d30e2337e87b5bad478d20dea2fa51d38a4a9506542bdaaea7640dcc68a4432c

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2023, 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

4.0MB
MD5

ee194a0b6f6c6c28740a697a5466c44f
SHA1

6408895a89575bc618094c785ec3e5720ce455a0
SHA256

d30e2337e87b5bad478d20dea2fa51d38a4a9506542bdaaea7640dcc68a4432c
SHA512

b930974fa1af1f3fb4cbb31161501e135a612a705555dadc16374fe21d193952dc4837f7ab75fcca05c65daad18afe9a1ae724bd2a1862add27693db476ddaad
SSDEEP

98304:ql0TOAthBZtr+BHIvMZPEmZpHvYXMheVNyDqiGdS3q1/3:WAtrbrwtZpHg8e6Cf3

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
980	ntlhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	tmp.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3596	tmp.exe
980	ntlhost.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	19	Go-http-client/1.1

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3596 wrote to memory of 980	3596	tmp.exe	81
PID 3596 wrote to memory of 980	3596	tmp.exe	81

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
641.1MB

MD5
4cd3f96ec881acfcd03ecabd6cc91a91

SHA1
9d09c50d97ea897f0c0f29db816225cef3357557

SHA256
6d1a5d8f59c9ebae18ad599c792553d463d6380048717faa94b34d3f1f0c2821

SHA512
72e197695a53a968e78da12b20b47e14cbf1a7e1a0324832e6c88d588ed8cd40e211d6ed408f8cd8117b5e2464ad302a7d647051a6699e92af0754806f1e5648

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
644.5MB

MD5
9ef7ff00e0e1a60fabc0a6fbd5cf9865

SHA1
10605b0193e060bb2e39f492bdfd4b8450268a22

SHA256
8a20b5deb2847c057082154af43ef43c8ab3cf3572d78b9d5b93aa9f38a62b59

SHA512
b34fc868201c276e31ee0f0c9f04777aa68ccb053d8b925cc5d4e8ac3387dd8ec2eefdb7e82d65dbf4981c4072fbe8757b83b739fc6badeb7eb45a2eeabd07f9

Download Submit
memory/980-181-0x00007FFA73290000-0x00007FFA73559000-memory.dmp

Filesize
2.8MB

Download
memory/980-183-0x0000000000A80000-0x0000000001383000-memory.dmp

Filesize
9.0MB

Download
memory/980-195-0x0000000000A80000-0x0000000001383000-memory.dmp

Filesize
9.0MB

Download
memory/980-194-0x0000000000A80000-0x0000000001383000-memory.dmp

Filesize
9.0MB

Download
memory/980-193-0x0000000000A80000-0x0000000001383000-memory.dmp

Filesize
9.0MB

Download
memory/980-192-0x0000000000A80000-0x0000000001383000-memory.dmp

Filesize
9.0MB

Download
memory/980-191-0x0000000000A80000-0x0000000001383000-memory.dmp

Filesize
9.0MB

Download
memory/980-168-0x00007FFA00030000-0x00007FFA00031000-memory.dmp

Filesize
4KB

Download
memory/980-189-0x0000000000A80000-0x0000000001383000-memory.dmp

Filesize
9.0MB

Download
memory/980-169-0x0000000000A80000-0x0000000001383000-memory.dmp

Filesize
9.0MB

Download
memory/980-187-0x0000000000A80000-0x0000000001383000-memory.dmp

Filesize
9.0MB

Download
memory/980-186-0x0000000000A80000-0x0000000001383000-memory.dmp

Filesize
9.0MB

Download
memory/980-185-0x00007FFA75A10000-0x00007FFA75C05000-memory.dmp

Filesize
2.0MB

Download
memory/980-184-0x0000000000A80000-0x0000000001383000-memory.dmp

Filesize
9.0MB

Download
memory/980-167-0x00007FFA00000000-0x00007FFA00002000-memory.dmp

Filesize
8KB

Download
memory/980-173-0x0000000000A80000-0x0000000001383000-memory.dmp

Filesize
9.0MB

Download
memory/980-182-0x0000000000A80000-0x0000000001383000-memory.dmp

Filesize
9.0MB

Download
memory/980-180-0x0000000000A80000-0x0000000001383000-memory.dmp

Filesize
9.0MB

Download
memory/980-179-0x0000000000A80000-0x0000000001383000-memory.dmp

Filesize
9.0MB

Download
memory/980-178-0x00007FFA75A10000-0x00007FFA75C05000-memory.dmp

Filesize
2.0MB

Download
memory/980-177-0x0000000000A80000-0x0000000001383000-memory.dmp

Filesize
9.0MB

Download
memory/980-162-0x0000000000A80000-0x0000000001383000-memory.dmp

Filesize
9.0MB

Download
memory/980-176-0x0000000000A80000-0x0000000001383000-memory.dmp

Filesize
9.0MB

Download
memory/980-164-0x0000000000A80000-0x0000000001383000-memory.dmp

Filesize
9.0MB

Download
memory/980-165-0x00007FFA73290000-0x00007FFA73559000-memory.dmp

Filesize
2.8MB

Download
memory/980-166-0x00007FFA73290000-0x00007FFA73559000-memory.dmp

Filesize
2.8MB

Download
memory/980-175-0x0000000000A80000-0x0000000001383000-memory.dmp

Filesize
9.0MB

Download
memory/980-190-0x0000000000A80000-0x0000000001383000-memory.dmp

Filesize
9.0MB

Download
memory/980-174-0x0000000000A80000-0x0000000001383000-memory.dmp

Filesize
9.0MB

Download
memory/980-170-0x0000000000A80000-0x0000000001383000-memory.dmp

Filesize
9.0MB

Download
memory/980-171-0x0000000000A80000-0x0000000001383000-memory.dmp

Filesize
9.0MB

Download
memory/980-172-0x0000000000A80000-0x0000000001383000-memory.dmp

Filesize
9.0MB

Download
memory/3596-152-0x00000000002F0000-0x0000000000BF3000-memory.dmp

Filesize
9.0MB

Download
memory/3596-147-0x00000000002F0000-0x0000000000BF3000-memory.dmp

Filesize
9.0MB

Download
memory/3596-139-0x00007FFA00000000-0x00007FFA00002000-memory.dmp

Filesize
8KB

Download
memory/3596-163-0x00007FFA75A10000-0x00007FFA75C05000-memory.dmp

Filesize
2.0MB

Download
memory/3596-161-0x00007FFA73290000-0x00007FFA73559000-memory.dmp

Filesize
2.8MB

Download
memory/3596-156-0x00000000002F0000-0x0000000000BF3000-memory.dmp

Filesize
9.0MB

Download
memory/3596-137-0x00007FFA73290000-0x00007FFA73559000-memory.dmp

Filesize
2.8MB

Download
memory/3596-138-0x00007FFA73290000-0x00007FFA73559000-memory.dmp

Filesize
2.8MB

Download
memory/3596-136-0x00000000002F0000-0x0000000000BF3000-memory.dmp

Filesize
9.0MB

Download
memory/3596-155-0x00007FFA75A10000-0x00007FFA75C05000-memory.dmp

Filesize
2.0MB

Download
memory/3596-154-0x00000000002F0000-0x0000000000BF3000-memory.dmp

Filesize
9.0MB

Download
memory/3596-151-0x00007FFA73290000-0x00007FFA73559000-memory.dmp

Filesize
2.8MB

Download
memory/3596-150-0x00007FFA75A10000-0x00007FFA75C05000-memory.dmp

Filesize
2.0MB

Download
memory/3596-149-0x00000000002F0000-0x0000000000BF3000-memory.dmp

Filesize
9.0MB

Download
memory/3596-148-0x00000000002F0000-0x0000000000BF3000-memory.dmp

Filesize
9.0MB

Download
memory/3596-146-0x00000000002F0000-0x0000000000BF3000-memory.dmp

Filesize
9.0MB

Download
memory/3596-145-0x00000000002F0000-0x0000000000BF3000-memory.dmp

Filesize
9.0MB

Download
memory/3596-144-0x00000000002F0000-0x0000000000BF3000-memory.dmp

Filesize
9.0MB

Download
memory/3596-143-0x00000000002F0000-0x0000000000BF3000-memory.dmp

Filesize
9.0MB

Download
memory/3596-142-0x00000000002F0000-0x0000000000BF3000-memory.dmp

Filesize
9.0MB

Download
memory/3596-141-0x00000000002F0000-0x0000000000BF3000-memory.dmp

Filesize
9.0MB

Download
memory/3596-140-0x00007FFA00030000-0x00007FFA00031000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads