Analysis Overview
SHA256
17ca2de661fa07dd83a55a5005c61eb8aee1e9cab56e9a13bc36a27f4b785554
Threat Level: Known bad
The file 18658dec7775fa53f081b892d6a2b027.exe was found to be: Known bad.
Malicious Activity Summary
Laplas Clipper
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Executes dropped EXE
Checks BIOS information in registry
Loads dropped DLL
Checks whether UAC is enabled
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
GoLang User-Agent
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2023-07-25 18:26
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-25 18:26
Reported
2023-07-25 18:28
Platform
win7-20230712-en
Max time kernel
139s
Max time network
151s
Signatures
Laplas Clipper
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1632 wrote to memory of 2072 | N/A | C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
| PID 1632 wrote to memory of 2072 | N/A | C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
| PID 1632 wrote to memory of 2072 | N/A | C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
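The signature tables above (and the matching ones in the behavioral2 run) are the sandbox's rendering of raw registry and process events. The following is an added example, not the sandbox's own rule code and not anything from the sample: it transcribes the behavioral1 rows into a small event list and re-derives each signature from them, so the exact registry paths behind "anti-VM", "BIOS check", "UAC check" and "Run key" are visible as matching logic rather than labels. The rule names and the extra "user-writable directory" check are my own; the event rows are copied from the report.

```python
"""
Re-derive this report's behavioural signatures from raw sandbox events.
Added example (not the sandbox's own rule code); the event rows are transcribed
from the behavioral1 tables above and the matching logic is one reading of what
each signature name implies.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    action: str        # "Key opened", "Key value queried", "Set value (str)", "WriteProcessMemory"
    indicator: str     # registry path (plus ' = "data"' for value sets); "" for memory writes
    process: str       # image path of the acting process
    target: str = ""   # image path of the written process (WriteProcessMemory only)


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe"

# Transcribed from the behavioral1 (win7) run; the win10 run differs only in SID and PIDs.
EVENTS = [
    Event("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", SAMPLE),
    Event("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", DROPPED),
    Event("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", SAMPLE),
    Event("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", SAMPLE),
    Event("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", DROPPED),
    Event("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", DROPPED),
    Event("Set value (str)",
          r"\REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000"
          r"\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem"
          r' = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"', SAMPLE),
    Event("Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", SAMPLE),
    Event("Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", DROPPED),
    Event("WriteProcessMemory", "", SAMPLE, DROPPED),
]

# '<key>\<name> = "<data>"' is how the sandbox renders a string value set; data has doubled backslashes.
RUN_VALUE_RE = re.compile(r'^(?P<key>.*\\CurrentVersion\\Run)\\(?P<name>[^\\=]+) = "(?P<data>.*)"$', re.IGNORECASE)

# Directories a standard user can write to; a Run entry pointing here is the classic dropper pattern.
USER_WRITABLE = ("\\APPDATA\\ROAMING\\", "\\APPDATA\\LOCAL\\", "\\PROGRAMDATA\\", "\\PUBLIC\\")


def parse_run_value(indicator: str):
    """Split a rendered Run-key write into (key path, value name, unescaped data), or None."""
    m = RUN_VALUE_RE.match(indicator)
    if not m:
        return None
    return m.group("key"), m.group("name"), m.group("data").replace("\\\\", "\\")


def evaluate(events) -> dict[str, set[str]]:
    """Map each signature name to the set of processes that triggered it."""
    hits: dict[str, set[str]] = defaultdict(set)
    for e in events:
        ind = e.indicator.upper()
        if e.action == "Key opened" and ind.endswith("\\HARDWARE\\ACPI\\DSDT\\VBOX__"):
            hits["Identifies VirtualBox via ACPI registry values"].add(e.process)
        elif e.action == "Key value queried" and "\\HARDWARE\\DESCRIPTION\\SYSTEM\\" in ind \
                and ind.endswith(("\\SYSTEMBIOSVERSION", "\\VIDEOBIOSVERSION")):
            hits["Checks BIOS information in registry"].add(e.process)
        elif e.action == "Key value queried" and ind.endswith("\\POLICIES\\SYSTEM\\ENABLELUA"):
            hits["Checks whether UAC is enabled"].add(e.process)
        elif e.action.startswith("Set value"):
            parsed = parse_run_value(e.indicator)
            if parsed:
                _key, _name, data = parsed
                hits["Adds Run key to start application"].add(e.process)
                if any(p in data.upper() for p in USER_WRITABLE):
                    hits["Run key targets a user-writable directory"].add(e.process)
        elif e.action == "WriteProcessMemory" and e.target and e.target != e.process:
            hits["Suspicious use of WriteProcessMemory"].add(e.process)
    return dict(hits)


if __name__ == "__main__":
    for name, procs in evaluate(EVENTS).items():
        print(f"{name}:")
        for p in sorted(procs):
            print(f"    {p}")
```

Both the original sample and the dropped `ntlhost.exe` trigger the VirtualBox, BIOS and UAC checks, which is consistent with the dropped file being the same Go binary re-running its own environment checks; only the first-stage process writes the Run key and writes into the child. The `EnableLUA` query on its own is weak evidence (installers read it too); it is the co-occurrence with the other rows that makes the cluster worth alerting on.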
Processes
C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe
"C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe"
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | lpls.tuktuk.ug | udp |
| NL | 45.66.230.149:80 | lpls.tuktuk.ug | tcp |
Files
memory/1632-54-0x0000000000010000-0x0000000000795000-memory.dmp
memory/1632-55-0x0000000077170000-0x0000000077319000-memory.dmp
memory/1632-56-0x0000000000010000-0x0000000000795000-memory.dmp
memory/1632-57-0x0000000000010000-0x0000000000795000-memory.dmp
memory/1632-59-0x0000000000010000-0x0000000000795000-memory.dmp
memory/1632-58-0x0000000000010000-0x0000000000795000-memory.dmp
memory/1632-60-0x0000000000010000-0x0000000000795000-memory.dmp
memory/1632-61-0x0000000000010000-0x0000000000795000-memory.dmp
memory/1632-62-0x0000000000010000-0x0000000000795000-memory.dmp
memory/1632-64-0x0000000000010000-0x0000000000795000-memory.dmp
memory/1632-63-0x0000000000010000-0x0000000000795000-memory.dmp
memory/1632-65-0x0000000000010000-0x0000000000795000-memory.dmp
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | 8bf956a7e2563b9d7da937485d01b77c |
| SHA1 | 14bfd31f2f4dd71e20d9912b5adc3d3be60a04f2 |
| SHA256 | b1d42b6b932e0542ee16ad3ee61ebe698d132d5ac49a82892f89955921a29183 |
| SHA512 | c82bed37eb6a93a8c5d5f25e1dce97383b8b18234870bd8e4d35cf63f67ced20c17b12d76bbd59e6fd83fef6b970dee7f85b032e847256f60dd2359c89f64928 |
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | 8bf956a7e2563b9d7da937485d01b77c |
| SHA1 | 14bfd31f2f4dd71e20d9912b5adc3d3be60a04f2 |
| SHA256 | b1d42b6b932e0542ee16ad3ee61ebe698d132d5ac49a82892f89955921a29183 |
| SHA512 | c82bed37eb6a93a8c5d5f25e1dce97383b8b18234870bd8e4d35cf63f67ced20c17b12d76bbd59e6fd83fef6b970dee7f85b032e847256f60dd2359c89f64928 |
memory/1632-70-0x0000000028670000-0x0000000028DF5000-memory.dmp
memory/2072-72-0x0000000000A40000-0x00000000011C5000-memory.dmp
memory/1632-73-0x0000000000010000-0x0000000000795000-memory.dmp
memory/1632-74-0x0000000077170000-0x0000000077319000-memory.dmp
memory/2072-75-0x0000000077170000-0x0000000077319000-memory.dmp
memory/2072-76-0x0000000000A40000-0x00000000011C5000-memory.dmp
memory/2072-77-0x0000000000A40000-0x00000000011C5000-memory.dmp
memory/2072-78-0x0000000000A40000-0x00000000011C5000-memory.dmp
memory/2072-79-0x0000000000A40000-0x00000000011C5000-memory.dmp
memory/2072-80-0x0000000000A40000-0x00000000011C5000-memory.dmp
memory/2072-81-0x0000000000A40000-0x00000000011C5000-memory.dmp
memory/2072-82-0x0000000000A40000-0x00000000011C5000-memory.dmp
memory/2072-83-0x0000000000A40000-0x00000000011C5000-memory.dmp
memory/2072-84-0x0000000000A40000-0x00000000011C5000-memory.dmp
memory/2072-85-0x0000000000A40000-0x00000000011C5000-memory.dmp
memory/2072-86-0x0000000000A40000-0x00000000011C5000-memory.dmp
memory/2072-87-0x0000000000A40000-0x00000000011C5000-memory.dmp
memory/2072-88-0x0000000077170000-0x0000000077319000-memory.dmp
memory/2072-89-0x0000000000A40000-0x00000000011C5000-memory.dmp
memory/2072-90-0x0000000000A40000-0x00000000011C5000-memory.dmp
memory/2072-91-0x0000000000A40000-0x00000000011C5000-memory.dmp
memory/2072-92-0x0000000000A40000-0x00000000011C5000-memory.dmp
memory/2072-93-0x0000000000A40000-0x00000000011C5000-memory.dmp
memory/2072-94-0x0000000000A40000-0x00000000011C5000-memory.dmp
memory/2072-97-0x0000000000A40000-0x00000000011C5000-memory.dmp
memory/2072-98-0x0000000000A40000-0x00000000011C5000-memory.dmp
memory/2072-99-0x0000000000A40000-0x00000000011C5000-memory.dmp
memory/2072-100-0x0000000000A40000-0x00000000011C5000-memory.dmp
memory/2072-101-0x0000000000A40000-0x00000000011C5000-memory.dmp
memory/2072-102-0x0000000000A40000-0x00000000011C5000-memory.dmp
memory/2072-103-0x0000000000A40000-0x00000000011C5000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-25 18:26
Reported
2023-07-25 18:28
Platform
win10v2004-20230703-en
Max time kernel
142s
Max time network
156s
Signatures
Laplas Clipper
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3492 wrote to memory of 380 | N/A | C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
| PID 3492 wrote to memory of 380 | N/A | C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe
"C:\Users\Admin\AppData\Local\Temp\18658dec7775fa53f081b892d6a2b027.exe"
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.210.247.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lpls.tuktuk.ug | udp |
| NL | 45.66.230.149:80 | lpls.tuktuk.ug | tcp |
| US | 8.8.8.8:53 | 149.230.66.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.74.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 224.162.46.104.in-addr.arpa | udp |
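Both runs resolve `lpls.tuktuk.ug` and connect to 45.66.230.149:80 with the `Go-http-client/1.1` User-Agent, and the win10 run additionally issues a PTR lookup for that address (`149.230.66.45.in-addr.arpa`); the other PTR queries in this table have no counterpart in the win7 run and are not treated as indicators here. Note also that the dropped `ntlhost.exe` has a different hash in each run (SHA256 `b1d42b…` on win7, `59747e…` on win10), so the file hashes are weak indicators compared with the drop path, the `NTSystem` Run value and the network endpoints. The following is an added example, not code from the sandbox or from the sample: it hunts for the network indicators from both Network tables in exported HTTP-proxy and DNS logs. The JSON-lines log format, the sample records and the `GO_UA_ALLOWLIST` contents are constructed for the demonstration.

```python
"""
Hunt for this sample's network indicators in exported HTTP-proxy and DNS logs.
Added example, not code from the sandbox or from the malware.  The log lines
below are constructed for the demonstration (JSON lines with a "kind" field);
the indicators themselves come from the Network tables in the report.
"""
from __future__ import annotations

import json
from collections import Counter

# From the report: the C2 host and the address it resolved to in both runs.
IOC_DOMAINS = {"lpls.tuktuk.ug"}
IOC_IPS = {"45.66.230.149"}

# Go's net/http default User-Agent; the report shows "Go-http-client/1.1".
GO_UA_PREFIX = "Go-http-client/"

# Hosts where a bare Go client UA is normal in this (assumed) environment.
# Tune per site; an empty allowlist makes every Go UA a finding.
GO_UA_ALLOWLIST = {"proxy.golang.org", "github.com"}


def ptr_to_ip(name: str):
    """'149.230.66.45.in-addr.arpa' -> '45.66.230.149'; None for anything else."""
    name = name.lower().rstrip(".")
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def classify(rec: dict) -> list[str]:
    """Return the reasons a single log record matches, in a fixed order."""
    reasons = []
    kind = rec.get("kind")
    if kind == "http":
        host = (rec.get("host") or "").lower().rstrip(".")
        if host in IOC_DOMAINS:
            reasons.append("ioc-domain")
        if rec.get("dst_ip") in IOC_IPS:
            reasons.append("ioc-ip")
        ua = rec.get("user_agent") or ""
        if ua.startswith(GO_UA_PREFIX) and host not in GO_UA_ALLOWLIST:
            reasons.append("go-ua-unexpected")
    elif kind == "dns":
        query = (rec.get("query") or "").lower().rstrip(".")
        if query in IOC_DOMAINS:
            reasons.append("ioc-domain")
        # The win10 run also reverse-resolved the C2 address; catch that PTR lookup.
        if ptr_to_ip(query) in IOC_IPS:
            reasons.append("ptr-of-ioc-ip")
    return reasons


def hunt(lines) -> list[dict]:
    """Scan JSON-lines records; unparsable lines are skipped rather than fatal."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        reasons = classify(rec)
        if reasons:
            findings.append({"line": n, "src_ip": rec.get("src_ip"), "reasons": reasons})
    return findings


def hosts_to_triage(findings) -> Counter:
    """Number of matching records per internal source address."""
    return Counter(f["src_ip"] for f in findings)


# Constructed sample log (not real traffic); 192.0.2.0/24 is documentation address space.
SAMPLE_LOG = """\
{"kind":"http","src_ip":"10.0.0.15","host":"www.example.com","dst_ip":"192.0.2.10","user_agent":"Mozilla/5.0"}
{"kind":"dns","src_ip":"10.0.0.15","query":"lpls.tuktuk.ug"}
{"kind":"http","src_ip":"10.0.0.15","host":"lpls.tuktuk.ug","dst_ip":"45.66.230.149","dst_port":80,"user_agent":"Go-http-client/1.1"}
{"kind":"http","src_ip":"10.0.0.22","host":"github.com","dst_ip":"192.0.2.20","user_agent":"Go-http-client/1.1"}
{"kind":"dns","src_ip":"10.0.0.15","query":"149.230.66.45.in-addr.arpa"}
this line is not JSON and is skipped
{"kind":"http","src_ip":"10.0.0.31","host":"","dst_ip":"45.66.230.149","dst_port":80,"user_agent":"Go-http-client/1.1"}
"""

if __name__ == "__main__":
    found = hunt(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"line {f['line']:>2} src={f['src_ip']:<10} {', '.join(f['reasons'])}")
    print("per-host:", dict(hosts_to_triage(found)))
```

The direct-to-IP request with an empty Host header (last sample record) still matches on the address, which matters because a clipper that has the resolved IP cached will not generate a fresh DNS query on every beacon. The Go User-Agent rule is deliberately low-confidence on its own and is only useful combined with an allowlist of hosts your own Go tooling talks to.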
Files
memory/3492-133-0x0000000000430000-0x0000000000BB5000-memory.dmp
memory/3492-134-0x0000000000430000-0x0000000000BB5000-memory.dmp
memory/3492-135-0x0000000000430000-0x0000000000BB5000-memory.dmp
memory/3492-136-0x0000000000430000-0x0000000000BB5000-memory.dmp
memory/3492-137-0x0000000000430000-0x0000000000BB5000-memory.dmp
memory/3492-138-0x0000000000430000-0x0000000000BB5000-memory.dmp
memory/3492-139-0x0000000000430000-0x0000000000BB5000-memory.dmp
memory/3492-140-0x0000000000430000-0x0000000000BB5000-memory.dmp
memory/3492-141-0x0000000000430000-0x0000000000BB5000-memory.dmp
memory/3492-142-0x0000000000430000-0x0000000000BB5000-memory.dmp
memory/3492-143-0x0000000000430000-0x0000000000BB5000-memory.dmp
memory/3492-144-0x00007FFD3E4F0000-0x00007FFD3E6E5000-memory.dmp
memory/3492-146-0x0000000000430000-0x0000000000BB5000-memory.dmp
memory/3492-148-0x00007FFD3E4F0000-0x00007FFD3E6E5000-memory.dmp
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | ae919c6d9908bdb9de550f741b11c598 |
| SHA1 | 89a6d400794ab29593cdb343f55444ad23dab0ac |
| SHA256 | 59747edc68011449b7d8141240db614e5bbb101054a9e785465135a9e8589d59 |
| SHA512 | 55bbef3b5476838a67936c614d91207f759b2f01e3ee43cf8e6be690d8f833f49686b721fec83dbe78456cea073f52456045ae8fdf055218f54e93b28cc8febb |
memory/3492-151-0x0000000000430000-0x0000000000BB5000-memory.dmp
memory/380-153-0x0000000000BD0000-0x0000000001355000-memory.dmp
memory/3492-154-0x00007FFD3E4F0000-0x00007FFD3E6E5000-memory.dmp
memory/380-155-0x0000000000BD0000-0x0000000001355000-memory.dmp
memory/380-156-0x0000000000BD0000-0x0000000001355000-memory.dmp
memory/380-157-0x0000000000BD0000-0x0000000001355000-memory.dmp
memory/380-158-0x0000000000BD0000-0x0000000001355000-memory.dmp
memory/380-159-0x0000000000BD0000-0x0000000001355000-memory.dmp
memory/380-160-0x0000000000BD0000-0x0000000001355000-memory.dmp
memory/380-161-0x0000000000BD0000-0x0000000001355000-memory.dmp
memory/380-162-0x0000000000BD0000-0x0000000001355000-memory.dmp
memory/380-163-0x0000000000BD0000-0x0000000001355000-memory.dmp
memory/380-164-0x0000000000BD0000-0x0000000001355000-memory.dmp
memory/380-165-0x0000000000BD0000-0x0000000001355000-memory.dmp
memory/380-166-0x00007FFD3E4F0000-0x00007FFD3E6E5000-memory.dmp
memory/380-167-0x0000000000BD0000-0x0000000001355000-memory.dmp
memory/380-168-0x0000000000BD0000-0x0000000001355000-memory.dmp
memory/380-169-0x0000000000BD0000-0x0000000001355000-memory.dmp
memory/380-170-0x0000000000BD0000-0x0000000001355000-memory.dmp
memory/380-171-0x00007FFD3E4F0000-0x00007FFD3E6E5000-memory.dmp
memory/380-172-0x0000000000BD0000-0x0000000001355000-memory.dmp
memory/380-174-0x0000000000BD0000-0x0000000001355000-memory.dmp
memory/380-175-0x0000000000BD0000-0x0000000001355000-memory.dmp
memory/380-176-0x0000000000BD0000-0x0000000001355000-memory.dmp
memory/380-177-0x0000000000BD0000-0x0000000001355000-memory.dmp
memory/380-178-0x0000000000BD0000-0x0000000001355000-memory.dmp
memory/380-179-0x0000000000BD0000-0x0000000001355000-memory.dmp
memory/380-180-0x0000000000BD0000-0x0000000001355000-memory.dmp
memory/380-181-0x0000000000BD0000-0x0000000001355000-memory.dmp
memory/380-182-0x0000000000BD0000-0x0000000001355000-memory.dmp