Analysis Overview
SHA256
a82b9eff2dde393899dfa05985773fc9d124816b675019a0a8c551d9bb6d4d99
Threat Level: Known bad
The file tmp was found to be: Known bad.
Malicious Activity Summary
Laplas Clipper
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Program crash
GoLang User-Agent
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-03-17 20:25
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-17 20:25
Reported
2023-03-17 20:27
Platform
win7-20230220-en
Max time kernel
138s
Max time network
145s
Command Line
Signatures
Laplas Clipper
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1972 wrote to memory of 1316 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
| PID 1972 wrote to memory of 1316 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
| PID 1972 wrote to memory of 1316 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
| PID 1972 wrote to memory of 1316 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Network
| Country | Destination | Domain | Proto |
| NL | 45.159.189.105:80 | 45.159.189.105 | tcp |
Files
memory/1972-54-0x0000000004590000-0x000000000473A000-memory.dmp
memory/1972-55-0x0000000004740000-0x0000000004B10000-memory.dmp
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | a0baa2d4e477eb3efa90ec2a61087aae |
| SHA1 | 2802d4ba3c7c06642814f7355e4ba91bdabc0149 |
| SHA256 | 708763265421beb6f2065784633359ad042c26cd3d4951793c697efeb5a78036 |
| SHA512 | ee22f242edead83f8eac3ed55056cb75be2ed1aa2ee6ccc9e55f5761ab8bcef6f2f343e0b77fd0ba1d24aa2dde15e6ca91f328000e06253c26ae55b614e6c0d0 |
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | 5725055b7265abc35258f17fd78b3ef9 |
| SHA1 | 0352eb25a57af1950636df651e5288f60b7a6758 |
| SHA256 | b29a85bca1723a7cd5fc5b922241010b1f41616c838a36fdde0d992468fd52dc |
| SHA512 | cd2387e648ee74e5ad6208a3d0991d3e2c34fabf04c75db17c2b45d57e340bef5fc04babc37889e81f1ced0e1f4407cdedfa2bbc53f263b088128220909d17d7 |
memory/1316-64-0x0000000004550000-0x00000000046FA000-memory.dmp
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | 2ceedbfac70dbb9765733f5289a47742 |
| SHA1 | 591860b2eef6756fe60c558258bcbc9d63fd2d50 |
| SHA256 | 745ed34927ef54400d11081f85df47c2870f48e0ca7bbb8b4f377d51dbe4d0c8 |
| SHA512 | 8623df44062c54905571a9bee177559e46b6071012892198b3b4b616ef81679bbf24ccdb762a22f5a9bb872c1d01a83b70d728bd67637a9f235a3aa4a8d24af6 |
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | df1ce70355778c74b30b6b87fb476446 |
| SHA1 | 63b7c45c48d0e11149e97e2d394379069072f903 |
| SHA256 | 61b2dc5fa1768117abeadbbca982ebf57217b74dae8bb12fcaf6648c67518469 |
| SHA512 | 7640b68fc81665f8387b13905033b857e57c165a381b3f51ad2951896c9b726dac376e04fc10ab12ab526e36906b9f3f2ef2ad2b698ad5fd6c6d49cf97ac2d6e |
Analysis: behavioral2
Detonation Overview
Submitted
2023-03-17 20:25
Reported
2023-03-17 20:28
Platform
win10v2004-20230220-en
Max time kernel
153s
Max time network
159s
Command Line
Signatures
Laplas Clipper
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\tmp.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\tmp.exe |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1604 wrote to memory of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
| PID 1604 wrote to memory of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
| PID 1604 wrote to memory of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\tmp.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1604 -ip 1604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1604 -s 480
Network
| Country | Destination | Domain | Proto |
| DE | 162.19.139.184:2222 | | tcp |
| US | 8.8.8.8:53 | 210.81.184.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| NL | 45.159.189.105:80 | 45.159.189.105 | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.189.159.45.in-addr.arpa | udp |
| US | 20.189.173.6:443 | | tcp |
| US | 8.8.8.8:53 | 33.18.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.108.74.40.in-addr.arpa | udp |
| US | 93.184.220.29:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.154.139.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.238.32.23.in-addr.arpa | udp |
Files
memory/1604-134-0x0000000004C40000-0x0000000005010000-memory.dmp
memory/1604-135-0x0000000000400000-0x0000000002C8E000-memory.dmp
memory/1604-137-0x0000000000400000-0x0000000002C8E000-memory.dmp
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | f64d800c5b626846bdc6527ec2574ad5 |
| SHA1 | ae333064b24138b51c84084f543249e5e238c2e6 |
| SHA256 | ea15d2e1ff530b925f6ef6aad7c1c3cc6851efb58400a85b524d508fc4942c4a |
| SHA512 | dd8138fecb6f8bb9165e2686937ce826b6e226f0becfb3c18a77644cbed35a907d0b435704828be21e2c65f661b916c4bbeefb9a4c703338222e74abad638030 |
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | 3cb8de55db567e5b04a46dc240d29fa8 |
| SHA1 | d3840a7d22395ac41451fe56a47242a39db72e4d |
| SHA256 | 0f4437e7667a8e36ecd60f8b439baf40360d451b134de9630dd525d6ead1ad7d |
| SHA512 | 62017f91fae75fbfffc93d458a4b49e7830cf16b508f8e61e4c1922fc2690c83bf7b094577cef22ce0da417be4ade279bdc3021482f5f5484064ab393d263e5d |