laplas | 8267f9dda287a6d9f0f1765c10dadee63c81ad8d2ba349db949a5219bc16b721

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2023, 11:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd9b8dbe2a4bd2f65eab24664fe843325690731cfeff8efa5aeaf24e6565fe69.exe
Size

263KB
MD5

a5738bf405e2d273310bb9eea4275555
SHA1

d582cad53d78f41f4d2ea814e083e5291e59820b
SHA256

dd9b8dbe2a4bd2f65eab24664fe843325690731cfeff8efa5aeaf24e6565fe69
SHA512

bb15f79ce0b5be6d1ff0be8740f5bc6acd65b260c1e41b3645f53685ced7fc29aa450173a599f42ee88ae9ecd5213fa22d65378c90269ccb1973ad1076235f45
SSDEEP

3072:4A9FDcQxP9TF9CeVQtVVO/gCyVed1XCCyj3yvKJIvVEhSZ1hvJzmCpZmcgl11ycW:lFgQxP9T6y6V7U453yyIthZnlZQzu

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
9ee0ef01cd0f0468c997745b63f39799e510412a4bb4e6ff8efcf6f8ac926172

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	dd9b8dbe2a4bd2f65eab24664fe843325690731cfeff8efa5aeaf24e6565fe69.exe

Executes dropped EXE 1 IoCs

pid	Process
2148	svcservice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	dd9b8dbe2a4bd2f65eab24664fe843325690731cfeff8efa5aeaf24e6565fe69.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4828	1416	WerFault.exe	85

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 2148	1416	dd9b8dbe2a4bd2f65eab24664fe843325690731cfeff8efa5aeaf24e6565fe69.exe	86
PID 1416 wrote to memory of 2148	1416	dd9b8dbe2a4bd2f65eab24664fe843325690731cfeff8efa5aeaf24e6565fe69.exe	86
PID 1416 wrote to memory of 2148	1416	dd9b8dbe2a4bd2f65eab24664fe843325690731cfeff8efa5aeaf24e6565fe69.exe	86

C:\Users\Admin\AppData\Local\Temp\dd9b8dbe2a4bd2f65eab24664fe843325690731cfeff8efa5aeaf24e6565fe69.exe
"C:\Users\Admin\AppData\Local\Temp\dd9b8dbe2a4bd2f65eab24664fe843325690731cfeff8efa5aeaf24e6565fe69.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
  2⤵
  - Executes dropped EXE
  PID:2148
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 884
  2⤵
  - Program crash
  PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1416 -ip 1416
1⤵
PID:1584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
626.5MB

MD5
3590488751126052bb0fcdb171c36c88

SHA1
34f7b97a22b2cc6fa6763ea408b9fa9bd7b7f302

SHA256
0c07fa141fb9e6fc2b1276b643f0c21f75f61b816f59e60379235ca43454f535

SHA512
37c2f1db0cbacd2a84f5736518272090382c21fd1318a916eba79afc8280f74d5e185c564c72cf9d757e6333454272cedd5e537adfe23a398ab1c6712970f295

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
662.8MB

MD5
b4de67c2ac4a15d5c20e7c3e05b4c224

SHA1
e2af8d6bd7348ff021dbbf54f450d636ed1d3f8f

SHA256
20992d670db70cae9d5d69ab1ea3e1bc3f07ae64764e4b8f45c9050ea8c323e6

SHA512
99438ac4691bfadb87daea4283a7f57a9f7a0ff23fed06cf40aff0390dfb4e1a4193376e8fde905c3043b44c70230b312627c635d0c8050e5f92029b181a0ca2

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
507.7MB

MD5
0bd541ec7120c4775a50dee212c3b638

SHA1
0e79a6a8b12d15fe164b37beeec3f23252b0c59c

SHA256
10323632832728b8caf99991d590d62d4b904884b3ab80c5c6ecad2cf366d1fb

SHA512
d323bdb6b19cba1e88d28b95bc8766b07311d1450578c9863964f92312a86e00d5516aa0dfa39a3c162be20b18c850ea2816410ff922f0eb4e9962d1a52a2525

Download Submit
memory/1416-134-0x00000000005A0000-0x00000000005DC000-memory.dmp

Filesize
240KB

Download
memory/1416-136-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1416-151-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2148-152-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download