Analysis Overview
SHA256
11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4c
Threat Level: Known bad
The file 3258deefff3ca70f3dfa3e67067ca611.exe was found to be: Known bad.
Malicious Activity Summary
Laplas Clipper
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
GoLang User-Agent
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-01 22:03
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-01 22:03
Reported
2023-08-01 22:05
Platform
win7-20230712-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Laplas Clipper
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3258deefff3ca70f3dfa3e67067ca611.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\3258deefff3ca70f3dfa3e67067ca611.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3258deefff3ca70f3dfa3e67067ca611.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2104 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\3258deefff3ca70f3dfa3e67067ca611.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
| PID 2104 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\3258deefff3ca70f3dfa3e67067ca611.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
| PID 2104 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\3258deefff3ca70f3dfa3e67067ca611.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\3258deefff3ca70f3dfa3e67067ca611.exe
"C:\Users\Admin\AppData\Local\Temp\3258deefff3ca70f3dfa3e67067ca611.exe"
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 206.189.229.43:80 | 206.189.229.43 | tcp |
Files
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | d56b265b9b9d9cffc7dbb2b03abc25e7 |
| SHA1 | 33b6d7b53f32a9cf573f02e5f9c2be3e71acc6db |
| SHA256 | 3fe1dea9ff1fcf9e686d10c0903c7839da6fa77f35700f8a64e8be9d87c5a3a2 |
| SHA512 | 142ff17a31fefa4189da1960b35b2bd43e7e19302eaf6967b5a2281334673c86546df7576f46d9bca55e0d5ec63ba0f88e2058c8f1fe37da2e927409bfde5863 |
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | 5ba75ce6ecf569afb75c533738515f93 |
| SHA1 | fc0badd0d6d211522dc4d67cc3f1b6161e016b72 |
| SHA256 | 0ad5512b6c0a5b66dc6c11336038aaa33daf47d0aad504413f64fcf74ef7159d |
| SHA512 | 5ef10532ab5343bfe597fa4e098f005e37ee49c2db821f8ee53cec3edfbda4226e5fb4bf838bee82350fc64126c2ec9c30c92ae15569d554055803626de31b1b |
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-01 22:03
Reported
2023-08-01 22:05
Platform
win10v2004-20230703-en
Max time kernel
141s
Max time network
152s
Command Line
Signatures
Laplas Clipper
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4176143399-3250363947-192774652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | C:\Users\Admin\AppData\Local\Temp\3258deefff3ca70f3dfa3e67067ca611.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3258deefff3ca70f3dfa3e67067ca611.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4988 wrote to memory of 3120 | N/A | C:\Users\Admin\AppData\Local\Temp\3258deefff3ca70f3dfa3e67067ca611.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
| PID 4988 wrote to memory of 3120 | N/A | C:\Users\Admin\AppData\Local\Temp\3258deefff3ca70f3dfa3e67067ca611.exe | C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\3258deefff3ca70f3dfa3e67067ca611.exe
"C:\Users\Admin\AppData\Local\Temp\3258deefff3ca70f3dfa3e67067ca611.exe"
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.113.22.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 206.189.229.43:80 | 206.189.229.43 | tcp |
| US | 8.8.8.8:53 | 43.229.189.206.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.157.241.8.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
| MD5 | 87759c8f27ca9d3a5e37aecc1388bc49 |
| SHA1 | 07c8f639fcdc180ae8bb56460119cb2efd6a4e13 |
| SHA256 | 06f00ad51afc936be935d4f522a3cf10a9e4bc0f1d70aa5f0ab8ac520effc993 |
| SHA512 | f27989c280b65e2c4feb83a795383b296bb7cbe7d54311300349493b34dd9fb428cdb4b35b3dc14b33ecefbfe56583282f069440e5b3d36742be98d172430da8 |