laplas | 8267f9dda287a6d9f0f1765c10dadee63c81ad8d2ba349db949a5219bc16b721

Analysis

max time kernel
146s
max time network
115s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13/03/2023, 11:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd9b8dbe2a4bd2f65eab24664fe843325690731cfeff8efa5aeaf24e6565fe69.exe
Size

263KB
MD5

a5738bf405e2d273310bb9eea4275555
SHA1

d582cad53d78f41f4d2ea814e083e5291e59820b
SHA256

dd9b8dbe2a4bd2f65eab24664fe843325690731cfeff8efa5aeaf24e6565fe69
SHA512

bb15f79ce0b5be6d1ff0be8740f5bc6acd65b260c1e41b3645f53685ced7fc29aa450173a599f42ee88ae9ecd5213fa22d65378c90269ccb1973ad1076235f45
SSDEEP

3072:4A9FDcQxP9TF9CeVQtVVO/gCyVed1XCCyj3yvKJIvVEhSZ1hvJzmCpZmcgl11ycW:lFgQxP9T6y6V7U453yyIthZnlZQzu

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
9ee0ef01cd0f0468c997745b63f39799e510412a4bb4e6ff8efcf6f8ac926172

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
1936	svcservice.exe

Loads dropped DLL 2 IoCs

pid	Process
2040	dd9b8dbe2a4bd2f65eab24664fe843325690731cfeff8efa5aeaf24e6565fe69.exe
2040	dd9b8dbe2a4bd2f65eab24664fe843325690731cfeff8efa5aeaf24e6565fe69.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	dd9b8dbe2a4bd2f65eab24664fe843325690731cfeff8efa5aeaf24e6565fe69.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1936	2040	dd9b8dbe2a4bd2f65eab24664fe843325690731cfeff8efa5aeaf24e6565fe69.exe	28
PID 2040 wrote to memory of 1936	2040	dd9b8dbe2a4bd2f65eab24664fe843325690731cfeff8efa5aeaf24e6565fe69.exe	28
PID 2040 wrote to memory of 1936	2040	dd9b8dbe2a4bd2f65eab24664fe843325690731cfeff8efa5aeaf24e6565fe69.exe	28
PID 2040 wrote to memory of 1936	2040	dd9b8dbe2a4bd2f65eab24664fe843325690731cfeff8efa5aeaf24e6565fe69.exe	28

C:\Users\Admin\AppData\Local\Temp\dd9b8dbe2a4bd2f65eab24664fe843325690731cfeff8efa5aeaf24e6565fe69.exe
"C:\Users\Admin\AppData\Local\Temp\dd9b8dbe2a4bd2f65eab24664fe843325690731cfeff8efa5aeaf24e6565fe69.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
  2⤵
  - Executes dropped EXE
  PID:1936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
472.6MB

MD5
0cab5f9bfc79f3f69cc30107dba090dd

SHA1
a4f6d1d0c7bdba32ece4bed7918b279e5d7e3567

SHA256
901e941e5bba4a2ec6986ed9fdd7b7c3d1a8976bef930353777f2e6dbc0d56a6

SHA512
6b8f4ea83b4e5e1e21689c3e2e43f32d9b994176227591bef5714d0ef6b1d770517b3802a46474c1c983f7ba2af2b1cbd12c91dc941327e659a9e64854efb08d

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
470.6MB

MD5
7194a885b844d53d376edebcad2052cb

SHA1
0b40b4d68831a450f75d93d145a90f2c45490cd3

SHA256
1163feca08cc98a642223a1475bb0f1eca305716ed7ff640e283f75e7702aa4c

SHA512
df4d71d8837295dec77c4a5cd531af0f98fe1f4b9f99a24ab27a3c13d993ef6e76c609e768e221266767971707097f4057aa083ab844162b9c05e8dfd76b4aac

Download Submit
\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
453.9MB

MD5
136d8681006eb56c72a9482dc748080a

SHA1
6b6e5130670d37a5ab7b692e507d6fe00a046643

SHA256
882158b3291ae02b828d9647da454980ba83822202f4c83e82dbc714d783e917

SHA512
b6e3bb48f1675cc231cf6cd9ef70935797cd91315685bb165c6fadc15a0d4b9d07b7eec7156e3c2c6e53f25ac69307169adc508b03e49e8f8cd1c9ebea8aceac

Download Submit
\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
416.7MB

MD5
ce67b792515aa27e3dfc814a1b9ab3e4

SHA1
9472512db5c38bf65655d767c76ee504c3115521

SHA256
c2e7922b9393875fbcce629ba7e35e78119085b49296b3cd754401131742ab99

SHA512
d31c5c7a5f00f5dfbca02726a5a74f031805d2fa7ad700eb8d48d57317162ed1406f27ee4c627d5d707a9761622d52ae3145618d2981f175737cb6709c0d780a

Download Submit
memory/1936-67-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2040-55-0x00000000003A0000-0x00000000003DC000-memory.dmp

Filesize
240KB

Download
memory/2040-65-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download