Analysis

  • max time kernel
    144s
  • max time network
    135s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    17-03-2023 06:18

General

  • Target

    505123037badf414d1ba076f33305d663708013fe47eff1216fdb7a06c62c394.exe

  • Size

    361KB

  • MD5

    1b4c0e1be6994802be38f50ae5e24608

  • SHA1

    b9712764777858621b9cd6a756e12756ecb7e80e

  • SHA256

    505123037badf414d1ba076f33305d663708013fe47eff1216fdb7a06c62c394

  • SHA512

    7632dbefce3c1206f5f7857c6aee5cc13c225c66e0a42928c9d478dc03ee166e2a28dce4bdb2d308eb43babdb65b34597ab5597273ffeb87d8dd594deb932a97

  • SSDEEP

    6144:VV44B8LHfTR2Zk9vk09dH0g3KL0jxwvDtWmFDHv:Vy4B87igk0zeIjxwbw

Malware Config

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes
  • api_key

    9ee0ef01cd0f0468c997745b63f39799e510412a4bb4e6ff8efcf6f8ac926172

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "Likely ransomware behaviour"; for a sample whose extracted config identifies it as Laplas, a wallet stealer, drive enumeration on its own is not evidence of ransomware and should be read alongside the Run-key persistence and dropped executable below.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\505123037badf414d1ba076f33305d663708013fe47eff1216fdb7a06c62c394.exe
    "C:\Users\Admin\AppData\Local\Temp\505123037badf414d1ba076f33305d663708013fe47eff1216fdb7a06c62c394.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
      2⤵
      • Executes dropped EXE
      PID:2432
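The behaviour above (a sample run from %TEMP% writing a Run key, dropping a copy under AppData\Roaming\telemetry and executing it) can be turned into host-hunt logic. The script below is an added example written for this page; it is not part of the sandbox report and not Laplas's own code. It evaluates Sysmon-style events (field names follow the Sysmon schema for Event IDs 1, 3 and 13) against the IoCs the report gives: the two SHA256 hashes, the dropped path and the C2 address. The events at the bottom are constructed to mirror the report's process tree; the Run value name, the SID and the outbound connection to 45.159.189.105 are assumptions (the report does not give a value name and its Network section recorded nothing). Note that the dropped svcservice.exe is reported at 768.4MB with hashes different from the 361KB parent, so hash matching must use the dropped file's own digests rather than the parent's.

```python
"""Hunt for the drop-and-persist chain seen in the Laplas sandbox report.

Added example, not code from the report or from the Laplas family.
Rules:
  EID 1  process create : exe under %APPDATA%\\Roaming\\<dir>\\ spawned by
                          an exe under %LOCALAPPDATA%\\Temp\\, or a known hash
  EID 13 registry set   : a Run value whose data points into AppData\\Roaming
  EID 3  network connect: destination equals the extracted C2 address
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# IoCs copied from the report.
IOC_SHA256 = {
    "505123037badf414d1ba076f33305d663708013fe47eff1216fdb7a06c62c394": "submitted sample (dropper)",
    "6713f86c8903dfd701179f8653f8753c4fd3297a6540181621163d54221c1221": "svcservice.exe (dropped copy)",
}
IOC_C2_IPS = {"45.159.189.105"}

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)
APPDATA_EXE_RE = re.compile(r"\\AppData\\Roaming\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)
TEMP_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def parse_hashes(hashes: str) -> dict[str, str]:
    """Parse Sysmon's 'Hashes' field ('SHA256=<hex>,MD5=<hex>,...') into {algo: hex}."""
    out = {}
    for part in hashes.split(","):
        algo, sep, value = part.partition("=")
        if sep:
            out[algo.strip().upper()] = value.strip().lower()
    return out


def check_event(ev: dict) -> list[Finding]:
    """Return every finding a single Sysmon event triggers (possibly none)."""
    eid, pid = ev.get("EventID"), int(ev.get("ProcessId", 0))
    findings: list[Finding] = []
    if eid == 1:
        image, parent = ev.get("Image", ""), ev.get("ParentImage", "")
        if APPDATA_EXE_RE.search(image) and TEMP_EXE_RE.search(parent):
            findings.append(Finding("temp_drops_appdata_exe", pid, f"{parent} -> {image}"))
        sha = parse_hashes(ev.get("Hashes", "")).get("SHA256")
        if sha in IOC_SHA256:
            findings.append(Finding("known_hash", pid, f"{image}: {IOC_SHA256[sha]}"))
    elif eid == 13:
        target = ev.get("TargetObject", "")
        data = ev.get("Details", "").strip('"')  # Run values are often stored quoted
        if RUN_KEY_RE.search(target) and APPDATA_EXE_RE.search(data):
            findings.append(Finding("run_key_to_appdata", pid, f"{target} = {data}"))
    elif eid == 3 and ev.get("DestinationIp") in IOC_C2_IPS:
        findings.append(Finding("c2_connect", pid, f"{ev.get('Image', '?')} -> {ev['DestinationIp']}"))
    return findings


def hunt(events) -> list[Finding]:
    return [f for ev in events for f in check_event(ev)]


def summarize(findings) -> dict[str, set[int]]:
    """Group triggered PIDs by rule so the chain (1736 persists, 2432 runs) is visible."""
    by_rule: dict[str, set[int]] = {}
    for f in findings:
        by_rule.setdefault(f.rule, set()).add(f.pid)
    return by_rule


# Constructed events mirroring the report's process tree (paths and hashes from the
# report; value name 'svcservice', the SID and the EID 3 event are assumptions).
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\505123037badf414d1ba076f33305d663708013fe47eff1216fdb7a06c62c394.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1736, "Image": DROPPER, "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "SHA256=505123037badf414d1ba076f33305d663708013fe47eff1216fdb7a06c62c394,"
               "MD5=1b4c0e1be6994802be38f50ae5e24608"},
    {"EventID": 13, "ProcessId": 1736,
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\svcservice",
     "Details": PAYLOAD},
    {"EventID": 1, "ProcessId": 2432, "Image": PAYLOAD, "ParentImage": DROPPER,
     "Hashes": "SHA256=6713f86c8903dfd701179f8653f8753c4fd3297a6540181621163d54221c1221,"
               "MD5=c7c5b0390d5245feff7975ef71cd2b84"},
    # Benign noise: a Run value pointing at Program Files must not fire.
    {"EventID": 13, "ProcessId": 4100,
     "TargetObject": rf"HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\OneDrive\OneDrive.exe"},
    {"EventID": 3, "ProcessId": 2432, "Image": PAYLOAD, "DestinationIp": "45.159.189.105", "DestinationPort": 80},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

The rules are deliberately independent so each one still fires on a variant that changes only the directory name or the value name; a hit on `run_key_to_appdata` and `temp_drops_appdata_exe` from the same PID is the strongest signal, since it reproduces exactly the chain in the process tree above.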

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

    Filesize

    768.4MB

    MD5

    c7c5b0390d5245feff7975ef71cd2b84

    SHA1

    06052996fe24780026ad1d4a57138f1695ddbb03

    SHA256

    6713f86c8903dfd701179f8653f8753c4fd3297a6540181621163d54221c1221

    SHA512

    f94f3c338238cecd33ac903bdb252d7630ff121e58f5bbaa6f5d9007f9cb91a621c730f8fd98e549f77c17cd7a03727fa43fa42962d8e8b1e0fdc2eb4cd7c808

  • memory/1736-122-0x0000000004840000-0x000000000487E000-memory.dmp

    Filesize

    248KB

  • memory/1736-129-0x0000000000400000-0x0000000002B0A000-memory.dmp

    Filesize

    39.0MB

  • memory/2432-132-0x0000000000400000-0x0000000002B0A000-memory.dmp

    Filesize

    39.0MB