Analysis Overview
SHA256
ccd1cde08e07f3be31008ea2b7ace4190317f179c3a75e0b9e88670aa70626cb
Threat Level: Known bad
The file file.exe was found to be: Known bad.
Malicious Activity Summary
Laplas Clipper
Downloads MZ/PE file
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Deletes itself
Loads dropped DLL
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks processor information in registry
GoLang User-Agent
Delays execution with timeout.exe
Analysis: static1
Detonation Overview
Reported: 2023-03-17 17:38
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2023-03-17 17:38
Reported: 2023-03-17 17:40
Platform: win7-20230220-en
Max time kernel: 134s
Max time network: 140s
Command Line
Signatures
Laplas Clipper
Downloads MZ/PE file
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DAKEBAKFHC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DAKEBAKFHC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DAKEBAKFHC.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\DAKEBAKFHC.exe | N/A |
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\file.exe | "C:\Users\Admin\AppData\Local\Temp\file.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DAKEBAKFHC.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\file.exe" & del "C:\ProgramData\*.dll"" & exit |
| C:\Windows\SysWOW64\timeout.exe | timeout /t 5 |
| C:\Users\Admin\AppData\Local\Temp\DAKEBAKFHC.exe | "C:\Users\Admin\AppData\Local\Temp\DAKEBAKFHC.exe" |
| C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
Network
| Country | Destination | Domain | Proto |
| LV | 45.87.154.30:80 | 45.87.154.30 | tcp |
| N/A | 185.119.196.167:80 | 185.119.196.167 | tcp |
| LV | 45.87.154.105:80 | 45.87.154.105 | tcp |
Files
\ProgramData\nss3.dll
\ProgramData\mozglue.dll
\Users\Admin\AppData\Local\Temp\DAKEBAKFHC.exe
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Analysis: behavioral2
Detonation Overview
Submitted: 2023-03-17 17:38
Reported: 2023-03-17 17:40
Platform: win10v2004-20230221-en
Max time kernel: 147s
Max time network: 155s
Command Line
Signatures
Laplas Clipper
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GIDHDGCBFB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\GIDHDGCBFB.exe | N/A |
Checks installed software on the system
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\file.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\file.exe | "C:\Users\Admin\AppData\Local\Temp\file.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GIDHDGCBFB.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\file.exe" & del "C:\ProgramData\*.dll"" & exit |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2564 -ip 2564 |
| C:\Users\Admin\AppData\Local\Temp\GIDHDGCBFB.exe | "C:\Users\Admin\AppData\Local\Temp\GIDHDGCBFB.exe" |
| C:\Windows\SysWOW64\timeout.exe | timeout /t 5 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 2284 |
| C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
Network
Files
C:\ProgramData\nss3.dll
C:\ProgramData\mozglue.dll
C:\Users\Admin\AppData\Local\Temp\GIDHDGCBFB.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe