laplas | 4cb97044fa8325ea15b14dbf9d6ee9301b9fb0601189a0c04dac9c7358313b0a

Analysis

max time kernel
144s
max time network
132s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
16-03-2023 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

246KB
MD5

9789fecf55c4b070e0194adb021ed607
SHA1

5acfd723e11c569a12d5880083346576c1afe5a3
SHA256

4cb97044fa8325ea15b14dbf9d6ee9301b9fb0601189a0c04dac9c7358313b0a
SHA512

7b5f0e67236c7dd0823ad6993933106fdf1c2f51d4a8008e2b52bcf7ded4a6ad9bf5dc538300f7d82d7229bc39c64b1ddc817516989beb6ad09082879d778836
SSDEEP

6144:pp/7/xgVzhs7yOomaVP1cQX6yOQgNRaMWm2:pp/lQYymMuQKyF0Km

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
9ee0ef01cd0f0468c997745b63f39799e510412a4bb4e6ff8efcf6f8ac926172

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
2024	svcservice.exe

Loads dropped DLL 2 IoCs

pid	Process
2044	file.exe
2044	file.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2024	2044	file.exe	28
PID 2044 wrote to memory of 2024	2044	file.exe	28
PID 2044 wrote to memory of 2024	2044	file.exe	28
PID 2044 wrote to memory of 2024	2044	file.exe	28

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
  2⤵
  - Executes dropped EXE
  PID:2024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
533.8MB

MD5
160eab63965bf4c27a747f68fae9f533

SHA1
35f27cb5dd9d33c5fed72477e67081006e52afa9

SHA256
62cadae37a4fc5e66665128410539db2c3b85c05ff7e91332929e0c4483b97d0

SHA512
0957a26be058fb28b843fbc962adeb1ece617ace4aefce6aa6bf8ac3b2706adbfa324a462e14d6d2233e30c119f9a0dbbfe98e91f915486f659796a64944731e

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
622.9MB

MD5
63dd7d2cccd6db5ac734d9d93aaede09

SHA1
3fcc05991f3de458b805e97475fe61369e650ada

SHA256
7c3a5a9160ced7a219c469c209d3d4b6f5020f52f610ce98ccac2019815b7254

SHA512
e84dd08f3230c1c23c858c3ee71ac3f405aad85e61998cd011d4348aa49d263fb0871b1387fc19a0b821831aae1db94e4ebee52de1c33ba43a96349413f69393

Download Submit
\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
566.4MB

MD5
12f930d5220d34978a489699a3400961

SHA1
f325efe59e05f07900d465b706985000c2ae6c70

SHA256
be4bb786ae5c5e019946fcd62ba412132a5432f34f1273c275ec6206e8e5f634

SHA512
bcd818a5654e00af5fb4e424e27b5a6fb7c4d12ec36a1b15e3a94fcf02fbc278298f8c21d23d5add8d909ec6c2ba196a59e974f1d9979329224383678b06fda7

Download Submit
\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
603.8MB

MD5
3a9edf343b478582e3dc656c39b50a76

SHA1
cc5da7e8704e300c3f58794370d88c69e15b2522

SHA256
17e66ee563b6abd15553396a1b0ec69952ca0939c762424eb70c02d6f80a7fdc

SHA512
81519eb0da437ffc4ef266ce14ca49020ec7fe3209908252a371aff5492f4e40da1afed81699d3690c831b66ff779a0ebf0bc12789c4236329f87f871043a08b

Download Submit
memory/2024-67-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2044-55-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2044-65-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download