laplas | c66e87a025b4ccb8f93a1540b999fabf9beb16c455cbbfd189e133ab642e83e2

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
17-03-2023 03:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

245KB
MD5

ddd3ef96054200d60d04934492a3d672
SHA1

8ac32d858e32f27cccec6a8896b234affa1873ba
SHA256

c66e87a025b4ccb8f93a1540b999fabf9beb16c455cbbfd189e133ab642e83e2
SHA512

e11f8936df9c2b1e8a265ac80b2b24693f161e678d1af8902bfc745fcf013c044837d4d401227734c49e00b0d5b6d5dd512873fc6c8d25cf3b13099f095209ab
SSDEEP

6144:abfmvxMcnAkScaBd5COlRbsQOGdAtqhdCJ:abfmvCcPSc8dsaNssBf

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
9ee0ef01cd0f0468c997745b63f39799e510412a4bb4e6ff8efcf6f8ac926172

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	file.exe

Executes dropped EXE 1 IoCs

pid	Process
1292	svcservice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4048	1964	WerFault.exe	84

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 1292	1964	file.exe	89
PID 1964 wrote to memory of 1292	1964	file.exe	89
PID 1964 wrote to memory of 1292	1964	file.exe	89

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
  2⤵
  - Executes dropped EXE
  PID:1292
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 860
  2⤵
  - Program crash
  PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1964 -ip 1964
1⤵
PID:3728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
596.0MB

MD5
10ff334cc22ddf73e9771968b97b324a

SHA1
09b9a04009d12f848e366b47daaa642bd5c461ba

SHA256
c20a96eaca261b2442f8a4c4692c724e7d05bf7adf50af1ac482496de203fb87

SHA512
6691ddd281751b8cab73b6a9cd9f4ad661e417754ddda2a4f5f98c2f98c2f4c6ab9849a6ac5c70f5b1e8455085310f3928b53ee3029c1d7b2c3a164e433aaa4d

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
432.3MB

MD5
7300166568317bb1e8f1b430180aeaa0

SHA1
f9889d6bd9b49fe385fd6a7d2776f2de15db13fc

SHA256
97095807f10787b10d8495ca2f221765b2dd5744e71e7d9c37d89504da567804

SHA512
c8045cd752273a9e08a921feb2d03a43cf8e5e44ea6a0ea49d8ecfccfd733f1a4b215c50d2a39a820ba26cc2bb2b8acf4839bbee46a296bb2b5ea7af53122a0a

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
430.0MB

MD5
3e97043554011485b008589ac56c5cf5

SHA1
80f2b8a3947d9c183295744cdf5927003a73bb31

SHA256
dfac5e5798f625f87db9830333df8e97de54b7f742f566a724e269fd54d105f4

SHA512
f2f840fe91e63434c67d657c425a281d76c8e4183febe278432ba6651007f181f52addffed1ae11d96736f9c89b7c7d6fb993d05cc0b6ffab38a0ee073401a5e

Download Submit
memory/1292-149-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1964-134-0x00000000021F0000-0x000000000222E000-memory.dmp

Filesize
248KB

Download
memory/1964-140-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1964-145-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download