Analysis Overview
SHA256
1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05
Threat Level: Known bad
The file 1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05 was found to be: Known bad.
Malicious Activity Summary
RedLine
Laplas Clipper
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Checks BIOS information in registry
Themida packer
Executes dropped EXE
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
GoLang User-Agent
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-07-25 12:36
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-25 12:36
Reported
2023-07-25 12:39
Platform
win10-20230703-en
Max time kernel
141s
Max time network
143s
Command Line
Signatures
Laplas Clipper
RedLine
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A |
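The ACPI and BIOS lookups above are the sample's VirtualBox check: open `HKLM\HARDWARE\ACPI\DSDT\VBOX__` (present only on a VirtualBox guest) and read the `SystemBiosVersion` / `VideoBiosVersion` multi-strings for a vendor marker. The block below is an added example, not code from the sandbox, the sample or the report. It models those two lookups over constructed registry snapshots so a sandbox operator can confirm a hardened guest passes; the exact multi-string contents shown for the VirtualBox guest and the hardened guest are assumptions, only the key paths, value names and the `VBOX` marker come from the report.

```python
"""Emulate the VirtualBox registry checks recorded in the sandbox report.

Added example, not code from the sandbox or the sample. Two lookups are modelled:
  - existence of HKLM\HARDWARE\ACPI\DSDT\VBOX__ (the ACPI DSDT table name that
    VirtualBox exposes; a physical machine has the OEM's table name instead)
  - HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion and VideoBiosVersion,
    REG_MULTI_SZ values that carry a VirtualBox marker on a default guest
The snapshot contents below are constructed; the marker strings are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field

ACPI_DSDT = r"HKLM\HARDWARE\ACPI\DSDT"
SYSTEM_DESC = r"HKLM\HARDWARE\DESCRIPTION\System"
VBOX_MARKERS = ("VBOX", "VIRTUALBOX")  # compared case-insensitively


@dataclass
class RegistrySnapshot:
    """Minimal hive model: key path -> {value name -> list of strings (REG_MULTI_SZ)}."""
    keys: dict[str, dict[str, list[str]]] = field(default_factory=dict)

    def key_exists(self, path: str) -> bool:
        return path.lower() in {k.lower() for k in self.keys}

    def multi_sz(self, path: str, name: str) -> list[str]:
        for k, values in self.keys.items():
            if k.lower() == path.lower():
                return values.get(name, [])
        return []


def virtualbox_artifacts(reg: RegistrySnapshot) -> list[str]:
    """Return the artifacts the sample would observe; an empty list means 'looks physical'."""
    found: list[str] = []
    # Check 1: the sample only opens the key; existence is the signal.
    if reg.key_exists(ACPI_DSDT + r"\VBOX__"):
        found.append("ACPI\\DSDT\\VBOX__ key present")
    # Check 2: every string of both BIOS values is scanned for a marker.
    for value_name in ("SystemBiosVersion", "VideoBiosVersion"):
        for s in reg.multi_sz(SYSTEM_DESC, value_name):
            if any(m in s.upper() for m in VBOX_MARKERS):
                found.append(f"{value_name} contains {s!r}")
    return found


# Constructed snapshots (assumed strings): a default VirtualBox guest, and a
# hardened guest where the DSDT table is renamed and both BIOS values rewritten.
VBOX_GUEST = RegistrySnapshot({
    ACPI_DSDT + r"\VBOX__": {},
    SYSTEM_DESC: {
        "SystemBiosVersion": ["VBOX   - 1"],
        "VideoBiosVersion": ["Oracle VM VirtualBox Version 6.1.40 VBE Adapter"],
    },
})
HARDENED_GUEST = RegistrySnapshot({
    ACPI_DSDT + r"\DELL__": {},
    SYSTEM_DESC: {
        "SystemBiosVersion": ["DELL   - 1072009", "1.2.3"],
        "VideoBiosVersion": ["Intel Video BIOS"],
    },
})

if __name__ == "__main__":
    for name, snap in (("vbox", VBOX_GUEST), ("hardened", HARDENED_GUEST)):
        print(name, virtualbox_artifacts(snap) or "no VirtualBox artifacts")
```

Renaming the DSDT table and rewriting both BIOS values is what empties the result; spoofing only one of the three leaves an artifact that this check, and the sample's, still finds.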
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2672 set thread context of 4864 | N/A | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe | "C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Users\Admin\AppData\Local\Temp\Notepod.exe | "C:\Users\Admin\AppData\Local\Temp\Notepod.exe" |
| C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rcam25.tuktuk.ug | udp |
| NL | 85.209.3.9:11290 | rcam25.tuktuk.ug | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.2.0.0.0.0.f.6.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 9.3.209.85.in-addr.arpa | udp |
| NL | 45.66.230.149:80 | 45.66.230.149 | tcp |
| US | 8.8.8.8:53 | 149.230.66.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lpls.tuktuk.ug | udp |
| NL | 45.66.230.149:80 | lpls.tuktuk.ug | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.192.11.51.in-addr.arpa | udp |
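Taken together, the Run key value `NTSystem`, the two dropped executables and their hashes, the SetThreadContext into `AppLaunch.exe`, and the destinations in the Network table are enough for host-side hunting. The block below is an added example and not part of the sandbox output: it evaluates those indicators over Sysmon-shaped events (event IDs 1, 3, 13 and 22). The events are constructed, not captured; the rule that flags `AppLaunch.exe` started by a parent outside `C:\Windows` is an inference from the report's injection entry rather than something the report states; and because the Files section records three different hashes for `ntlhost.exe` (the sandbox captured the file at successive writes), all three are matched alongside the `Notepod.exe` hash.

```python
"""Hunt for the host and network indicators this sandbox report records.

Added example, not part of the report. Events are dicts using Sysmon field
names: EventID 1 (process create: Image, ParentImage, Hashes), 3 (network
connect: DestinationIp, DestinationPort), 13 (registry value set: TargetObject),
22 (DNS query: QueryName). SAMPLE_EVENTS are constructed for illustration.
"""
from __future__ import annotations
import re

# Indicators copied from the report.
RUN_VALUE_NAME = "NTSystem"
DROPPED_PATHS = (r"\appdata\roaming\ntsystem\ntlhost.exe", r"\appdata\local\temp\notepod.exe")
DROPPED_SHA256 = {
    "17ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554",  # Notepod.exe
    # ntlhost.exe appears three times with different hashes (successive writes)
    "40da06497a31c3953eac678a4f3928fcd8ff45f02c8ff68cff55235616152689",
    "7e632f97d194174dc85b5c0c0288dc1c3907128650b78db680fdcd0ddddb99c0",
    "98182fe5f3d58cc90d79ec5902769a0162d54bb56a8b0bb529ed48b85bb9bf3c",
}
C2_ENDPOINTS = {("85.209.3.9", 11290), ("45.66.230.149", 80)}
C2_DOMAIN_RE = re.compile(r"(^|\.)tuktuk\.ug$", re.IGNORECASE)
# Injection target from the SetThreadContext signature; parent rule is an assumption.
INJECTION_HOST = r"\microsoft.net\framework\v4.0.30319\applaunch.exe"
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\" + re.escape(RUN_VALUE_NAME) + r"$", re.IGNORECASE)


def _sha256_of(hashes_field: str) -> str:
    """Sysmon 'Hashes' is 'SHA256=...,MD5=...'; return the SHA256 part, lowercased."""
    for part in hashes_field.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def classify(event: dict) -> list[str]:
    """Return the indicator labels an event matches (empty list: nothing from this report)."""
    hits: list[str] = []
    eid = event.get("EventID")
    if eid == 1:
        image = event.get("Image", "").lower()
        parent = event.get("ParentImage", "").lower()
        if any(image.endswith(p) for p in DROPPED_PATHS):
            hits.append("dropped-exe-executed")
        if _sha256_of(event.get("Hashes", "")) in DROPPED_SHA256:
            hits.append("known-hash")
        # AppLaunch.exe is normally started from under C:\Windows; here the sample spawned it.
        if image.endswith(INJECTION_HOST) and not parent.startswith("c:\\windows\\"):
            hits.append("applaunch-uncommon-parent")
    elif eid == 3:
        dest = (event.get("DestinationIp", ""), int(event.get("DestinationPort", 0)))
        if dest in C2_ENDPOINTS:
            hits.append("c2-endpoint")
    elif eid == 13:
        if RUN_KEY_RE.search(event.get("TargetObject", "")):
            hits.append("run-key-persistence")
    elif eid == 22:
        if C2_DOMAIN_RE.search(event.get("QueryName", "")):
            hits.append("c2-domain")
    return hits


def hunt(events: list[dict]) -> list[tuple[int, str]]:
    """Flatten all matches as (EventID, label) pairs."""
    return [(e["EventID"], label) for e in events for label in classify(e)]


SAMPLE_EVENTS = [  # constructed, modelled on the report's behaviour
    {"EventID": 13, "Image": r"C:\Users\Admin\AppData\Local\Temp\Notepod.exe",
     "TargetObject": r"HKU\S-1-5-21-1766410430-2870137818-4067673745-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem",
     "Details": r"C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe"},
    {"EventID": 1, "Image": r"C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\Notepod.exe",
     "Hashes": "SHA256=98182FE5F3D58CC90D79EC5902769A0162D54BB56A8B0BB529ED48B85BB9BF3C,MD5=EC2509E3FB8E0AB52691DDC31452C5D3"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\1ed33d760f151b33b3d20bf9e6d0b722fe39cbd302ecebb5c6e3d0ee09e4ee05.exe"},
    {"EventID": 3, "DestinationIp": "85.209.3.9", "DestinationPort": 11290},
    {"EventID": 22, "QueryName": "rcam25.tuktuk.ug"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000"},
    {"EventID": 3, "DestinationIp": "8.8.8.8", "DestinationPort": "53"},
]

if __name__ == "__main__":
    for eid, label in hunt(SAMPLE_EVENTS):
        print(eid, label)
```

The endpoint and domain matches are the highest-confidence signals here; the Run value name and dropped paths are cheap for the operator to change between builds, so treat those two rules as lower-weight corroboration rather than standalone alerts.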
Files
memory/2672-117-0x0000000000990000-0x0000000001042000-memory.dmp
memory/2672-118-0x0000000075B60000-0x0000000075D22000-memory.dmp
memory/2672-119-0x0000000073A70000-0x0000000073B40000-memory.dmp
memory/2672-120-0x0000000075B60000-0x0000000075D22000-memory.dmp
memory/2672-121-0x0000000075B60000-0x0000000075D22000-memory.dmp
memory/2672-125-0x0000000000990000-0x0000000001042000-memory.dmp
memory/2672-126-0x00000000051B0000-0x000000000524C000-memory.dmp
memory/2672-127-0x0000000000990000-0x0000000001042000-memory.dmp
memory/2672-128-0x0000000075B60000-0x0000000075D22000-memory.dmp
memory/2672-129-0x0000000073A70000-0x0000000073B40000-memory.dmp
memory/2672-131-0x0000000002E40000-0x0000000002E5C000-memory.dmp
memory/2672-132-0x0000000002E40000-0x0000000002E55000-memory.dmp
memory/2672-133-0x0000000002E40000-0x0000000002E55000-memory.dmp
memory/2672-135-0x0000000002E40000-0x0000000002E55000-memory.dmp
memory/2672-137-0x0000000002E40000-0x0000000002E55000-memory.dmp
memory/2672-139-0x0000000002E40000-0x0000000002E55000-memory.dmp
memory/2672-141-0x0000000002E40000-0x0000000002E55000-memory.dmp
memory/2672-143-0x0000000002E40000-0x0000000002E55000-memory.dmp
memory/2672-145-0x0000000002E40000-0x0000000002E55000-memory.dmp
memory/2672-147-0x0000000002E40000-0x0000000002E55000-memory.dmp
memory/2672-149-0x0000000002E40000-0x0000000002E55000-memory.dmp
memory/2672-151-0x0000000002E40000-0x0000000002E55000-memory.dmp
memory/2672-153-0x0000000002E40000-0x0000000002E55000-memory.dmp
memory/2672-155-0x0000000002E40000-0x0000000002E55000-memory.dmp
memory/4864-156-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2672-161-0x0000000075B60000-0x0000000075D22000-memory.dmp
memory/2672-163-0x0000000073A70000-0x0000000073B40000-memory.dmp
memory/2672-165-0x0000000000990000-0x0000000001042000-memory.dmp
memory/4864-164-0x0000000006AC0000-0x0000000006AC6000-memory.dmp
memory/4864-166-0x00000000731C0000-0x00000000738AE000-memory.dmp
memory/4864-167-0x000000000EAA0000-0x000000000F0A6000-memory.dmp
memory/4864-168-0x000000000E5E0000-0x000000000E6EA000-memory.dmp
memory/4864-169-0x0000000009100000-0x0000000009110000-memory.dmp
memory/4864-170-0x000000000E510000-0x000000000E522000-memory.dmp
memory/4864-171-0x000000000E570000-0x000000000E5AE000-memory.dmp
memory/4864-172-0x000000000E6F0000-0x000000000E73B000-memory.dmp
memory/4864-177-0x000000000E8A0000-0x000000000E916000-memory.dmp
memory/4864-178-0x000000000E9C0000-0x000000000EA52000-memory.dmp
memory/4864-179-0x000000000F5B0000-0x000000000FAAE000-memory.dmp
memory/4864-182-0x000000000F0B0000-0x000000000F116000-memory.dmp
memory/4864-187-0x000000000FE30000-0x000000000FFF2000-memory.dmp
memory/4864-188-0x0000000010530000-0x0000000010A5C000-memory.dmp
memory/4864-303-0x00000000731C0000-0x00000000738AE000-memory.dmp
memory/4864-568-0x0000000009100000-0x0000000009110000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Notepod.exe
| MD5 | 18658dec7775fa53f081b892d6a2b027 |
| SHA1 | fa8d901c7aac70e2c37544883ce087e48c6302d1 |
| SHA256 | 17ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554 |
| SHA512 | cae5c6041b22b507ce66cb3b6509ff692b359748791aa93e006e1a700ff3cd439314823d070ff869ca4aac8fb8c2ac41d8de134bd1802693833b6cec7464f56d |
memory/4964-582-0x0000000000350000-0x0000000000AD5000-memory.dmp
memory/4864-585-0x00000000731C0000-0x00000000738AE000-memory.dmp
memory/4964-586-0x0000000000350000-0x0000000000AD5000-memory.dmp
memory/4964-587-0x0000000000350000-0x0000000000AD5000-memory.dmp
memory/4964-588-0x0000000000350000-0x0000000000AD5000-memory.dmp
memory/4964-589-0x0000000000350000-0x0000000000AD5000-memory.dmp
memory/4964-590-0x0000000000350000-0x0000000000AD5000-memory.dmp
memory/4964-591-0x0000000000350000-0x0000000000AD5000-memory.dmp
memory/4964-592-0x0000000000350000-0x0000000000AD5000-memory.dmp
memory/4964-593-0x0000000000350000-0x0000000000AD5000-memory.dmp
memory/4964-594-0x0000000000350000-0x0000000000AD5000-memory.dmp
memory/4964-595-0x0000000000350000-0x0000000000AD5000-memory.dmp
memory/4964-596-0x00007FF97B890000-0x00007FF97BA6B000-memory.dmp
memory/4964-598-0x0000000000350000-0x0000000000AD5000-memory.dmp
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | ad1349b73cd80792cbefac472b86a1b5 |
| SHA1 | 84cd400ed80c249d977b361a078cd49a0b42134f |
| SHA256 | 40da06497a31c3953eac678a4f3928fcd8ff45f02c8ff68cff55235616152689 |
| SHA512 | 7a8dab7503b44f156a625677c0286b66df557f1105ca41fe6d8b1aed510d39f38fba1566066943dddf509c3b2b0e148550bb6dea6c51b40463e1ea32ea07dbb1 |
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | 4ac4b0f3872c341ba0fb235799be72bc |
| SHA1 | a2172f6a80e514f769c7fc1aa1a38c5ca6af5199 |
| SHA256 | 7e632f97d194174dc85b5c0c0288dc1c3907128650b78db680fdcd0ddddb99c0 |
| SHA512 | 7d9bf8e31bb92c97cff48c32ec588a2f4b73d4e9ff6049a6508b933f27d863a61c9ac2e810998b1c2b70d2990f854f22875fd9af8dcc8e5e0eacb0d2be86ce95 |
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | ec2509e3fb8e0ab52691ddc31452c5d3 |
| SHA1 | 7e19e4c8c20139f071fda4ae097ab8524fda25b3 |
| SHA256 | 98182fe5f3d58cc90d79ec5902769a0162d54bb56a8b0bb529ed48b85bb9bf3c |
| SHA512 | cb9fcc066a680594ed2a95ed96e82e0a3121fad5d88c8d968a9faba8d4f2c3ad675ca72e5799aef7884cafd7665ab3735df719e088719b6f27776709c5ddba3f |
memory/4964-603-0x00007FF97B890000-0x00007FF97BA6B000-memory.dmp
memory/4964-601-0x0000000000350000-0x0000000000AD5000-memory.dmp
memory/4964-605-0x00007FF97B890000-0x00007FF97BA6B000-memory.dmp
memory/4340-604-0x0000000000050000-0x00000000007D5000-memory.dmp
memory/4340-607-0x00007FF97B890000-0x00007FF97BA6B000-memory.dmp
memory/4340-608-0x0000000000050000-0x00000000007D5000-memory.dmp
memory/4340-609-0x0000000000050000-0x00000000007D5000-memory.dmp
memory/4340-606-0x0000000000050000-0x00000000007D5000-memory.dmp
memory/4340-610-0x0000000000050000-0x00000000007D5000-memory.dmp
memory/4340-611-0x0000000000050000-0x00000000007D5000-memory.dmp
memory/4340-612-0x0000000000050000-0x00000000007D5000-memory.dmp
memory/4340-613-0x0000000000050000-0x00000000007D5000-memory.dmp
memory/4340-615-0x0000000000050000-0x00000000007D5000-memory.dmp
memory/4340-616-0x0000000000050000-0x00000000007D5000-memory.dmp
memory/4340-618-0x0000000000050000-0x00000000007D5000-memory.dmp
memory/4340-619-0x0000000000050000-0x00000000007D5000-memory.dmp
memory/4340-621-0x0000000000050000-0x00000000007D5000-memory.dmp
memory/4340-622-0x0000000000050000-0x00000000007D5000-memory.dmp
memory/4340-623-0x0000000000050000-0x00000000007D5000-memory.dmp
memory/4340-624-0x0000000000050000-0x00000000007D5000-memory.dmp
memory/4340-625-0x0000000000050000-0x00000000007D5000-memory.dmp
memory/4340-626-0x0000000000050000-0x00000000007D5000-memory.dmp
memory/4340-627-0x0000000000050000-0x00000000007D5000-memory.dmp
memory/4340-628-0x00007FF97B890000-0x00007FF97BA6B000-memory.dmp
memory/4340-629-0x0000000000050000-0x00000000007D5000-memory.dmp