Analysis
-
max time kernel
151s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
-
submitted
12-03-2023 11:00
General
-
Target
465af88feb490f93acea92ec180b916d03bb788956c078bfee031cc08f2c41c8.exe
-
Size
255KB
-
MD5
20c262348a0700400d14ea53936509d8
-
SHA1
e26adbee5171256c6b21aec785ba694c53587cfe
-
SHA256
465af88feb490f93acea92ec180b916d03bb788956c078bfee031cc08f2c41c8
-
SHA512
3c2f2141bf9d2b7db0f6b1dffd0912c7fadb11785ba055221f0359254f471ae335b40ac887b4e8aff709910c9fdd1679df9bed2367a6e9247eb9c9cc26f1c7fe
-
SSDEEP
3072:7RrqxlaiY9Ceax5L7FUt03BKzX2AK4OfG2sTBg0vW0F9oFa74umGcX0N59/hr2X1:FqXaiY9gFUt03BWiG2QBui+FaHNHhya
Malware Config
Extracted
laplas
http://45.159.189.105
-
api_key
9ee0ef01cd0f0468c997745b63f39799e510412a4bb4e6ff8efcf6f8ac926172
Signatures
-
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\465af88feb490f93acea92ec180b916d03bb788956c078bfee031cc08f2c41c8.exe"C:\Users\Admin\AppData\Local\Temp\465af88feb490f93acea92ec180b916d03bb788956c078bfee031cc08f2c41c8.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 12242⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1412 -ip 14121⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
754.2MB
MD57d6378a6f9debbbcbf23ec9b7c3426b4
SHA1e2f6c30e1a80c6429aa9946f7361c042041d8fc8
SHA256b0304763d9bde68e96c94f0a5b7871fdc5dd3d4895a3a21180c9466f273209a8
SHA5129f82a0c1fb2f7533bb4e2161bc06d8b1361833ee4be4555f0276a1ea50c856500909c13e82f8a7ce1136e4fcc795ac5547a7c7de3eb5cea8faaa4d1c06d6f6d9
-
Filesize
754.2MB
MD57d6378a6f9debbbcbf23ec9b7c3426b4
SHA1e2f6c30e1a80c6429aa9946f7361c042041d8fc8
SHA256b0304763d9bde68e96c94f0a5b7871fdc5dd3d4895a3a21180c9466f273209a8
SHA5129f82a0c1fb2f7533bb4e2161bc06d8b1361833ee4be4555f0276a1ea50c856500909c13e82f8a7ce1136e4fcc795ac5547a7c7de3eb5cea8faaa4d1c06d6f6d9
-
Filesize
754.2MB
MD57d6378a6f9debbbcbf23ec9b7c3426b4
SHA1e2f6c30e1a80c6429aa9946f7361c042041d8fc8
SHA256b0304763d9bde68e96c94f0a5b7871fdc5dd3d4895a3a21180c9466f273209a8
SHA5129f82a0c1fb2f7533bb4e2161bc06d8b1361833ee4be4555f0276a1ea50c856500909c13e82f8a7ce1136e4fcc795ac5547a7c7de3eb5cea8faaa4d1c06d6f6d9
-
Filesize
248KB
-
Filesize
764KB
-
Filesize
764KB
-
Filesize
764KB
-
Filesize
248KB
-
Filesize
764KB
-
Filesize
764KB