Overview

overview

10

Static

static

1

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-03-2023 13:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    246KB

  • MD5

    9789fecf55c4b070e0194adb021ed607

  • SHA1

    5acfd723e11c569a12d5880083346576c1afe5a3

  • SHA256

    4cb97044fa8325ea15b14dbf9d6ee9301b9fb0601189a0c04dac9c7358313b0a

  • SHA512

    7b5f0e67236c7dd0823ad6993933106fdf1c2f51d4a8008e2b52bcf7ded4a6ad9bf5dc538300f7d82d7229bc39c64b1ddc817516989beb6ad09082879d778836

  • SSDEEP

    6144:pp/7/xgVzhs7yOomaVP1cQX6yOQgNRaMWm2:pp/lQYymMuQKyF0Km

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes
  • api_key

    9ee0ef01cd0f0468c997745b63f39799e510412a4bb4e6ff8efcf6f8ac926172

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:724
    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
      2⤵
      • Executes dropped EXE
      PID:5048
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 724 -s 1120
      2⤵
      • Program crash
      PID:4896
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 724 -ip 724
    1⤵
      PID:1612

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      Filesize

      820.2MB

      MD5

      0437becbb082a451d6bab2421d6e6ad4

      SHA1

      910b8595b74d6edf98c87c79ca40ac51cd8fc2f7

      SHA256

      6a94b4e28e9dfc0488db0ea511451b0794f3bda102324df786c6eb61277c2899

      SHA512

      6d5efe91098ed8d1e3ccd59814a18965acd040295ec3490812b000cfc53bdba4764a6cc176cec61f45ab62140ac0bc8c840bc8cedd1b4fa063d277d57b4f1407

      Download Submit

    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      Filesize

      713.9MB

      MD5

      fe9ddb76623da9169d3f08de61a57dbf

      SHA1

      6c89a53633a19788d4f2a7a1eb31a4f3336b4fd1

      SHA256

      5a68ceac559fbe39221881186c5d46b79ec509c42d81fef94f30d80f623adbd3

      SHA512

      b6a03d8950172f9578be2639dcb090c2ff042d4f053e9fa629076cf10fedf0001f4a7cfb7eb76d9e7678e935a7154fdba8117b2661608d69850f5e385556a7ab

      Download Submit

    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      Filesize

      740.7MB

      MD5

      26bbaf25a5dac3f642c22c02c0a0cd53

      SHA1

      ad01cf09e04117ed58fee44c1b57ab4c1b1f8015

      SHA256

      7c785d27738d285a84d0d9bd5b13105e64a0603a0dd002dd09df508d8c45b46e

      SHA512

      d6258bf59609b0e61989d947546d42178099263854508a7b94fbc7722ba44e6faf3ea35e278811ad975819fa6a34712fd84f1c095dee65d3e9f9641bef3f795c

      Download Submit

    • memory/724-134-0x0000000002210000-0x000000000224E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/724-143-0x0000000000400000-0x00000000004BD000-memory.dmp

      Filesize

      756KB

      Download

    • memory/724-148-0x0000000000400000-0x00000000004BD000-memory.dmp

      Filesize

      756KB

      Download

    • memory/5048-151-0x0000000000400000-0x00000000004BD000-memory.dmp

      Filesize

      756KB

      Download