Overview

overview

10

Static

static

7

SecuriteIn...52.exe

windows7-x64

10

SecuriteIn...52.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-02-2023 13:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Variant.Tedy.244458.5613.9552.exe

  • Size

    5.4MB

  • MD5

    610a076f83218b51b01a24e9c8eba3ae

  • SHA1

    7956cbd49823b35362f2244a350078f066873e65

  • SHA256

    fc06eb8ba18242f5a2dfb76d80ca1fe30e8df12f7c5f3d0092eb3d7fd4d51f08

  • SHA512

    bed36d4f8663e1c3e9b877367b64a2bf0ae95a86da0c02d74b29872137f370f8419359be2244e009039705f64d68eb9792dee7dd4ed1456bc54789c1ca82c707

  • SSDEEP

    98304:InGmlwPwuBvk1wu8JZfB7QJYfUbNM9VlE/V3VydE18wkcUrL5iKroh9Q4QGn7MO:InGmlgwgM18JPvCIU3V/+rLr29QUMO

Score
10/10
laplasclipperstealervmprotect

Malware Config

Extracted

Family

laplas

C2

clipper.guru

Attributes
  • api_key

    e967005093020788056c9d94da04435883edc18212f0de012679a229f024fdb6

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Executes dropped EXE 1 IoCs
  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.244458.5613.9552.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.244458.5613.9552.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:764
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C schtasks /create /tn DSPHwkOpIx /tr C:\Users\Admin\AppData\Roaming\DSPHwkOpIx\udakqMngIV.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2556
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn DSPHwkOpIx /tr C:\Users\Admin\AppData\Roaming\DSPHwkOpIx\udakqMngIV.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
        3⤵
        • Creates scheduled task(s)
        PID:2840
  • C:\Users\Admin\AppData\Roaming\DSPHwkOpIx\udakqMngIV.exe
    C:\Users\Admin\AppData\Roaming\DSPHwkOpIx\udakqMngIV.exe
    1⤵
    • Executes dropped EXE
    PID:2372

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\DSPHwkOpIx\udakqMngIV.exe
    Filesize

    697.9MB

    MD5

    3d9be7e789eb4655722cf047d1a8b3c0

    SHA1

    0aa113c5d43719d9768fb6f00e1e51d023e85795

    SHA256

    75a9956e4ee17c7728b0fc5a9b79badb71115781fbb72f5ef03816c66de1a606

    SHA512

    f813950c4c708d32d27f10771a9a7ab821dcf11cd462f25145363a780ea57120b0a3e21e9d19ef0ae3d44b5616a1bd85a230d9587d51d05c1b26893aa853ac89

    Download Submit

  • C:\Users\Admin\AppData\Roaming\DSPHwkOpIx\udakqMngIV.exe
    Filesize

    697.9MB

    MD5

    3d9be7e789eb4655722cf047d1a8b3c0

    SHA1

    0aa113c5d43719d9768fb6f00e1e51d023e85795

    SHA256

    75a9956e4ee17c7728b0fc5a9b79badb71115781fbb72f5ef03816c66de1a606

    SHA512

    f813950c4c708d32d27f10771a9a7ab821dcf11cd462f25145363a780ea57120b0a3e21e9d19ef0ae3d44b5616a1bd85a230d9587d51d05c1b26893aa853ac89

    Download Submit

  • memory/764-132-0x0000000000240000-0x0000000000E13000-memory.dmp

    Filesize

    11.8MB

    Download

  • memory/2372-140-0x0000000000940000-0x0000000001513000-memory.dmp

    Filesize

    11.8MB

    Download

  • memory/2556-136-0x0000000000000000-mapping.dmp

    Download

  • memory/2840-137-0x0000000000000000-mapping.dmp

    Download