laplas | 778f7f711fd9968bad559bdafc408f6d8448ef8138f49ff3144f5e36e7728e5a

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
16-03-2023 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

778f7f711fd9968bad559bdafc408f6d8448ef8138f49ff3144f5e36e7728e5a.exe
Size

245KB
MD5

25a5b10307be36cf8a5d6237bf45da95
SHA1

4b6289cafe8dba823f841aaeaae1e1454c91eea2
SHA256

778f7f711fd9968bad559bdafc408f6d8448ef8138f49ff3144f5e36e7728e5a
SHA512

3936ac03c4b7d73c3ff7bc00e27655e67bcefd2903d4177563bb137593a6791efb90f50373934738853881d91a9811208f10af1e637c84c237c4ca8b8d69a6c2
SSDEEP

6144:OQlYxF3P1vMI97WxMGoB0gBlhrEZc+4B:OQlYx1aIu

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
9ee0ef01cd0f0468c997745b63f39799e510412a4bb4e6ff8efcf6f8ac926172

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	778f7f711fd9968bad559bdafc408f6d8448ef8138f49ff3144f5e36e7728e5a.exe

Executes dropped EXE 1 IoCs

pid	Process
4104	svcservice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	778f7f711fd9968bad559bdafc408f6d8448ef8138f49ff3144f5e36e7728e5a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5056	2556	WerFault.exe	84

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 4104	2556	778f7f711fd9968bad559bdafc408f6d8448ef8138f49ff3144f5e36e7728e5a.exe	88
PID 2556 wrote to memory of 4104	2556	778f7f711fd9968bad559bdafc408f6d8448ef8138f49ff3144f5e36e7728e5a.exe	88
PID 2556 wrote to memory of 4104	2556	778f7f711fd9968bad559bdafc408f6d8448ef8138f49ff3144f5e36e7728e5a.exe	88

C:\Users\Admin\AppData\Local\Temp\778f7f711fd9968bad559bdafc408f6d8448ef8138f49ff3144f5e36e7728e5a.exe
"C:\Users\Admin\AppData\Local\Temp\778f7f711fd9968bad559bdafc408f6d8448ef8138f49ff3144f5e36e7728e5a.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
  2⤵
  - Executes dropped EXE
  PID:4104
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 1212
  2⤵
  - Program crash
  PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2556 -ip 2556
1⤵
PID:4344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
766.0MB

MD5
3143f3fc9f4c581af8b42a86fd1326bb

SHA1
59fd31e7d6ff51e5f8085a06c3bebd199d04d71d

SHA256
010b84d66fc99b004572ffb220765c5c4aa48f2da8ac78884ea5e9a682046bd5

SHA512
8e5b09b1986fb34ba88ca80a29d2fe834c72476a52e2577a505518d49138f2de053e04a1ceb5a01aa8fec96f436f41c1bfe6a1b362fc372c6da097f759f87ba3

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
717.9MB

MD5
17698cf07a87be3e5190c6baeb10d665

SHA1
be99eeb91a2715c2aab9f8549d1e0f0827116977

SHA256
cbe72e8fab71db455d9a8367110102abe866a944a20bca97ffc1e623f4dbfa09

SHA512
8ce4e8259458cad58fb18c5a3a0e42438b4e564c8c2cc6419b8460269943a177acaef3226daccee1e5409bfa896395ffe8e2214101e1e76dca1bc012c6fda225

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
762.0MB

MD5
9d9b988dd4da33976644d53361e13630

SHA1
22a69f1c378ff78cc560602c9f0e3b53d978c397

SHA256
553727074e409bece5af55594fb0bf00f775f0362141d52c3066c73c5dd6a073

SHA512
0263373bb59ba65cc0ee3c70603dfffa11563b699391559d4ed6a5f3844a48e95251fdffeca766d5e71c51795ad7f7478d233a1ee7c15ce09e3cd3ee527c8658

Download Submit
memory/2556-134-0x0000000000580000-0x00000000005BE000-memory.dmp

Filesize
248KB

Download
memory/2556-143-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2556-147-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4104-152-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download