Overview

overview

10

Static

static

1

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    154s
  • max time network
    189s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-02-2023 08:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    197KB

  • MD5

    7ff972b22c38b488c9bd8faaee20f191

  • SHA1

    70cc8dfd8fb9a70acf149627ca0a5af48bc869cb

  • SHA256

    7fbdcce122af8b4fe1638f1ddf87c738a7499d89d52db78d3f86a812171b6454

  • SHA512

    a61b8a175591de0aa9fb70a69f98cd01cd2524b706a3885750c5d3ea6e8bf4753b3ea13cce774a8f71ebf0db60ee40cc0528c5d9d64fa3df230624be53fcf8f7

  • SSDEEP

    3072:nGsO7VZUS5qUw1LmblWuzd5TaXC7v6lTj8ViAXFj6rBQWL:nGschoL2lXSD5jwHj6n

Score
10/10
laplassmokeloaderbackdoorclipperstealertrojan

Malware Config

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes
  • api_key

    ad75d4e2e9636ca662a337b6e798d36159f23acfc89bbe9400d0d451bd8d69fd

Signatures

  • Detects Smokeloader packer 1 IoCs
  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:3772
  • C:\Users\Admin\AppData\Local\Temp\F84A.exe
    C:\Users\Admin\AppData\Local\Temp\F84A.exe
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:4972
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /tn "svcupdater" /tr "C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
      2⤵
      • Creates scheduled task(s)
      PID:1936
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 1152
      2⤵
      • Program crash
      PID:4900
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4972 -ip 4972
    1⤵
      PID:1472
    • C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
      C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
      1⤵
      • Executes dropped EXE
      PID:3668

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\F84A.exe
      Filesize

      378KB

      MD5

      b141bc58618c537917cc1da179cbe8ab

      SHA1

      c76d3f5eeae9493e41a272a974b5dfec5f4e4724

      SHA256

      fd999e4a07d8b3d95f9d9231fd496b0125b56094f1b03ddca7a7b074c1d8c03e

      SHA512

      5c72f63124a394602a36a4f985e33a41e8159f54653f431c270b8f0fa8e13131517c31b497a936d5f5d3d27397f40fc7909efc4bfd04c01bcca7f306860c3114

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\F84A.exe
      Filesize

      378KB

      MD5

      b141bc58618c537917cc1da179cbe8ab

      SHA1

      c76d3f5eeae9493e41a272a974b5dfec5f4e4724

      SHA256

      fd999e4a07d8b3d95f9d9231fd496b0125b56094f1b03ddca7a7b074c1d8c03e

      SHA512

      5c72f63124a394602a36a4f985e33a41e8159f54653f431c270b8f0fa8e13131517c31b497a936d5f5d3d27397f40fc7909efc4bfd04c01bcca7f306860c3114

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
      Filesize

      414.8MB

      MD5

      a069f39ddd851cfb271d6e0421b4c7f2

      SHA1

      1382783b69813af03de900acb1dd1878d7e4259e

      SHA256

      fbf82c2c060efd1ba96ae60b1b10589d653ab966c10617727805ac2f7db967b1

      SHA512

      c738dc98f9eff8ba7b50c4fc329ebb09e98440d9652d1f30bf3886e8c6df75c330cce8054454aac0f73bcdd7741ebe017e9eb34e4eeac7ba293f0e2d83b94be1

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Win32Sync\svcupdater.exe
      Filesize

      419.6MB

      MD5

      c786ade3edb8b04a5f8a7f121433362e

      SHA1

      554442906818b4a6920442531ce67dfb64b4339e

      SHA256

      e0102c7f2a071d2dda722f9f3c5aea37d86654f94fc8e34d2e101aadabbb67d6

      SHA512

      eb15b215b0e89391fd5d3682edcefa4d74f48a577c1a413c9357330adc63bcda7f8b13c1602424898e99a7d1b694084f0087ce04d218b72a4d9fc4574e258325

      Download Submit

    • memory/1936-142-0x0000000000000000-mapping.dmp

      Download

    • memory/3668-148-0x0000000000400000-0x000000000047A000-memory.dmp

      Filesize

      488KB

      Download

    • memory/3668-147-0x0000000000817000-0x0000000000841000-memory.dmp

      Filesize

      168KB

      Download

    • memory/3772-133-0x0000000000630000-0x0000000000639000-memory.dmp

      Filesize

      36KB

      Download

    • memory/3772-134-0x0000000000400000-0x0000000000562000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/3772-135-0x0000000000400000-0x0000000000562000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/3772-132-0x000000000069D000-0x00000000006B0000-memory.dmp

      Filesize

      76KB

      Download

    • memory/4972-140-0x00000000005F0000-0x0000000000637000-memory.dmp

      Filesize

      284KB

      Download

    • memory/4972-144-0x0000000000400000-0x000000000047A000-memory.dmp

      Filesize

      488KB

      Download

    • memory/4972-143-0x00000000006E9000-0x0000000000713000-memory.dmp

      Filesize

      168KB

      Download

    • memory/4972-141-0x0000000000400000-0x000000000047A000-memory.dmp

      Filesize

      488KB

      Download

    • memory/4972-139-0x00000000006E9000-0x0000000000713000-memory.dmp

      Filesize

      168KB

      Download

    • memory/4972-136-0x0000000000000000-mapping.dmp

      Download