Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/03/2023, 15:36

General

  • Target

    99f16ab6ab670935b5aa5c84b1b5f6bd.exe

  • Size

    7.3MB

  • MD5

    99f16ab6ab670935b5aa5c84b1b5f6bd

  • SHA1

    59f375481cdfe246d1ddcaada9941e16dcfda297

  • SHA256

    348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057

  • SHA512

    845e76e29adb6b7890a3a5c508e27b9731e9872bc791eeefb146b23e0e737280d19e4df1203b719f8e168a8c8a0d8ae1b4bf670da5d264bde1eece8663624d70

  • SSDEEP

    196608:Ltu5ODXM16mjmKSRFWuxx6ruj3nK/x9jWuy:L05ODcgR6mix1

Malware Config

Extracted

Family

laplas

C2

http://185.106.92.104

Attributes
  • api_key

    bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\99f16ab6ab670935b5aa5c84b1b5f6bd.exe
    "C:\Users\Admin\AppData\Local\Temp\99f16ab6ab670935b5aa5c84b1b5f6bd.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:540
    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:1740

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

    Filesize

    733.3MB

    MD5

    1f534eac78be1b83d9bb3af8e752842b

    SHA1

    fefcaeb6739d7bb71e77beb03b4540407b1cc50e

    SHA256

    83f838c581cdbb48a15a5c2cea94d65132dc9c858352438b23dc94972a3e6371

    SHA512

    2046863f8719fd6ab203c5e97e764dcbe933d16b7e7d79ca4f364cdc7c9c4ae37b9c2bfbbce3655903a8e0b87b498eed033cfd96664d20fa1806e2e2852e1043

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

    Filesize

    733.3MB

    MD5

    1f534eac78be1b83d9bb3af8e752842b

    SHA1

    fefcaeb6739d7bb71e77beb03b4540407b1cc50e

    SHA256

    83f838c581cdbb48a15a5c2cea94d65132dc9c858352438b23dc94972a3e6371

    SHA512

    2046863f8719fd6ab203c5e97e764dcbe933d16b7e7d79ca4f364cdc7c9c4ae37b9c2bfbbce3655903a8e0b87b498eed033cfd96664d20fa1806e2e2852e1043

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

    Filesize

    733.3MB

    MD5

    1f534eac78be1b83d9bb3af8e752842b

    SHA1

    fefcaeb6739d7bb71e77beb03b4540407b1cc50e

    SHA256

    83f838c581cdbb48a15a5c2cea94d65132dc9c858352438b23dc94972a3e6371

    SHA512

    2046863f8719fd6ab203c5e97e764dcbe933d16b7e7d79ca4f364cdc7c9c4ae37b9c2bfbbce3655903a8e0b87b498eed033cfd96664d20fa1806e2e2852e1043

  • memory/540-138-0x0000000001260000-0x0000000001261000-memory.dmp

    Filesize

    4KB

  • memory/540-137-0x0000000001250000-0x0000000001251000-memory.dmp

    Filesize

    4KB

  • memory/540-133-0x0000000000460000-0x0000000000461000-memory.dmp

    Filesize

    4KB

  • memory/540-139-0x0000000001270000-0x0000000001271000-memory.dmp

    Filesize

    4KB

  • memory/540-140-0x0000000001280000-0x0000000001281000-memory.dmp

    Filesize

    4KB

  • memory/540-141-0x00000000004D0000-0x000000000104B000-memory.dmp

    Filesize

    11.5MB

  • memory/540-136-0x0000000001240000-0x0000000001241000-memory.dmp

    Filesize

    4KB

  • memory/540-135-0x0000000001220000-0x0000000001221000-memory.dmp

    Filesize

    4KB

  • memory/540-134-0x00000000004C0000-0x00000000004C1000-memory.dmp

    Filesize

    4KB

  • memory/1740-155-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

    Filesize

    4KB

  • memory/1740-157-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

    Filesize

    4KB

  • memory/1740-156-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

    Filesize

    4KB

  • memory/1740-159-0x00000000013B0000-0x00000000013B1000-memory.dmp

    Filesize

    4KB

  • memory/1740-158-0x00000000013A0000-0x00000000013A1000-memory.dmp

    Filesize

    4KB

  • memory/1740-160-0x00000000013C0000-0x00000000013C1000-memory.dmp

    Filesize

    4KB

  • memory/1740-161-0x00000000013D0000-0x00000000013D1000-memory.dmp

    Filesize

    4KB

  • memory/1740-162-0x00000000013E0000-0x00000000013E1000-memory.dmp

    Filesize

    4KB

  • memory/1740-163-0x0000000000450000-0x0000000000FCB000-memory.dmp

    Filesize

    11.5MB