Malware Analysis Report

2025-06-16 04:56

Sample ID 230318-a6zvtaaf57
Target ddb0eb49fbaccec15aa023cd0e3f184b431ceccad615cdaf419c8dde6f4ee0f5
SHA256 ddb0eb49fbaccec15aa023cd0e3f184b431ceccad615cdaf419c8dde6f4ee0f5
Tags
laplas clipper discovery persistence spyware stealer
score
10/10

Analysis Overview

Threat Level: Known bad

The file ddb0eb49fbaccec15aa023cd0e3f184b431ceccad615cdaf419c8dde6f4ee0f5 was found to be: Known bad.

Malicious Activity Summary

laplas clipper discovery persistence spyware stealer

Laplas Clipper

Downloads MZ/PE file

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Enumerates physical storage devices

Program crash

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Delays execution with timeout.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-18 00:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-18 00:50

Reported

2023-03-18 00:52

Platform

win10v2004-20230221-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ddb0eb49fbaccec15aa023cd0e3f184b431ceccad615cdaf419c8dde6f4ee0f5.exe"

Signatures

Laplas Clipper

stealer clipper laplas

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ddb0eb49fbaccec15aa023cd0e3f184b431ceccad615cdaf419c8dde6f4ee0f5.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JKEGHDGHCG.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" C:\Users\Admin\AppData\Local\Temp\JKEGHDGHCG.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\ddb0eb49fbaccec15aa023cd0e3f184b431ceccad615cdaf419c8dde6f4ee0f5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\ddb0eb49fbaccec15aa023cd0e3f184b431ceccad615cdaf419c8dde6f4ee0f5.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 900 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\ddb0eb49fbaccec15aa023cd0e3f184b431ceccad615cdaf419c8dde6f4ee0f5.exe C:\Windows\SysWOW64\cmd.exe
PID 900 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\ddb0eb49fbaccec15aa023cd0e3f184b431ceccad615cdaf419c8dde6f4ee0f5.exe C:\Windows\SysWOW64\cmd.exe
PID 892 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2224 wrote to memory of 4224 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\JKEGHDGHCG.exe
PID 4224 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\JKEGHDGHCG.exe C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ddb0eb49fbaccec15aa023cd0e3f184b431ceccad615cdaf419c8dde6f4ee0f5.exe

"C:\Users\Admin\AppData\Local\Temp\ddb0eb49fbaccec15aa023cd0e3f184b431ceccad615cdaf419c8dde6f4ee0f5.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JKEGHDGHCG.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\ddb0eb49fbaccec15aa023cd0e3f184b431ceccad615cdaf419c8dde6f4ee0f5.exe" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 900 -ip 900

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Users\Admin\AppData\Local\Temp\JKEGHDGHCG.exe

"C:\Users\Admin\AppData\Local\Temp\JKEGHDGHCG.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 2216

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4224 -ip 4224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4224 -s 468

Network

Country Destination Domain Proto
LV 45.87.154.30:80 45.87.154.30 tcp
US 8.8.8.8:53 133.17.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 30.154.87.45.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp
US 8.8.8.8:53 42.220.44.20.in-addr.arpa udp
US 204.79.197.203:443 tcp
N/A 185.119.196.167:80 185.119.196.167 tcp
US 8.8.8.8:53 167.196.119.185.in-addr.arpa udp
US 8.8.8.8:53 86.192.144.4.in-addr.arpa udp
US 8.8.8.8:53 176.122.125.40.in-addr.arpa udp
US 8.8.8.8:53 177.17.30.184.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 151.122.125.40.in-addr.arpa udp
US 20.189.173.6:443 tcp
US 8.8.8.8:53 99.113.223.173.in-addr.arpa udp
US 8.8.8.8:53 113.66.64.40.in-addr.arpa udp

Files

memory/900-134-0x0000000002C50000-0x0000000002C65000-memory.dmp

memory/900-135-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Local\Temp\JKEGHDGHCG.exe

MD5 b5ddb8ef8e4c2d6794ea20684387c71e
SHA1 845c7315887330fe61714dcdbea413dd6ba5a049
SHA256 00d3cd08ccbd51f7e9c5c186c101494281413e0d5f6afea753e025aa6eac388e
SHA512 c3cfdb5ade38bbd074671cb889a59cedcd35d6b85866e917fb4e7bfe659d6ec2126c14bef31b1099464ae5ba4644e21599172a9c2d3da921808b066e11cf846c

memory/4224-222-0x0000000004C00000-0x0000000004FD0000-memory.dmp

memory/900-223-0x0000000000400000-0x0000000002AFB000-memory.dmp

memory/4224-225-0x0000000000400000-0x0000000002C8F000-memory.dmp

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 29ed0eed099112f3841e8d061d05a88e
SHA1 fb78732acd573d28cac1df54b8acf41cacd1b669
SHA256 634a85f71f9e4bef34dd632df3d055703129be15d4595a5000adb0c74cd90ae4
SHA512 7c4edc0b1b62b2156de1d356f2c4de9170227b6cb01258036f5a2c4941060665593f044b90dbb47da7fe3445898b2042c79ed0670387312ad0c3a1a883174425

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 fc0b7197c3f7ca31582154325b3d8e35
SHA1 4ecd2ab28bff36d0c5f1ac943a3cd8ca8935016b
SHA256 3f677e8eb11bafd95de30d26e5b4cbfa15d4ae271865d273bd9928e075669c6d
SHA512 f1514b9558791bd71934f182ddcdc55932dcb8896dfac78e299f76da3a1eb4a3462dfb3565c39aac434b1116065b29c71f2f4baff3c9f407779cb75d51a4d034

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

MD5 fc9a14f10ee25ad3dcccbb1375cf4902
SHA1 7d45771fb46731fd08faa89287c61cbd6edbcc8a
SHA256 d370b9b7212b870a40241a6badb366f3a2f26894877b2955905f659e2af58b2e
SHA512 9f37b901bf1959efccb2963b1a236fe2a9b3a81998816e89b7c37a372834703ebf1ca9143be856bdd9de44a150eb9778532a9a87f1437c3db8307b4f7adadfa8
