324	goland.exe
1324	goland.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	goland.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	goland.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1324	goland.exe
1756	ntlhost.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	3	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 1756	1324	goland.exe	28
PID 1324 wrote to memory of 1756	1324	goland.exe	28
PID 1324 wrote to memory of 1756	1324	goland.exe	28

C:\Users\Admin\AppData\Local\Temp\add_attack\goland.exe
"C:\Users\Admin\AppData\Local\Temp\add_attack\goland.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:1756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
837.6MB

MD5
6187c1defceed5e5ef91105ad34d024f

SHA1
21ce77387e4782c34137edddc5978f41bb0df8ad

SHA256
e593944cd32c4c57aec3b9a3f239f52b2843afd99e66e1078bbcc50117eab9bb

SHA512
f7d0d5a857da1f0b4e22c5edd5e0b8dfc76f57cb285eba5bedb320145061cdb0761748339a06eca7b48096687565542261b2231aa11c84ce8f4ebf81841f4ea7

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
837.6MB

MD5
6187c1defceed5e5ef91105ad34d024f

SHA1
21ce77387e4782c34137edddc5978f41bb0df8ad

SHA256
e593944cd32c4c57aec3b9a3f239f52b2843afd99e66e1078bbcc50117eab9bb

SHA512
f7d0d5a857da1f0b4e22c5edd5e0b8dfc76f57cb285eba5bedb320145061cdb0761748339a06eca7b48096687565542261b2231aa11c84ce8f4ebf81841f4ea7

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
837.6MB

MD5
6187c1defceed5e5ef91105ad34d024f

SHA1
21ce77387e4782c34137edddc5978f41bb0df8ad

SHA256
e593944cd32c4c57aec3b9a3f239f52b2843afd99e66e1078bbcc50117eab9bb

SHA512
f7d0d5a857da1f0b4e22c5edd5e0b8dfc76f57cb285eba5bedb320145061cdb0761748339a06eca7b48096687565542261b2231aa11c84ce8f4ebf81841f4ea7

Download Submit
memory/1324-54-0x0000000000B60000-0x000000000139F000-memory.dmp

Filesize
8.2MB

Download
memory/1324-55-0x0000000000B60000-0x000000000139F000-memory.dmp

Filesize
8.2MB

Download
memory/1324-56-0x0000000000B60000-0x000000000139F000-memory.dmp

Filesize
8.2MB

Download
memory/1324-57-0x0000000000B60000-0x000000000139F000-memory.dmp

Filesize
8.2MB

Download
memory/1324-59-0x0000000000B60000-0x000000000139F000-memory.dmp

Filesize
8.2MB

Download
memory/1324-58-0x0000000000B60000-0x000000000139F000-memory.dmp

Filesize
8.2MB

Download
memory/1324-61-0x0000000000B60000-0x000000000139F000-memory.dmp

Filesize
8.2MB

Download
memory/1324-60-0x0000000000B60000-0x000000000139F000-memory.dmp

Filesize
8.2MB

Download
memory/1324-70-0x0000000028730000-0x0000000028F6F000-memory.dmp

Filesize
8.2MB

Download
memory/1324-69-0x0000000000B60000-0x000000000139F000-memory.dmp

Filesize
8.2MB

Download
memory/1324-80-0x0000000028730000-0x0000000028F6F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-71-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-72-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-73-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-74-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-75-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-76-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-77-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-78-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-79-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-81-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-82-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-83-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-86-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-87-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-88-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-89-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-90-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-91-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-92-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-93-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-94-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-95-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-96-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-97-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-98-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-99-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-100-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-101-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-102-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-103-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-104-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-105-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-106-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-107-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-108-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-109-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-110-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-111-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-112-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-113-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-114-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-115-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-116-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-117-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-118-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-119-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-120-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-121-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-122-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-123-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-124-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-125-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-126-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-127-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-128-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-129-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-130-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download
memory/1756-131-0x0000000000AF0000-0x000000000132F000-memory.dmp

Filesize
8.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads