laplas | 7ea5061e9ebeb45f7ef962d1566d74fdbfdaf81cfff399d22aeb1605e2501f11

Analysis

max time kernel
146s
max time network
137s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
17-03-2023 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.exe
Size

245KB
MD5

83554c48c989188a5483b8cac98bd4ee
SHA1

1a09f227dd35b01abb2a0318fa4b1dd74349ea13
SHA256

7ea5061e9ebeb45f7ef962d1566d74fdbfdaf81cfff399d22aeb1605e2501f11
SHA512

f452875d2eb14c6a9f8124d7ba39a173532d038c0a95e89828fe624577a1a7a3b2547e262c8136450ebf337700ed74522e57c48c7b63988df8272ebbe446be22
SSDEEP

6144:VbfmTinRvgDPVY7Rae8Vkpv9qmo3hLhJ:VbfmGnZgJYqVNB9

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
9ee0ef01cd0f0468c997745b63f39799e510412a4bb4e6ff8efcf6f8ac926172

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
1532	svcservice.exe

Loads dropped DLL 2 IoCs

pid	Process
1696	sample.exe
1696	sample.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	sample.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 1532	1696	sample.exe	28
PID 1696 wrote to memory of 1532	1696	sample.exe	28
PID 1696 wrote to memory of 1532	1696	sample.exe	28
PID 1696 wrote to memory of 1532	1696	sample.exe	28

C:\Users\Admin\AppData\Local\Temp\sample.exe
"C:\Users\Admin\AppData\Local\Temp\sample.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
  2⤵
  - Executes dropped EXE
  PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
655.9MB

MD5
242ec57d753aa3adb4c85264a7a6ab99

SHA1
8213fac9289418038c9d27b0fbabd161bc3b65f6

SHA256
7b0fafb6dd2f0aba1be023caf3044620f96d0b715c189bbc95b7bb85a708a79b

SHA512
98ac195cbe3274ee4a296cf9f79747b66a7a01a5e9f78f9a17389e36afe6576d6f9df8afa684f86c728b039c3622b8b0016793ed675e3197837137d7e7ce97d6

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
594.1MB

MD5
d75de01fdee903c1e9e58d7910c8c2e8

SHA1
ce2851017fe6f7d622daa01b3e49cbf3778161c3

SHA256
07b601d8bf0068555618ef33ac8a40d1949699f4fd0607e22fa25c005032d487

SHA512
8f6b3d7acca9feeccf891aeadd3ceb785f95f051408423384fb28f39510dcdecf83423bde5d4d18d9bf18cbef45b24d6feeb9d7d5bf97cc2e157d6533ba28bf6

Download Submit
\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
496.5MB

MD5
037e983b51b59d5ed0f6b8ffc05a960e

SHA1
64ec27e6d504f2c5142090e8740fae62de37c049

SHA256
5fbd34ab9d4fb143e3593f7cdaa4b37d8d8343885e69029a301aff6317de2985

SHA512
bb0995dab72a2664570503d5e0ce8d21c7f7975f52753e4091007dffbd69eedf7625210814ea5808d1b83e24859f8038547c1a9c2110c9ab592b8196a3417f7d

Download Submit
\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
580.5MB

MD5
88b7141df5418a264bd21921de0fe6c8

SHA1
f6a0cb5bbfd9b90b2a8f4ff66faf3d6b9a9571a8

SHA256
8330dfb18ef8657db292d6ea8d0d305aa0a0219181729e92f2e35b4939ce3dc9

SHA512
6c1ca31a7b85fe85dc0aca291ed39b7d4b498ec8e1a53e143a0abc52aff34df3674ed77ed30ad064050a2e8431851f7aaf1956e63fccec7235cbaa9249dece16

Download Submit
memory/1532-67-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1696-55-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1696-64-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download