laplas | 348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057

General

Target

348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057.exe
Size

7.3MB
MD5

99f16ab6ab670935b5aa5c84b1b5f6bd
SHA1

59f375481cdfe246d1ddcaada9941e16dcfda297
SHA256

348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057
SHA512

845e76e29adb6b7890a3a5c508e27b9731e9872bc791eeefb146b23e0e737280d19e4df1203b719f8e168a8c8a0d8ae1b4bf670da5d264bde1eece8663624d70
SSDEEP

196608:Ltu5ODXM16mjmKSRFWuxx6ruj3nK/x9jWuy:L05ODcgR6mix1

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://185.106.92.104

Attributes

api_key
bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
4984	svcservice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
3228	348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057.exe
3228	348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057.exe
4984	svcservice.exe
4984	svcservice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3228	348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057.exe
3228	348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057.exe
4984	svcservice.exe
4984	svcservice.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 4984	3228	348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057.exe	66
PID 3228 wrote to memory of 4984	3228	348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057.exe	66
PID 3228 wrote to memory of 4984	3228	348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057.exe	66

C:\Users\Admin\AppData\Local\Temp\348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057.exe
"C:\Users\Admin\AppData\Local\Temp\348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:4984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6CI3IN3W\regex[2].txt

Filesize
633B

MD5
c5298d2c78be8fdfc264eb6fe3e275f8

SHA1
f09de5f443da081efaff0155f422ca0375edd164

SHA256
de32b3c0549fde0dc5ac435a89f16a87832a0632b6602e75f552d07074081577

SHA512
5aeb5013b00e13cd8a172639bc7c675bd06cc0473ae9844c9c324e5c322987ddeff986bd4a8e620ce0ca9d1098a3ee8bbb4802789d1e89b0ec0cecf2f55a4853

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6RO0PN6W\online[2].txt

Filesize
2B

MD5
444bcb3a3fcf8389296c49467f27e1d6

SHA1
7a85f4764bbd6daf1c3545efbbf0f279a6dc0beb

SHA256
2689367b205c16ce32ed4200942b8b8b1e262dfc70d9bc9fbc77c49699a4f1df

SHA512
9fbbbb5a0f329f9782e2356fa41d89cf9b3694327c1a934d6af2a9df2d7f936ce83717fb513196a4ce5548471708cd7134c2ae99b3c357bcabb2eafc7b9b7570

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
773.5MB

MD5
5901c0111de27d3176097cf52fa322d5

SHA1
d653f5abd102c58f3c3644b71cb11c1e521fd52e

SHA256
0348b1a9967895e9a2a48af5fe899c3953130a933c4d2f13b7c05cd67e8b161c

SHA512
663f4eabb9fd30eecb2da260ce4ac0bef818a21ca955154d3a2b2a818a56d11a71104e1055331c587e12cb02eaa7500d5ee5beebbcdf5ae7e1c0c918ef423472

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
769.2MB

MD5
ccff4abcee0cf495ced4907573ff767a

SHA1
230a26e59a558c6240885dc0880e8c46cc8e2772

SHA256
dc8258191f489e6a933df0d01be912405c5689399fb6c6eb3be5d6474a1becf7

SHA512
921270fe790fc23bea5e9fc4b191143e1f55a52f41291506ecd95d4a3bbd9de106831cdda7842e1c30b5667609d6900abd9d88032910c87ebf045b47c12d661e

Download Submit
memory/3228-126-0x0000000001290000-0x0000000001291000-memory.dmp

Filesize
4KB

Download
memory/3228-121-0x0000000001230000-0x0000000001231000-memory.dmp

Filesize
4KB

Download
memory/3228-128-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/3228-127-0x00000000012A0000-0x00000000012A1000-memory.dmp

Filesize
4KB

Download
memory/3228-129-0x00000000012B0000-0x0000000001E2B000-memory.dmp

Filesize
11.5MB

Download
memory/3228-125-0x0000000001280000-0x0000000001281000-memory.dmp

Filesize
4KB

Download
memory/3228-124-0x0000000001270000-0x0000000001271000-memory.dmp

Filesize
4KB

Download
memory/3228-122-0x0000000001240000-0x0000000001241000-memory.dmp

Filesize
4KB

Download
memory/3228-123-0x0000000001250000-0x0000000001251000-memory.dmp

Filesize
4KB

Download
memory/4984-141-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/4984-144-0x00000000019D0000-0x00000000019D1000-memory.dmp

Filesize
4KB

Download
memory/4984-143-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/4984-142-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/4984-139-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/4984-137-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/4984-145-0x0000000000D50000-0x00000000018CB000-memory.dmp

Filesize
11.5MB

Download
memory/4984-140-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/4984-138-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing