Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-03-2023 01:04

General

  • Target

    c66e87a025b4ccb8f93a1540b999fabf9beb16c455cbbfd189e133ab642e83e2.exe

  • Size

    245KB

  • MD5

    ddd3ef96054200d60d04934492a3d672

  • SHA1

    8ac32d858e32f27cccec6a8896b234affa1873ba

  • SHA256

    c66e87a025b4ccb8f93a1540b999fabf9beb16c455cbbfd189e133ab642e83e2

  • SHA512

    e11f8936df9c2b1e8a265ac80b2b24693f161e678d1af8902bfc745fcf013c044837d4d401227734c49e00b0d5b6d5dd512873fc6c8d25cf3b13099f095209ab

  • SSDEEP

    6144:abfmvxMcnAkScaBd5COlRbsQOGdAtqhdCJ:abfmvCcPSc8dsaNssBf

Malware Config

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes
  • api_key

    9ee0ef01cd0f0468c997745b63f39799e510412a4bb4e6ff8efcf6f8ac926172

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c66e87a025b4ccb8f93a1540b999fabf9beb16c455cbbfd189e133ab642e83e2.exe
    "C:\Users\Admin\AppData\Local\Temp\c66e87a025b4ccb8f93a1540b999fabf9beb16c455cbbfd189e133ab642e83e2.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2376
    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
      2⤵
      • Executes dropped EXE
      PID:4824
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 872
      2⤵
      • Program crash
      PID:4944
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2376 -ip 2376
    1⤵
      PID:4696

    Network

    MITRE ATT&CK Enterprise v6


    Downloads

    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

      Filesize

      689.7MB

      MD5

      07530db479a6eae16a60541a5ba44060

      SHA1

      37a9a5db7cf3fcbca3f9b4577d720459ac11d9ed

      SHA256

      ec3f5aaeffa7a360603c63de47394f1f25e6296ebfd3076a5da160db5e3ebdb5

      SHA512

      0b1904dbd438616d35618efcf221922611300b75798fd36b69957fb4dc6d08c7a3a8cbfa9e9086c0d2d54b00d8bb205969d22234d092b49a2ae8b0d590ae986c

    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

      Filesize

      597.6MB

      MD5

      54417d85435a3e1433fb3b0bd006563f

      SHA1

      477c940ce7d2186cdf7d2f4fd03be46402122fb7

      SHA256

      a63e1ebe77119cbf3982378bcb6ad683ca1baa6700b4f539bb8daa51ca943bdf

      SHA512

      f69e145de7aab1f44e309f03bf2bba8947762f855552f0bafdd0d048aef6baef121fccec440e6ea650a773a556cc1d909c890e4b2e669c94f473039ccf1991b3

    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

      Filesize

      580.9MB

      MD5

      2389d5203da00cb54028aa71678220d8

      SHA1

      b9909c2655df4c98b071a12329a6ca2ef4bcdd89

      SHA256

      d52e8ca18b5f0c2de3b038f1d36388edc70e5330fb20861ed1d675bd3cde80ec

      SHA512

      af160d424aa23e2b1d31b1d074d25294c0b93f8ad2282eebd1bb742073822650c936c548458dc3635ec189d7e5186d2d115e1e9ffce33553fc814044eca0b055

    • memory/2376-134-0x00000000020B0000-0x00000000020EE000-memory.dmp

      Filesize

      248KB

    • memory/2376-140-0x0000000000400000-0x00000000004BD000-memory.dmp

      Filesize

      756KB

    • memory/2376-145-0x0000000000400000-0x00000000004BD000-memory.dmp

      Filesize

      756KB

    • memory/4824-146-0x0000000000400000-0x00000000004BD000-memory.dmp

      Filesize

      756KB