Analysis Overview
SHA256
223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e
Threat Level: Known bad
The file 223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e was found to be: Known bad.
Malicious Activity Summary
Laplas Clipper
RedLine
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Checks BIOS information in registry
Themida packer
Executes dropped EXE
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
GoLang User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-07-30 12:15
Signatures
Themida packer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-30 12:15
Reported
2023-07-30 12:18
Platform
win10v2004-20230703-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Laplas Clipper
RedLine
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Notepod.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1884 set thread context of 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
GoLang User-Agent
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe
"C:\Users\Admin\AppData\Local\Temp\223f8d67c784e3f6cc85c721dd718af53510f6884dbc1ea4dd328cc26da03f5e.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\Notepod.exe
"C:\Users\Admin\AppData\Local\Temp\Notepod.exe"
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rc3007.tuktuk.ug | udp |
| NL | 85.209.3.9:11290 | rc3007.tuktuk.ug | tcp |
| US | 8.8.8.8:53 | 9.3.209.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| NL | 45.66.230.149:80 | 45.66.230.149 | tcp |
| US | 8.8.8.8:53 | 149.230.66.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.141.123.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lpls.tuktuk.ug | udp |
| NL | 45.66.230.149:80 | lpls.tuktuk.ug | tcp |
| US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp |
Files
memory/1884-133-0x0000000000AD0000-0x0000000001174000-memory.dmp
memory/1884-134-0x0000000075870000-0x0000000075960000-memory.dmp
memory/1884-135-0x0000000075870000-0x0000000075960000-memory.dmp
memory/1884-136-0x0000000075870000-0x0000000075960000-memory.dmp
memory/1884-137-0x0000000075870000-0x0000000075960000-memory.dmp
memory/1884-138-0x0000000075870000-0x0000000075960000-memory.dmp
memory/1884-139-0x0000000077204000-0x0000000077206000-memory.dmp
memory/1884-143-0x0000000000AD0000-0x0000000001174000-memory.dmp
memory/1884-144-0x00000000058A0000-0x000000000593C000-memory.dmp
memory/1884-145-0x0000000000AD0000-0x0000000001174000-memory.dmp
memory/1884-146-0x0000000075870000-0x0000000075960000-memory.dmp
memory/1884-147-0x0000000075870000-0x0000000075960000-memory.dmp
memory/1884-148-0x0000000075870000-0x0000000075960000-memory.dmp
memory/1884-150-0x0000000075870000-0x0000000075960000-memory.dmp
memory/1884-151-0x0000000075870000-0x0000000075960000-memory.dmp
memory/1884-152-0x00000000034B0000-0x00000000034C5000-memory.dmp
memory/1884-153-0x00000000034B0000-0x00000000034C5000-memory.dmp
memory/1884-155-0x00000000034B0000-0x00000000034C5000-memory.dmp
memory/1884-157-0x00000000034B0000-0x00000000034C5000-memory.dmp
memory/1884-159-0x00000000034B0000-0x00000000034C5000-memory.dmp
memory/1884-161-0x00000000034B0000-0x00000000034C5000-memory.dmp
memory/1884-163-0x00000000034B0000-0x00000000034C5000-memory.dmp
memory/1884-165-0x00000000034B0000-0x00000000034C5000-memory.dmp
memory/1884-167-0x00000000034B0000-0x00000000034C5000-memory.dmp
memory/1884-169-0x00000000034B0000-0x00000000034C5000-memory.dmp
memory/1884-171-0x00000000034B0000-0x00000000034C5000-memory.dmp
memory/1884-173-0x00000000034B0000-0x00000000034C5000-memory.dmp
memory/1884-175-0x00000000034B0000-0x00000000034C5000-memory.dmp
memory/1368-176-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1368-179-0x00000000746F0000-0x0000000074EA0000-memory.dmp
memory/1884-180-0x0000000000AD0000-0x0000000001174000-memory.dmp
memory/1884-181-0x0000000075870000-0x0000000075960000-memory.dmp
memory/1368-182-0x000000000B020000-0x000000000B638000-memory.dmp
memory/1368-183-0x000000000AB50000-0x000000000AC5A000-memory.dmp
memory/1368-184-0x0000000005570000-0x0000000005580000-memory.dmp
memory/1368-185-0x000000000AA90000-0x000000000AAA2000-memory.dmp
memory/1368-186-0x000000000AAF0000-0x000000000AB2C000-memory.dmp
memory/1368-187-0x000000000AE20000-0x000000000AE96000-memory.dmp
memory/1368-188-0x000000000AF40000-0x000000000AFD2000-memory.dmp
memory/1368-189-0x000000000BBF0000-0x000000000C194000-memory.dmp
memory/1368-190-0x000000000B780000-0x000000000B7E6000-memory.dmp
memory/1368-191-0x00000000746F0000-0x0000000074EA0000-memory.dmp
memory/1368-192-0x0000000005570000-0x0000000005580000-memory.dmp
memory/1368-193-0x000000000C370000-0x000000000C532000-memory.dmp
memory/1368-194-0x000000000CA70000-0x000000000CF9C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Notepod.exe
| MD5 | b30e29bccabab032c27910210d9ccf76 |
| SHA1 | caa3927738b66c3ecc553943eabedcbbfbe4c0da |
| SHA256 | b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2 |
| SHA512 | ce8348d0547de624b1bf19804c87b1e0379d29c5fe585d0ac602f51dd1bab90649654b87ebd236eef593829757d182ae16facbd5c2710bfecc87837c63a495a8 |
memory/4100-206-0x0000000000FE0000-0x000000000187B000-memory.dmp
memory/1368-208-0x00000000746F0000-0x0000000074EA0000-memory.dmp
memory/4100-209-0x00007FFA8E6B0000-0x00007FFA8E8A5000-memory.dmp
memory/4100-210-0x0000000000FE0000-0x000000000187B000-memory.dmp
memory/4100-211-0x0000000000FE0000-0x000000000187B000-memory.dmp
memory/4100-212-0x0000000000FE0000-0x000000000187B000-memory.dmp
memory/4100-213-0x0000000000FE0000-0x000000000187B000-memory.dmp
memory/4100-214-0x0000000000FE0000-0x000000000187B000-memory.dmp
memory/4100-215-0x0000000000FE0000-0x000000000187B000-memory.dmp
memory/4100-216-0x0000000000FE0000-0x000000000187B000-memory.dmp
memory/4100-217-0x0000000000FE0000-0x000000000187B000-memory.dmp
memory/4100-218-0x0000000000FE0000-0x000000000187B000-memory.dmp
memory/4100-219-0x0000000000FE0000-0x000000000187B000-memory.dmp
memory/4100-221-0x0000000000FE0000-0x000000000187B000-memory.dmp
memory/4100-222-0x0000000000FE0000-0x000000000187B000-memory.dmp
memory/4100-223-0x00007FFA8E6B0000-0x00007FFA8E8A5000-memory.dmp
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | 35d5fd2785fbed0c5f1bb13c9e66fa9d |
| SHA1 | ce1d2035def13bb5d8b0a5a90ce09ac0a71f557a |
| SHA256 | eaf33ae6b97334c4aff43aeb43014f231eac0ac911915334f99c90da1bb0a418 |
| SHA512 | 82a7b1d8329076956f503742d4ced67e83ed7fc048ef51d535933ab061db5b473e202d06ddd19072300ea7454a5cf753f4d3670ee53a53f6a0ed61dc675379c7 |
memory/4100-226-0x0000000000FE0000-0x000000000187B000-memory.dmp
memory/4100-228-0x0000000000FE0000-0x000000000187B000-memory.dmp
memory/2232-230-0x0000000000360000-0x0000000000BFB000-memory.dmp
memory/4100-229-0x00007FFA8E6B0000-0x00007FFA8E8A5000-memory.dmp
memory/2232-231-0x00007FFA8E6B0000-0x00007FFA8E8A5000-memory.dmp
memory/2232-232-0x0000000000360000-0x0000000000BFB000-memory.dmp
memory/2232-233-0x0000000000360000-0x0000000000BFB000-memory.dmp
memory/2232-234-0x0000000000360000-0x0000000000BFB000-memory.dmp
memory/2232-235-0x0000000000360000-0x0000000000BFB000-memory.dmp
memory/2232-237-0x0000000000360000-0x0000000000BFB000-memory.dmp
memory/2232-239-0x0000000000360000-0x0000000000BFB000-memory.dmp
memory/2232-241-0x0000000000360000-0x0000000000BFB000-memory.dmp
memory/2232-242-0x0000000000360000-0x0000000000BFB000-memory.dmp
memory/2232-243-0x0000000000360000-0x0000000000BFB000-memory.dmp
memory/2232-244-0x0000000000360000-0x0000000000BFB000-memory.dmp
memory/2232-245-0x0000000000360000-0x0000000000BFB000-memory.dmp
memory/2232-246-0x0000000000360000-0x0000000000BFB000-memory.dmp
memory/2232-247-0x0000000000360000-0x0000000000BFB000-memory.dmp
memory/2232-248-0x0000000000360000-0x0000000000BFB000-memory.dmp
memory/2232-250-0x0000000000360000-0x0000000000BFB000-memory.dmp
memory/2232-251-0x0000000000360000-0x0000000000BFB000-memory.dmp
memory/2232-252-0x0000000000360000-0x0000000000BFB000-memory.dmp
memory/2232-253-0x00007FFA8E6B0000-0x00007FFA8E8A5000-memory.dmp
memory/2232-254-0x0000000000360000-0x0000000000BFB000-memory.dmp
memory/2232-255-0x0000000000360000-0x0000000000BFB000-memory.dmp