Analysis Overview
SHA256
a79893e20ce928c0dee25e1f6d64f7e88cdf7cf0db83e923decd0bf643f0f951
Threat Level: Known bad
The file a79893e20ce928c0dee25e1f6d64f7e88cdf7cf0db83e923decd0bf643f0f951 was found to be: Known bad.
Malicious Activity Summary
Laplas Clipper
Executes dropped EXE
Adds Run key to start application
GoLang User-Agent
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-03-17 19:20
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-17 19:20
Reported
2023-03-17 19:22
Platform
win10-20230220-en
Max time kernel
148s
Max time network
147s
Command Line
Signatures
Laplas Clipper
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\a79893e20ce928c0dee25e1f6d64f7e88cdf7cf0db83e923decd0bf643f0f951.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
|---|---|---|---|
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1604 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\a79893e20ce928c0dee25e1f6d64f7e88cdf7cf0db83e923decd0bf643f0f951.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
| PID 1604 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\a79893e20ce928c0dee25e1f6d64f7e88cdf7cf0db83e923decd0bf643f0f951.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
| PID 1604 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\a79893e20ce928c0dee25e1f6d64f7e88cdf7cf0db83e923decd0bf643f0f951.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\a79893e20ce928c0dee25e1f6d64f7e88cdf7cf0db83e923decd0bf643f0f951.exe
"C:\Users\Admin\AppData\Local\Temp\a79893e20ce928c0dee25e1f6d64f7e88cdf7cf0db83e923decd0bf643f0f951.exe"
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| LV | 45.87.154.105:80 | 45.87.154.105 | tcp |
| US | 8.8.8.8:53 | 105.154.87.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 62.13.109.52.in-addr.arpa | udp |
Files
memory/1604-122-0x0000000004B50000-0x0000000004F20000-memory.dmp
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | 07401a9e721605db5a17d00d9bf58e2a |
| SHA1 | dbdb00f88bfff661e6ca754c55ad7068ccf93fd2 |
| SHA256 | b336e61f13b2b7488801e369065e681270a86b4834220e96a9061a8b78359d7a |
| SHA512 | 97a44772d753f31a3fd96539d6fbbe37f7733e18c1e664c8b74d72982535141c544fb672cd86548b2696c1315ef3643d99fb692b6bd85b1fe735317d4ff9adf1 |
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | 22ab87ce33d709bc1320ebe30363ebbe |
| SHA1 | 36fb0b5006dce17ed5eda305fdd796ee49c61d6b |
| SHA256 | 8eff538637551ad45a67a2230e33636fce248d0badf9df0b0cfba00fe0c52dc6 |
| SHA512 | 737a591930a33e9a2078f33b0bd3adb0c0a9ef877eebfe13093a074acfe7d474b1f6e541cabaca867b031d79979f86674ae47f70575a815b168e56a54de6afea |