laplas | 82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150

Analysis

max time kernel
79s
max time network
181s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
27/11/2022, 22:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe
Size

5.2MB
MD5

65bc10aa24d76ec1b02a151a16d053c0
SHA1

81bfa89a47ef789ea1cc5c98f02df2bc2a038a4e
SHA256

82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150
SHA512

b0e22e0050090d6f8bc9ae8291005e406d3ab3ea60976aa9394f2c37f59645d8df0ddca7dfe927b0f604428092778da3a3a968da11bc73ea042dfc87d7b9d298
SSDEEP

98304:VXISESTXsUp7ZcjxlqSs/eAFe6WgdLzjnezZED:Vr5sjjxcz20pz6zZm

Score

10^/10

laplas stealer

Malware Config

Extracted

Family

laplas

clipper.guru

Attributes

api_key
c25400a81a220bbbc3cb779c59ab8b74c7b58ae3a99f465520cbd86c53bd630b

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with two variants written in Golang and C#.
stealer laplas

Executes dropped EXE 1 IoCs

pid	Process
1496	quegego fatilila voy boji.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4372	schtasks.exe
1764	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3172	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2732	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe
2732	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe
2732	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe
2732	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe
2732	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe
2732	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe
2732	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe
2732	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe
2732	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe
2732	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 4372	2732	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	66
PID 2732 wrote to memory of 4372	2732	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	66
PID 2732 wrote to memory of 4372	2732	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	66
PID 2732 wrote to memory of 1496	2732	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	68
PID 2732 wrote to memory of 1496	2732	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	68
PID 2732 wrote to memory of 1496	2732	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	68
PID 2732 wrote to memory of 3816	2732	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	69
PID 2732 wrote to memory of 3816	2732	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	69
PID 2732 wrote to memory of 3816	2732	82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe	69
PID 3816 wrote to memory of 4316	3816	cmd.exe	71
PID 3816 wrote to memory of 4316	3816	cmd.exe	71
PID 3816 wrote to memory of 4316	3816	cmd.exe	71

C:\Users\Admin\AppData\Local\Temp\82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe
"C:\Users\Admin\AppData\Local\Temp\82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\vivaca loc kevilena xatequij nocolok_gijafe meci dokinori kikojiyi\quegego fatilila voy boji.exe"
  2⤵
  - Creates scheduled task(s)
  PID:4372
- C:\Users\Admin\vivaca loc kevilena xatequij nocolok_gijafe meci dokinori kikojiyi\quegego fatilila voy boji.exe
  "C:\Users\Admin\vivaca loc kevilena xatequij nocolok_gijafe meci dokinori kikojiyi\quegego fatilila voy boji.exe"
  2⤵
  - Executes dropped EXE
  PID:1496
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
    3⤵
    PID:4600
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C schtasks /create /tn kqZiVKBcGO /tr C:\Users\Admin\AppData\Roaming\kqZiVKBcGO\IaXkWQxCbj.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
      4⤵
      PID:4832
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn kqZiVKBcGO /tr C:\Users\Admin\AppData\Roaming\kqZiVKBcGO\IaXkWQxCbj.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
        5⤵
        Creates scheduled task(s)
        
        PID:1764
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\82126fc4fd73e4fea6ee032f156572af9986acdc8c22f1f69253289a3b39b150.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3816
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:4316
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:3172

C:\Users\Admin\AppData\Roaming\kqZiVKBcGO\IaXkWQxCbj.exe
C:\Users\Admin\AppData\Roaming\kqZiVKBcGO\IaXkWQxCbj.exe
1⤵
PID:852

C:\Users\Admin\AppData\Roaming\kqZiVKBcGO\IaXkWQxCbj.exe
C:\Users\Admin\AppData\Roaming\kqZiVKBcGO\IaXkWQxCbj.exe
1⤵
PID:2204

C:\Users\Admin\AppData\Roaming\kqZiVKBcGO\IaXkWQxCbj.exe
C:\Users\Admin\AppData\Roaming\kqZiVKBcGO\IaXkWQxCbj.exe
1⤵
PID:2768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IaXkWQxCbj.exe.log

Filesize
425B

MD5
605f809fab8c19729d39d075f7ffdb53

SHA1
c546f877c9bd53563174a90312a8337fdfc5fdd9

SHA256
6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

SHA512
82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

Download Submit
C:\Users\Admin\AppData\Roaming\kqZiVKBcGO\IaXkWQxCbj.exe

Filesize
434.2MB

MD5
fefc07aa5f5ffa5fdf5d7395818ea16d

SHA1
ab6421bef9b7d216fc93751c32377e1d83596e93

SHA256
76005f01bdc7d12ae68f637f9db612c10292d60a9e2d76086539c26b84e1b577

SHA512
0b7514aed2a4d317d96c43cdce1716f471867ff13364b2a20c847b706eff7c544ceca17133d6931249108ed516762f4bb8ac57b171fe78c0766f4e7320beae4a

Download Submit
C:\Users\Admin\AppData\Roaming\kqZiVKBcGO\IaXkWQxCbj.exe

Filesize
421.4MB

MD5
185c8f21150f611ef43f67abdec9cc56

SHA1
4c1b2d937f5933e56d8eafeb4c5b5ccc8a97d73f

SHA256
5ab756e6b6766fa7824be2f9ca7c6d737df339361b02a3d060f6219a81bf2881

SHA512
ebbf541cbba567874959e67d7fb313383c0d65482a1152b5ee57fa53343b929bec833534ec035ca29a543bf62a8258f5fb28755a2a6e90337904d0bb0df3f670

Download Submit
C:\Users\Admin\AppData\Roaming\kqZiVKBcGO\IaXkWQxCbj.exe

Filesize
272.9MB

MD5
f6225e0d2246287123ee324633977dd0

SHA1
29c05b2cb84caf4bae6d227535d3b2983734cdee

SHA256
96eb2cc093fd75182a56ec249c0d350325e50999e00c086068df011cbcbbac80

SHA512
dbb9c017571ad8ede0d502f88926f2ab2e51894d749c16e8ff5ef0f83f105cb046fd5f1dd05e7e7b81027a8c8c524fb600cf143d00fcb7305224e96e0871ba1d

Download Submit
C:\Users\Admin\AppData\Roaming\kqZiVKBcGO\IaXkWQxCbj.exe

Filesize
60.9MB

MD5
b13e10207c9caaa2efa4adbe6e4afa01

SHA1
09f91b99daf67488a01a0b42b3860dffee9e3720

SHA256
22c3fdb8817979ffbec23cff8c1239d0370f4f3c1e0bb3fe63cd64f62d3aab48

SHA512
60e925e061fdf79abd3c0d8cf95f96daa6296e845f1d74e0260927a47f2dbde7e668a23d4ef13ef59e28c74a588cfbfdb76bad3ad87cbf6efad7a3618d2e97a7

Download Submit
C:\Users\Admin\vivaca loc kevilena xatequij nocolok_gijafe meci dokinori kikojiyi\quegego fatilila voy boji.exe

Filesize
772.2MB

MD5
0939679fdca391f954cb7b3db9626631

SHA1
8963ba235460e589cfd20b642d315599a8628897

SHA256
0b6e307505420ef08aa4ef29b9bd75660fabc254624201b43c0ddcff7fc27023

SHA512
55bb1bb33d00d0377222016e6185086cf942525a6372282c5e589163fa956aeaeb538c6d9113b2030110ca3ec163784983c65473ca18db893961bd3b1ac98377

Download Submit
C:\Users\Admin\vivaca loc kevilena xatequij nocolok_gijafe meci dokinori kikojiyi\quegego fatilila voy boji.exe

Filesize
772.2MB

MD5
0939679fdca391f954cb7b3db9626631

SHA1
8963ba235460e589cfd20b642d315599a8628897

SHA256
0b6e307505420ef08aa4ef29b9bd75660fabc254624201b43c0ddcff7fc27023

SHA512
55bb1bb33d00d0377222016e6185086cf942525a6372282c5e589163fa956aeaeb538c6d9113b2030110ca3ec163784983c65473ca18db893961bd3b1ac98377

Download Submit
memory/852-405-0x00000000005D0000-0x00000000005E6000-memory.dmp

Filesize
88KB

Download
memory/1496-311-0x00000000101F0000-0x0000000012A8F000-memory.dmp

Filesize
40.6MB

Download
memory/1496-310-0x00000000044A0000-0x00000000049A0000-memory.dmp

Filesize
5.0MB

Download
memory/1496-309-0x00000000101F0000-0x0000000012A8F000-memory.dmp

Filesize
40.6MB

Download
memory/1496-289-0x00000000044A0000-0x00000000049A0000-memory.dmp

Filesize
5.0MB

Download
memory/1496-274-0x0000000002BA0000-0x0000000004498000-memory.dmp

Filesize
25.0MB

Download
memory/1496-248-0x0000000002BA0000-0x0000000004498000-memory.dmp

Filesize
25.0MB

Download
memory/2732-144-0x0000000002C20000-0x000000000451E000-memory.dmp

Filesize
25.0MB

Download
memory/2732-175-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-138-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-139-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-140-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-141-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-142-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-120-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-146-0x0000000004520000-0x0000000004A24000-memory.dmp

Filesize
5.0MB

Download
memory/2732-147-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-148-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-149-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-150-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-151-0x0000000002C20000-0x000000000451E000-memory.dmp

Filesize
25.0MB

Download
memory/2732-152-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-153-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-154-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-155-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-156-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-157-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-158-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-159-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-160-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-161-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-162-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-163-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-164-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-165-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-166-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-167-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-168-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-169-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-170-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-171-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-172-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-173-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-174-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-137-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-176-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-177-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-178-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-179-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-180-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-181-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-182-0x0000000004520000-0x0000000004A24000-memory.dmp

Filesize
5.0MB

Download
memory/2732-183-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-184-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-185-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-186-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-121-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-122-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-123-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-124-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-136-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-135-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-134-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-125-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-126-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-133-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-127-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-132-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-131-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-130-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-129-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/2732-128-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/4372-190-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/4372-189-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/4372-188-0x00000000772C0000-0x000000007744E000-memory.dmp

Filesize
1.6MB

Download
memory/4600-328-0x0000000000400000-0x00000000008CB000-memory.dmp

Filesize
4.8MB

Download
memory/4600-343-0x0000000000400000-0x00000000008CB000-memory.dmp

Filesize
4.8MB

Download
memory/4600-369-0x0000000000400000-0x00000000008CB000-memory.dmp

Filesize
4.8MB

Download