Analysis
-
max time kernel
146s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
09/03/2023, 23:00
General
-
Target
e2279ce8c31ce3ff250d0942cbfd52a3ec6b04437e8ee7facf8c4f68a131328d.exe
-
Size
330KB
-
MD5
2a18774f6e9cfb896bce930f24ff0402
-
SHA1
3678c97cc3d8bec04670494fb80bf80fc906f30d
-
SHA256
e2279ce8c31ce3ff250d0942cbfd52a3ec6b04437e8ee7facf8c4f68a131328d
-
SHA512
a8e210e3a617badc7a8e2dd97d03e31ac1d51d47c4979cf86bd625ed1073e044a50b91758d606b1518c24da8302a2c98b50ca9dd0068bda4dd2b31d4a318e010
-
SSDEEP
6144:YILU3r5Kw0ysBrQt/kD+yUuKomudSX4LCIV:fg3rr0Z4MqyUluQi
Malware Config
Extracted
laplas
http://45.159.189.105
-
api_key
9ee0ef01cd0f0468c997745b63f39799e510412a4bb4e6ff8efcf6f8ac926172
Signatures
-
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e2279ce8c31ce3ff250d0942cbfd52a3ec6b04437e8ee7facf8c4f68a131328d.exe"C:\Users\Admin\AppData\Local\Temp\e2279ce8c31ce3ff250d0942cbfd52a3ec6b04437e8ee7facf8c4f68a131328d.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3316 -s 11162⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3316 -ip 33161⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
773.3MB
MD512063e4a787bdaa88f082741f1bd8b0b
SHA153bf7e8393b5ad956eb76dc8187880b83dd163bb
SHA2565dfff1e4cf34011fbd30c028fb8f06a15965b3b3b28fdcca05d617d5317d70b8
SHA512747268ce2899d34b07d060ff369763ef7a6c43b92e6e31babc9c7b6572ec2724722b708aebc5c866ccda1ce60d119a7cc31ac310d09565c3fb82f4db7389312b
-
Filesize
773.3MB
MD512063e4a787bdaa88f082741f1bd8b0b
SHA153bf7e8393b5ad956eb76dc8187880b83dd163bb
SHA2565dfff1e4cf34011fbd30c028fb8f06a15965b3b3b28fdcca05d617d5317d70b8
SHA512747268ce2899d34b07d060ff369763ef7a6c43b92e6e31babc9c7b6572ec2724722b708aebc5c866ccda1ce60d119a7cc31ac310d09565c3fb82f4db7389312b
-
Filesize
773.3MB
MD512063e4a787bdaa88f082741f1bd8b0b
SHA153bf7e8393b5ad956eb76dc8187880b83dd163bb
SHA2565dfff1e4cf34011fbd30c028fb8f06a15965b3b3b28fdcca05d617d5317d70b8
SHA512747268ce2899d34b07d060ff369763ef7a6c43b92e6e31babc9c7b6572ec2724722b708aebc5c866ccda1ce60d119a7cc31ac310d09565c3fb82f4db7389312b
-
Filesize
852KB
-
Filesize
240KB
-
Filesize
852KB
-
Filesize
852KB