laplas | 1055458a8ee3ee7724fd82ca27387523cb1d0d1733ac8cceaf99fab47e35d105

Analysis

max time kernel
562s
max time network
568s
platform
windows7_x64
resource
win7-20230220-es
resource tags

arch:x64arch:x86image:win7-20230220-eslocale:es-esos:windows7-x64systemwindows
submitted
19-03-2023 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

add_attack/neee.exe
Size

7.3MB
MD5

99f16ab6ab670935b5aa5c84b1b5f6bd
SHA1

59f375481cdfe246d1ddcaada9941e16dcfda297
SHA256

348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057
SHA512

845e76e29adb6b7890a3a5c508e27b9731e9872bc791eeefb146b23e0e737280d19e4df1203b719f8e168a8c8a0d8ae1b4bf670da5d264bde1eece8663624d70
SSDEEP

196608:Ltu5ODXM16mjmKSRFWuxx6ruj3nK/x9jWuy:L05ODcgR6mix1

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://185.106.92.104

Attributes

api_key
bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
1712	svcservice.exe

Loads dropped DLL 1 IoCs

pid	Process
680	neee.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	neee.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
680	neee.exe
680	neee.exe
1712	svcservice.exe
1712	svcservice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
680	neee.exe
1712	svcservice.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 680 wrote to memory of 1712	680	neee.exe	28
PID 680 wrote to memory of 1712	680	neee.exe	28
PID 680 wrote to memory of 1712	680	neee.exe	28
PID 680 wrote to memory of 1712	680	neee.exe	28
PID 680 wrote to memory of 1712	680	neee.exe	28
PID 680 wrote to memory of 1712	680	neee.exe	28
PID 680 wrote to memory of 1712	680	neee.exe	28

C:\Users\Admin\AppData\Local\Temp\add_attack\neee.exe
"C:\Users\Admin\AppData\Local\Temp\add_attack\neee.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:680
- C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:1712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CMIDRLTB\regex[2].txt

Filesize
633B

MD5
c5298d2c78be8fdfc264eb6fe3e275f8

SHA1
f09de5f443da081efaff0155f422ca0375edd164

SHA256
de32b3c0549fde0dc5ac435a89f16a87832a0632b6602e75f552d07074081577

SHA512
5aeb5013b00e13cd8a172639bc7c675bd06cc0473ae9844c9c324e5c322987ddeff986bd4a8e620ce0ca9d1098a3ee8bbb4802789d1e89b0ec0cecf2f55a4853

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UOYUJSME\online[2].txt

Filesize
2B

MD5
444bcb3a3fcf8389296c49467f27e1d6

SHA1
7a85f4764bbd6daf1c3545efbbf0f279a6dc0beb

SHA256
2689367b205c16ce32ed4200942b8b8b1e262dfc70d9bc9fbc77c49699a4f1df

SHA512
9fbbbb5a0f329f9782e2356fa41d89cf9b3694327c1a934d6af2a9df2d7f936ce83717fb513196a4ce5548471708cd7134c2ae99b3c357bcabb2eafc7b9b7570

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
757.3MB

MD5
156fa53cb7419d10c9d4a7ab940f21ca

SHA1
559543412106377d3ff9a872e39b66d38ca88095

SHA256
531a3e0079e6faf3289b92a2edcd824faf93f8c285c27f6140e0801959c44d43

SHA512
5f88ed349d51bfb52108e46f111d159ace438712edf34b601072cf4ed0aec1ab52fc3419380bab822a62523b00b25749e8e877f30a6471fedb9c861a45e6736c

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
757.3MB

MD5
156fa53cb7419d10c9d4a7ab940f21ca

SHA1
559543412106377d3ff9a872e39b66d38ca88095

SHA256
531a3e0079e6faf3289b92a2edcd824faf93f8c285c27f6140e0801959c44d43

SHA512
5f88ed349d51bfb52108e46f111d159ace438712edf34b601072cf4ed0aec1ab52fc3419380bab822a62523b00b25749e8e877f30a6471fedb9c861a45e6736c

Download Submit
\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
757.3MB

MD5
156fa53cb7419d10c9d4a7ab940f21ca

SHA1
559543412106377d3ff9a872e39b66d38ca88095

SHA256
531a3e0079e6faf3289b92a2edcd824faf93f8c285c27f6140e0801959c44d43

SHA512
5f88ed349d51bfb52108e46f111d159ace438712edf34b601072cf4ed0aec1ab52fc3419380bab822a62523b00b25749e8e877f30a6471fedb9c861a45e6736c

Download Submit
memory/680-78-0x0000000000950000-0x00000000014CB000-memory.dmp

Filesize
11.5MB

Download
memory/680-73-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/680-61-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/680-62-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/680-63-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/680-64-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/680-65-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/680-67-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/680-68-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/680-70-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/680-71-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/680-56-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/680-74-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/680-76-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/680-77-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/680-54-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/680-59-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/680-58-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/680-57-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/680-60-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/680-55-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1712-89-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/1712-93-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1712-95-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/1712-96-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/1712-98-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/1712-99-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/1712-102-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/1712-101-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/1712-104-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/1712-105-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/1712-107-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/1712-108-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/1712-110-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/1712-111-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/1712-112-0x0000000000100000-0x0000000000C7B000-memory.dmp

Filesize
11.5MB

Download
memory/1712-92-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1712-90-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download