laplas | c30c055cfc659818b2b25a7fe19885a8737f6e513f421a21c1a5eaf72158b02c

Analysis

max time kernel
133s
max time network
125s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
16-03-2023 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4666c384a4c3443ac704b4fd1311a3c7.exe
Size

300KB
MD5

4666c384a4c3443ac704b4fd1311a3c7
SHA1

13cda634b73feab1db7e9f021837d3bf3be094eb
SHA256

c30c055cfc659818b2b25a7fe19885a8737f6e513f421a21c1a5eaf72158b02c
SHA512

87e9176ce3926244af2580aadd00d5420266cd026cfd38d0784e01c79d7cb945aa926ab09111ee7b33a38aa31f5ecb65fd74cb1590a86de7b91271fe2c4eb8ef
SSDEEP

3072:lRx2ALdis854nZr2UCPMh6FddAztieF0MjNsvauCaoh8lDaNlf8:nxVL/A4ARddAyMja58

Score

10^/10

laplas clipper discovery persistence spyware stealer

Malware Config

Extracted

Family

laplas

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Downloads MZ/PE file

Deletes itself 1 IoCs

pid	Process
1708	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1660	KKJKEBKFCA.exe
1948	ntlhost.exe

Loads dropped DLL 6 IoCs

pid	Process
1052	4666c384a4c3443ac704b4fd1311a3c7.exe
1052	4666c384a4c3443ac704b4fd1311a3c7.exe
892	cmd.exe
892	cmd.exe
1660	KKJKEBKFCA.exe
1660	KKJKEBKFCA.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	KKJKEBKFCA.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	4666c384a4c3443ac704b4fd1311a3c7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	4666c384a4c3443ac704b4fd1311a3c7.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1228	timeout.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	5	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1052	4666c384a4c3443ac704b4fd1311a3c7.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1052 wrote to memory of 892	1052	4666c384a4c3443ac704b4fd1311a3c7.exe	30
PID 1052 wrote to memory of 892	1052	4666c384a4c3443ac704b4fd1311a3c7.exe	30
PID 1052 wrote to memory of 892	1052	4666c384a4c3443ac704b4fd1311a3c7.exe	30
PID 1052 wrote to memory of 892	1052	4666c384a4c3443ac704b4fd1311a3c7.exe	30
PID 1052 wrote to memory of 1708	1052	4666c384a4c3443ac704b4fd1311a3c7.exe	31
PID 1052 wrote to memory of 1708	1052	4666c384a4c3443ac704b4fd1311a3c7.exe	31
PID 1052 wrote to memory of 1708	1052	4666c384a4c3443ac704b4fd1311a3c7.exe	31
PID 1052 wrote to memory of 1708	1052	4666c384a4c3443ac704b4fd1311a3c7.exe	31
PID 1708 wrote to memory of 1228	1708	cmd.exe	34
PID 1708 wrote to memory of 1228	1708	cmd.exe	34
PID 1708 wrote to memory of 1228	1708	cmd.exe	34
PID 1708 wrote to memory of 1228	1708	cmd.exe	34
PID 892 wrote to memory of 1660	892	cmd.exe	35
PID 892 wrote to memory of 1660	892	cmd.exe	35
PID 892 wrote to memory of 1660	892	cmd.exe	35
PID 892 wrote to memory of 1660	892	cmd.exe	35
PID 1660 wrote to memory of 1948	1660	KKJKEBKFCA.exe	36
PID 1660 wrote to memory of 1948	1660	KKJKEBKFCA.exe	36
PID 1660 wrote to memory of 1948	1660	KKJKEBKFCA.exe	36
PID 1660 wrote to memory of 1948	1660	KKJKEBKFCA.exe	36

C:\Users\Admin\AppData\Local\Temp\4666c384a4c3443ac704b4fd1311a3c7.exe
"C:\Users\Admin\AppData\Local\Temp\4666c384a4c3443ac704b4fd1311a3c7.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\KKJKEBKFCA.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Users\Admin\AppData\Local\Temp\KKJKEBKFCA.exe
    "C:\Users\Admin\AppData\Local\Temp\KKJKEBKFCA.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      4⤵
      Executes dropped EXE
      PID:1948
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\4666c384a4c3443ac704b4fd1311a3c7.exe" & del "C:\ProgramData\*.dll"" & exit
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 5
    3⤵
    - Delays execution with timeout.exe
    PID:1228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KKJKEBKFCA.exe

Filesize
1.8MB

MD5
d433fee70e60de32de4608f07bed7d2a

SHA1
8b84224c8319705317340392ad99bc529183a7db

SHA256
0a93f3cfdedbd88dce010e4a2e54dc8c2a2135e58f037b55a513ed8b1dc49cb7

SHA512
ec62acdea29ce1c56f09729c8e0832ffbd95755746305a35b0c361c92a03c88c8efb1c14eff35a9bdde26f965cd743408cacc08a5b2eb317a067fc876b9844d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KKJKEBKFCA.exe

Filesize
1.8MB

MD5
d433fee70e60de32de4608f07bed7d2a

SHA1
8b84224c8319705317340392ad99bc529183a7db

SHA256
0a93f3cfdedbd88dce010e4a2e54dc8c2a2135e58f037b55a513ed8b1dc49cb7

SHA512
ec62acdea29ce1c56f09729c8e0832ffbd95755746305a35b0c361c92a03c88c8efb1c14eff35a9bdde26f965cd743408cacc08a5b2eb317a067fc876b9844d8

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
493.2MB

MD5
19087582a65335061fd8b50117bc3da5

SHA1
f50f87759f0385baceea9b6c7807d055aaa86b22

SHA256
c7e73140ee925857aa05098c94cabe38273e2af542dc789d7397a7e21feffebc

SHA512
67ac26809cdeda7676cab7df00ce37b3eb916643337258f87edfc2fbb2717133d9720bbe11133b349d2f063f234743db666adca174947ab1e855998ebc497df7

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
496.4MB

MD5
206de37abd2c260ca8d61aa70533b3dc

SHA1
3178fbf08fb4fd404d8d2b291140fbae36a15310

SHA256
6b073a31642a8bc18fd532cac2f46ff969f86a72cda340ccb4549c50872323bb

SHA512
45737dcd4d76c2a4ad1af39c1815ae36ce4103ed588d4f6e52fe68359e3be8160f03d56effa0f11ef20e5b00581579818dffb325aa869f660a193f7f54756585

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\KKJKEBKFCA.exe

Filesize
1.8MB

MD5
d433fee70e60de32de4608f07bed7d2a

SHA1
8b84224c8319705317340392ad99bc529183a7db

SHA256
0a93f3cfdedbd88dce010e4a2e54dc8c2a2135e58f037b55a513ed8b1dc49cb7

SHA512
ec62acdea29ce1c56f09729c8e0832ffbd95755746305a35b0c361c92a03c88c8efb1c14eff35a9bdde26f965cd743408cacc08a5b2eb317a067fc876b9844d8

Download Submit
\Users\Admin\AppData\Local\Temp\KKJKEBKFCA.exe

Filesize
1.8MB

MD5
d433fee70e60de32de4608f07bed7d2a

SHA1
8b84224c8319705317340392ad99bc529183a7db

SHA256
0a93f3cfdedbd88dce010e4a2e54dc8c2a2135e58f037b55a513ed8b1dc49cb7

SHA512
ec62acdea29ce1c56f09729c8e0832ffbd95755746305a35b0c361c92a03c88c8efb1c14eff35a9bdde26f965cd743408cacc08a5b2eb317a067fc876b9844d8

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
498.9MB

MD5
1affdb2b2a1e7c0957ee9fb3a0295e73

SHA1
23d09a9ca8e2d44b7988dcd83f26dc491de493d1

SHA256
d3fb2fcc3695cc449ef43a1dab2c8c29f166ecbe3c607a0f11f36fadb8bb299e

SHA512
344b057285cb147f320cb59c7dcd2c4542a07b89f29cb666a58a4b7146333d9db3a8e2cae0123d3377ee9551af9a275d9da8d5bc25396c8d15d537853e12337d

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
525.0MB

MD5
78c4dc46f320f1e19f0ba9a97e8be6f8

SHA1
5570828fc2579eeab59f2640b285a77af3cdf5a1

SHA256
156ce0ea8e552e5d12747f3607b8f055338c84d6f7034b78cc64750edc74ed02

SHA512
6e93cf68fbde7da6f281bb9e99293488f0a1d3e4f1fbdd9d8ab5032b406ea8958c2e451ffb986cc4bc0b87d4a6041861a6353213e7d08ca98a2c906833ed70cd

Download Submit
memory/1052-115-0x0000000000400000-0x0000000002B0F000-memory.dmp

Filesize
39.1MB

Download
memory/1052-55-0x0000000000220000-0x0000000000235000-memory.dmp

Filesize
84KB

Download
memory/1052-111-0x0000000000400000-0x0000000002B0F000-memory.dmp

Filesize
39.1MB

Download
memory/1052-56-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1660-120-0x0000000002120000-0x00000000022CA000-memory.dmp

Filesize
1.7MB

Download
memory/1660-121-0x00000000022D0000-0x00000000026A0000-memory.dmp

Filesize
3.8MB

Download
memory/1660-130-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1948-132-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1948-131-0x0000000002180000-0x000000000232A000-memory.dmp

Filesize
1.7MB

Download
memory/1948-133-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1948-134-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1948-137-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1948-138-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1948-139-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1948-140-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1948-141-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1948-142-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1948-143-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/1948-144-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download