laplas | 1055458a8ee3ee7724fd82ca27387523cb1d0d1733ac8cceaf99fab47e35d105

General

Target

add_attack/neee.exe
Size

7.3MB
MD5

99f16ab6ab670935b5aa5c84b1b5f6bd
SHA1

59f375481cdfe246d1ddcaada9941e16dcfda297
SHA256

348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057
SHA512

845e76e29adb6b7890a3a5c508e27b9731e9872bc791eeefb146b23e0e737280d19e4df1203b719f8e168a8c8a0d8ae1b4bf670da5d264bde1eece8663624d70
SSDEEP

196608:Ltu5ODXM16mjmKSRFWuxx6ruj3nK/x9jWuy:L05ODcgR6mix1

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://185.106.92.104

Attributes

api_key
bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	neee.exe

Executes dropped EXE 1 IoCs

pid	Process
60	svcservice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	neee.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1648	neee.exe
1648	neee.exe
60	svcservice.exe
60	svcservice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1648	neee.exe
1648	neee.exe
60	svcservice.exe
60	svcservice.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 60	1648	neee.exe	85
PID 1648 wrote to memory of 60	1648	neee.exe	85
PID 1648 wrote to memory of 60	1648	neee.exe	85

C:\Users\Admin\AppData\Local\Temp\add_attack\neee.exe
"C:\Users\Admin\AppData\Local\Temp\add_attack\neee.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:60

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0P80TOLA\online[1].txt

Filesize
2B

MD5
444bcb3a3fcf8389296c49467f27e1d6

SHA1
7a85f4764bbd6daf1c3545efbbf0f279a6dc0beb

SHA256
2689367b205c16ce32ed4200942b8b8b1e262dfc70d9bc9fbc77c49699a4f1df

SHA512
9fbbbb5a0f329f9782e2356fa41d89cf9b3694327c1a934d6af2a9df2d7f936ce83717fb513196a4ce5548471708cd7134c2ae99b3c357bcabb2eafc7b9b7570

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DKFP9JBL\regex[1].txt

Filesize
633B

MD5
c5298d2c78be8fdfc264eb6fe3e275f8

SHA1
f09de5f443da081efaff0155f422ca0375edd164

SHA256
de32b3c0549fde0dc5ac435a89f16a87832a0632b6602e75f552d07074081577

SHA512
5aeb5013b00e13cd8a172639bc7c675bd06cc0473ae9844c9c324e5c322987ddeff986bd4a8e620ce0ca9d1098a3ee8bbb4802789d1e89b0ec0cecf2f55a4853

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
766.3MB

MD5
1bce8a7c9ba30ea7713af903b858bb9f

SHA1
9c3661b880a5292476e1a7f099d849e9ad6e1449

SHA256
98adb0c05412e3070978488d1a77c613daf07d2c3b59519adc82b58a60bad39a

SHA512
425773a0be0410fc28058aa0fd665a5cf3d44fc083bafb6ff8c3ce5d08103878b20d4355d7b24d16d86286deeeede05f282e603544af0dc5712d5958219d61f1

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
766.3MB

MD5
1bce8a7c9ba30ea7713af903b858bb9f

SHA1
9c3661b880a5292476e1a7f099d849e9ad6e1449

SHA256
98adb0c05412e3070978488d1a77c613daf07d2c3b59519adc82b58a60bad39a

SHA512
425773a0be0410fc28058aa0fd665a5cf3d44fc083bafb6ff8c3ce5d08103878b20d4355d7b24d16d86286deeeede05f282e603544af0dc5712d5958219d61f1

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
766.3MB

MD5
1bce8a7c9ba30ea7713af903b858bb9f

SHA1
9c3661b880a5292476e1a7f099d849e9ad6e1449

SHA256
98adb0c05412e3070978488d1a77c613daf07d2c3b59519adc82b58a60bad39a

SHA512
425773a0be0410fc28058aa0fd665a5cf3d44fc083bafb6ff8c3ce5d08103878b20d4355d7b24d16d86286deeeede05f282e603544af0dc5712d5958219d61f1

Download Submit
memory/60-157-0x0000000001D10000-0x0000000001D11000-memory.dmp

Filesize
4KB

Download
memory/60-162-0x00000000037E0000-0x00000000037E1000-memory.dmp

Filesize
4KB

Download
memory/60-163-0x0000000000CF0000-0x000000000186B000-memory.dmp

Filesize
11.5MB

Download
memory/60-161-0x00000000037D0000-0x00000000037D1000-memory.dmp

Filesize
4KB

Download
memory/60-160-0x00000000037C0000-0x00000000037C1000-memory.dmp

Filesize
4KB

Download
memory/60-159-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/60-158-0x0000000001D30000-0x0000000001D31000-memory.dmp

Filesize
4KB

Download
memory/60-155-0x0000000001CF0000-0x0000000001CF1000-memory.dmp

Filesize
4KB

Download
memory/60-156-0x0000000001D00000-0x0000000001D01000-memory.dmp

Filesize
4KB

Download
memory/1648-136-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/1648-133-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/1648-137-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/1648-138-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/1648-139-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/1648-141-0x0000000000E50000-0x00000000019CB000-memory.dmp

Filesize
11.5MB

Download
memory/1648-140-0x0000000000E40000-0x0000000000E41000-memory.dmp

Filesize
4KB

Download
memory/1648-135-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/1648-134-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing