Analysis

  • max time kernel
    145s
  • max time network
    143s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    17/03/2023, 20:20

General

  • Target

    507da6dd60f7fdeecbd1286dac0458ce493ecb89eae4b398695e98f0aaaf7082.exe

  • Size

    297KB

  • MD5

    bb37b749213479c84b7976511c55d9f4

  • SHA1

    b413e7d55f7efafb6b14c868dfcfbd46fbc480a0

  • SHA256

    507da6dd60f7fdeecbd1286dac0458ce493ecb89eae4b398695e98f0aaaf7082

  • SHA512

    b51d904f4f153ad269ffaff9e191255dfda4af299b74b660ec1feb580b34d35f7203c55b414e25d650805555e60ad84adb201aebcb746948465bf4b5329203c6

  • SSDEEP

    3072:I0+jh1gWLErGGgpTzZqmT+IrLzENoqpF7CD6ywOGXpS2x5dqyz0pwyeitTDnuM:d+rgWLE6GgpT1baxNZ7Wvxyqo0xDnu

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes
  • api_key

    1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\507da6dd60f7fdeecbd1286dac0458ce493ecb89eae4b398695e98f0aaaf7082.exe
    "C:\Users\Admin\AppData\Local\Temp\507da6dd60f7fdeecbd1286dac0458ce493ecb89eae4b398695e98f0aaaf7082.exe"
    1⤵
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4300
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IJDHDGDAAA.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1728
      • C:\Users\Admin\AppData\Local\Temp\IJDHDGDAAA.exe
        "C:\Users\Admin\AppData\Local\Temp\IJDHDGDAAA.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2668
        • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
          C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
          4⤵
          • Executes dropped EXE
          PID:4240
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\507da6dd60f7fdeecbd1286dac0458ce493ecb89eae4b398695e98f0aaaf7082.exe" & del "C:\ProgramData\*.dll"" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4600
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 5
        3⤵
        • Delays execution with timeout.exe
        PID:1344

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\mozglue.dll

          Filesize

          593KB

          MD5

          c8fd9be83bc728cc04beffafc2907fe9

          SHA1

          95ab9f701e0024cedfbd312bcfe4e726744c4f2e

          SHA256

          ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

          SHA512

          fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

        • C:\Users\Admin\AppData\Local\Temp\IJDHDGDAAA.exe

          Filesize

          1.9MB

          MD5

          bffa52b5cf6599656807cd59666821d4

          SHA1

          a5b4f03c320488e0c616c7070166c3eccfe235c3

          SHA256

          a79893e20ce928c0dee25e1f6d64f7e88cdf7cf0db83e923decd0bf643f0f951

          SHA512

          6cc12e483dfb8e6680621fc5536158211c26ab82191db935731c3667a3c44c135edb34ec10809bb4a1ec8007eac8f2af424e130d8810ed34370ef9b9a9fa94c8

        • C:\Users\Admin\AppData\Local\Temp\IJDHDGDAAA.exe

          Filesize

          1.9MB

          MD5

          bffa52b5cf6599656807cd59666821d4

          SHA1

          a5b4f03c320488e0c616c7070166c3eccfe235c3

          SHA256

          a79893e20ce928c0dee25e1f6d64f7e88cdf7cf0db83e923decd0bf643f0f951

          SHA512

          6cc12e483dfb8e6680621fc5536158211c26ab82191db935731c3667a3c44c135edb34ec10809bb4a1ec8007eac8f2af424e130d8810ed34370ef9b9a9fa94c8

        • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

          Filesize

          606.1MB

          MD5

          e90884dd794d3802e4e41d973d4f097a

          SHA1

          7358daef4e6038d65a1bfa30c2f88615914027f6

          SHA256

          024170cf550d318fb71a0349216072f4c544eb34023b71a747ef38f7735c7487

          SHA512

          262b28150ee42abc4452af199a98317f79a2e0b47903ace505e9407d190277bc025953a2359cef5c6a4c76199ede3c2fc0ca0724d8e8de3eb14928ee93b1ee9b

        • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

          Filesize

          505.4MB

          MD5

          2cadb9713cd4fac58b00ddb1ed2ef858

          SHA1

          5a6b2c2de58ef66db4e3f0cf1eeedf103a9a4353

          SHA256

          2b34f78351a79c9482a3950363a936ab221fd8c5fe51f09adc170428dedf6dba

          SHA512

          b143a03944670db8bc6744cfbd7952ca3d91fc0de9f4de59e96c1beafb666960c2c15a20c696578aef994b6ea6beb666292408f6917461162ea37a34456f7a05

        • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

          Filesize

          582.8MB

          MD5

          c978dca366954a1198f49443e29178fe

          SHA1

          7df5a6f05dc3e72969e718bd63440c5e72ab5475

          SHA256

          6e433e519e812c0507c6e9844ce4c9b2cc0cbd8195e609e7d9cf9032428fc3ab

          SHA512

          95a96db315ec42508b3a3dd8b08d34846a6f4f31eb3536356078a3fdb2f6ee297cc440f308d27319319402f3767bb6b48d03512e174bdc23a3581de89698c738

        • \ProgramData\mozglue.dll

          Filesize

          593KB

          MD5

          c8fd9be83bc728cc04beffafc2907fe9

          SHA1

          95ab9f701e0024cedfbd312bcfe4e726744c4f2e

          SHA256

          ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

          SHA512

          fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

        • \ProgramData\nss3.dll

          Filesize

          2.0MB

          MD5

          1cc453cdf74f31e4d913ff9c10acdde2

          SHA1

          6e85eae544d6e965f15fa5c39700fa7202f3aafe

          SHA256

          ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

          SHA512

          dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

        • memory/2668-192-0x0000000000400000-0x0000000002C8F000-memory.dmp

          Filesize

          40.6MB

        • memory/2668-186-0x0000000004A90000-0x0000000004E60000-memory.dmp

          Filesize

          3.8MB

        • memory/4240-197-0x0000000000400000-0x0000000002C8F000-memory.dmp

          Filesize

          40.6MB

        • memory/4240-200-0x0000000000400000-0x0000000002C8F000-memory.dmp

          Filesize

          40.6MB

        • memory/4240-206-0x0000000000400000-0x0000000002C8F000-memory.dmp

          Filesize

          40.6MB

        • memory/4240-193-0x0000000000400000-0x0000000002C8F000-memory.dmp

          Filesize

          40.6MB

        • memory/4240-194-0x0000000000400000-0x0000000002C8F000-memory.dmp

          Filesize

          40.6MB

        • memory/4240-195-0x0000000000400000-0x0000000002C8F000-memory.dmp

          Filesize

          40.6MB

        • memory/4240-205-0x0000000000400000-0x0000000002C8F000-memory.dmp

          Filesize

          40.6MB

        • memory/4240-196-0x0000000000400000-0x0000000002C8F000-memory.dmp

          Filesize

          40.6MB

        • memory/4240-198-0x0000000000400000-0x0000000002C8F000-memory.dmp

          Filesize

          40.6MB

        • memory/4240-204-0x0000000000400000-0x0000000002C8F000-memory.dmp

          Filesize

          40.6MB

        • memory/4240-201-0x0000000000400000-0x0000000002C8F000-memory.dmp

          Filesize

          40.6MB

        • memory/4240-202-0x0000000000400000-0x0000000002C8F000-memory.dmp

          Filesize

          40.6MB

        • memory/4240-203-0x0000000000400000-0x0000000002C8F000-memory.dmp

          Filesize

          40.6MB

        • memory/4300-181-0x0000000000400000-0x0000000002AFB000-memory.dmp

          Filesize

          39.0MB

        • memory/4300-122-0x0000000061E00000-0x0000000061EF3000-memory.dmp

          Filesize

          972KB

        • memory/4300-121-0x0000000004810000-0x0000000004825000-memory.dmp

          Filesize

          84KB