Analysis

  • max time kernel
    145s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-03-2023 02:10

General

  • Target

    aacb20f669b174f1d38daa0fd94c42d375ec652b0623e47a1d69f6823d1c8892.exe

  • Size

    330KB

  • MD5

    303d02e6001fe7b563765c812c860f2f

  • SHA1

    ab8a49810c82a1a709a8ab9316d13d1033a95347

  • SHA256

    aacb20f669b174f1d38daa0fd94c42d375ec652b0623e47a1d69f6823d1c8892

  • SHA512

    b9b7d078bb46cbdb4ce7ada90246b11f3a54070881a78daabc0156c89d530460ebe8b163d31c87259a377f57e10eb24856f9312db70a872bd27601cd5345fe06

  • SSDEEP

    3072:X6flsJI1iLBb7lcMXs/OScEDO8veYEvCKAIvEjJnKDRVNtxvkJH:qfMI1iLJ7lQ/3zxVMMIvx31MJH

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes
  • api_key

    1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aacb20f669b174f1d38daa0fd94c42d375ec652b0623e47a1d69f6823d1c8892.exe
    "C:\Users\Admin\AppData\Local\Temp\aacb20f669b174f1d38daa0fd94c42d375ec652b0623e47a1d69f6823d1c8892.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\DAFIEHIEGD.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4444
      • C:\Users\Admin\AppData\Local\Temp\DAFIEHIEGD.exe
        "C:\Users\Admin\AppData\Local\Temp\DAFIEHIEGD.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:832
        • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
          C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
          4⤵
          • Executes dropped EXE
          PID:4920
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\aacb20f669b174f1d38daa0fd94c42d375ec652b0623e47a1d69f6823d1c8892.exe" & del "C:\ProgramData\*.dll"" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1740
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 5
        3⤵
        • Delays execution with timeout.exe
        PID:4344
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 2108
      2⤵
      • Program crash
      PID:1940
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3040 -ip 3040
    1⤵
      PID:3248

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Query Registry

    3
    T1012

    System Information Discovery

    3
    T1082

    Collection

    Data from Local System

    2
    T1005

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\mozglue.dll
      Filesize

      593KB

      MD5

      c8fd9be83bc728cc04beffafc2907fe9

      SHA1

      95ab9f701e0024cedfbd312bcfe4e726744c4f2e

      SHA256

      ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

      SHA512

      fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

    • C:\ProgramData\mozglue.dll
      Filesize

      593KB

      MD5

      c8fd9be83bc728cc04beffafc2907fe9

      SHA1

      95ab9f701e0024cedfbd312bcfe4e726744c4f2e

      SHA256

      ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

      SHA512

      fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

    • C:\ProgramData\nss3.dll
      Filesize

      2.0MB

      MD5

      1cc453cdf74f31e4d913ff9c10acdde2

      SHA1

      6e85eae544d6e965f15fa5c39700fa7202f3aafe

      SHA256

      ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

      SHA512

      dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

    • C:\Users\Admin\AppData\Local\Temp\DAFIEHIEGD.exe
      Filesize

      1.9MB

      MD5

      87b5057f44c2a25338f03f6ba10358ad

      SHA1

      b8d68c22a48b7b1dabecf2d0cb830392291e3cab

      SHA256

      de7320a71b9a0de261be6f7a8d36a6f13c3989681bb98627bc169d0e3f3c76eb

      SHA512

      2c6463eb46b6f2f263beb3601bdf909f7dfb24c4b1b0cb5dd6f19777ae703d7daa84c483e575ffce2792751925668afb6bf4bf0bd2f7e0898f057900eb4b9367

    • C:\Users\Admin\AppData\Local\Temp\DAFIEHIEGD.exe
      Filesize

      1.9MB

      MD5

      87b5057f44c2a25338f03f6ba10358ad

      SHA1

      b8d68c22a48b7b1dabecf2d0cb830392291e3cab

      SHA256

      de7320a71b9a0de261be6f7a8d36a6f13c3989681bb98627bc169d0e3f3c76eb

      SHA512

      2c6463eb46b6f2f263beb3601bdf909f7dfb24c4b1b0cb5dd6f19777ae703d7daa84c483e575ffce2792751925668afb6bf4bf0bd2f7e0898f057900eb4b9367

    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      Filesize

      451.6MB

      MD5

      28e99f601f6defa2d7297866325ace82

      SHA1

      22a18c17f91373dc0544ad465601cccd93d4372d

      SHA256

      3e00e56fb457ae4764cdee095ff1c632c7dac84a182e741fe2ddb60ac8328e93

      SHA512

      d8f34cda5a8cf6d4aca95520185ce0351b1b7051a42d5f084464766053278979a22d94a0def97fd95f9fb0e6cce8dcf6fa1bb20e3acb25e19c4da0ad3aaf1176

    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      Filesize

      429.0MB

      MD5

      4107373dd5f89431ef7fad5e8bf562ec

      SHA1

      9688410cb578330d22f634203840adb9ddbbd0db

      SHA256

      2786b938bcf5ccd35fa4bce15f56184d7aea04d4c1a7b3748ffb2e9e7e9bd7f4

      SHA512

      b01384aec5612db9a16d7599beef08ce96e214fef71cd612587d6d797f69d0aebf616c0d76f047520249b1856ed7a172923f446a49635f2434673b874b968439

    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      Filesize

      427.8MB

      MD5

      29c77471b3629d47aeea979aa1c0fc47

      SHA1

      a12473c5013c79c23a59bc98e189580547fada9c

      SHA256

      247550f014cd786ddfff6492da949f8d6eb6a2ab120269d2b5a2fe11e9cd7a7d

      SHA512

      c0f9dbb00ad3f5ac743d0902f508bc16a242a762fa5c90f6753b03439ac7dd84b82525a2a8a14cd028d308a36e8bed8237487a2eacf8e7352cbbad6662c420c9

    • memory/832-216-0x0000000000400000-0x0000000002C97000-memory.dmp
      Filesize

      40.6MB

    • memory/832-213-0x0000000004AC0000-0x0000000004E90000-memory.dmp
      Filesize

      3.8MB

    • memory/832-219-0x0000000000400000-0x0000000002C97000-memory.dmp
      Filesize

      40.6MB

    • memory/3040-214-0x0000000000400000-0x0000000002B02000-memory.dmp
      Filesize

      39.0MB

    • memory/3040-138-0x0000000061E00000-0x0000000061EF3000-memory.dmp
      Filesize

      972KB

    • memory/3040-137-0x0000000002DA0000-0x0000000002DB5000-memory.dmp
      Filesize

      84KB

    • memory/4920-224-0x0000000000400000-0x0000000002C97000-memory.dmp
      Filesize

      40.6MB

    • memory/4920-223-0x0000000000400000-0x0000000002C97000-memory.dmp
      Filesize

      40.6MB

    • memory/4920-222-0x0000000000400000-0x0000000002C97000-memory.dmp
      Filesize

      40.6MB

    • memory/4920-225-0x0000000000400000-0x0000000002C97000-memory.dmp
      Filesize

      40.6MB

    • memory/4920-226-0x0000000000400000-0x0000000002C97000-memory.dmp
      Filesize

      40.6MB

    • memory/4920-227-0x0000000000400000-0x0000000002C97000-memory.dmp
      Filesize

      40.6MB

    • memory/4920-228-0x0000000000400000-0x0000000002C97000-memory.dmp
      Filesize

      40.6MB

    • memory/4920-230-0x0000000000400000-0x0000000002C97000-memory.dmp
      Filesize

      40.6MB

    • memory/4920-231-0x0000000000400000-0x0000000002C97000-memory.dmp
      Filesize

      40.6MB

    • memory/4920-232-0x0000000000400000-0x0000000002C97000-memory.dmp
      Filesize

      40.6MB

    • memory/4920-233-0x0000000000400000-0x0000000002C97000-memory.dmp
      Filesize

      40.6MB

    • memory/4920-234-0x0000000000400000-0x0000000002C97000-memory.dmp
      Filesize

      40.6MB

    • memory/4920-235-0x0000000000400000-0x0000000002C97000-memory.dmp
      Filesize

      40.6MB