laplas | fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08

Analysis

max time kernel
69s
max time network
286s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
25-11-2022 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08.exe
Size

5.4MB
MD5

610a076f83218b51b01a24e9c8eba3ae
SHA1

7956cbd49823b35362f2244a350078f066873e65
SHA256

fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08
SHA512

bed36d4f8663e1c3e9b877367b64a2bf0ae95a86da0c02d74b29872137f370f8419359be2244e009039705f64d68eb9792dee7dd4ed1456bc54789c1ca82c707
SSDEEP

98304:InGmlwPwuBvk1wu8JZfB7QJYfUbNM9VlE/V3VydE18wkcUrL5iKroh9Q4QGn7MO:InGmlgwgM18JPvCIU3V/+rLr29QUMO

Score

10^/10

laplas stealer vmprotect

Malware Config

Extracted

Family

laplas

clipper.guru

Attributes

api_key
e967005093020788056c9d94da04435883edc18212f0de012679a229f024fdb6

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with two variants written in Golang and C#.
stealer laplas
Executes dropped EXE 1 IoCs

Processes:

udakqMngIV.exe

pid process

1300 udakqMngIV.exe

pid	process
1300	udakqMngIV.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/1980-126-0x0000000001090000-0x0000000001C63000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Roaming\DSPHwkOpIx\udakqMngIV.exe	vmprotect
C:\Users\Admin\AppData\Roaming\DSPHwkOpIx\udakqMngIV.exe	vmprotect
behavioral2/memory/1300-184-0x0000000000B80000-0x0000000001753000-memory.dmp	vmprotect

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2188 schtasks.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 7 Go-http-client/1.1

pid	process
2188	schtasks.exe

description	flow	ioc
HTTP User-Agent header	7	Go-http-client/1.1

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08.execmd.exe

description	pid	process	target process
PID 1980 wrote to memory of 3484	1980	fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08.exe	cmd.exe
PID 1980 wrote to memory of 3484	1980	fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08.exe	cmd.exe
PID 1980 wrote to memory of 3484	1980	fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08.exe	cmd.exe
PID 3484 wrote to memory of 2188	3484	cmd.exe	schtasks.exe
PID 3484 wrote to memory of 2188	3484	cmd.exe	schtasks.exe
PID 3484 wrote to memory of 2188	3484	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08.exe
"C:\Users\Admin\AppData\Local\Temp\fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C schtasks /create /tn DSPHwkOpIx /tr C:\Users\Admin\AppData\Roaming\DSPHwkOpIx\udakqMngIV.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3484
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn DSPHwkOpIx /tr C:\Users\Admin\AppData\Roaming\DSPHwkOpIx\udakqMngIV.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
    3⤵
    - Creates scheduled task(s)
    PID:2188

C:\Users\Admin\AppData\Roaming\DSPHwkOpIx\udakqMngIV.exe
C:\Users\Admin\AppData\Roaming\DSPHwkOpIx\udakqMngIV.exe
1⤵
- Executes dropped EXE
PID:1300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\DSPHwkOpIx\udakqMngIV.exe

Filesize
715.8MB

MD5
bd098ef3580a51c7a3f77693e4fd51bc

SHA1
ba28a368f62a6fcc484017431c67d889e47320a1

SHA256
1a89d3d0db738b4540fe0f74dbb9c6ab336ecbbd937741e7b3fb3d5cdb4e82db

SHA512
1068f966d512a7cbb4925f31b10843990489c85558f054043d411872aee131b14d64628238c7713d34b82f4819b250ce5e3a8bab3c098d7378ce067de7af1c60

Download Submit
C:\Users\Admin\AppData\Roaming\DSPHwkOpIx\udakqMngIV.exe

Filesize
715.8MB

MD5
bd098ef3580a51c7a3f77693e4fd51bc

SHA1
ba28a368f62a6fcc484017431c67d889e47320a1

SHA256
1a89d3d0db738b4540fe0f74dbb9c6ab336ecbbd937741e7b3fb3d5cdb4e82db

SHA512
1068f966d512a7cbb4925f31b10843990489c85558f054043d411872aee131b14d64628238c7713d34b82f4819b250ce5e3a8bab3c098d7378ce067de7af1c60

Download Submit
memory/1300-184-0x0000000000B80000-0x0000000001753000-memory.dmp

Filesize
11.8MB

Download
memory/1300-177-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1300-178-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1300-179-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1300-180-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1300-181-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1300-182-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-141-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-145-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-134-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-135-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-136-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-137-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-138-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-139-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-140-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-120-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-142-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-143-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-144-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-133-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-146-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-147-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-148-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-149-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-150-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-132-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-131-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-130-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-126-0x0000000001090000-0x0000000001C63000-memory.dmp

Filesize
11.8MB

Download
memory/1980-125-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-124-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-123-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-122-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/1980-121-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2188-168-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2188-161-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2188-162-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2188-163-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2188-164-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2188-165-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2188-166-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2188-167-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2188-159-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2188-169-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2188-170-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2188-171-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2188-172-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2188-173-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2188-174-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2188-175-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2188-160-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2188-158-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/2188-157-0x0000000000000000-mapping.dmp

Download
memory/3484-156-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3484-155-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3484-154-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3484-153-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3484-152-0x0000000077460000-0x00000000775EE000-memory.dmp

Filesize
1.6MB

Download
memory/3484-151-0x0000000000000000-mapping.dmp

Download