laplas | 348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057

General

Target

tmp.exe
Size

7.3MB
MD5

99f16ab6ab670935b5aa5c84b1b5f6bd
SHA1

59f375481cdfe246d1ddcaada9941e16dcfda297
SHA256

348014d89503967f134b988559b2ac694e0d3256708bbf7d8b96aa8c49fe1057
SHA512

845e76e29adb6b7890a3a5c508e27b9731e9872bc791eeefb146b23e0e737280d19e4df1203b719f8e168a8c8a0d8ae1b4bf670da5d264bde1eece8663624d70
SSDEEP

196608:Ltu5ODXM16mjmKSRFWuxx6ruj3nK/x9jWuy:L05ODcgR6mix1

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://185.106.92.104

Attributes

api_key
bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
3120	svcservice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	tmp.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
5084	tmp.exe
5084	tmp.exe
3120	svcservice.exe
3120	svcservice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5084	tmp.exe
5084	tmp.exe
3120	svcservice.exe
3120	svcservice.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 3120	5084	tmp.exe	87
PID 5084 wrote to memory of 3120	5084	tmp.exe	87
PID 5084 wrote to memory of 3120	5084	tmp.exe	87

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:3120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
795.3MB

MD5
0e314fac3138b1085228a3df982d747a

SHA1
60bbac0fa642087dd16a3161d6e57b68c6cd39fb

SHA256
b99d9081070cf7f945650a0d55d01e5ebb6cc6374da13d7053a6f5822bdd5900

SHA512
072afabd308d3586c9525a8cd3fdaf94d1b79c380e62adb85b338ef114383b40f2bd1dfd7872df25f10bcfe9ccc599bf3ee10c983c3be659b781f66f8b05965f

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
793.9MB

MD5
066a6c5c1fcdaa9f8d46df78f6d0d5d5

SHA1
e81ac949427f47d22bd96fceeb48681e37b6a827

SHA256
33da50890cfe28d85cd10176ecf60b1a3f6b5868603c41ba4c93e86631aef1ca

SHA512
a053c8b5e4747c915655f2981bbf3e13b5f0d682ed246a13feab15c4bf001426bd31df93b6b843657998325c142eda6927e13a71ac22c9e038eb20e75d0e0071

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
795.3MB

MD5
0e314fac3138b1085228a3df982d747a

SHA1
60bbac0fa642087dd16a3161d6e57b68c6cd39fb

SHA256
b99d9081070cf7f945650a0d55d01e5ebb6cc6374da13d7053a6f5822bdd5900

SHA512
072afabd308d3586c9525a8cd3fdaf94d1b79c380e62adb85b338ef114383b40f2bd1dfd7872df25f10bcfe9ccc599bf3ee10c983c3be659b781f66f8b05965f

Download Submit
memory/3120-158-0x0000000001990000-0x0000000001991000-memory.dmp

Filesize
4KB

Download
memory/3120-160-0x0000000003450000-0x0000000003451000-memory.dmp

Filesize
4KB

Download
memory/3120-163-0x0000000000780000-0x00000000012FB000-memory.dmp

Filesize
11.5MB

Download
memory/3120-162-0x0000000003470000-0x0000000003471000-memory.dmp

Filesize
4KB

Download
memory/3120-161-0x0000000003460000-0x0000000003461000-memory.dmp

Filesize
4KB

Download
memory/3120-159-0x00000000019A0000-0x00000000019A1000-memory.dmp

Filesize
4KB

Download
memory/3120-157-0x0000000001860000-0x0000000001861000-memory.dmp

Filesize
4KB

Download
memory/3120-156-0x0000000001850000-0x0000000001851000-memory.dmp

Filesize
4KB

Download
memory/3120-155-0x0000000001840000-0x0000000001841000-memory.dmp

Filesize
4KB

Download
memory/5084-134-0x0000000001A70000-0x0000000001A71000-memory.dmp

Filesize
4KB

Download
memory/5084-135-0x0000000001A80000-0x0000000001A81000-memory.dmp

Filesize
4KB

Download
memory/5084-136-0x0000000003820000-0x0000000003821000-memory.dmp

Filesize
4KB

Download
memory/5084-133-0x0000000001A50000-0x0000000001A51000-memory.dmp

Filesize
4KB

Download
memory/5084-137-0x0000000003830000-0x0000000003831000-memory.dmp

Filesize
4KB

Download
memory/5084-141-0x0000000000B00000-0x000000000167B000-memory.dmp

Filesize
11.5MB

Download
memory/5084-140-0x0000000003860000-0x0000000003861000-memory.dmp

Filesize
4KB

Download
memory/5084-139-0x0000000003850000-0x0000000003851000-memory.dmp

Filesize
4KB

Download
memory/5084-138-0x0000000003840000-0x0000000003841000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing