Analysis

  • max time kernel: 135s
  • max time network: 149s
  • platform: windows10-2004_x64
  • resource: win10v2004-20230220-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 19-03-2023 14:11

General

  • Target: bc169d66a15f7a459d73225fe925d3d08fa693530313bc6f31b2e711eaad1f0e.exe
  • Size: 291KB
  • MD5: c0cddc95c61243fcc138abdedd77036d
  • SHA1: bc7a72334c9d38bd12ca62812720f3eb62a8e6de
  • SHA256: bc169d66a15f7a459d73225fe925d3d08fa693530313bc6f31b2e711eaad1f0e
  • SHA512: c9f2bddac82468a9aae8dcb5c577de1901b28d02adb4f9ee27d7ca18f1168111d0c56c143b467af987ed33020780dc7c5a18ff4e2a41d7ac78855e9bad98d7db
  • SSDEEP: 3072:tD0WX/L6PD0HApNr0mjugOIBwZgVZ5i5Ib7pJhD5:/X/L6LWENrTggdrfjhD

Malware Config

Extracted

  • Family: laplas
  • C2: http://45.87.154.105
  • Attributes
    • api_key: 1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc169d66a15f7a459d73225fe925d3d08fa693530313bc6f31b2e711eaad1f0e.exe
    "C:\Users\Admin\AppData\Local\Temp\bc169d66a15f7a459d73225fe925d3d08fa693530313bc6f31b2e711eaad1f0e.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1184
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\AFCBFIJEHD.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1780
      • C:\Users\Admin\AppData\Local\Temp\AFCBFIJEHD.exe
        "C:\Users\Admin\AppData\Local\Temp\AFCBFIJEHD.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2996
        • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
          C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
          4⤵
          • Executes dropped EXE
          PID:632
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\bc169d66a15f7a459d73225fe925d3d08fa693530313bc6f31b2e711eaad1f0e.exe" & del "C:\ProgramData\*.dll"" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2388
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 5
        3⤵
        • Delays execution with timeout.exe
        PID:1104
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1184 -s 2340
      2⤵
      • Program crash
      PID:4708
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1184 -ip 1184
    1⤵
    PID:3744

Downloads

  • C:\ProgramData\mozglue.dll
    Filesize: 593KB
    MD5: c8fd9be83bc728cc04beffafc2907fe9
    SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
    SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
    SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

  • C:\ProgramData\nss3.dll
    Filesize: 2.0MB
    MD5: 1cc453cdf74f31e4d913ff9c10acdde2
    SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
    SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
    SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

  • C:\Users\Admin\AppData\Local\Temp\AFCBFIJEHD.exe
    Filesize: 1.9MB
    MD5: 52cf0121c6e7906c6ecae7fe91780b37
    SHA1: ab1364fb1908684956c80e0e6a5f09ca7f399269
    SHA256: 8eedcb9fa507269b6e4930996c16c425e94c7870a0dad263b34dd3d2281e21f0
    SHA512: 671cbc150f70b650af911ba3be0ac1c91e6616d87cd343b354aed1dfc9506766d6116452ab11552628f313c3dc57db1c20b6015c16981b1d8d0f4f30e9d75164

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize: 629.4MB
    MD5: a4ad87866d92971df7e35b88e2734d8d
    SHA1: d8e795f1410cf86a1247d76b07fa9ceb4593763a
    SHA256: d27124f659f87d3e71abc5c57ff578cfc26171bc8d353c9feddc1b3bcfe3f3b4
    SHA512: 04018b9586942d879597b949193e593c83d50cd1671bfb749bef9943646f6237f28d9e090c81bf697b8d4f990c35b297b0f6c3673f9dd6689f16a2ad46cb5037

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize: 564.1MB
    MD5: ed08457b0aae2bb21ccd74ed8654d2c1
    SHA1: 0ff493cf03c2f764f79763ec32b999e1b12dfff9
    SHA256: 135cd750f5c1d877991b1781099d3b0a7d2a5f08f4402ebabcd63ac8d0e04717
    SHA512: cf303cd3272c05d94f385699820ff2093bb78eb16bcd36dbf64a2554d37feb63b8596948f51b6c36987313d6f912d9f9da68f3d4cc8d38e8f24edda12b6e6ac5

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize: 597.9MB
    MD5: d81f4e755413b760d68db99dbee9ea02
    SHA1: c132efa1b23fd3b06bc9e460ed6b37c80d8dffc7
    SHA256: 9fc5d74c49395e89c8bdd8ccd59d0c7e2603b13d1fd2d7069ac27645b9923d71
    SHA512: 39a817071b2af7c162061d15909ab69161c88409364141c919195de3a7ba89fa14989db6f7dcae54fb53db2edba3751701ffa18e8d864793f54d044848a403f3

  • memory/632-225-0x0000000000400000-0x0000000002C8E000-memory.dmp (Filesize: 40.6MB)
  • memory/632-226-0x0000000000400000-0x0000000002C8E000-memory.dmp (Filesize: 40.6MB)
  • memory/632-222-0x0000000000400000-0x0000000002C8E000-memory.dmp (Filesize: 40.6MB)
  • memory/632-223-0x0000000000400000-0x0000000002C8E000-memory.dmp (Filesize: 40.6MB)
  • memory/632-228-0x0000000000400000-0x0000000002C8E000-memory.dmp (Filesize: 40.6MB)
  • memory/632-220-0x0000000000400000-0x0000000002C8E000-memory.dmp (Filesize: 40.6MB)
  • memory/632-218-0x0000000000400000-0x0000000002C8E000-memory.dmp (Filesize: 40.6MB)
  • memory/632-219-0x0000000000400000-0x0000000002C8E000-memory.dmp (Filesize: 40.6MB)
  • memory/632-230-0x0000000000400000-0x0000000002C8E000-memory.dmp (Filesize: 40.6MB)
  • memory/632-229-0x0000000000400000-0x0000000002C8E000-memory.dmp (Filesize: 40.6MB)
  • memory/632-227-0x0000000000400000-0x0000000002C8E000-memory.dmp (Filesize: 40.6MB)
  • memory/632-224-0x0000000000400000-0x0000000002C8E000-memory.dmp (Filesize: 40.6MB)
  • memory/1184-134-0x0000000002E90000-0x0000000002EA5000-memory.dmp (Filesize: 84KB)
  • memory/1184-210-0x0000000000400000-0x0000000002AF9000-memory.dmp (Filesize: 39.0MB)
  • memory/1184-135-0x0000000061E00000-0x0000000061EF3000-memory.dmp (Filesize: 972KB)
  • memory/2996-215-0x0000000000400000-0x0000000002C8E000-memory.dmp (Filesize: 40.6MB)
  • memory/2996-209-0x0000000004B10000-0x0000000004EE0000-memory.dmp (Filesize: 3.8MB)
  • memory/2996-212-0x0000000000400000-0x0000000002C8E000-memory.dmp (Filesize: 40.6MB)