c481396f3c2527ff736d7c47c19603c06baea30f6128e2c0ed1732fab41f779f

General

Target

NTLite.exe
Size

8.3MB
MD5

cca72a4a4fd0dc2c2d8cec4ad740cc20
SHA1

1f94e470ea19d97ad6b730192e5ccfaa129d76bd
SHA256

c481396f3c2527ff736d7c47c19603c06baea30f6128e2c0ed1732fab41f779f
SHA512

28f002e5f244800751bb51a0450601a82b37e52623740302763eb8232ee6dcd48daf4052fcd5c283cd31cd0bc76536c88e8607fd975e8d220d0f0445fabb3d16
SSDEEP

196608:2qZXXEYRW/H0hbcsv23ouHCRZ5MRyM3NzM0zbEJV7dI2x:2qpEYsCcw23ouH+ZKzKV7+e

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

NTLite.exe

description ioc process

File opened for modification \??\PhysicalDrive0 NTLite.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

NTLite.exe

pid process

4812 NTLite.exe
4812 NTLite.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	NTLite.exe

pid	process
4812	NTLite.exe
4812	NTLite.exe

Checks SCSI registry key(s) 3 TTPs 24 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

NTLite.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	NTLite.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	NTLite.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	NTLite.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	NTLite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	NTLite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	NTLite.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	NTLite.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	NTLite.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	NTLite.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	NTLite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	NTLite.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	NTLite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	NTLite.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	NTLite.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	NTLite.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	NTLite.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	NTLite.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	NTLite.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	NTLite.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	NTLite.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	NTLite.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	NTLite.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	NTLite.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	NTLite.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

NTLite.exe

pid process

4812 NTLite.exe
4812 NTLite.exe

pid	process
4812	NTLite.exe
4812	NTLite.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

NTLite.exe

description	pid	process
Token: SeRestorePrivilege	4812	NTLite.exe
Token: SeSecurityPrivilege	4812	NTLite.exe
Token: SeBackupPrivilege	4812	NTLite.exe
Token: SeShutdownPrivilege	4812	NTLite.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

NTLite.exe

pid process

4812 NTLite.exe
4812 NTLite.exe
4812 NTLite.exe
4812 NTLite.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

NTLite.exe

pid process

4812 NTLite.exe
4812 NTLite.exe
4812 NTLite.exe
4812 NTLite.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

NTLite.exe

pid process

4812 NTLite.exe
4812 NTLite.exe

pid	process
4812	NTLite.exe
4812	NTLite.exe
4812	NTLite.exe
4812	NTLite.exe

pid	process
4812	NTLite.exe
4812	NTLite.exe
4812	NTLite.exe
4812	NTLite.exe

pid	process
4812	NTLite.exe
4812	NTLite.exe

C:\Users\Admin\AppData\Local\Temp\NTLite.exe
"C:\Users\Admin\AppData\Local\Temp\NTLite.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NTLite.log
Filesize
126B

MD5
86a3eb2dae5424bdd5b550413e969f2c

SHA1
2b9f53594d67160b24a5260972dbe8f1576bc304

SHA256
b5983ffe8ed97dc1232efb1b6e3e0b469910b8ea00690d2e778d343f71fd3aaa

SHA512
6596f06fce744fd0be8506bcfc5e3f91933018bc324e2d2d4fff30846c06867ea2e74e64c4d733adad50ad1b2e3a8acf20c449b9d8ffd98b72c978bc18d61e29

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTLite.log
Filesize
304B

MD5
bf9f7e667ce4456bbeac7b7571e00b3d

SHA1
d8cc694afbf6435d606fa7919c3001a1855a5aff

SHA256
27a56bc1529db113b307750485fa87238305c4035a4f57d5bd4ca4143025dd5f

SHA512
48e08a95e6714e5ea039b91c1891a49266a3edbacddb68efe958e8b5ba9d2cfe7db6b4a62c72f5b7417f10cb69ccba9e5a025b47ae5ed0cf914f389cf642cda2

Download Submit
memory/4812-133-0x0000000140000000-0x000000014112F000-memory.dmp

Filesize
17.2MB

Download
memory/4812-134-0x0000000140000000-0x000000014112F000-memory.dmp

Filesize
17.2MB

Download
memory/4812-135-0x0000000140000000-0x000000014112F000-memory.dmp

Filesize
17.2MB

Download
memory/4812-137-0x00000000020E0000-0x00000000022F3000-memory.dmp

Filesize
2.1MB

Download
memory/4812-136-0x0000000140000000-0x000000014112F000-memory.dmp

Filesize
17.2MB

Download
memory/4812-138-0x0000000140000000-0x000000014112F000-memory.dmp

Filesize
17.2MB

Download
memory/4812-139-0x0000000140000000-0x000000014112F000-memory.dmp

Filesize
17.2MB

Download
memory/4812-140-0x0000000140000000-0x000000014112F000-memory.dmp

Filesize
17.2MB

Download
memory/4812-141-0x00000000020E0000-0x00000000022F3000-memory.dmp

Filesize
2.1MB

Download
memory/4812-142-0x0000000140000000-0x000000014112F000-memory.dmp

Filesize
17.2MB

Download
memory/4812-143-0x00000000020E0000-0x00000000022F3000-memory.dmp

Filesize
2.1MB

Download
memory/4812-147-0x00007FF91BDF0000-0x00007FF91BE08000-memory.dmp

Filesize
96KB

Download
memory/4812-148-0x00007FF91B8E0000-0x00007FF91B91B000-memory.dmp

Filesize
236KB

Download
memory/4812-149-0x00007FF91EA70000-0x00007FF91EB0E000-memory.dmp

Filesize
632KB

Download
memory/4812-150-0x00007FF91C510000-0x00007FF91C537000-memory.dmp

Filesize
156KB

Download
memory/4812-151-0x00007FF91E8C0000-0x00007FF91EA61000-memory.dmp

Filesize
1.6MB

Download
memory/4812-152-0x00007FF91BF00000-0x00007FF91BF27000-memory.dmp

Filesize
156KB

Download
memory/4812-153-0x00007FF90EFD0000-0x00007FF90F009000-memory.dmp

Filesize
228KB

Download
memory/4812-154-0x00007FF91CE40000-0x00007FF91CE6B000-memory.dmp

Filesize
172KB

Download
memory/4812-155-0x00007FF901970000-0x00007FF9019A8000-memory.dmp

Filesize
224KB

Download
memory/4812-156-0x00007FF9013B0000-0x00007FF9013D7000-memory.dmp

Filesize
156KB

Download
memory/4812-157-0x0000000002040000-0x0000000002049000-memory.dmp

Filesize
36KB

Download
memory/4812-158-0x00007FF91A140000-0x00007FF91A16F000-memory.dmp

Filesize
188KB

Download
memory/4812-168-0x0000000000410000-0x000000000041F000-memory.dmp

Filesize
60KB

Download
memory/4812-183-0x0000000140000000-0x000000014112F000-memory.dmp

Filesize
17.2MB

Download
memory/4812-184-0x00007FF91EDF0000-0x00007FF91EFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4812-185-0x00007FF91E300000-0x00007FF91E3BE000-memory.dmp

Filesize
760KB

Download
memory/4812-186-0x00007FF91CA30000-0x00007FF91CCF9000-memory.dmp

Filesize
2.8MB

Download
memory/4812-187-0x00007FF91E8C0000-0x00007FF91EA61000-memory.dmp

Filesize
1.6MB

Download
memory/4812-188-0x00007FF91C540000-0x00007FF91C562000-memory.dmp

Filesize
136KB

Download
memory/4812-190-0x00007FF91C770000-0x00007FF91C870000-memory.dmp

Filesize
1024KB

Download
memory/4812-191-0x00007FF91DA00000-0x00007FF91DAAC000-memory.dmp

Filesize
688KB

Download
memory/4812-193-0x00007FF91DC40000-0x00007FF91DCDB000-memory.dmp

Filesize
620KB

Download
memory/4812-194-0x00007FF91DCE0000-0x00007FF91DE0A000-memory.dmp

Filesize
1.2MB

Download
memory/4812-195-0x00007FF91DE10000-0x00007FF91E165000-memory.dmp

Filesize
3.3MB

Download
memory/4812-192-0x00007FF91EA70000-0x00007FF91EB0E000-memory.dmp

Filesize
632KB

Download
memory/4812-196-0x00007FF91EB10000-0x00007FF91EBDD000-memory.dmp

Filesize
820KB

Download
memory/4812-197-0x00007FF91CED0000-0x00007FF91CF7D000-memory.dmp

Filesize
692KB

Download
memory/4812-198-0x00007FF91E1D0000-0x00007FF91E2FA000-memory.dmp

Filesize
1.2MB

Download
memory/4812-199-0x00007FF90DBD0000-0x00007FF90DC55000-memory.dmp

Filesize
532KB

Download
memory/4812-201-0x00007FF91B8E0000-0x00007FF91B91B000-memory.dmp

Filesize
236KB

Download
memory/4812-203-0x00007FF91CD00000-0x00007FF91CD4E000-memory.dmp

Filesize
312KB

Download
memory/4812-202-0x00007FF91E430000-0x00007FF91E8A2000-memory.dmp

Filesize
4.4MB

Download
memory/4812-204-0x00007FF91C510000-0x00007FF91C537000-memory.dmp

Filesize
156KB

Download
memory/4812-206-0x00007FF91CE70000-0x00007FF91CEC5000-memory.dmp

Filesize
340KB

Download
memory/4812-208-0x00007FF90FFF0000-0x00007FF90FFF7000-memory.dmp

Filesize
28KB

Download
memory/4812-210-0x00007FF908FE0000-0x00007FF909046000-memory.dmp

Filesize
408KB

Download
memory/4812-211-0x00007FF900680000-0x00007FF900829000-memory.dmp

Filesize
1.7MB

Download
memory/4812-213-0x00007FF91C610000-0x00007FF91C766000-memory.dmp

Filesize
1.3MB

Download
memory/4812-214-0x00007FF91A140000-0x00007FF91A16F000-memory.dmp

Filesize
188KB

Download
memory/4812-215-0x00007FF918530000-0x00007FF918AF0000-memory.dmp

Filesize
5.8MB

Download
memory/4812-216-0x00007FF912460000-0x00007FF9126E3000-memory.dmp

Filesize
2.5MB

Download
memory/4812-217-0x0000000000410000-0x000000000041F000-memory.dmp

Filesize
60KB

Download
memory/4812-218-0x0000000140000000-0x000000014112F000-memory.dmp

Filesize
17.2MB

Download
memory/4812-219-0x00007FF91EDF0000-0x00007FF91EFE5000-memory.dmp

Filesize
2.0MB

Download
memory/4812-221-0x00007FF91CA30000-0x00007FF91CCF9000-memory.dmp

Filesize
2.8MB

Download
memory/4812-222-0x00007FF91E8C0000-0x00007FF91EA61000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing