laplas | 747e415b2fdfc4def2b6d1b014605ad740c7a1c25743f25706391bdc54845d00

Analysis

max time kernel
147s
max time network
102s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
11/03/2023, 08:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

747e415b2fdfc4def2b6d1b014605ad740c7a1c25743f25706391bdc54845d00.exe
Size

269KB
MD5

2ec6b6e536979c66b851f54e55d936cf
SHA1

dc66788321acf7e368b40f07281d5f7ea77fbc13
SHA256

747e415b2fdfc4def2b6d1b014605ad740c7a1c25743f25706391bdc54845d00
SHA512

fc299b1558a01dca518deeb0ab88d06b7d98d487699d3e47ee19b085a066fc28faa9febecf0162b46d9d0cb74c147ab672869e7bcf33482d63ddd785fa20b5da
SSDEEP

6144:KFnpIOJ5avLVgQdUcwx/XDpXtLl9xejvE/5Jz9:EpIOOzVH/YDZb94jvE/V

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
9ee0ef01cd0f0468c997745b63f39799e510412a4bb4e6ff8efcf6f8ac926172

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
1320	svcservice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	747e415b2fdfc4def2b6d1b014605ad740c7a1c25743f25706391bdc54845d00.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1016	747e415b2fdfc4def2b6d1b014605ad740c7a1c25743f25706391bdc54845d00.exe
1016	747e415b2fdfc4def2b6d1b014605ad740c7a1c25743f25706391bdc54845d00.exe
1320	svcservice.exe
1320	svcservice.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 1320	1016	747e415b2fdfc4def2b6d1b014605ad740c7a1c25743f25706391bdc54845d00.exe	66
PID 1016 wrote to memory of 1320	1016	747e415b2fdfc4def2b6d1b014605ad740c7a1c25743f25706391bdc54845d00.exe	66
PID 1016 wrote to memory of 1320	1016	747e415b2fdfc4def2b6d1b014605ad740c7a1c25743f25706391bdc54845d00.exe	66

C:\Users\Admin\AppData\Local\Temp\747e415b2fdfc4def2b6d1b014605ad740c7a1c25743f25706391bdc54845d00.exe
"C:\Users\Admin\AppData\Local\Temp\747e415b2fdfc4def2b6d1b014605ad740c7a1c25743f25706391bdc54845d00.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
714.3MB

MD5
898e90b6dc90643bf08db60237258eef

SHA1
b868149a5f8c43345672685594ee25072fde5bf5

SHA256
9cf78bb50c9e904a44d6e1ff9ec0425060d4c6c3bee7be1826f883204174d2fb

SHA512
ae198d9caf6fb39cee2a906a078e5e0815cbfc64a56741e45105f82b11851364f0dbb8c0d8c2d1aa26c17dc05d0d981433fa1ef2078399c54e3f6828f3476796

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
714.3MB

MD5
898e90b6dc90643bf08db60237258eef

SHA1
b868149a5f8c43345672685594ee25072fde5bf5

SHA256
9cf78bb50c9e904a44d6e1ff9ec0425060d4c6c3bee7be1826f883204174d2fb

SHA512
ae198d9caf6fb39cee2a906a078e5e0815cbfc64a56741e45105f82b11851364f0dbb8c0d8c2d1aa26c17dc05d0d981433fa1ef2078399c54e3f6828f3476796

Download Submit
memory/1016-122-0x00000000021F0000-0x000000000222E000-memory.dmp

Filesize
248KB

Download
memory/1016-123-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1016-124-0x00000000021F0000-0x000000000222E000-memory.dmp

Filesize
248KB

Download
memory/1016-127-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1016-131-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1320-133-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1320-136-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download