laplas | 348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057

General

Target

tmp.exe
Size

7.3MB
MD5

99f16ab6ab670935b5aa5c84b1b5f6bd
SHA1

59f375481cdfe246d1ddcaada9941e16dcfda297
SHA256

348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057
SHA512

845e76e29adb6b7890a3a5c508e27b9731e9872bc791eeefb146b23e0e737280d19e4df1203b719f8e168a8c8a0d8ae1b4bf670da5d264bde1eece8663624d70
SSDEEP

196608:Ltu5ODXM16mjmKSRFWuxx6ruj3nK/x9jWuy:L05ODcgR6mix1

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://185.106.92.104

Attributes

api_key
bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
2000	svcservice.exe

Loads dropped DLL 1 IoCs

pid	Process
1224	tmp.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	tmp.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1224	tmp.exe
1224	tmp.exe
2000	svcservice.exe
2000	svcservice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1224	tmp.exe
2000	svcservice.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 2000	1224	tmp.exe	28
PID 1224 wrote to memory of 2000	1224	tmp.exe	28
PID 1224 wrote to memory of 2000	1224	tmp.exe	28
PID 1224 wrote to memory of 2000	1224	tmp.exe	28
PID 1224 wrote to memory of 2000	1224	tmp.exe	28
PID 1224 wrote to memory of 2000	1224	tmp.exe	28
PID 1224 wrote to memory of 2000	1224	tmp.exe	28

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:2000

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
788.3MB

MD5
7d389c6c58b025a922f9add42240eaf7

SHA1
9a41fd27f7ed9d794446c24967584a1855bdf3d4

SHA256
9d28129db470f21df647fb532514029c6f60633c36620b9a518bc272287ff405

SHA512
c572192caec8c8e0ef3a2f0ad7f8109f478e36af075bba83a3f18fa23c0f3c707c8a79a0c600ca34928619c448ce86dfd09c264a62898687cf99820071ce2506

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
788.3MB

MD5
7d389c6c58b025a922f9add42240eaf7

SHA1
9a41fd27f7ed9d794446c24967584a1855bdf3d4

SHA256
9d28129db470f21df647fb532514029c6f60633c36620b9a518bc272287ff405

SHA512
c572192caec8c8e0ef3a2f0ad7f8109f478e36af075bba83a3f18fa23c0f3c707c8a79a0c600ca34928619c448ce86dfd09c264a62898687cf99820071ce2506

Download Submit
\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
663.5MB

MD5
7c45ae68c25acaf1e03f70797b88dab7

SHA1
564f22a938b3deeec7a707b930c9349356667481

SHA256
7dcec7d4233586ea90bc37a3221b6558f286c3b76b1f45bf4f7df8407822559b

SHA512
435f5ff3295fc52085357d6a239df83b585dba3d22c58b59c5376e7e53d325a9154d10f4088da0198cfd23e19141b27681b70eb86e98101fff3b7b30f8caeaf4

Download Submit
memory/1224-76-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1224-60-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1224-77-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/1224-78-0x0000000001180000-0x0000000001CFB000-memory.dmp

Filesize
11.5MB

Download
memory/1224-61-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1224-62-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1224-63-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1224-64-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1224-65-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1224-68-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1224-67-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1224-70-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1224-71-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/1224-73-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1224-74-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/1224-55-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1224-59-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1224-57-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1224-58-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1224-56-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1224-54-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2000-98-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2000-102-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2000-95-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2000-104-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2000-99-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2000-90-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2000-96-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2000-93-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2000-101-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2000-105-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2000-111-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2000-110-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2000-108-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2000-107-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2000-112-0x0000000000FA0000-0x0000000001B1B000-memory.dmp

Filesize
11.5MB

Download

Analysis

Sharing