1055458a8ee3ee7724fd82ca27387523cb1d0d1733ac8cceaf99fab47e35d105

Analysis

max time kernel
592s
max time network
579s
platform
windows10-2004_x64
resource
win10v2004-20230220-es
resource tags

arch:x64arch:x86image:win10v2004-20230220-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
19-03-2023 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

add_attack/goland.exe
Size

2.6MB
MD5

fc6d40512829e36687854cb0118a5a1e
SHA1

cf801f9dad93b5ebbcef79b093b034b45aa75a1e
SHA256

58c0d2f945207a56f5baefbb320d7ddbd01089205025de05133db173281e65e2
SHA512

8545d6e56ab77e28e416b013a2836307616d8c00dc26216c35fba8bc1ec0b8c8503f8d7cb55e8dd1d5aaa08875e9172f7259082a4f6756c4722be9c4e3f96e6f
SSDEEP

49152:6EE4S6KbgMczZ3kXz64kU4r6mN2udLglBA9iHZN9OXOMbK:VEV6Kbmhkj14rzUMnibX

Score

9^/10

evasion persistence trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	goland.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	goland.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	goland.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe

Executes dropped EXE 1 IoCs

pid	Process
212	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	goland.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	goland.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
408	goland.exe
212	ntlhost.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	35	Go-http-client/1.1

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 408 wrote to memory of 212	408	goland.exe	87
PID 408 wrote to memory of 212	408	goland.exe	87

C:\Users\Admin\AppData\Local\Temp\add_attack\goland.exe
"C:\Users\Admin\AppData\Local\Temp\add_attack\goland.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:408
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
790.6MB

MD5
ea5a61f2842181ef7722e344bdca4438

SHA1
1d5a5356e5c37a8b96cd8cec913019922f0d6ef9

SHA256
82a6a7dc706e459f9756d694863f58ec8cf2f658c3e692fe93cfacdba1113c35

SHA512
82df870f4d7064ea8d9c7bd7135efd070c6eed7c9a2d50ce255927166d5e211d515491da6a97484c36f014fdaa277a5f216d73540cc844ce48727b9797379e7f

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
790.6MB

MD5
ea5a61f2842181ef7722e344bdca4438

SHA1
1d5a5356e5c37a8b96cd8cec913019922f0d6ef9

SHA256
82a6a7dc706e459f9756d694863f58ec8cf2f658c3e692fe93cfacdba1113c35

SHA512
82df870f4d7064ea8d9c7bd7135efd070c6eed7c9a2d50ce255927166d5e211d515491da6a97484c36f014fdaa277a5f216d73540cc844ce48727b9797379e7f

Download Submit
memory/212-174-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-154-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-150-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-205-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-204-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-203-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-202-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-201-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-200-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-199-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-151-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-152-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-153-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-175-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-155-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-156-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-157-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-158-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-159-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-161-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-162-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-163-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-164-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-165-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-176-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-167-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-168-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-169-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-170-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-171-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-172-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-173-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-182-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-149-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-166-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-177-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-178-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-179-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-180-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-181-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-148-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-183-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-184-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-185-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-186-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-187-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-188-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-189-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-190-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-191-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-192-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-193-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-194-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-195-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-196-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-197-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/212-198-0x0000000000AA0000-0x00000000012DF000-memory.dmp

Filesize
8.2MB

Download
memory/408-139-0x0000000000B10000-0x000000000134F000-memory.dmp

Filesize
8.2MB

Download
memory/408-138-0x0000000000B10000-0x000000000134F000-memory.dmp

Filesize
8.2MB

Download
memory/408-137-0x0000000000B10000-0x000000000134F000-memory.dmp

Filesize
8.2MB

Download
memory/408-136-0x0000000000B10000-0x000000000134F000-memory.dmp

Filesize
8.2MB

Download
memory/408-134-0x0000000000B10000-0x000000000134F000-memory.dmp

Filesize
8.2MB

Download
memory/408-135-0x0000000000B10000-0x000000000134F000-memory.dmp

Filesize
8.2MB

Download
memory/408-133-0x0000000000B10000-0x000000000134F000-memory.dmp

Filesize
8.2MB

Download
memory/408-140-0x0000000000B10000-0x000000000134F000-memory.dmp

Filesize
8.2MB

Download
memory/408-141-0x0000000000B10000-0x000000000134F000-memory.dmp

Filesize
8.2MB

Download
memory/408-143-0x0000000000B10000-0x000000000134F000-memory.dmp

Filesize
8.2MB

Download
memory/408-146-0x0000000000B10000-0x000000000134F000-memory.dmp

Filesize
8.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads