Analysis Overview
SHA256
2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8
Threat Level: Known bad
The file svchost.exe was found to be: Known bad.
Malicious Activity Summary
Laplas Clipper
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Unsigned PE
GoLang User-Agent
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-07-30 22:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-30 22:02
Reported
2023-07-30 22:04
Platform
win7-20230712-en
Max time kernel
120s
Max time network
139s
Command Line
Signatures
Laplas Clipper
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2056 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
Processes
| Image | Command Line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\svchost.exe | "C:\Users\Admin\AppData\Local\Temp\svchost.exe" |
| C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| NL | 185.209.161.189:80 | 185.209.161.189 | tcp |
Files
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| Hash | Value |
| --- | --- |
| MD5 | 15560bc296ebe98275dab69f5513ae6a |
| SHA1 | 9538d8a6459771ac3bbdeedfd61d2cb29a1db415 |
| SHA256 | 9b47151586b062a33693c4f2b815042d0d92675f6a49ae8c89dee0954d09cb6b |
| SHA512 | e22a89a5f64d5837262cb0cd450c7c4bc512c6e46a702247806c68707d19b46cdf34cd5f6621aa5ea7bcb7bedfde3053d4d0f4f9b6f2d9e9279c602c4f0d7957 |
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| Hash | Value |
| --- | --- |
| MD5 | 311452185ea5f73635dc04245bffd137 |
| SHA1 | 067a4dbab7612a60920811f4242a9077c9e14281 |
| SHA256 | 818b3c3898554f16c4ae48baa1e02cd7f1030e03787832a51f7f4f9c182eb9ea |
| SHA512 | f230f77031b181e07b2821522b52f5147560b27e1a44bb942e50fec5b59c78b92888a21bc8d28f9d7b38e49074bc4f1a131d18fcb36ed1b33dfba60d80e6f0fd |
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| Hash | Value |
| --- | --- |
| MD5 | e4dabe85058ba819c94d2cd8e28678a8 |
| SHA1 | 8a6f4229b7d786479709700fedb54ae0da3f0a42 |
| SHA256 | f1005820a8c55e9975075569ffb12b26fd3877a34b1b32cf5a01b4ded8798e3e |
| SHA512 | 503bda6c5313eb7e1094fd96cb0a113f45c6ef9a84c880bbb9f51b7469591daea3157e5ea437a1a8d8bfac4bc3f9a38188456871551f2602ae3af3edfb9c2465 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-30 22:02
Reported
2023-07-30 22:04
Platform
win10-20230703-en
Max time kernel
129s
Max time network
137s
Command Line
Signatures
Laplas Clipper
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4312 wrote to memory of 312 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
Processes
| Image | Command Line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\svchost.exe | "C:\Users\Admin\AppData\Local\Temp\svchost.exe" |
| C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| NL | 185.209.161.189:80 | 185.209.161.189 | tcp |
| US | 8.8.8.8:53 | 189.161.209.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| Hash | Value |
| --- | --- |
| MD5 | fadf22508bc4adf0aa23d76037b8abfb |
| SHA1 | 41427da2394a46c1f1379c5dcf7530ca105c363a |
| SHA256 | 963dba95f68b4cbaf0dd7d5e0fc7f002e1774c1cd120c7344964483b31af0c07 |
| SHA512 | 404b099b4d1082d49858c60fbb8976b70f6dc1229121ef4c41853f710b4891271676dab5922b02af83ccbe32e1495c2d7c6fd33b86652cd8b0a78a0cc76183c0 |
Analysis: behavioral3
Detonation Overview
Submitted
2023-07-30 22:02
Reported
2023-07-30 22:04
Platform
win10v2004-20230703-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Laplas Clipper
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2780 wrote to memory of 3884 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
Processes
| Image | Command Line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\svchost.exe | "C:\Users\Admin\AppData\Local\Temp\svchost.exe" |
| C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| NL | 185.209.161.189:80 | 185.209.161.189 | tcp |
| US | 8.8.8.8:53 | 189.161.209.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| Hash | Value |
| --- | --- |
| MD5 | fadf22508bc4adf0aa23d76037b8abfb |
| SHA1 | 41427da2394a46c1f1379c5dcf7530ca105c363a |
| SHA256 | 963dba95f68b4cbaf0dd7d5e0fc7f002e1774c1cd120c7344964483b31af0c07 |
| SHA512 | 404b099b4d1082d49858c60fbb8976b70f6dc1229121ef4c41853f710b4891271676dab5922b02af83ccbe32e1495c2d7c6fd33b86652cd8b0a78a0cc76183c0 |