Analysis Overview
SHA256
b6e2f26fea81267dc7b39b4f919083c8c8be5ff233a5c3acca6e1339d5bb21e2
Threat Level: Known bad
The file b30e29bccabab032c27910210d9ccf76.exe was found to be: Known bad.
Malicious Activity Summary
Laplas Clipper
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
GoLang User-Agent
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-07-31 07:25
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-31 07:25
Reported
2023-07-31 07:27
Platform
win7-20230712-en
Max time kernel
133s
Max time network
150s
Command Line
Signatures
Laplas Clipper
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2236 wrote to memory of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
| PID 2236 wrote to memory of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
| PID 2236 wrote to memory of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe | "C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe" |
| C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | lpls.tuktuk.ug | udp |
| NL | 45.66.230.149:80 | lpls.tuktuk.ug | tcp |
Files
memory/2236-54-0x0000000001200000-0x0000000001A9B000-memory.dmp
memory/2236-55-0x0000000077C50000-0x0000000077DF9000-memory.dmp
memory/2236-56-0x0000000001200000-0x0000000001A9B000-memory.dmp
memory/2236-57-0x0000000001200000-0x0000000001A9B000-memory.dmp
memory/2236-58-0x0000000001200000-0x0000000001A9B000-memory.dmp
memory/2236-59-0x0000000001200000-0x0000000001A9B000-memory.dmp
memory/2236-60-0x0000000001200000-0x0000000001A9B000-memory.dmp
memory/2236-61-0x0000000001200000-0x0000000001A9B000-memory.dmp
memory/2236-62-0x0000000001200000-0x0000000001A9B000-memory.dmp
memory/2236-63-0x0000000001200000-0x0000000001A9B000-memory.dmp
memory/2236-64-0x0000000001200000-0x0000000001A9B000-memory.dmp
memory/2236-65-0x0000000001200000-0x0000000001A9B000-memory.dmp
memory/2236-67-0x0000000001200000-0x0000000001A9B000-memory.dmp
memory/2236-68-0x0000000001200000-0x0000000001A9B000-memory.dmp
memory/2236-69-0x0000000077C50000-0x0000000077DF9000-memory.dmp
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| Hash | Value |
| --- | --- |
| MD5 | bfb87a1f1c538ea46f6d7bf27209a569 |
| SHA1 | 3a5c83fbd953c5c3151d3e2e3257348922f2ca4e |
| SHA256 | 75b5a9691ee04870c1f839bfbd29a5a7366df72a6a43ad6d8b8b23fc4daf43ee |
| SHA512 | 6f717e47f3bb10d3e017b7e7a2b30c023fedf4da2488480a39d09033b7773f8f630f80694f59607d712de4a98210eed35a9a87ad3dca8e108392eae2cd57d093 |
memory/2236-73-0x00000000287C0000-0x000000002905B000-memory.dmp
memory/2236-75-0x0000000001200000-0x0000000001A9B000-memory.dmp
memory/2236-74-0x0000000001200000-0x0000000001A9B000-memory.dmp
memory/3068-76-0x0000000000140000-0x00000000009DB000-memory.dmp
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| Hash | Value |
| --- | --- |
| MD5 | 8f320a6035f69581344c57721fac9a12 |
| SHA1 | d3bb8d942e3e0bd00707d410b8d0f364ae5b32ee |
| SHA256 | f11b63d8498c3601f5c5a5023c1e4640a1866c0932bdd1189ae5fdd3b33eb2e3 |
| SHA512 | e4f830fb88e4948dff7b7ec1d715288a172b832955737ce7dbdfeea4210555382afa48447f65710ba347ef011ac43758072847769d97de8e7b642d4bbcb61bd6 |
memory/2236-77-0x0000000077C50000-0x0000000077DF9000-memory.dmp
memory/3068-78-0x0000000077C50000-0x0000000077DF9000-memory.dmp
memory/3068-79-0x0000000000140000-0x00000000009DB000-memory.dmp
memory/3068-80-0x0000000000140000-0x00000000009DB000-memory.dmp
memory/3068-81-0x0000000000140000-0x00000000009DB000-memory.dmp
memory/3068-82-0x0000000000140000-0x00000000009DB000-memory.dmp
memory/3068-83-0x0000000000140000-0x00000000009DB000-memory.dmp
memory/3068-84-0x0000000000140000-0x00000000009DB000-memory.dmp
memory/3068-85-0x0000000000140000-0x00000000009DB000-memory.dmp
memory/3068-86-0x0000000000140000-0x00000000009DB000-memory.dmp
memory/3068-87-0x0000000000140000-0x00000000009DB000-memory.dmp
memory/3068-88-0x0000000000140000-0x00000000009DB000-memory.dmp
memory/3068-89-0x0000000000140000-0x00000000009DB000-memory.dmp
memory/3068-90-0x0000000000140000-0x00000000009DB000-memory.dmp
memory/3068-91-0x0000000077C50000-0x0000000077DF9000-memory.dmp
memory/3068-92-0x0000000000140000-0x00000000009DB000-memory.dmp
memory/3068-93-0x0000000000140000-0x00000000009DB000-memory.dmp
memory/3068-94-0x0000000000140000-0x00000000009DB000-memory.dmp
memory/3068-95-0x0000000000140000-0x00000000009DB000-memory.dmp
memory/3068-96-0x0000000000140000-0x00000000009DB000-memory.dmp
memory/3068-97-0x0000000000140000-0x00000000009DB000-memory.dmp
memory/3068-100-0x0000000000140000-0x00000000009DB000-memory.dmp
memory/3068-101-0x0000000000140000-0x00000000009DB000-memory.dmp
memory/3068-102-0x0000000000140000-0x00000000009DB000-memory.dmp
memory/3068-103-0x0000000000140000-0x00000000009DB000-memory.dmp
memory/3068-104-0x0000000000140000-0x00000000009DB000-memory.dmp
memory/3068-105-0x0000000000140000-0x00000000009DB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-31 07:25
Reported
2023-07-31 07:27
Platform
win10v2004-20230703-en
Max time kernel
150s
Max time network
157s
Command Line
Signatures
Laplas Clipper
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4624 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
| PID 4624 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe | "C:\Users\Admin\AppData\Local\Temp\b30e29bccabab032c27910210d9ccf76.exe" |
| C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lpls.tuktuk.ug | udp |
| NL | 45.66.230.149:80 | lpls.tuktuk.ug | tcp |
| US | 8.8.8.8:53 | 149.230.66.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.178.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.151.224.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
Files
memory/4624-133-0x00000000000F0000-0x000000000098B000-memory.dmp
memory/4624-134-0x00007FF95DBF0000-0x00007FF95DDE5000-memory.dmp
memory/4624-135-0x00000000000F0000-0x000000000098B000-memory.dmp
memory/4624-136-0x00000000000F0000-0x000000000098B000-memory.dmp
memory/4624-137-0x00000000000F0000-0x000000000098B000-memory.dmp
memory/4624-138-0x00000000000F0000-0x000000000098B000-memory.dmp
memory/4624-139-0x00000000000F0000-0x000000000098B000-memory.dmp
memory/4624-140-0x00000000000F0000-0x000000000098B000-memory.dmp
memory/4624-141-0x00000000000F0000-0x000000000098B000-memory.dmp
memory/4624-142-0x00000000000F0000-0x000000000098B000-memory.dmp
memory/4624-143-0x00000000000F0000-0x000000000098B000-memory.dmp
memory/4624-144-0x00000000000F0000-0x000000000098B000-memory.dmp
memory/4624-146-0x00000000000F0000-0x000000000098B000-memory.dmp
memory/4624-147-0x00007FF95DBF0000-0x00007FF95DDE5000-memory.dmp
memory/4624-150-0x00000000000F0000-0x000000000098B000-memory.dmp
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| Hash | Value |
| --- | --- |
| MD5 | b71a746434cf121bc49b19759cca27c2 |
| SHA1 | c2e39f10194ba5f876b91371590e70d6bf9bd75f |
| SHA256 | 7fc0a1e1cd3e3245cf851477bfde98e4b1b5bc5c344dfa876b4a22c09ff9b898 |
| SHA512 | e8aee8f2697f069f9a9471565f91eb877714c2ccc08286ad233ac7631efff7023d9e488dfebbd24dac60472a25d8b05a25df363be671eb9550527edef9a2a5cd |
memory/2040-152-0x0000000000930000-0x00000000011CB000-memory.dmp
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| Hash | Value |
| --- | --- |
| MD5 | b71a746434cf121bc49b19759cca27c2 |
| SHA1 | c2e39f10194ba5f876b91371590e70d6bf9bd75f |
| SHA256 | 7fc0a1e1cd3e3245cf851477bfde98e4b1b5bc5c344dfa876b4a22c09ff9b898 |
| SHA512 | e8aee8f2697f069f9a9471565f91eb877714c2ccc08286ad233ac7631efff7023d9e488dfebbd24dac60472a25d8b05a25df363be671eb9550527edef9a2a5cd |
memory/4624-153-0x00007FF95DBF0000-0x00007FF95DDE5000-memory.dmp
memory/2040-154-0x0000000000930000-0x00000000011CB000-memory.dmp
memory/2040-155-0x00007FF95DBF0000-0x00007FF95DDE5000-memory.dmp
memory/2040-156-0x0000000000930000-0x00000000011CB000-memory.dmp
memory/2040-157-0x0000000000930000-0x00000000011CB000-memory.dmp
memory/2040-158-0x0000000000930000-0x00000000011CB000-memory.dmp
memory/2040-159-0x0000000000930000-0x00000000011CB000-memory.dmp
memory/2040-160-0x0000000000930000-0x00000000011CB000-memory.dmp
memory/2040-161-0x0000000000930000-0x00000000011CB000-memory.dmp
memory/2040-162-0x0000000000930000-0x00000000011CB000-memory.dmp
memory/2040-163-0x0000000000930000-0x00000000011CB000-memory.dmp
memory/2040-164-0x0000000000930000-0x00000000011CB000-memory.dmp
memory/2040-165-0x0000000000930000-0x00000000011CB000-memory.dmp
memory/2040-166-0x0000000000930000-0x00000000011CB000-memory.dmp
memory/2040-167-0x0000000000930000-0x00000000011CB000-memory.dmp
memory/2040-168-0x0000000000930000-0x00000000011CB000-memory.dmp
memory/2040-169-0x00007FF95DBF0000-0x00007FF95DDE5000-memory.dmp
memory/2040-170-0x0000000000930000-0x00000000011CB000-memory.dmp
memory/2040-171-0x0000000000930000-0x00000000011CB000-memory.dmp
memory/2040-173-0x0000000000930000-0x00000000011CB000-memory.dmp
memory/2040-174-0x0000000000930000-0x00000000011CB000-memory.dmp
memory/2040-175-0x0000000000930000-0x00000000011CB000-memory.dmp
memory/2040-176-0x0000000000930000-0x00000000011CB000-memory.dmp
memory/2040-177-0x0000000000930000-0x00000000011CB000-memory.dmp
memory/2040-178-0x0000000000930000-0x00000000011CB000-memory.dmp
memory/2040-179-0x0000000000930000-0x00000000011CB000-memory.dmp
memory/2040-180-0x0000000000930000-0x00000000011CB000-memory.dmp
memory/2040-181-0x0000000000930000-0x00000000011CB000-memory.dmp
memory/2040-182-0x0000000000930000-0x00000000011CB000-memory.dmp