Analysis

  • max time kernel
    123s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/03/2023, 16:35

General

  • Target

    SecuriteInfo.com.Heuristic.HEUR.AGEN.1254260.13336.3751.exe

  • Size

    7.5MB

  • MD5

    fb0deff37fe12bbc4f0c1fe21e2d15ef

  • SHA1

    180325b8b6e64638e167601c67cd9c53331ba9f6

  • SHA256

    ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76

  • SHA512

    9fc013111994e943fd800abeb543563713eebebcd940b28973809a40d85271f0ed781dd95ca508e55788de2e2a575b1cb8734636f15b51a9d68f773b2cb4e73d

  • SSDEEP

    196608:bdj1WcTeKCVpVAKegYv6Pvz7xCVfQeYDprOtpN6x1Cd:RReKaAlRgxMfvihOwxy

Malware Config

Extracted

Family

laplas

C2

http://185.174.137.94

Attributes
  • api_key

    b54641cc29f95948635d659de94166b4528e39706396a99bb9c54497b2ee3421

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (1 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses (8 IoCs)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1254260.13336.3751.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heuristic.HEUR.AGEN.1254260.13336.3751.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1904
    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:1724

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

    Filesize

    786.5MB

    MD5

    88a497ee49dab1d5770bc79f4a6f9ff4

    SHA1

    96c2c664fe212f58369451f4fc7c0d524a4263de

    SHA256

    ca08291bbc324b8a8b223841b6dd314109a380297dc645582aff311ff3e1146e

    SHA512

    77546b97566959ace4be6acd700650cf198fa44d7d87697445e9463a60dd1c4f499f16baa33f61f8d369b8940e38f4abc0b0dea840db91345b5a793e30c32113

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

    Filesize

    755.7MB

    MD5

    1fa9eee1c50eda740ba4d720f08b12cf

    SHA1

    0b4c4759163ab2ddf9377f8abb3247801bcf6d4c

    SHA256

    9445d635de8f05de30bfd3508438f2b664b2e49cd726e163238a3808ba78f1ae

    SHA512

    062e719811f5024eb1ca1f2addda38c5ccce2936a8d86c6149945af72e2c0277030cbe8c2a414cb6ab7f40236905e60d2278c79255c2952a94965717f967bcf8

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

    Filesize

    663.9MB

    MD5

    9908196b42d9b2e4a337a3c35abf7465

    SHA1

    ebf18bc4835c8d0c60f35e3f294ccc7c0d8721ac

    SHA256

    04cb4b678cd12b7b9fd7f151fa1d15df8315f2815ec4eb61b6fd704ab06c33d2

    SHA512

    b4501e96f385d5d234ced3e91aa52812bc1fdaa17389e480f9f7e07b33fabd455d90c8ceae9b8cf88e49ef04f3d6886830294988dca6230e9741cf75d8a56488

  • memory/1724-158-0x0000000000900000-0x0000000000901000-memory.dmp

    Filesize

    4KB

  • memory/1724-160-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

    Filesize

    4KB

  • memory/1724-163-0x0000000000D60000-0x000000000190B000-memory.dmp

    Filesize

    11.7MB

  • memory/1724-156-0x00000000008D0000-0x00000000008D1000-memory.dmp

    Filesize

    4KB

  • memory/1724-162-0x0000000000D10000-0x0000000000D11000-memory.dmp

    Filesize

    4KB

  • memory/1724-161-0x0000000000D00000-0x0000000000D01000-memory.dmp

    Filesize

    4KB

  • memory/1724-159-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

    Filesize

    4KB

  • memory/1724-157-0x00000000008E0000-0x00000000008E1000-memory.dmp

    Filesize

    4KB

  • memory/1724-155-0x0000000000870000-0x0000000000871000-memory.dmp

    Filesize

    4KB

  • memory/1904-134-0x0000000001B70000-0x0000000001B71000-memory.dmp

    Filesize

    4KB

  • memory/1904-135-0x0000000001B80000-0x0000000001B81000-memory.dmp

    Filesize

    4KB

  • memory/1904-136-0x0000000001BA0000-0x0000000001BA1000-memory.dmp

    Filesize

    4KB

  • memory/1904-133-0x0000000001B60000-0x0000000001B61000-memory.dmp

    Filesize

    4KB

  • memory/1904-137-0x0000000001BB0000-0x0000000001BB1000-memory.dmp

    Filesize

    4KB

  • memory/1904-141-0x0000000000F70000-0x0000000001B1B000-memory.dmp

    Filesize

    11.7MB

  • memory/1904-140-0x0000000001BE0000-0x0000000001BE1000-memory.dmp

    Filesize

    4KB

  • memory/1904-139-0x0000000001BD0000-0x0000000001BD1000-memory.dmp

    Filesize

    4KB

  • memory/1904-138-0x0000000001BC0000-0x0000000001BC1000-memory.dmp

    Filesize

    4KB