laplas | 5f0b4bc4ef82e8d3178167ef18f1bbbfb3a7d94929d7262cc6ca77592f3293c0

Analysis

max time kernel
144s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
16-03-2023 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f0b4bc4ef82e8d3178167ef18f1bbbfb3a7d94929d7262cc6ca77592f3293c0.exe
Size

246KB
MD5

95d60d52c0f8e2c87d1f495f426f4e20
SHA1

daa905959994df54356b8d010df02b2cdcf88cfe
SHA256

5f0b4bc4ef82e8d3178167ef18f1bbbfb3a7d94929d7262cc6ca77592f3293c0
SHA512

eaa3956a4a60acf551673b2a2fb16105dd34d8caa17d8d87918e6f1013673fcb8241e4147ad4ce535b03bcadae8b4fc682cb8b6e48619a59dc27cfd506b7be7e
SSDEEP

6144:pQwkcWSfzNAFKtUG4BNCLcZzgiestN9oI:pQwfQ0yG4T6K8dst

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
9ee0ef01cd0f0468c997745b63f39799e510412a4bb4e6ff8efcf6f8ac926172

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	5f0b4bc4ef82e8d3178167ef18f1bbbfb3a7d94929d7262cc6ca77592f3293c0.exe

Executes dropped EXE 1 IoCs

pid	Process
3984	svcservice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	5f0b4bc4ef82e8d3178167ef18f1bbbfb3a7d94929d7262cc6ca77592f3293c0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4196	2188	WerFault.exe	84

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 3984	2188	5f0b4bc4ef82e8d3178167ef18f1bbbfb3a7d94929d7262cc6ca77592f3293c0.exe	85
PID 2188 wrote to memory of 3984	2188	5f0b4bc4ef82e8d3178167ef18f1bbbfb3a7d94929d7262cc6ca77592f3293c0.exe	85
PID 2188 wrote to memory of 3984	2188	5f0b4bc4ef82e8d3178167ef18f1bbbfb3a7d94929d7262cc6ca77592f3293c0.exe	85

C:\Users\Admin\AppData\Local\Temp\5f0b4bc4ef82e8d3178167ef18f1bbbfb3a7d94929d7262cc6ca77592f3293c0.exe
"C:\Users\Admin\AppData\Local\Temp\5f0b4bc4ef82e8d3178167ef18f1bbbfb3a7d94929d7262cc6ca77592f3293c0.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
  2⤵
  - Executes dropped EXE
  PID:3984
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 1120
  2⤵
  - Program crash
  PID:4196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 2188 -ip 2188
1⤵
PID:3868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
520.9MB

MD5
08365e3a4b7480cd8978ad3db79d3a00

SHA1
2392f29ca2a937c43c7f597bd6120c2589582096

SHA256
94af9e61806d7e9e32b7decf4b1b753812c7ccc2bc7bf3374aff22d98f8cdffd

SHA512
f81d0b888d12d99af47585593c3c0ba30ce4c868a6f1230be7931821ab23573e5b66c1158fed0c49d55dd6cfd8abf93653d4fff59d73ac770ed2bc1830404353

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
591.1MB

MD5
1be3ff86bee8448d4e0c7212d78f5a85

SHA1
af313722eb669439ef99d2f71b08ea77792fa5ac

SHA256
b49029ac038a90b81f82b42b87e1fcfc0698f2589854f1a10368d8b73bf4b382

SHA512
660b5ab8ec3ab9e821a5b3975f529b1a5a15893a7b5efe40b32655639a7d1dc78d83ee02f75e3814917bb14b49e6ddf920f28c87f41d2e2d0a0cd92288271372

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
554.8MB

MD5
45e22d6049adda83776d495356c313a4

SHA1
e3506d029680cd81f290e2bd470807458ea64896

SHA256
e3d40bbe4209cca79066930bc8118cb5c59c1a57f5c6537b7aacd89555fc7c58

SHA512
b3759a76c27f45abd7f780167dd7035516cc9d4401a161d62225b67f94be225a9b6a27395a5f93e6cc0b84c0eb0d081a56c105df2738fc6c5354e0731cfe49a9

Download Submit
memory/2188-134-0x0000000000670000-0x00000000006AE000-memory.dmp

Filesize
248KB

Download
memory/2188-136-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2188-144-0x0000000000670000-0x00000000006AE000-memory.dmp

Filesize
248KB

Download
memory/2188-151-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3984-150-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download