laplas | 348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057

General

Target

348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057.exe
Size

7.3MB
MD5

99f16ab6ab670935b5aa5c84b1b5f6bd
SHA1

59f375481cdfe246d1ddcaada9941e16dcfda297
SHA256

348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057
SHA512

845e76e29adb6b7890a3a5c508e27b9731e9872bc791eeefb146b23e0e737280d19e4df1203b719f8e168a8c8a0d8ae1b4bf670da5d264bde1eece8663624d70
SSDEEP

196608:Ltu5ODXM16mjmKSRFWuxx6ruj3nK/x9jWuy:L05ODcgR6mix1

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://185.106.92.104

Attributes

api_key
bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
1788	svcservice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3853465373-1718857667-1861325682-1000\Software\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4104	348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057.exe
4104	348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057.exe
1788	svcservice.exe
1788	svcservice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4104	348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057.exe
4104	348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057.exe
1788	svcservice.exe
1788	svcservice.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 1788	4104	348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057.exe	66
PID 4104 wrote to memory of 1788	4104	348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057.exe	66
PID 4104 wrote to memory of 1788	4104	348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057.exe	66

C:\Users\Admin\AppData\Local\Temp\348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057.exe
"C:\Users\Admin\AppData\Local\Temp\348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057.exe"
1⤵
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:1788

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0PBDMEPO\online[2].txt

Filesize
2B

MD5
444bcb3a3fcf8389296c49467f27e1d6

SHA1
7a85f4764bbd6daf1c3545efbbf0f279a6dc0beb

SHA256
2689367b205c16ce32ed4200942b8b8b1e262dfc70d9bc9fbc77c49699a4f1df

SHA512
9fbbbb5a0f329f9782e2356fa41d89cf9b3694327c1a934d6af2a9df2d7f936ce83717fb513196a4ce5548471708cd7134c2ae99b3c357bcabb2eafc7b9b7570

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6FGHNCOX\regex[2].txt

Filesize
633B

MD5
c5298d2c78be8fdfc264eb6fe3e275f8

SHA1
f09de5f443da081efaff0155f422ca0375edd164

SHA256
de32b3c0549fde0dc5ac435a89f16a87832a0632b6602e75f552d07074081577

SHA512
5aeb5013b00e13cd8a172639bc7c675bd06cc0473ae9844c9c324e5c322987ddeff986bd4a8e620ce0ca9d1098a3ee8bbb4802789d1e89b0ec0cecf2f55a4853

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
123.3MB

MD5
19c824bd7d023b4fba43f4e7285bf01d

SHA1
c5007ba474135d8b8502518e87a7909e1f929875

SHA256
c8766c9d0c40bb052aed6697795f298289a80d4eb671e09af1b6b9a9f523fbe9

SHA512
aa0957911395dc61d070fd2c9c2dff347e6115f3a9c492b1b29683c66487fe11e64cc975924a28624a6fe519a3ab4fafff7f9739a9f4cda0a0c3bbbf56b1ca84

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
123.7MB

MD5
f013307dd3ad774db752783b24e0d616

SHA1
1e4ed1e5e44aa94e1467e5da417b5ac59e0032a4

SHA256
86a9e01f7ac7f8e1bbf56f95f4b8946fddd0b19404b6ec280d46778c62bcaec6

SHA512
b01d9384ff30054952e0364ce11b87f46e7f8fd042c52d8ae3a932abb14113621f4a9360b140edfd52b183650996ef1bf6a1e81b26871e72975bc87f69d6f0c9

Download Submit
memory/1788-139-0x0000000000990000-0x0000000000991000-memory.dmp

Filesize
4KB

Download
memory/1788-137-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/1788-135-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1788-136-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1788-138-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/1788-140-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/1788-143-0x00000000010A0000-0x0000000001C1B000-memory.dmp

Filesize
11.5MB

Download
memory/1788-141-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/1788-142-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/4104-122-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/4104-123-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/4104-119-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/4104-127-0x0000000000C90000-0x000000000180B000-memory.dmp

Filesize
11.5MB

Download
memory/4104-124-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/4104-126-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/4104-125-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/4104-121-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/4104-120-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing