laplas | 1e57c51cc9d846bf498dafd60c3423dcb6896cf9e2cc9f754e2ba7c77b38445d

Analysis

max time kernel
109s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
13/03/2023, 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39c28f0244bfeb2fe54808cda05f80ad36a886f1e2c75960779ede0894a9219d.exe
Size

11.7MB
MD5

aca042ff3879a53b09a6089012c0dc3c
SHA1

cffcd52ebc1dac648c06abf22a73fed5e631d932
SHA256

39c28f0244bfeb2fe54808cda05f80ad36a886f1e2c75960779ede0894a9219d
SHA512

1b774c8804457e0c5a424f243c5a1cdeeb2c5cb52b867d0695d377a9edecad4e4cc125adcef05eed939de13cb325e5160213fc75850016a6b31469cf24837fa6
SSDEEP

196608:W9x9G9JpwtykN94/4KdH3WPdv16lzYrcttP5Kzn/cpCXH2zcgh0YZZoJ8wnVSh7U:WxRtykbuH3+x162r0Pkzn/c4XH2zcU0Q

Score

10^/10

laplas clipper discovery persistence spyware stealer

Malware Config

Extracted

Family

laplas

http://185.106.92.104

Attributes

api_key
bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	39c28f0244bfeb2fe54808cda05f80ad36a886f1e2c75960779ede0894a9219d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	4m0f7sf4.exe

Executes dropped EXE 3 IoCs

pid	Process
1504	tv4VwC88.exe
4532	4m0f7sf4.exe
3860	svcservice.exe

Loads dropped DLL 3 IoCs

pid	Process
1268	39c28f0244bfeb2fe54808cda05f80ad36a886f1e2c75960779ede0894a9219d.exe
1268	39c28f0244bfeb2fe54808cda05f80ad36a886f1e2c75960779ede0894a9219d.exe
1268	39c28f0244bfeb2fe54808cda05f80ad36a886f1e2c75960779ede0894a9219d.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	4m0f7sf4.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4532	4m0f7sf4.exe
4532	4m0f7sf4.exe
3860	svcservice.exe
3860	svcservice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1268	39c28f0244bfeb2fe54808cda05f80ad36a886f1e2c75960779ede0894a9219d.exe
1268	39c28f0244bfeb2fe54808cda05f80ad36a886f1e2c75960779ede0894a9219d.exe
4532	4m0f7sf4.exe
4532	4m0f7sf4.exe
3860	svcservice.exe
3860	svcservice.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 1504	1268	39c28f0244bfeb2fe54808cda05f80ad36a886f1e2c75960779ede0894a9219d.exe	94
PID 1268 wrote to memory of 1504	1268	39c28f0244bfeb2fe54808cda05f80ad36a886f1e2c75960779ede0894a9219d.exe	94
PID 1504 wrote to memory of 5040	1504	tv4VwC88.exe	95
PID 1504 wrote to memory of 5040	1504	tv4VwC88.exe	95
PID 5040 wrote to memory of 5016	5040	cmd.exe	97
PID 5040 wrote to memory of 5016	5040	cmd.exe	97
PID 1268 wrote to memory of 4532	1268	39c28f0244bfeb2fe54808cda05f80ad36a886f1e2c75960779ede0894a9219d.exe	98
PID 1268 wrote to memory of 4532	1268	39c28f0244bfeb2fe54808cda05f80ad36a886f1e2c75960779ede0894a9219d.exe	98
PID 1268 wrote to memory of 4532	1268	39c28f0244bfeb2fe54808cda05f80ad36a886f1e2c75960779ede0894a9219d.exe	98
PID 4532 wrote to memory of 3860	4532	4m0f7sf4.exe	100
PID 4532 wrote to memory of 3860	4532	4m0f7sf4.exe	100
PID 4532 wrote to memory of 3860	4532	4m0f7sf4.exe	100

C:\Users\Admin\AppData\Local\Temp\39c28f0244bfeb2fe54808cda05f80ad36a886f1e2c75960779ede0894a9219d.exe
"C:\Users\Admin\AppData\Local\Temp\39c28f0244bfeb2fe54808cda05f80ad36a886f1e2c75960779ede0894a9219d.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Users\Admin\AppData\Local\Temp\tv4VwC88.exe
  "C:\Users\Admin\AppData\Local\Temp\tv4VwC88.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\tv4VwC88.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5040
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 0
      4⤵
      PID:5016
- C:\Users\Admin\AppData\Local\Temp\4m0f7sf4.exe
  "C:\Users\Admin\AppData\Local\Temp\4m0f7sf4.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:3860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\mozglue.dll

Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
C:\Users\Admin\AppData\LocalLow\nss3.dll

Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
C:\Users\Admin\AppData\LocalLow\sqlite3.dll

Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\4m0f7sf4.exe

Filesize
7.3MB

MD5
99f16ab6ab670935b5aa5c84b1b5f6bd

SHA1
59f375481cdfe246d1ddcaada9941e16dcfda297

SHA256
348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057

SHA512
845e76e29adb6b7890a3a5c508e27b9731e9872bc791eeefb146b23e0e737280d19e4df1203b719f8e168a8c8a0d8ae1b4bf670da5d264bde1eece8663624d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\4m0f7sf4.exe

Filesize
7.3MB

MD5
99f16ab6ab670935b5aa5c84b1b5f6bd

SHA1
59f375481cdfe246d1ddcaada9941e16dcfda297

SHA256
348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057

SHA512
845e76e29adb6b7890a3a5c508e27b9731e9872bc791eeefb146b23e0e737280d19e4df1203b719f8e168a8c8a0d8ae1b4bf670da5d264bde1eece8663624d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\4m0f7sf4.exe

Filesize
7.3MB

MD5
99f16ab6ab670935b5aa5c84b1b5f6bd

SHA1
59f375481cdfe246d1ddcaada9941e16dcfda297

SHA256
348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057

SHA512
845e76e29adb6b7890a3a5c508e27b9731e9872bc791eeefb146b23e0e737280d19e4df1203b719f8e168a8c8a0d8ae1b4bf670da5d264bde1eece8663624d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tv4VwC88.exe

Filesize
13.9MB

MD5
ed336b6bdb233598a61aa4fd6d008491

SHA1
2c336b11ae740a8e4dc0a5f9896076638cb60f2c

SHA256
12e19037193d668adfa5f080c0d675599287a1597c97126f9816ea2ea03e89b6

SHA512
10fb6056da29268403002ff5b4b1d832b156b3d9326157e231c82274e073d095883162d2f973d4f1eaaf294772b0d54117b2a10f7caa678c553191ae8de6ee70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tv4VwC88.exe

Filesize
13.9MB

MD5
ed336b6bdb233598a61aa4fd6d008491

SHA1
2c336b11ae740a8e4dc0a5f9896076638cb60f2c

SHA256
12e19037193d668adfa5f080c0d675599287a1597c97126f9816ea2ea03e89b6

SHA512
10fb6056da29268403002ff5b4b1d832b156b3d9326157e231c82274e073d095883162d2f973d4f1eaaf294772b0d54117b2a10f7caa678c553191ae8de6ee70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tv4VwC88.exe

Filesize
13.9MB

MD5
ed336b6bdb233598a61aa4fd6d008491

SHA1
2c336b11ae740a8e4dc0a5f9896076638cb60f2c

SHA256
12e19037193d668adfa5f080c0d675599287a1597c97126f9816ea2ea03e89b6

SHA512
10fb6056da29268403002ff5b4b1d832b156b3d9326157e231c82274e073d095883162d2f973d4f1eaaf294772b0d54117b2a10f7caa678c553191ae8de6ee70

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
767.3MB

MD5
b26721967a17313cc663b92cda735e02

SHA1
076138fbe73399894d3fbaac74c13e083f881e9e

SHA256
5879615375551e9c897a0e9a9a18b8543996c0fa85137838c22741851ba00684

SHA512
65a92978ceb7b61c9ce2422b71de65582d4029ac3030a2421095f587244f7fbf0733991652a04aeb5c553dc022a46f539ca2bfd5cc5a3c46836be833c247de75

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
767.3MB

MD5
b26721967a17313cc663b92cda735e02

SHA1
076138fbe73399894d3fbaac74c13e083f881e9e

SHA256
5879615375551e9c897a0e9a9a18b8543996c0fa85137838c22741851ba00684

SHA512
65a92978ceb7b61c9ce2422b71de65582d4029ac3030a2421095f587244f7fbf0733991652a04aeb5c553dc022a46f539ca2bfd5cc5a3c46836be833c247de75

Download Submit
memory/1268-137-0x0000000003770000-0x0000000003771000-memory.dmp

Filesize
4KB

Download
memory/1268-186-0x0000000061E00000-0x0000000061EF1000-memory.dmp

Filesize
964KB

Download
memory/1268-136-0x00000000019F0000-0x00000000019F1000-memory.dmp

Filesize
4KB

Download
memory/1268-138-0x0000000003780000-0x0000000003781000-memory.dmp

Filesize
4KB

Download
memory/1268-135-0x00000000019D0000-0x00000000019D1000-memory.dmp

Filesize
4KB

Download
memory/1268-134-0x00000000019C0000-0x00000000019C1000-memory.dmp

Filesize
4KB

Download
memory/1268-133-0x0000000001960000-0x0000000001961000-memory.dmp

Filesize
4KB

Download
memory/1268-139-0x0000000003790000-0x0000000003791000-memory.dmp

Filesize
4KB

Download
memory/1268-140-0x0000000000400000-0x00000000018DB000-memory.dmp

Filesize
20.9MB

Download
memory/1504-205-0x00000000002E0000-0x000000000112F000-memory.dmp

Filesize
14.3MB

Download
memory/3860-241-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/3860-242-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/3860-249-0x0000000000C20000-0x000000000179B000-memory.dmp

Filesize
11.5MB

Download
memory/3860-248-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

Filesize
4KB

Download
memory/3860-246-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

Filesize
4KB

Download
memory/3860-245-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

Filesize
4KB

Download
memory/3860-247-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

Filesize
4KB

Download
memory/3860-244-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/3860-243-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/4532-226-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/4532-219-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/4532-220-0x00000000014C0000-0x00000000014C1000-memory.dmp

Filesize
4KB

Download
memory/4532-221-0x00000000014D0000-0x00000000014D1000-memory.dmp

Filesize
4KB

Download
memory/4532-227-0x0000000000940000-0x00000000014BB000-memory.dmp

Filesize
11.5MB

Download
memory/4532-222-0x00000000014F0000-0x00000000014F1000-memory.dmp

Filesize
4KB

Download
memory/4532-225-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/4532-224-0x0000000003180000-0x0000000003181000-memory.dmp

Filesize
4KB

Download
memory/4532-223-0x0000000001500000-0x0000000001501000-memory.dmp

Filesize
4KB

Download