Analysis

  • max time kernel
    46s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/03/2023, 20:59

General

  • Target

    avicapn32.exe

  • Size

    8.6MB

  • MD5

    8d7cf73ce0624c89820492186e81268e

  • SHA1

    f43f83b11e6e4b850297443a30803f72cef99489

  • SHA256

    2a8e2ab611c7ea1a7c4e7b6fd50cef0a812ae4921a66d25106a039c90582ce29

  • SHA512

    2bc53e07e6d5d6b4267430011943824590001d8c341a5ccffb2260fc26fa1693d4a146f27a26a579450f822c5998551dfda50814e0b24d4cba8c903ccd8289cd

  • SSDEEP

    196608:dCFM0/NuKzJqwRCCuNhH8DuSHVKiPxtgDe/3jyAan7Ftnl+6+GVp7:KMMsA3U4t1HDOAI7T7

Malware Config

Extracted

Family

laplas

C2

http://185.223.93.223

Attributes
  • api_key

    afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\avicapn32.exe
    "C:\Users\Admin\AppData\Local\Temp\avicapn32.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1804
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:1344

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

    Filesize

    468.0MB

    MD5

    46fe26a8d2fc41726fe7f596b6d9e162

    SHA1

    a7328a357683b02ed31987faca6ed82d42554a64

    SHA256

    099cd8c9bc98fe7dacd017fc7fc7150e9a1ecd60316e2d42fc0718443dd29eb6

    SHA512

    4822cbfeed34669d24c4c59d53a265e232ba8096e1969dc1a3ba2c57790216599ee0e5ddf70b18fcba8bc1c161285307028a0ba6319e9dc01adbb45acf50b820

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

    Filesize

    493.2MB

    MD5

    9fa5a726c02db746a06fe160718218cb

    SHA1

    c62c59d7b066e02eddeac38108abfe085c6ec5f1

    SHA256

    65344b6b0ae35cd01ecce04aeee9db219e02bd1fb4df8d21ab029b41320af703

    SHA512

    891dfd97c08e0a1d25626ebca8015a9aae0c5af21782876d36faf6ed414216aeff5e6f5923702b1c9801dc76efaaf9455eb7db0efa931cc9f252455b18f882c3

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

    Filesize

    463.7MB

    MD5

    ff4d911c639b36fb7c34d4ebbde4ca99

    SHA1

    6f0980e8af95364ad98f50d7542fab87e7666836

    SHA256

    749bc2d74751369b4ee1f99bd2ac06223dbcbfd4e836f756826256b70f6633b2

    SHA512

    6245b9c43891fb3fc14f5f419d73bdb006a3c039d4d9769267ee9968a9b813fafd86b6d6e187c4ba6316377448a42069158d6fe9cc6736d0f0d62a1df389918e

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

    Filesize

    420.3MB

    MD5

    5c10584c3d3842705afa32a500b76f5e

    SHA1

    5851ccd77432fd76850b5c34eb75a42b20fd2958

    SHA256

    60b0d99df3d033641ad23529f1a24863f560500e6fb01b587d532a6962219e17

    SHA512

    0d22af8bef6236ff1f318e9c71008fc340aa303af4029493afe2d3bf7919c5a0eae172edca6f578af58a0fdabadf3cccdabe1820c9f48d03a6a71e4fa4d3bf79

  • memory/1344-85-0x0000000000230000-0x0000000001157000-memory.dmp

    Filesize

    15.2MB

  • memory/1344-84-0x00000000000E0000-0x00000000000E1000-memory.dmp

    Filesize

    4KB

  • memory/1344-96-0x0000000003380000-0x0000000003783000-memory.dmp

    Filesize

    4.0MB

  • memory/1344-95-0x0000000003380000-0x0000000003783000-memory.dmp

    Filesize

    4.0MB

  • memory/1344-94-0x0000000003380000-0x0000000003783000-memory.dmp

    Filesize

    4.0MB

  • memory/1344-88-0x0000000003380000-0x0000000003783000-memory.dmp

    Filesize

    4.0MB

  • memory/1804-69-0x0000000000EE0000-0x00000000012E3000-memory.dmp

    Filesize

    4.0MB

  • memory/1804-77-0x0000000000EE0000-0x00000000012E3000-memory.dmp

    Filesize

    4.0MB

  • memory/1804-57-0x00000000013B0000-0x00000000022D7000-memory.dmp

    Filesize

    15.2MB

  • memory/1804-56-0x00000000000E0000-0x00000000000E1000-memory.dmp

    Filesize

    4KB

  • memory/1804-54-0x00000000000E0000-0x00000000000E1000-memory.dmp

    Filesize

    4KB

  • memory/1804-55-0x00000000000E0000-0x00000000000E1000-memory.dmp

    Filesize

    4KB

  • memory/1804-59-0x00000000000F0000-0x00000000000F2000-memory.dmp

    Filesize

    8KB

  • memory/1804-60-0x0000000000EE0000-0x00000000012E3000-memory.dmp

    Filesize

    4.0MB

  • memory/1804-68-0x0000000000EE0000-0x00000000012E3000-memory.dmp

    Filesize

    4.0MB

  • memory/1804-67-0x0000000000EE0000-0x00000000012E3000-memory.dmp

    Filesize

    4.0MB

  • memory/1804-66-0x0000000000EE0000-0x00000000012E3000-memory.dmp

    Filesize

    4.0MB