9f35ecf414df4f8e3d0bfa41cea9ebf0827a271941555cabaf22530d774bd999

General

Target

9f35ecf414df4f8e3d0bfa41cea9ebf0827a271941555cabaf22530d774bd999.exe
Size

2.7MB
MD5

20974e780438e87cf0fab2e4c10aa72a
SHA1

577e4d37c6897e550abe430d58577b595ed6d2a9
SHA256

9f35ecf414df4f8e3d0bfa41cea9ebf0827a271941555cabaf22530d774bd999
SHA512

c40c222c127d002ea647f3a447426099c7e20f2c9cee48d60f626222e27123406f18e84a2e0774f1725dde001691525487f37e753c5c1dd026b84c958d017e61
SSDEEP

49152:izUKp+KxzGMns8LyGuD7wdwrYvihsZqkWo9pG7XnkMcfWzE65Gl9R/4xEozse:iYKpbxZDyGuDkdRiOZRd9e5KW4aGd/6N

Score

9^/10

evasion persistence trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	9f35ecf414df4f8e3d0bfa41cea9ebf0827a271941555cabaf22530d774bd999.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	9f35ecf414df4f8e3d0bfa41cea9ebf0827a271941555cabaf22530d774bd999.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	9f35ecf414df4f8e3d0bfa41cea9ebf0827a271941555cabaf22530d774bd999.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe

Executes dropped EXE 1 IoCs

pid	Process
2880	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	9f35ecf414df4f8e3d0bfa41cea9ebf0827a271941555cabaf22530d774bd999.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	9f35ecf414df4f8e3d0bfa41cea9ebf0827a271941555cabaf22530d774bd999.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4240	9f35ecf414df4f8e3d0bfa41cea9ebf0827a271941555cabaf22530d774bd999.exe
2880	ntlhost.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 2880	4240	9f35ecf414df4f8e3d0bfa41cea9ebf0827a271941555cabaf22530d774bd999.exe	89
PID 4240 wrote to memory of 2880	4240	9f35ecf414df4f8e3d0bfa41cea9ebf0827a271941555cabaf22530d774bd999.exe	89

C:\Users\Admin\AppData\Local\Temp\9f35ecf414df4f8e3d0bfa41cea9ebf0827a271941555cabaf22530d774bd999.exe
"C:\Users\Admin\AppData\Local\Temp\9f35ecf414df4f8e3d0bfa41cea9ebf0827a271941555cabaf22530d774bd999.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
284.2MB

MD5
c63b7ebe15daf42b6af83174bb3487b4

SHA1
de8522524bf2337542e2237acebb4379b752caa0

SHA256
603a06177369c062e850cea822f451fffb3c2ceca0fedbc0389f1b0821efe80a

SHA512
7b71aa20991cee78d6a2b8fb0a2f4c05294167e4d7cc531bf26c3fcd6cdd0c5aaf3882fd400daade28ee59477248c34df794bd3b6f2e4fccb75024813664619d

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
290.6MB

MD5
5c7373a479487a511899dd8c1a3a013a

SHA1
28a5470896a2ed0de446a69305e0bf30b2479532

SHA256
5a07de39d319c1d691a41170e026660acd0e828fe66f7e178384b79d03696a25

SHA512
19cd3ce6509d0889afa347fe63fd71c09ac36d03a3460363871aa6a791ea5cc9349015bd3936408b662796f1f12a18683899cc2f67d6ed4f196724cc1354002e

Download Submit
memory/2880-167-0x0000000000140000-0x00000000009B8000-memory.dmp

Filesize
8.5MB

Download
memory/2880-166-0x0000000000140000-0x00000000009B8000-memory.dmp

Filesize
8.5MB

Download
memory/2880-165-0x0000000000140000-0x00000000009B8000-memory.dmp

Filesize
8.5MB

Download
memory/2880-164-0x0000000000140000-0x00000000009B8000-memory.dmp

Filesize
8.5MB

Download
memory/2880-163-0x0000000000140000-0x00000000009B8000-memory.dmp

Filesize
8.5MB

Download
memory/2880-162-0x0000000000140000-0x00000000009B8000-memory.dmp

Filesize
8.5MB

Download
memory/2880-161-0x0000000000140000-0x00000000009B8000-memory.dmp

Filesize
8.5MB

Download
memory/2880-160-0x0000000000140000-0x00000000009B8000-memory.dmp

Filesize
8.5MB

Download
memory/2880-159-0x0000000000140000-0x00000000009B8000-memory.dmp

Filesize
8.5MB

Download
memory/2880-158-0x0000000000140000-0x00000000009B8000-memory.dmp

Filesize
8.5MB

Download
memory/4240-142-0x0000000000920000-0x0000000001198000-memory.dmp

Filesize
8.5MB

Download
memory/4240-145-0x0000000000920000-0x0000000001198000-memory.dmp

Filesize
8.5MB

Download
memory/4240-148-0x0000000000920000-0x0000000001198000-memory.dmp

Filesize
8.5MB

Download
memory/4240-149-0x0000000000920000-0x0000000001198000-memory.dmp

Filesize
8.5MB

Download
memory/4240-150-0x0000000000920000-0x0000000001198000-memory.dmp

Filesize
8.5MB

Download
memory/4240-151-0x0000000000920000-0x0000000001198000-memory.dmp

Filesize
8.5MB

Download
memory/4240-153-0x0000000000920000-0x0000000001198000-memory.dmp

Filesize
8.5MB

Download
memory/4240-146-0x0000000000920000-0x0000000001198000-memory.dmp

Filesize
8.5MB

Download
memory/4240-156-0x0000000000920000-0x0000000001198000-memory.dmp

Filesize
8.5MB

Download
memory/4240-147-0x0000000000920000-0x0000000001198000-memory.dmp

Filesize
8.5MB

Download
memory/4240-144-0x0000000000920000-0x0000000001198000-memory.dmp

Filesize
8.5MB

Download
memory/4240-143-0x0000000000920000-0x0000000001198000-memory.dmp

Filesize
8.5MB

Download
memory/4240-134-0x0000000000920000-0x0000000001198000-memory.dmp

Filesize
8.5MB

Download
memory/4240-141-0x0000000000920000-0x0000000001198000-memory.dmp

Filesize
8.5MB

Download
memory/4240-140-0x0000000000920000-0x0000000001198000-memory.dmp

Filesize
8.5MB

Download
memory/4240-139-0x0000000000920000-0x0000000001198000-memory.dmp

Filesize
8.5MB

Download
memory/4240-138-0x0000000000920000-0x0000000001198000-memory.dmp

Filesize
8.5MB

Download
memory/4240-137-0x0000000000920000-0x0000000001198000-memory.dmp

Filesize
8.5MB

Download
memory/4240-136-0x0000000000920000-0x0000000001198000-memory.dmp

Filesize
8.5MB

Download
memory/4240-135-0x0000000000920000-0x0000000001198000-memory.dmp

Filesize
8.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads