Overview

overview

10

Static

static

1

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-03-2023 13:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    174KB

  • MD5

    e58539a5556040a9c415e1cee0a27d7b

  • SHA1

    f6c272d97738f3c9d2258b946857329adda298c2

  • SHA256

    0cfc62e9e3fb70c9319f2b5785dba4a7632b137daf8e0268a557ba9f70e403b3

  • SHA512

    1426c1342e37e29821d3949319c796b14501c0230d388a3060f3f37b56a66074837be82672502e5a1308742199ee57a170366635868cd8b1a889e11f48811eaf

  • SSDEEP

    3072:LosZCJm76T7Q6RL+JLpQskRbM5XVvKLU507hlwtu/XJX:5ZevaLp+A8LUO7hSo

Score
10/10
laplasclipperdiscoverypersistencespywarestealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes
  • api_key

    1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2192
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JDAFBKECAK.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:732
      • C:\Users\Admin\AppData\Local\Temp\JDAFBKECAK.exe
        "C:\Users\Admin\AppData\Local\Temp\JDAFBKECAK.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4056
        • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
          C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
          4⤵
          • Executes dropped EXE
          PID:1592
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 596
          4⤵
          • Program crash
          PID:1748
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\file.exe" & del "C:\ProgramData\*.dll"" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1784
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 5
        3⤵
        • Delays execution with timeout.exe
        PID:3732
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 2128
      2⤵
      • Program crash
      PID:3172
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 2192 -ip 2192
    1⤵
      PID:1696
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4056 -ip 4056
      1⤵
        PID:1192

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\mozglue.dll
        Filesize

        593KB

        MD5

        c8fd9be83bc728cc04beffafc2907fe9

        SHA1

        95ab9f701e0024cedfbd312bcfe4e726744c4f2e

        SHA256

        ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

        SHA512

        fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

        Download Submit

      • C:\ProgramData\mozglue.dll
        Filesize

        593KB

        MD5

        c8fd9be83bc728cc04beffafc2907fe9

        SHA1

        95ab9f701e0024cedfbd312bcfe4e726744c4f2e

        SHA256

        ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

        SHA512

        fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

        Download Submit

      • C:\ProgramData\nss3.dll
        Filesize

        2.0MB

        MD5

        1cc453cdf74f31e4d913ff9c10acdde2

        SHA1

        6e85eae544d6e965f15fa5c39700fa7202f3aafe

        SHA256

        ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

        SHA512

        dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\JDAFBKECAK.exe
        Filesize

        1.8MB

        MD5

        7fb57840f6a8777b650bc75f0e67cc1c

        SHA1

        7f02c85ce3a176433d3128fbf8f4a9b4c792e998

        SHA256

        f43a93f2cdd910fe3bf8e164065fcfee493aacc14c673c49c473e7c009bec69c

        SHA512

        f6a142623cd2967a7a4e1599ed702dfa69a1c37238456aa86886f721add6df722bd28b3b06ac9e4a09b170a585704a20ce43ef4206a0b4820ddf816a216909e4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\JDAFBKECAK.exe
        Filesize

        1.8MB

        MD5

        7fb57840f6a8777b650bc75f0e67cc1c

        SHA1

        7f02c85ce3a176433d3128fbf8f4a9b4c792e998

        SHA256

        f43a93f2cdd910fe3bf8e164065fcfee493aacc14c673c49c473e7c009bec69c

        SHA512

        f6a142623cd2967a7a4e1599ed702dfa69a1c37238456aa86886f721add6df722bd28b3b06ac9e4a09b170a585704a20ce43ef4206a0b4820ddf816a216909e4

        Download Submit

      • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        Filesize

        644.1MB

        MD5

        a8d3edaed37a15921216166f8e5c038e

        SHA1

        dd190374455078d90f9d76f013fbef394ff6b464

        SHA256

        a332c26c263d0643c91dfb84be7796a19e7ce1d6c38b4cc97d02634c84f95c36

        SHA512

        3aaea202e998f03b0f4286f9f94bff262b748a5fa6ca420d2691a37de84ff42b37a8699dfaf71a4de4b7726e8ffedb3bfa0b3bfee4bbc899b4c1e55736aa9246

        Download Submit

      • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        Filesize

        661.2MB

        MD5

        b62af35ce34b6db96554a58598ffea59

        SHA1

        67c296dcdc5ccc9c896fd0a76bfdf2e2ef786737

        SHA256

        24b4656e2ba97ab1e1aac19600f7ff04da0ed7373a282df2c39162d6f7d80f1f

        SHA512

        478db60a0e6bcd78ee9899703b0927170fe5ef6bf15cc435c58244f55f21b87f62bcc099e69c3bedfc7e5d5b219e51a77062de4944273884f83b055bdbf7544d

        Download Submit

      • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
        Filesize

        562.9MB

        MD5

        b70290a88a4605c26e8aa3a5823a9678

        SHA1

        e26661091d0d2a519ccce6541fda41bfeaf5e8fd

        SHA256

        4ad34281d369ac214b15c4dc1623d00d9c9f404184648c58e454fc0160b01b6f

        SHA512

        9adcfa79323f25002f7794e2f008714a733351e13595594906f815c96329c353558a31ad8fea1b87118fdac4d7d2923f473b0d63a4ad41f836547104b2d7f84d

        Download Submit

      • memory/1592-229-0x0000000000400000-0x0000000000803000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/1592-228-0x0000000000400000-0x0000000000803000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/1592-222-0x0000000000400000-0x0000000000803000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/1592-224-0x0000000000400000-0x0000000000803000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/1592-232-0x0000000000400000-0x0000000000803000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/1592-231-0x0000000000400000-0x0000000000803000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/1592-220-0x0000000000400000-0x0000000000803000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/1592-221-0x0000000000400000-0x0000000000803000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/1592-230-0x0000000000400000-0x0000000000803000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/1592-233-0x0000000000400000-0x0000000000803000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/1592-226-0x0000000000400000-0x0000000000803000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/1592-225-0x0000000000400000-0x0000000000803000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/1592-227-0x0000000000400000-0x0000000000803000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/2192-206-0x0000000000400000-0x0000000000628000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/2192-135-0x0000000061E00000-0x0000000061EF3000-memory.dmp

        Filesize

        972KB

        Download

      • memory/2192-134-0x0000000002360000-0x0000000002375000-memory.dmp

        Filesize

        84KB

        Download

      • memory/4056-214-0x0000000000400000-0x0000000000803000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/4056-218-0x0000000000400000-0x0000000000803000-memory.dmp

        Filesize

        4.0MB

        Download

      • memory/4056-211-0x0000000002750000-0x0000000002B20000-memory.dmp

        Filesize

        3.8MB

        Download