laplas | c78d7e44e0997c3dc22b3a81ce8964e4069ce2dceb020dbfacad153d2e9a4e82

Resubmissions

07/02/2023, 12:49

230207-p2pxdabg29 10

25/12/2022, 22:20

221225-186dgscc23 8

Analysis

max time kernel
139s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/02/2023, 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c78d7e44e0997c3dc22b3a81ce8964e4069ce2dceb020dbfacad153d2e9a4e82.exe
Size

6.4MB
MD5

4a75f7dda9143bb7d91023698154c3b6
SHA1

75474a0111a61ec35fc3a2138a9bfb00a066fb6b
SHA256

c78d7e44e0997c3dc22b3a81ce8964e4069ce2dceb020dbfacad153d2e9a4e82
SHA512

3e0fb0b6176b833d1ffe26d3b39d373e8c4725fd69a0182441a544a7d68b3693b7b6da434cd6b452ce709c603e293d29fa3c904791a56c4b029b5c230504235b
SSDEEP

196608:t7n9Rg39ZnwUTA7/T0R7aYERaXmH1YNXc:tzTYZntTak7a9ILN

Score

10^/10

laplas clipper stealer

Malware Config

Extracted

Family

laplas

http://clipper.guru

Attributes

api_key
dd611369e3344bc4aad751531e739d725fb32f33363f67a0bf7a4ea33213af63

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	c78d7e44e0997c3dc22b3a81ce8964e4069ce2dceb020dbfacad153d2e9a4e82.exe

Executes dropped EXE 1 IoCs

pid	Process
4564	svcupdater.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4304	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3576	c78d7e44e0997c3dc22b3a81ce8964e4069ce2dceb020dbfacad153d2e9a4e82.exe
3576	c78d7e44e0997c3dc22b3a81ce8964e4069ce2dceb020dbfacad153d2e9a4e82.exe
4564	svcupdater.exe
4564	svcupdater.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 4304	3576	c78d7e44e0997c3dc22b3a81ce8964e4069ce2dceb020dbfacad153d2e9a4e82.exe	80
PID 3576 wrote to memory of 4304	3576	c78d7e44e0997c3dc22b3a81ce8964e4069ce2dceb020dbfacad153d2e9a4e82.exe	80
PID 3576 wrote to memory of 4304	3576	c78d7e44e0997c3dc22b3a81ce8964e4069ce2dceb020dbfacad153d2e9a4e82.exe	80

C:\Users\Admin\AppData\Local\Temp\c78d7e44e0997c3dc22b3a81ce8964e4069ce2dceb020dbfacad153d2e9a4e82.exe
"C:\Users\Admin\AppData\Local\Temp\c78d7e44e0997c3dc22b3a81ce8964e4069ce2dceb020dbfacad153d2e9a4e82.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
  2⤵
  - Creates scheduled task(s)
  PID:4304

C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe

Filesize
653.1MB

MD5
d47d8b85d81461d808f6042660f5f7f2

SHA1
878df26768f771f856aa33f32c66c63882f08b0a

SHA256
3aac97131d60fc761a5516905a887ef0658d2ce609df9d148bebdfeeeb468de6

SHA512
19edb2defa5e9e692aa21b6d97dd9556af63e978fc948348bb6be998e6d9deb5cbb8b4b9925bf66119badc961f13d80d56df6fae20fd098055a4527cac893f1c

Download Submit
C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe

Filesize
653.0MB

MD5
da110f2ee00aa6b742993a3ed2f225a1

SHA1
c51d24bad5d934b92d1b9313d1575dc6d2c4f5de

SHA256
3b19505601bc7da0bea1b5b16b639ab80741cb74fc8ddf5f4ade2d20de530f45

SHA512
f8efb2be15f1327d5db5ecae3203c9030f732db9e50e2105923901c8e87e6a8237b710cc75e88bc1ca7beeddffe01dd7e690fbb41a3b86a20c7cc1d38a5851bb

Download Submit
memory/3576-132-0x0000000000530000-0x0000000000F3E000-memory.dmp

Filesize
10.1MB

Download
memory/3576-134-0x0000000000530000-0x0000000000F3E000-memory.dmp

Filesize
10.1MB

Download
memory/3576-136-0x0000000000530000-0x0000000000F3E000-memory.dmp

Filesize
10.1MB

Download
memory/4564-139-0x00000000004E0000-0x0000000000EEE000-memory.dmp

Filesize
10.1MB

Download
memory/4564-141-0x00000000004E0000-0x0000000000EEE000-memory.dmp

Filesize
10.1MB

Download