laplas | db44c01bcd0e42427d9e58a4372debdef43b69db67403fc0052c1311ff85de83

Analysis

max time kernel
142s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2023, 08:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

07e9526a3bfe3cd21b5354d5bc3d1a6bb1ae74b4fa7fa2dae99f11731e386ec7.exe
Size

338KB
MD5

3a74abde4ab3fcd0530867f346b11310
SHA1

a4a3d959576d09fb6d27e4e563459f890c1c362f
SHA256

07e9526a3bfe3cd21b5354d5bc3d1a6bb1ae74b4fa7fa2dae99f11731e386ec7
SHA512

e8dc08e6c698675978eef91f2b1b8b413fc6a969f7fdefbad234f031c7260a5e393085aa29919fe92d5f209247fbb0dc4d413545b9ecb9bc39442043e45c109f
SSDEEP

3072:MdMY1dTjn7/vb0JsFKCqdwqatG+3a6bnBbn/9GKc0gBFla4XtX64v4:iH1xjnTgJz7RVn6bl/9fMS4Xt

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
9ee0ef01cd0f0468c997745b63f39799e510412a4bb4e6ff8efcf6f8ac926172

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	07e9526a3bfe3cd21b5354d5bc3d1a6bb1ae74b4fa7fa2dae99f11731e386ec7.exe

Executes dropped EXE 1 IoCs

pid	Process
2220	svcservice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	07e9526a3bfe3cd21b5354d5bc3d1a6bb1ae74b4fa7fa2dae99f11731e386ec7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1048	3172	WerFault.exe	86

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3172 wrote to memory of 2220	3172	07e9526a3bfe3cd21b5354d5bc3d1a6bb1ae74b4fa7fa2dae99f11731e386ec7.exe	87
PID 3172 wrote to memory of 2220	3172	07e9526a3bfe3cd21b5354d5bc3d1a6bb1ae74b4fa7fa2dae99f11731e386ec7.exe	87
PID 3172 wrote to memory of 2220	3172	07e9526a3bfe3cd21b5354d5bc3d1a6bb1ae74b4fa7fa2dae99f11731e386ec7.exe	87

C:\Users\Admin\AppData\Local\Temp\07e9526a3bfe3cd21b5354d5bc3d1a6bb1ae74b4fa7fa2dae99f11731e386ec7.exe
"C:\Users\Admin\AppData\Local\Temp\07e9526a3bfe3cd21b5354d5bc3d1a6bb1ae74b4fa7fa2dae99f11731e386ec7.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
  2⤵
  - Executes dropped EXE
  PID:2220
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 1120
  2⤵
  - Program crash
  PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3172 -ip 3172
1⤵
PID:4728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
633.4MB

MD5
34916a1d101e959a7e3062efa1a4a48a

SHA1
4d3f8ea919edcdcad05e651ab6573bca15302600

SHA256
667aa030c78992984d4c8522bb6fe00a7e2e13541f809361758574dd26a07a29

SHA512
e5e79eb41dc03f0950933881b23344cc0e302707deb37c0b3c46d743a8a317882bbde6d82c87a8ae28a43670d9eca2209a1e5d945b0e406800ffe08143de3fd4

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
521.4MB

MD5
e97ecb53b61d6669ae47aef7fe327b05

SHA1
267200a8c7e5d0e0e9752084ba3838be6d55c519

SHA256
814740fa183ce8cdeec406624c060fa99987c716784b36adcd23ec51a7ced650

SHA512
cec7731d474ab6ea62e15cc2ca116b8106c78e5d79bbf1b909915d1c58042ea50483d3ddba15731ac59395049c783e176c3b5114e1e8350b450fc384718ca20e

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
527.9MB

MD5
aaf8f5c21fe2b1ca920f14b983604abf

SHA1
6b84c86c99cb94e6ebaa37d7379b22d4ef59cad1

SHA256
4098573402e5a9a80f47f7cc00ff1263b2eae90f3aea36551dc201cb35167615

SHA512
8d8e171886877d24407593b719cc1b31f3576be8038be8c6a3f644b37d6a8e16c1e0ede04024a23f7506c8a6635afebccc3a0d2bbd2f76f35db235648864e5a4

Download Submit
memory/2220-146-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/3172-134-0x0000000000730000-0x000000000076E000-memory.dmp

Filesize
248KB

Download
memory/3172-140-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/3172-145-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download