laplas | 348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057

General

Target

99f16ab6ab670935b5aa5c84b1b5f6bd.exe
Size

7.3MB
MD5

99f16ab6ab670935b5aa5c84b1b5f6bd
SHA1

59f375481cdfe246d1ddcaada9941e16dcfda297
SHA256

348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057
SHA512

845e76e29adb6b7890a3a5c508e27b9731e9872bc791eeefb146b23e0e737280d19e4df1203b719f8e168a8c8a0d8ae1b4bf670da5d264bde1eece8663624d70
SSDEEP

196608:Ltu5ODXM16mjmKSRFWuxx6ruj3nK/x9jWuy:L05ODcgR6mix1

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://185.106.92.104

Attributes

api_key
bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
1652	svcservice.exe

Loads dropped DLL 1 IoCs

pid	Process
1484	99f16ab6ab670935b5aa5c84b1b5f6bd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	99f16ab6ab670935b5aa5c84b1b5f6bd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1484	99f16ab6ab670935b5aa5c84b1b5f6bd.exe
1484	99f16ab6ab670935b5aa5c84b1b5f6bd.exe
1652	svcservice.exe
1652	svcservice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1484	99f16ab6ab670935b5aa5c84b1b5f6bd.exe
1652	svcservice.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 1652	1484	99f16ab6ab670935b5aa5c84b1b5f6bd.exe	27
PID 1484 wrote to memory of 1652	1484	99f16ab6ab670935b5aa5c84b1b5f6bd.exe	27
PID 1484 wrote to memory of 1652	1484	99f16ab6ab670935b5aa5c84b1b5f6bd.exe	27
PID 1484 wrote to memory of 1652	1484	99f16ab6ab670935b5aa5c84b1b5f6bd.exe	27
PID 1484 wrote to memory of 1652	1484	99f16ab6ab670935b5aa5c84b1b5f6bd.exe	27
PID 1484 wrote to memory of 1652	1484	99f16ab6ab670935b5aa5c84b1b5f6bd.exe	27
PID 1484 wrote to memory of 1652	1484	99f16ab6ab670935b5aa5c84b1b5f6bd.exe	27

C:\Users\Admin\AppData\Local\Temp\99f16ab6ab670935b5aa5c84b1b5f6bd.exe
"C:\Users\Admin\AppData\Local\Temp\99f16ab6ab670935b5aa5c84b1b5f6bd.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:1652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
654.3MB

MD5
6b6f2137d5d8caba0c08e706886cb66e

SHA1
2a22bfa7d1cc2b4ae606a475cf8df81daf589a74

SHA256
d3a472ea77aba7fb44285630b29d5337e93bf4ea022111ba9b81dd340c6e0e00

SHA512
18d2d28cbb961c8d0dbd3db14cfeab947eceb1aaf272464c720dba085420aa18e82ed79875de3c0596055374d208e8755da8c2db60f6108d43c8a66c1d5e96ba

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
682.9MB

MD5
b2d2cfac4b03f7f2994a42e8db189d2b

SHA1
5b84b7ede10d092d6932c41cd476c7201cb9db44

SHA256
fef525600e229f4be5466d3fbff10e08e9afaf182d93cbd656c6f3ec0f310702

SHA512
3b8b5caae99e296a69f5f9b570d7eba23d2309dba2977acd166896df775a851b4d058746adf4f885a1be09384adadd114bb3b9742c35a0b3c799060f32758559

Download Submit
\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
656.4MB

MD5
0d7db6e45c9cf9a19df0623a0253e7cb

SHA1
1b4c7de70e4cdc7be5cbdc310901a5536c290ec5

SHA256
5ec1837777260834f4f58789730968eb629990f9c3ee7a53e26a8f4310ebbea3

SHA512
a62d34257ad3a77aca823dcc0ee3c342c52fbce48d1a30fb45935365657576b000534eada58fd46bc3ed41d3894d75f5ca4b56a2369341d4a48d3256501a1085

Download Submit
memory/1484-78-0x0000000000B50000-0x00000000016CB000-memory.dmp

Filesize
11.5MB

Download
memory/1484-56-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1484-59-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1484-60-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1484-61-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1484-55-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1484-63-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1484-64-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1484-65-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1484-67-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1484-68-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1484-70-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1484-71-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1484-73-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1484-74-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1484-76-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1484-77-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1484-54-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1484-58-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1484-57-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1484-62-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1652-102-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1652-104-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1652-93-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1652-95-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1652-96-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1652-98-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1652-92-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1652-99-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1652-105-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1652-90-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1652-108-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1652-111-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1652-110-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1652-107-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1652-112-0x0000000000B30000-0x00000000016AB000-memory.dmp

Filesize
11.5MB

Download
memory/1652-101-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing