laplas | ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76

General

Target

SecuriteInfo.com.Heuristic.HEUR.AGEN.1254260.13336.3751.exe
Size

7.5MB
MD5

fb0deff37fe12bbc4f0c1fe21e2d15ef
SHA1

180325b8b6e64638e167601c67cd9c53331ba9f6
SHA256

ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76
SHA512

9fc013111994e943fd800abeb543563713eebebcd940b28973809a40d85271f0ed781dd95ca508e55788de2e2a575b1cb8734636f15b51a9d68f773b2cb4e73d
SSDEEP

196608:bdj1WcTeKCVpVAKegYv6Pvz7xCVfQeYDprOtpN6x1Cd:RReKaAlRgxMfvihOwxy

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://185.174.137.94

Attributes

api_key
b54641cc29f95948635d659de94166b4528e39706396a99bb9c54497b2ee3421

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	SecuriteInfo.com.Heuristic.HEUR.AGEN.1254260.13336.3751.exe

Executes dropped EXE 1 IoCs

pid	Process
1724	svcservice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	SecuriteInfo.com.Heuristic.HEUR.AGEN.1254260.13336.3751.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1904	SecuriteInfo.com.Heuristic.HEUR.AGEN.1254260.13336.3751.exe
1904	SecuriteInfo.com.Heuristic.HEUR.AGEN.1254260.13336.3751.exe
1724	svcservice.exe
1724	svcservice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1904	SecuriteInfo.com.Heuristic.HEUR.AGEN.1254260.13336.3751.exe
1904	SecuriteInfo.com.Heuristic.HEUR.AGEN.1254260.13336.3751.exe
1904	SecuriteInfo.com.Heuristic.HEUR.AGEN.1254260.13336.3751.exe
1904	SecuriteInfo.com.Heuristic.HEUR.AGEN.1254260.13336.3751.exe
1724	svcservice.exe
1724	svcservice.exe
1724	svcservice.exe
1724	svcservice.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 1724	1904	SecuriteInfo.com.Heuristic.HEUR.AGEN.1254260.13336.3751.exe	95
PID 1904 wrote to memory of 1724	1904	SecuriteInfo.com.Heuristic.HEUR.AGEN.1254260.13336.3751.exe	95
PID 1904 wrote to memory of 1724	1904	SecuriteInfo.com.Heuristic.HEUR.AGEN.1254260.13336.3751.exe	95

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1254260.13336.3751.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1254260.13336.3751.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:1724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
786.5MB

MD5
88a497ee49dab1d5770bc79f4a6f9ff4

SHA1
96c2c664fe212f58369451f4fc7c0d524a4263de

SHA256
ca08291bbc324b8a8b223841b6dd314109a380297dc645582aff311ff3e1146e

SHA512
77546b97566959ace4be6acd700650cf198fa44d7d87697445e9463a60dd1c4f499f16baa33f61f8d369b8940e38f4abc0b0dea840db91345b5a793e30c32113

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
755.7MB

MD5
1fa9eee1c50eda740ba4d720f08b12cf

SHA1
0b4c4759163ab2ddf9377f8abb3247801bcf6d4c

SHA256
9445d635de8f05de30bfd3508438f2b664b2e49cd726e163238a3808ba78f1ae

SHA512
062e719811f5024eb1ca1f2addda38c5ccce2936a8d86c6149945af72e2c0277030cbe8c2a414cb6ab7f40236905e60d2278c79255c2952a94965717f967bcf8

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
663.9MB

MD5
9908196b42d9b2e4a337a3c35abf7465

SHA1
ebf18bc4835c8d0c60f35e3f294ccc7c0d8721ac

SHA256
04cb4b678cd12b7b9fd7f151fa1d15df8315f2815ec4eb61b6fd704ab06c33d2

SHA512
b4501e96f385d5d234ced3e91aa52812bc1fdaa17389e480f9f7e07b33fabd455d90c8ceae9b8cf88e49ef04f3d6886830294988dca6230e9741cf75d8a56488

Download Submit
memory/1724-158-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/1724-160-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/1724-163-0x0000000000D60000-0x000000000190B000-memory.dmp

Filesize
11.7MB

Download
memory/1724-156-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/1724-162-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/1724-161-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/1724-159-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/1724-157-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/1724-155-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/1904-134-0x0000000001B70000-0x0000000001B71000-memory.dmp

Filesize
4KB

Download
memory/1904-135-0x0000000001B80000-0x0000000001B81000-memory.dmp

Filesize
4KB

Download
memory/1904-136-0x0000000001BA0000-0x0000000001BA1000-memory.dmp

Filesize
4KB

Download
memory/1904-133-0x0000000001B60000-0x0000000001B61000-memory.dmp

Filesize
4KB

Download
memory/1904-137-0x0000000001BB0000-0x0000000001BB1000-memory.dmp

Filesize
4KB

Download
memory/1904-141-0x0000000000F70000-0x0000000001B1B000-memory.dmp

Filesize
11.7MB

Download
memory/1904-140-0x0000000001BE0000-0x0000000001BE1000-memory.dmp

Filesize
4KB

Download
memory/1904-139-0x0000000001BD0000-0x0000000001BD1000-memory.dmp

Filesize
4KB

Download
memory/1904-138-0x0000000001BC0000-0x0000000001BC1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing