laplas | e7c00ab7a27a5edfe559c63dce0cf8091c62d5139b45ba895dc4a71a58b47f97

Analysis

max time kernel
146s
max time network
143s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
17-03-2023 03:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

245KB
MD5

ce0f1f85a927d457599097096d857bd2
SHA1

4c368c5beb62227a21ef3e4c119646e06fa27da3
SHA256

e7c00ab7a27a5edfe559c63dce0cf8091c62d5139b45ba895dc4a71a58b47f97
SHA512

8bfddef4c458f0d79db769e554a6ca86f7db301530fc09d4cd01ec2bcbd2d4e903e91dc022987731168ec1a2ca10ac31db01df214924f526c85c2aa502b71304
SSDEEP

3072:5QPbxBn1JYIYtNIGIVsng6gwBownWKotYEF8JY7FwZBHxFsLPdsfhVMAdJB:kbbotNIGIVsY7wWnn8JCFyFSQhCGJ

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
9ee0ef01cd0f0468c997745b63f39799e510412a4bb4e6ff8efcf6f8ac926172

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
1996	svcservice.exe

Loads dropped DLL 2 IoCs

pid	Process
2040	file.exe
2040	file.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1996	2040	file.exe	28
PID 2040 wrote to memory of 1996	2040	file.exe	28
PID 2040 wrote to memory of 1996	2040	file.exe	28
PID 2040 wrote to memory of 1996	2040	file.exe	28

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
  2⤵
  - Executes dropped EXE
  PID:1996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
629.2MB

MD5
287d7f3ca4385a19ac41e8dc6bd07098

SHA1
03863b78cd22544ecb00226927c569617c96c332

SHA256
8bc720acbad5fdd8ad2372dece7695f5ec417fdc39ac9907a00f37186ec70c73

SHA512
ba42a8b18ea72e4d31a0d1f54daa13c6d1027be2e5f1d7b6cb7b39c04704c3d11d4c91662f209c1cb904fac3df39588363109073ca0c5f949e2dea10ac85657c

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
500.0MB

MD5
6e4b08bc0e2f939ce177a31679c10e21

SHA1
5131dc604d89f7cc9e444e887baa26f993a6fbd8

SHA256
cbc3b12c70ec40a0d71e7ed7104c639fcb73c21be6a551adc34a4a0fa9bfcb95

SHA512
c3e43b014a9f08d60ce5764d5628bc1117a2ef7ccd7e08ea2ecbac8d68e55482eae8279b0b9674536a485aebd1d490064391c1e469a80439810bcde3b3f3ed99

Download Submit
\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
562.6MB

MD5
73fa4383a9de2f78d00cae79831d49c4

SHA1
d2427fce73ee22dfe325b545f475845e358bcb2a

SHA256
4f75648fdcb5b82c3384a394cac5c75a32227d5d4282ac303670a439022e8e54

SHA512
3894ef0c1d8860fd9163fc608a8c6c97f2e91b6d85a039b244e06cdb13435e666aa52beeea6aee1db6c8a4d64f1357c67be1f68b0c8498b77917c38fe62be6ee

Download Submit
\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
620.2MB

MD5
bec30ec21b9c0302998a18eefa0a77f4

SHA1
a1b12a35305c33559a0c89173c44c05359db7366

SHA256
b0d3e17f93b744290157a20daf2dea400922669a24d039af3906b33ae418658a

SHA512
d9ac33c88ea305cf9e7cadfbf1942dc411c1c610a5b3740fb55459370e2e2b13f288b7ba14268bc6457add5808843a4832f2749f03ca5407dbd9da2900919663

Download Submit
memory/1996-69-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2040-55-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2040-64-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download