Analysis
-
max time kernel
146s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
18-03-2023 23:21
General
-
Target
15cf9bf2faf0e67d058abf46628467ff05ecf90097ffbcb1dd434e477685f75a.exe
-
Size
291KB
-
MD5
83ca7eedb2feb0c47269bfcb68952acc
-
SHA1
83500a09400121071b80c44f5e4d6784574b9925
-
SHA256
15cf9bf2faf0e67d058abf46628467ff05ecf90097ffbcb1dd434e477685f75a
-
SHA512
86db21836bf3a603fc111ceb56efa59a93a22666099306a99d7e8f2485b964efe66fa7d1b14cee1ee6c94e354d2bb1e22154aa196f96271292248f8f0a9c0661
-
SSDEEP
3072:zGznWLNLfmP/mFpDMWRZwCApURkkEO7VkoOGQ54TytGHER:4nWLN63gAWs9KWk9qoOGdTZE
Malware Config
Extracted
laplas
http://45.87.154.105
-
api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767
Signatures
-
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
GoLang User-Agent 2 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
- Drops file in System32 directory
-
C:\Users\Admin\AppData\Local\Temp\15cf9bf2faf0e67d058abf46628467ff05ecf90097ffbcb1dd434e477685f75a.exe"C:\Users\Admin\AppData\Local\Temp\15cf9bf2faf0e67d058abf46628467ff05ecf90097ffbcb1dd434e477685f75a.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EGIDBFBFHJ.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\EGIDBFBFHJ.exe"C:\Users\Admin\AppData\Local\Temp\EGIDBFBFHJ.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeC:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe4⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\15cf9bf2faf0e67d058abf46628467ff05ecf90097ffbcb1dd434e477685f75a.exe" & del "C:\ProgramData\*.dll"" & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 53⤵
- Delays execution with timeout.exe
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 23482⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2952 -ip 29521⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
1.9MB
MD57d1c375649982b6578629a8e3d6633d4
SHA167a356982d102f4c7520f2efa7e139a1a1541635
SHA256e3d43b3b6a41985aa2a8b2e3432bf8409e542113d13df1a1658e0508e187dc3e
SHA512e3f1939fd64005f3157973ef3582cf19be69163ebe4cb37181da224c97afdb0db8b81be0567a280b52dc72daadae71114ccc0baac166be4e9fd0cbbd343d8d18
-
Filesize
1.9MB
MD57d1c375649982b6578629a8e3d6633d4
SHA167a356982d102f4c7520f2efa7e139a1a1541635
SHA256e3d43b3b6a41985aa2a8b2e3432bf8409e542113d13df1a1658e0508e187dc3e
SHA512e3f1939fd64005f3157973ef3582cf19be69163ebe4cb37181da224c97afdb0db8b81be0567a280b52dc72daadae71114ccc0baac166be4e9fd0cbbd343d8d18
-
Filesize
36KB
MD5761388ca8095173f6963b1d23ad8a68b
SHA141e2693d0efc36cb0b97ea215d554932c46464ab
SHA256369a2323cb569b44970884d5af3d70e38c9cfb59a54d929fabb51ba46593aa06
SHA5122db4576927b4325dc51ce1755d55b00f7153a10424ca79fb7f32f8c92a5dec899c3961b44a15a129f1e5234b53a89c8946192703b88b10e70e86670e5831ebdf
-
Filesize
14KB
MD5c01eaa0bdcd7c30a42bbb35a9acbf574
SHA10aee3e1b873e41d040f1991819d0027b6cc68f54
SHA25632297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40
SHA512d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7
-
Filesize
375.4MB
MD5fb1225ed291d7a0ea7c0b377e41acbeb
SHA1c9097bfb27a0a25a91439fb04cdc36bca8ab596e
SHA256d9a15c9ac1c8c2f8451bf78bdf13bdf531f5dec3485f5865ef324706f5b6545f
SHA512ee33701a673dba570cd8cc613e172f9c491d756459a2bff9f9877251f857d04d4a8322333b89a1d75a3777e637edab0cc22bb7950a2485e95c6daf0e48940f5f
-
Filesize
647.8MB
MD51e8b3e5c3b9d38837c7eef65dc64678a
SHA1ed2df1f4556fb2ed17db66dabe0839b07d934f1e
SHA256e65c9361527ef7bf1104aebe0c899fc579bd27200722a5e4f8ab20296329b9f3
SHA5121736bafde5d6e089447410d7b03439270251e3bb8285cd8c14dca2c4187459d7cbfb998c07a57419d1d60bd2859bb9f61e113016cc7a6f08531a7b3c38fb8a2d
-
Filesize
639.5MB
MD5c970810acde772504faf7bd3e4f7a1cd
SHA18a960a70653e779b32f692b72b943c7612765b3f
SHA256d251cf2ce9cd51970064bd8b80a7221455e5a9fc93240740a97103909d49a52d
SHA512d09b4a0a5cdaa9f89b9e9917bf20d16e87e446d9af0e0ac69abae0940e648daef58d32e43781752108a140f0bcdb82a6d975c1ffb828aecb09eafed3553c0d40
-
Filesize
29KB
MD58d166f7c820a6c98ec8f534da5ddff89
SHA1089a141efecfcd0ae39c16698e1d1250097b97d6
SHA256fd62790dc7315dcce3b0632ed3a881247c7267c860cafddd3d91e39e6dd429d6
SHA512a3b0eb393e158420de92dc536ad06523912828b10e2b5f0660b733332a88bf471ab83dd5513365a1ecece6263a2c8b2186eb74409427314ca7c3287515f97129
-
Filesize
66KB
MD5f37f475891e4607a981cc9824f07d510
SHA174d11e8620df9af2c0dc97a89f502e515950888c
SHA2565f901e10fc24ddfe417c8a56561ca7b2b980f2aff24c365e4b245e95cd83bc12
SHA512d843c16faf6d5781b86688e793cdf7c06260b8aee0ad769455685f9366ecc800849ac6f5e5688870c463001f7f1aa441fe554fb55d66307693efe6c1c07a31ea
-
Filesize
39.0MB
-
Filesize
84KB
-
Filesize
972KB
-
Filesize
40.6MB
-
Filesize
40.6MB
-
Filesize
40.6MB
-
Filesize
40.6MB
-
Filesize
40.6MB
-
Filesize
40.6MB
-
Filesize
40.6MB
-
Filesize
40.6MB
-
Filesize
3.8MB
-
Filesize
40.6MB
-
Filesize
40.6MB