Malware Analysis Report

2024-10-19 01:12

Sample ID 230730-2x5s9acf5s
Target svchost.exe
SHA256 2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8
Tags
laplas clipper persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8

Threat Level: Known bad

The file svchost.exe was found to be: Known bad.

Malicious Activity Summary

laplas clipper persistence stealer

Laplas Clipper

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

GoLang User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-30 22:58

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-30 22:58

Reported

2023-07-30 23:00

Platform

win10v2004-20230703-en

Max time kernel

32s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

Signatures

Laplas Clipper

stealer clipper laplas

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A

GoLang User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2200 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
PID 2200 wrote to memory of 1636 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
NL | 185.209.161.189:80 | 185.209.161.189 | tcp
US | 8.8.8.8:53 | 189.161.209.185.in-addr.arpa | udp
US | 8.8.8.8:53 | assets.msn.com | udp
NL | 2.19.195.216:443 | assets.msn.com | tcp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 216.195.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 160.252.72.23.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 b44581e5c6b16f3d75dbb9c735a0d5b2
SHA1 82e7d86c91cc7735bd7a59355c943c334ab615c8
SHA256 0b33bd9efe958eb414f1780ed3837bc4f7aa648d7e9a512bde416a0c70fffdb9
SHA512 d5cd3f975adcbc64b55cdf905d4ca3dfe21a36b4f553f4b6cdb8beccc65ac22cf7483df79a6733afcdd95731db55135bd0f88092a4c42e369c513bb6c12f60d8

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 f2f547fe91e285152e33d01244ac076b
SHA1 520f9829b7ed3c91eb7b465871be97d55cd81f3e
SHA256 50e1f9e65da3b3bba975a685ccfbc6e13b04244f3e1629cf71b20d80c4c50250
SHA512 287b2f6b9b5ac0038a10d0f129291c946738b74c6e8627decfd14b7345575f80bae42bd0bd6a56a75b4326d6e71871ce19a19a4f89aac0d78470743057dd5ee3

memory/3932-137-0x000001F893FD0000-0x000001F893FD1000-memory.dmp

memory/3932-138-0x000001F893FD0000-0x000001F893FD1000-memory.dmp

memory/3932-139-0x000001F893FD0000-0x000001F893FD1000-memory.dmp

memory/3932-143-0x000001F893FD0000-0x000001F893FD1000-memory.dmp

memory/3932-144-0x000001F893FD0000-0x000001F893FD1000-memory.dmp

memory/3932-145-0x000001F893FD0000-0x000001F893FD1000-memory.dmp

memory/3932-146-0x000001F893FD0000-0x000001F893FD1000-memory.dmp

memory/3932-147-0x000001F893FD0000-0x000001F893FD1000-memory.dmp

memory/3932-149-0x000001F893FD0000-0x000001F893FD1000-memory.dmp

memory/3932-148-0x000001F893FD0000-0x000001F893FD1000-memory.dmp