laplas | d4607fe27527413aa9685e2ecbce8df78b2c2538ccc5703442f7757a100c1362

General

Target

installer.exe
Size

245KB
MD5

8f5f61c192960b47701d367d4c0112a6
SHA1

e084cb5d4457be7cfba1c79adcc1ae59a500a66f
SHA256

d4607fe27527413aa9685e2ecbce8df78b2c2538ccc5703442f7757a100c1362
SHA512

9cf04819b99aff1e5247d1d2e4fe134cffbb1278fb8bdd62be3bcfcfa4a4dcc3ed1d7f8d82824328d1d0e41dbda09a56b788e3636f4968fc7641307a9a6ad9db
SSDEEP

6144:jbOxXV0HcczeTv85qfnl2Hrti0ChhQhGJ:jbOxWHLzGrnUHZi0Chu

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes

api_key
9ee0ef01cd0f0468c997745b63f39799e510412a4bb4e6ff8efcf6f8ac926172

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
1976	svcservice.exe

Loads dropped DLL 5 IoCs

pid	Process
2008	installer.exe
2008	installer.exe
1976	svcservice.exe
1976	svcservice.exe
1976	svcservice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1976	2008	installer.exe	28
PID 2008 wrote to memory of 1976	2008	installer.exe	28
PID 2008 wrote to memory of 1976	2008	installer.exe	28
PID 2008 wrote to memory of 1976	2008	installer.exe	28
PID 2008 wrote to memory of 1976	2008	installer.exe	28
PID 2008 wrote to memory of 1976	2008	installer.exe	28
PID 2008 wrote to memory of 1976	2008	installer.exe	28

C:\Users\Admin\AppData\Local\Temp\installer.exe
"C:\Users\Admin\AppData\Local\Temp\installer.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
278.2MB

MD5
e3cf6842d939fb81c872d91b0186c374

SHA1
6b66251ccb4d9bf089bc1c363b1d7116b6898517

SHA256
63f857193969d309565a1aa2b96efea6ce2b5f60acae00ed5badf6596c210f3c

SHA512
ce5eac403efd98fa4329169b0b0e0f02d791815c7be79995b3688139487c8f3a57e903bf593b9496939a33a798c97aecd45847b4c7871d75552bb6b24d2901bf

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
306.2MB

MD5
2a8c05a5972499239d03e5ce7395eb31

SHA1
142114d1d31008403dd0d3457c8bda0aa971fd3b

SHA256
f338796042fe41a8d4c0b5b624a314e0d3e822445bf21651e548af73cfb4a3d9

SHA512
61d5896e61deb10d3b813ca918426ccb853d88ff23d6dff10dec6ef44154c5db5f04ecde4635c0c1081cc6bf1c36e76e1ce846d4ce0d9709e26bf1c2f9b81eae

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
298.8MB

MD5
2e6aba1092aefbf92671918979388fc6

SHA1
e1f2432dd3efd1be3a4e69ac34d18a550a33cf4a

SHA256
543355e5b601aaba27715d0cfe87bd144b1ea08e7c19156d9a53621adc50b26f

SHA512
01191a09d6c113852adc0a609fe40d901b9050bd84bc5cfb381d01e39093755ca8c5e5b0d8654b74f07dcc6242ffb6a7132ea12487beb86e87888e0a1e02b739

Download Submit
\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
295.1MB

MD5
aae6a2395d72bb7ebab46fe6d59f0f44

SHA1
fac3843c17bd0d01173f38067bc62b11817636b8

SHA256
1fedb762c73953c7689c5e8fe223cb4561b2d30dbf72ecfe4caab1c938a5ea14

SHA512
618b20ffc70d8fc3e9bbda096df67a2c83c2c4c55c4d967fce15a372e7efdd1693867ccb1aeff468f3b4837df89e4051ae0747a4067aa43f974d4f256852671e

Download Submit
\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
213.2MB

MD5
ee646c8becb9e25475c40a8e6611f48c

SHA1
d5d91d0b0496f68e8ba7a4babbbc33cd2d9aac5f

SHA256
fc75dd6f085402faf6efb9becf9dd770c923339a1ed657a652f8b26b8735f1bd

SHA512
eea72836dae1a26dc377e8e6c2364b97a9b0eea80cd6e4dd79c7bb57c7357e41598fd296601b39225eb1ebffafb55faf80cf4b8522995d2a40e6c71adbb40cb8

Download Submit
\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
305.9MB

MD5
b7a728049d05abf6af81bfda3ea6a20f

SHA1
f11fa02cfb6b702f4aa5405ec774929c778d1624

SHA256
3b050da188a21027adc82551958bf2f336aca617061909c4571f944355d4371d

SHA512
7b81d46c52991adfcc6214709af5722185c714aff7a965f0266b87ef8ef3c95810a5b070de3c7367f2983faf778a265d2753e0c2befa25b8fb8964b580d6791b

Download Submit
\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
264.2MB

MD5
b75594dc19145e82a603bc69dcbbe034

SHA1
e2c688e7bbbe399e7eff405ee05b160c6d57f16c

SHA256
c87d8f1d8f2bb9bb24ca6057e653f9464de7dd9e1ca4b854b848ce21c96907c3

SHA512
f1136e947c0cedcc9ad7e67a193b8827e0e1b469a335b003590babfed0be8285363b2538caae0200b1d90985f943577a16a92868932c78520ddb1940467ae679

Download Submit
\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
299.7MB

MD5
e6f2c5c3acaaeb568241c8cbd6eed276

SHA1
d38161aaf7428cd2bb336fca3338b22a88d3c922

SHA256
a91c31d5dca880c8663fa15ef6f28fe705c2090543f00477e31c968903e5aca9

SHA512
1a9efe8f396329b2b8b19d2827e3fade2c692c6b10e59dcfc6ce37814d851771a8e9f5a2e57e6219148f8aa1e535224de0e401b6d8084c01773e80c67ca529c0

Download Submit
memory/1976-73-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2008-55-0x00000000004C0000-0x00000000004FE000-memory.dmp

Filesize
248KB

Download
memory/2008-65-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download

Analysis

Sharing