Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-03-2023 14:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    00978d16ecc2b0f6cf039b3bef087a8542d2092d8f95f36104f2329f7bf362dc.exe

  • Size

    7.5MB

  • MD5

    f5d957a42f578847664cacb8a4c3d695

  • SHA1

    5affbea912936570480b7a6a0a7e67c6a2f62ec9

  • SHA256

    00978d16ecc2b0f6cf039b3bef087a8542d2092d8f95f36104f2329f7bf362dc

  • SHA512

    07821df782858665c810e959e92f78de4af56e8d090069c5637537338244f9348f7a878bff95d72620b4c092fd97cfb2d15ffe1c097c36a86399a478ea406980

  • SSDEEP

    196608:ZOtzW0BrGc/4GmLcBh8YSZIEqsyZr2caC78:kVW6Gc//B/xEh+a

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://212.113.106.172

Attributes
  • api_key

    a8f23fb9332db9a7947580ee498822bfe375b57ad7eb47370c7209509050c298

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\00978d16ecc2b0f6cf039b3bef087a8542d2092d8f95f36104f2329f7bf362dc.exe
    "C:\Users\Admin\AppData\Local\Temp\00978d16ecc2b0f6cf039b3bef087a8542d2092d8f95f36104f2329f7bf362dc.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4676
    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:3612

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    791.5MB

    MD5

    2561ad2b1fa318237865efa985835091

    SHA1

    7bd9f816949ecef9ecb66ac23528f32e39c517e7

    SHA256

    a9d97bd38c953c5e9de9a23b752c1b815a17b6f0522968ccaf9886d741087f0d

    SHA512

    bc18b01965068807ca6a01186afd68b4618969d009af77bd5adc6ed5eff1fabd8209ca32843d5898bc8837149e95f10f18fceae978793c58475664ecc40eed30

    Download Submit

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    791.5MB

    MD5

    2561ad2b1fa318237865efa985835091

    SHA1

    7bd9f816949ecef9ecb66ac23528f32e39c517e7

    SHA256

    a9d97bd38c953c5e9de9a23b752c1b815a17b6f0522968ccaf9886d741087f0d

    SHA512

    bc18b01965068807ca6a01186afd68b4618969d009af77bd5adc6ed5eff1fabd8209ca32843d5898bc8837149e95f10f18fceae978793c58475664ecc40eed30

    Download Submit

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    671.9MB

    MD5

    e868a3e0b6c964c669b6363dc722c237

    SHA1

    c3cca35b653fa5f23675a60409821059f658c632

    SHA256

    6f026aa50788d3bdb73796b07fe887a79b62d16ff85158526ac82f0041863cbd

    SHA512

    ebf1fcd3424bda07e5c1ca974f523dd50b1098149f185478faaf63dc65b8babe6b74e900a8bffb1392f1edf56adc6356754f9fe653f86705d5c9634e38f6aa94

    Download Submit

  • memory/3612-158-0x00000000014A0000-0x00000000014A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3612-159-0x00000000014B0000-0x00000000014B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3612-163-0x00000000000C0000-0x0000000000C70000-memory.dmp

    Filesize

    11.7MB

    Download

  • memory/3612-162-0x00000000014E0000-0x00000000014E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3612-161-0x00000000014D0000-0x00000000014D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3612-160-0x00000000014C0000-0x00000000014C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3612-157-0x0000000001480000-0x0000000001481000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3612-156-0x0000000001470000-0x0000000001471000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3612-155-0x0000000001460000-0x0000000001461000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4676-134-0x00000000013F0000-0x00000000013F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4676-135-0x0000000001400000-0x0000000001401000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4676-136-0x00000000030C0000-0x00000000030C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4676-133-0x00000000013E0000-0x00000000013E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4676-137-0x00000000030D0000-0x00000000030D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4676-141-0x00000000002A0000-0x0000000000E50000-memory.dmp

    Filesize

    11.7MB

    Download

  • memory/4676-140-0x0000000003100000-0x0000000003101000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4676-139-0x00000000030F0000-0x00000000030F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4676-138-0x00000000030E0000-0x00000000030E1000-memory.dmp

    Filesize

    4KB

    Download