Overview

overview

10

Static

static

1

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    83s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-03-2023 13:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    290KB

  • MD5

    e681980e0fe13cc6b03d145f993f6d57

  • SHA1

    55c90ca0e3558e3227980cc1c083e14694c7b3f7

  • SHA256

    6eca42031f2809aca73b3cc3296cde7d49852f2ed14985c3093c10244d22376d

  • SHA512

    c2d6bef9ce2782ce7cd2f657773ac69ccb8bf5ea32cfd2cc7bdaa42df1334d784bef52286025294ea6220a41c8de51e6a938110ae573f14ec761d09a36578917

  • SSDEEP

    6144:gNnHLcUZsHVqxCpKbz+44XfQvW5xRPvPhO:gNnHAUSwJb64A5HHPh

Score
10/10
laplasclipperdiscoverypersistencespywarestealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes
  • api_key

    1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4368
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\CBAFCAKEHD.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3616
      • C:\Users\Admin\AppData\Local\Temp\CBAFCAKEHD.exe
        "C:\Users\Admin\AppData\Local\Temp\CBAFCAKEHD.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3172
        • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
          C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
          4⤵
          • Executes dropped EXE
          PID:2552
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\tmp.exe" & del "C:\ProgramData\*.dll"" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:564
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 5
        3⤵
        • Delays execution with timeout.exe
        PID:1068
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 2248
      2⤵
      • Program crash
      PID:1620
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4368 -ip 4368
    1⤵
      PID:4956

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\mozglue.dll
      Filesize

      593KB

      MD5

      c8fd9be83bc728cc04beffafc2907fe9

      SHA1

      95ab9f701e0024cedfbd312bcfe4e726744c4f2e

      SHA256

      ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

      SHA512

      fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

      Download Submit

    • C:\ProgramData\mozglue.dll
      Filesize

      593KB

      MD5

      c8fd9be83bc728cc04beffafc2907fe9

      SHA1

      95ab9f701e0024cedfbd312bcfe4e726744c4f2e

      SHA256

      ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

      SHA512

      fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

      Download Submit

    • C:\ProgramData\nss3.dll
      Filesize

      2.0MB

      MD5

      1cc453cdf74f31e4d913ff9c10acdde2

      SHA1

      6e85eae544d6e965f15fa5c39700fa7202f3aafe

      SHA256

      ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

      SHA512

      dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\CBAFCAKEHD.exe
      Filesize

      1.9MB

      MD5

      d8c99c5dd392f68fc5b546dfd9020e0f

      SHA1

      b157ece3c88b5a58d6ecc59d56db1dd08fe8cfe1

      SHA256

      d0ae0f42b639a1dc06fc46b8f2d711f8198e328b4101f4398190d635f1914c5f

      SHA512

      961c2f0ef15858aaf1b02eba93da79b9c8c00c3cb34ef5d63fdefe565ceed47739a4d4e604347e2d71e9ad18a6a01064bc3534b805abf248b96373c9f8a7def2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\CBAFCAKEHD.exe
      Filesize

      1.9MB

      MD5

      d8c99c5dd392f68fc5b546dfd9020e0f

      SHA1

      b157ece3c88b5a58d6ecc59d56db1dd08fe8cfe1

      SHA256

      d0ae0f42b639a1dc06fc46b8f2d711f8198e328b4101f4398190d635f1914c5f

      SHA512

      961c2f0ef15858aaf1b02eba93da79b9c8c00c3cb34ef5d63fdefe565ceed47739a4d4e604347e2d71e9ad18a6a01064bc3534b805abf248b96373c9f8a7def2

      Download Submit

    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      Filesize

      554.7MB

      MD5

      b25a7455423e44d774227eacc7d2fc1c

      SHA1

      9a81bb42aeb96f4f013423894749b823c53cf010

      SHA256

      ab317081767a165ba1f7df094b073676f6695da2bc94f0399c9a6d571fb10001

      SHA512

      44019acd460d7a6bcd00a90013c51f9bd66f6796103873af47a2ba4f3c2238feb54e9e3d815fde27c7862c690e162895a595247c1e0caa9fb49167228d333ef4

      Download Submit

    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      Filesize

      555.2MB

      MD5

      20af1ce2ecbfd84b8eeca189d2d15c19

      SHA1

      6bbe48b7d34d47fe1e885a53c260a1bf7a53fbc3

      SHA256

      efa33045ae39a48b898eedf9053cb067b0bac89c81a2d0e59d0ce56ad01a7b02

      SHA512

      0ee7fe69a28ef8c6ac0b24491679f435d39ec31f31207a4f6f56a8aeda30de796e4dbc8d0e2e77d25ee5c3e0dbb95fcc08badc9976a5606aa4e338480dc445a1

      Download Submit

    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      Filesize

      557.6MB

      MD5

      5c1f166cc6a127adecb5688687e6cdce

      SHA1

      028bcae1ffd1ff1c65901a4b1a2b865b814cc585

      SHA256

      f5b14d338986b6e4f2e1107c156a800018d55d016b0da053bab5f3d76a979772

      SHA512

      6d2342a6d3203cbbd2e3a0a9198fc20c4e5b447d5ec6fdad1abdbcba76cf3862b4c21c6d9817f674d666415e0e8aaf1ccfecb4b3babcb99e9e8ddeab3656e1b0

      Download Submit

    • memory/2552-221-0x0000000000400000-0x0000000002C8E000-memory.dmp

      Filesize

      40.6MB

      Download

    • memory/2552-219-0x0000000000400000-0x0000000002C8E000-memory.dmp

      Filesize

      40.6MB

      Download

    • memory/2552-222-0x0000000000400000-0x0000000002C8E000-memory.dmp

      Filesize

      40.6MB

      Download

    • memory/2552-223-0x0000000000400000-0x0000000002C8E000-memory.dmp

      Filesize

      40.6MB

      Download

    • memory/2552-224-0x0000000000400000-0x0000000002C8E000-memory.dmp

      Filesize

      40.6MB

      Download

    • memory/2552-225-0x0000000000400000-0x0000000002C8E000-memory.dmp

      Filesize

      40.6MB

      Download

    • memory/3172-213-0x0000000000400000-0x0000000002C8E000-memory.dmp

      Filesize

      40.6MB

      Download

    • memory/3172-211-0x0000000004BA0000-0x0000000004F70000-memory.dmp

      Filesize

      3.8MB

      Download

    • memory/3172-215-0x0000000000400000-0x0000000002C8E000-memory.dmp

      Filesize

      40.6MB

      Download

    • memory/4368-134-0x0000000004830000-0x0000000004845000-memory.dmp

      Filesize

      84KB

      Download

    • memory/4368-209-0x0000000000400000-0x0000000002AF8000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/4368-135-0x0000000061E00000-0x0000000061EF3000-memory.dmp

      Filesize

      972KB

      Download