laplas | 507da6dd60f7fdeecbd1286dac0458ce493ecb89eae4b398695e98f0aaaf7082

Analysis

max time kernel
134s
max time network
136s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
17-03-2023 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

297KB
MD5

bb37b749213479c84b7976511c55d9f4
SHA1

b413e7d55f7efafb6b14c868dfcfbd46fbc480a0
SHA256

507da6dd60f7fdeecbd1286dac0458ce493ecb89eae4b398695e98f0aaaf7082
SHA512

b51d904f4f153ad269ffaff9e191255dfda4af299b74b660ec1feb580b34d35f7203c55b414e25d650805555e60ad84adb201aebcb746948465bf4b5329203c6
SSDEEP

3072:I0+jh1gWLErGGgpTzZqmT+IrLzENoqpF7CD6ywOGXpS2x5dqyz0pwyeitTDnuM:d+rgWLE6GgpT1baxNZ7Wvxyqo0xDnu

Score

10^/10

laplas clipper discovery persistence spyware stealer

Malware Config

Extracted

Family

laplas

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Downloads MZ/PE file

Deletes itself 1 IoCs

pid	Process
1740	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1784	IJKKKFCFHC.exe
1616	ntlhost.exe

Loads dropped DLL 6 IoCs

pid	Process
1296	tmp.exe
1296	tmp.exe
1632	cmd.exe
1632	cmd.exe
1784	IJKKKFCFHC.exe
1784	IJKKKFCFHC.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	IJKKKFCFHC.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	tmp.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
112	timeout.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	6	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1296	tmp.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1296 wrote to memory of 1632	1296	tmp.exe	30
PID 1296 wrote to memory of 1632	1296	tmp.exe	30
PID 1296 wrote to memory of 1632	1296	tmp.exe	30
PID 1296 wrote to memory of 1632	1296	tmp.exe	30
PID 1296 wrote to memory of 1740	1296	tmp.exe	32
PID 1296 wrote to memory of 1740	1296	tmp.exe	32
PID 1296 wrote to memory of 1740	1296	tmp.exe	32
PID 1296 wrote to memory of 1740	1296	tmp.exe	32
PID 1740 wrote to memory of 112	1740	cmd.exe	34
PID 1740 wrote to memory of 112	1740	cmd.exe	34
PID 1740 wrote to memory of 112	1740	cmd.exe	34
PID 1740 wrote to memory of 112	1740	cmd.exe	34
PID 1632 wrote to memory of 1784	1632	cmd.exe	35
PID 1632 wrote to memory of 1784	1632	cmd.exe	35
PID 1632 wrote to memory of 1784	1632	cmd.exe	35
PID 1632 wrote to memory of 1784	1632	cmd.exe	35
PID 1784 wrote to memory of 1616	1784	IJKKKFCFHC.exe	36
PID 1784 wrote to memory of 1616	1784	IJKKKFCFHC.exe	36
PID 1784 wrote to memory of 1616	1784	IJKKKFCFHC.exe	36
PID 1784 wrote to memory of 1616	1784	IJKKKFCFHC.exe	36

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1296
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IJKKKFCFHC.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Users\Admin\AppData\Local\Temp\IJKKKFCFHC.exe
    "C:\Users\Admin\AppData\Local\Temp\IJKKKFCFHC.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1784
  - - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      4⤵
      Executes dropped EXE
      PID:1616
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\tmp.exe" & del "C:\ProgramData\*.dll"" & exit
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 5
    3⤵
    - Delays execution with timeout.exe
    PID:112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IJKKKFCFHC.exe

Filesize
1.9MB

MD5
4c89113e9ec9f66382893b6e3b206667

SHA1
d4391bcc02d5589c6c4efc3936048825a2ccbd21

SHA256
feb5a0556e226e438f4ca419f476e611df2ff7112a0668303b2da9ef1d2b89b1

SHA512
349efe882aba9a626a461c02c4e431e16114a59eb916d805f7a1d3fbc2194b6c41b29757c1aa1765eac9f2b276b02ed9e66535476a9b4be7106832ce964f2b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IJKKKFCFHC.exe

Filesize
1.9MB

MD5
4c89113e9ec9f66382893b6e3b206667

SHA1
d4391bcc02d5589c6c4efc3936048825a2ccbd21

SHA256
feb5a0556e226e438f4ca419f476e611df2ff7112a0668303b2da9ef1d2b89b1

SHA512
349efe882aba9a626a461c02c4e431e16114a59eb916d805f7a1d3fbc2194b6c41b29757c1aa1765eac9f2b276b02ed9e66535476a9b4be7106832ce964f2b5e

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
377.9MB

MD5
8f993a7b49006275be45c59108055154

SHA1
f757e89b190e18269b9a1d7c3eab5fdbbdf1edf7

SHA256
a86ba7795a2c6b61c3a577ebf6dacd1c290c7c3dc520a2868a68c390ff8dae88

SHA512
206882c51bacc87b115b7aeb9a8bbf542c05c3ee44ac2039b01d8c964f1519d49f2198b1e51c89eda0f5b555db0d5531ffbf296f7571c665c7140e88e7c0f4dc

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
337.9MB

MD5
b15f2d5f1c7ae8e12360ca90dc7c86f6

SHA1
8d43d6e04a058daa7039b632b80393182f125dcf

SHA256
208827b8ead482074ce7a87206d09a7f22f4db3a1ffe423c2878c42865d5cc1f

SHA512
603bd01845dc3fad42d7b85debeeb8b33598e38ae6e34a38c5e41f96800983a06f4d92b6587ea9a9d0279d764c5df291e7ae6f2f3320843ea703812594f33826

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\IJKKKFCFHC.exe

Filesize
1.9MB

MD5
4c89113e9ec9f66382893b6e3b206667

SHA1
d4391bcc02d5589c6c4efc3936048825a2ccbd21

SHA256
feb5a0556e226e438f4ca419f476e611df2ff7112a0668303b2da9ef1d2b89b1

SHA512
349efe882aba9a626a461c02c4e431e16114a59eb916d805f7a1d3fbc2194b6c41b29757c1aa1765eac9f2b276b02ed9e66535476a9b4be7106832ce964f2b5e

Download Submit
\Users\Admin\AppData\Local\Temp\IJKKKFCFHC.exe

Filesize
1.9MB

MD5
4c89113e9ec9f66382893b6e3b206667

SHA1
d4391bcc02d5589c6c4efc3936048825a2ccbd21

SHA256
feb5a0556e226e438f4ca419f476e611df2ff7112a0668303b2da9ef1d2b89b1

SHA512
349efe882aba9a626a461c02c4e431e16114a59eb916d805f7a1d3fbc2194b6c41b29757c1aa1765eac9f2b276b02ed9e66535476a9b4be7106832ce964f2b5e

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
358.0MB

MD5
0e9b8595b1d564b208bf21a63bcf6c6f

SHA1
0bfce482513d62da31d1ee9701563ba2fe7d415a

SHA256
83afdf2399d02f6bf913c0d9cf2a29a8af3168300d617c422f00383ec3d86e01

SHA512
ca8a0e66af599ca5bd8c0ddaed9c7737d455ca60c2ccb37e06a99089045e7c8988aec507aa3693f988cc04475ab6c335c778dc2c1fa0fcea95d2e4a317ab4632

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
375.6MB

MD5
472c3414464df2c86dde153fe9e14bdb

SHA1
a72421fbe5539421a408a6a8d8a3d009a0706aa7

SHA256
a462506fbb90da596ab072b485b4239f7d68e6a75a8c345b36e38547d65f1fa9

SHA512
16dc5d568efeb052f5ba7032fff3d7f9d4c6b58618e26d5adf229c0e46f274bbd8cd33be92b900a243a4b03851c65500976f64e8e7b2ba13c825a42e0b3b8d7b

Download Submit
memory/1296-55-0x0000000000230000-0x0000000000245000-memory.dmp

Filesize
84KB

Download
memory/1296-56-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1296-118-0x0000000000400000-0x0000000002AFB000-memory.dmp

Filesize
39.0MB

Download
memory/1296-114-0x0000000000400000-0x0000000002AFB000-memory.dmp

Filesize
39.0MB

Download
memory/1616-135-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/1616-143-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/1616-146-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/1616-145-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/1616-144-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/1616-136-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/1616-137-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/1616-140-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/1616-141-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/1616-142-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download
memory/1616-133-0x00000000047A0000-0x000000000494A000-memory.dmp

Filesize
1.7MB

Download
memory/1784-123-0x0000000004670000-0x000000000481A000-memory.dmp

Filesize
1.7MB

Download
memory/1784-124-0x0000000004820000-0x0000000004BF0000-memory.dmp

Filesize
3.8MB

Download
memory/1784-134-0x0000000000400000-0x0000000002C8F000-memory.dmp

Filesize
40.6MB

Download