Overview

overview

10

Static

static

1

SecuriteIn...38.exe

windows7-x64

5

SecuriteIn...38.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-03-2023 16:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Trojan.GenericKD.65986477.30295.30638.exe

  • Size

    7.5MB

  • MD5

    f5d957a42f578847664cacb8a4c3d695

  • SHA1

    5affbea912936570480b7a6a0a7e67c6a2f62ec9

  • SHA256

    00978d16ecc2b0f6cf039b3bef087a8542d2092d8f95f36104f2329f7bf362dc

  • SHA512

    07821df782858665c810e959e92f78de4af56e8d090069c5637537338244f9348f7a878bff95d72620b4c092fd97cfb2d15ffe1c097c36a86399a478ea406980

  • SSDEEP

    196608:ZOtzW0BrGc/4GmLcBh8YSZIEqsyZr2caC78:kVW6Gc//B/xEh+a

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://212.113.106.172

Attributes
  • api_key

    a8f23fb9332db9a7947580ee498822bfe375b57ad7eb47370c7209509050c298

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.65986477.30295.30638.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.65986477.30295.30638.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3208
    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:1176

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    776.5MB

    MD5

    88d2b62f3615334793e3024f6bce5400

    SHA1

    ecb7535af3924bcc679057320437d53b8368d4ec

    SHA256

    8984081d7ce664fdb7214f02ae95012c3e8c88ae4c0b2a146b3c1c6084cd306d

    SHA512

    c51b49f78ed71055afb87bae6b9f858d423cd5016668c5e5610297d41fa7bbec174a9ecc42752bf6b30b5acf7d6accb6ff3c89fb51802918737777c7665d44d4

    Download Submit

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    707.7MB

    MD5

    602a0fbb0a57a113b8e5344c9f33a7e6

    SHA1

    3a776543c6418c6a7fa6f71d3f9f6d7368efcf53

    SHA256

    82658dacced47b90a6837bede0afe7187af895c48e08dca6d449629556e889f2

    SHA512

    d7cb01967931b9e977885965b4f3b6a054a12645f4c7b202603596a02e2e04141f8768eb1c5d695012131f10cb14398427fe65eb8c8446d8c65f2a7e77843599

    Download Submit

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    776.5MB

    MD5

    88d2b62f3615334793e3024f6bce5400

    SHA1

    ecb7535af3924bcc679057320437d53b8368d4ec

    SHA256

    8984081d7ce664fdb7214f02ae95012c3e8c88ae4c0b2a146b3c1c6084cd306d

    SHA512

    c51b49f78ed71055afb87bae6b9f858d423cd5016668c5e5610297d41fa7bbec174a9ecc42752bf6b30b5acf7d6accb6ff3c89fb51802918737777c7665d44d4

    Download Submit

  • memory/1176-158-0x00000000039D0000-0x00000000039D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1176-157-0x00000000039B0000-0x00000000039B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1176-163-0x0000000000DF0000-0x00000000019A0000-memory.dmp

    Filesize

    11.7MB

    Download

  • memory/1176-162-0x0000000003B20000-0x0000000003B21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1176-161-0x0000000003B10000-0x0000000003B11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1176-160-0x0000000003B00000-0x0000000003B01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1176-159-0x0000000003AF0000-0x0000000003AF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1176-156-0x00000000039A0000-0x00000000039A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1176-155-0x0000000003990000-0x0000000003991000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3208-134-0x00000000016E0000-0x00000000016E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3208-135-0x00000000016F0000-0x00000000016F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3208-136-0x00000000031B0000-0x00000000031B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3208-133-0x00000000016D0000-0x00000000016D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3208-137-0x00000000031C0000-0x00000000031C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3208-141-0x0000000000490000-0x0000000001040000-memory.dmp

    Filesize

    11.7MB

    Download

  • memory/3208-139-0x00000000031E0000-0x00000000031E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3208-140-0x00000000031F0000-0x00000000031F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3208-138-0x00000000031D0000-0x00000000031D1000-memory.dmp

    Filesize

    4KB

    Download