Analysis Overview
SHA256
6bbcf743fa00cfa33aa60a923d319850111d610b44cfdbe1b5dc6c672f177a8f
Threat Level: Known bad
The file 6bbcf743fa00cfa33aa60a923d319850111d610b44cfdbe1b5dc6c672f177a8f was found to be: Known bad.
Malicious Activity Summary
Laplas Clipper
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Loads dropped DLL
Checks BIOS information in registry
Executes dropped EXE
Checks whether UAC is enabled
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
GoLang User-Agent
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-07-22 22:13
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-22 22:13
Reported
2023-07-22 22:18
Platform
win7-20230712-en
Max time kernel
270s
Max time network
281s
Command Line
Signatures
Laplas Clipper
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\6bbcf743fa00cfa33aa60a923d319850111d610b44cfdbe1b5dc6c672f177a8f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\6bbcf743fa00cfa33aa60a923d319850111d610b44cfdbe1b5dc6c672f177a8f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\6bbcf743fa00cfa33aa60a923d319850111d610b44cfdbe1b5dc6c672f177a8f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6bbcf743fa00cfa33aa60a923d319850111d610b44cfdbe1b5dc6c672f177a8f.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\6bbcf743fa00cfa33aa60a923d319850111d610b44cfdbe1b5dc6c672f177a8f.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\6bbcf743fa00cfa33aa60a923d319850111d610b44cfdbe1b5dc6c672f177a8f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6bbcf743fa00cfa33aa60a923d319850111d610b44cfdbe1b5dc6c672f177a8f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1508 wrote to memory of 1248 | N/A | C:\Users\Admin\AppData\Local\Temp\6bbcf743fa00cfa33aa60a923d319850111d610b44cfdbe1b5dc6c672f177a8f.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
| PID 1508 wrote to memory of 1248 | N/A | C:\Users\Admin\AppData\Local\Temp\6bbcf743fa00cfa33aa60a923d319850111d610b44cfdbe1b5dc6c672f177a8f.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
| PID 1508 wrote to memory of 1248 | N/A | C:\Users\Admin\AppData\Local\Temp\6bbcf743fa00cfa33aa60a923d319850111d610b44cfdbe1b5dc6c672f177a8f.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\6bbcf743fa00cfa33aa60a923d319850111d610b44cfdbe1b5dc6c672f177a8f.exe
"C:\Users\Admin\AppData\Local\Temp\6bbcf743fa00cfa33aa60a923d319850111d610b44cfdbe1b5dc6c672f177a8f.exe"
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lpls.tuktuk.ug | udp |
| NL | 45.66.230.149:80 | lpls.tuktuk.ug | tcp |
Files
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| Hash | Value |
| --- | --- |
| MD5 | ce498ed5533a00e29b88e8111186dbd7 |
| SHA1 | fd39271a61c786fdf47feb4f80935554835b44e7 |
| SHA256 | d761cc365e5cde907122d738e607b226795740c4d7f1b01194894ff67c68e967 |
| SHA512 | a4499605605235a63a77e1b1cc3101840fe771f6d55c4402a98d3d078dd151ecdb45c44cb4650906d4dd4fa8df39c2dd0eb20bf82a7e60ab4b0266c14def7f5b |
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-22 22:13
Reported
2023-07-22 22:18
Platform
win10-20230703-en
Max time kernel
300s
Max time network
257s
Command Line
Signatures
Laplas Clipper
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\6bbcf743fa00cfa33aa60a923d319850111d610b44cfdbe1b5dc6c672f177a8f.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\6bbcf743fa00cfa33aa60a923d319850111d610b44cfdbe1b5dc6c672f177a8f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\6bbcf743fa00cfa33aa60a923d319850111d610b44cfdbe1b5dc6c672f177a8f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\6bbcf743fa00cfa33aa60a923d319850111d610b44cfdbe1b5dc6c672f177a8f.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\6bbcf743fa00cfa33aa60a923d319850111d610b44cfdbe1b5dc6c672f177a8f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6bbcf743fa00cfa33aa60a923d319850111d610b44cfdbe1b5dc6c672f177a8f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4340 wrote to memory of 4976 | N/A | C:\Users\Admin\AppData\Local\Temp\6bbcf743fa00cfa33aa60a923d319850111d610b44cfdbe1b5dc6c672f177a8f.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
| PID 4340 wrote to memory of 4976 | N/A | C:\Users\Admin\AppData\Local\Temp\6bbcf743fa00cfa33aa60a923d319850111d610b44cfdbe1b5dc6c672f177a8f.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\6bbcf743fa00cfa33aa60a923d319850111d610b44cfdbe1b5dc6c672f177a8f.exe
"C:\Users\Admin\AppData\Local\Temp\6bbcf743fa00cfa33aa60a923d319850111d610b44cfdbe1b5dc6c672f177a8f.exe"
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lpls.tuktuk.ug | udp |
| NL | 45.66.230.149:80 | lpls.tuktuk.ug | tcp |
| US | 8.8.8.8:53 | 149.230.66.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 224.162.46.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| Hash | Value |
| --- | --- |
| MD5 | 8a6527e423b12a2de151e79112b71081 |
| SHA1 | e54fd7bea1fe5c4f0a6ca06a577c21aca2f525ab |
| SHA256 | b5c741dbebca3bfeab8fe6430bc938cc10f93a36c6f818e0f6645f67adae55cb |
| SHA512 | 20d277d42f90be8d0e8db9ce5c822cce2825b25f12945aae130475327499cd1fea5b7f46bcd204821a4c61a5b3376c712a682b4710cca665346a48cc06a1832d |