laplas | 4e92d369cc121131b68a5bc2839fca89752a8bfa39f1819bc576ed717f0a1441

Analysis

max time kernel
131s
max time network
124s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20-03-2023 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

291KB
MD5

79583ef72d557666796293419281c161
SHA1

049a4de98d35bafa5a0ef00323826d4a02514223
SHA256

4e92d369cc121131b68a5bc2839fca89752a8bfa39f1819bc576ed717f0a1441
SHA512

c24a53a28ea8a3d3d4507531efb8f539b85dcfa2555d53d0a4a4a418c534b91cb8dd12e16662107634f1ac9aee8bc70e32d12d05cc958506d46ced49c7ebf19a
SSDEEP

3072:QDbHfXpL7ZZak4EMA5n7LN+D7oY6LnEMV+zH5nVJtKQTwQzMzjFUW5nbrWJh:qXpL7ZckfH5hsj8lQzM3S4vYh

Score

10^/10

laplas clipper discovery persistence spyware stealer

Malware Config

Extracted

Family

laplas

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Downloads MZ/PE file

Deletes itself 1 IoCs

pid	Process
1132	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1564	EHDBGDHDAE.exe
1876	ntlhost.exe

Loads dropped DLL 10 IoCs

pid	Process
1480	setup.exe
1480	setup.exe
2020	cmd.exe
2020	cmd.exe
1564	EHDBGDHDAE.exe
1564	EHDBGDHDAE.exe
1564	EHDBGDHDAE.exe
1564	EHDBGDHDAE.exe
1876	ntlhost.exe
1876	ntlhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	EHDBGDHDAE.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	setup.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
916	timeout.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	5	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1480	setup.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 2020	1480	setup.exe	29
PID 1480 wrote to memory of 2020	1480	setup.exe	29
PID 1480 wrote to memory of 2020	1480	setup.exe	29
PID 1480 wrote to memory of 2020	1480	setup.exe	29
PID 1480 wrote to memory of 2020	1480	setup.exe	29
PID 1480 wrote to memory of 2020	1480	setup.exe	29
PID 1480 wrote to memory of 2020	1480	setup.exe	29
PID 1480 wrote to memory of 1132	1480	setup.exe	30
PID 1480 wrote to memory of 1132	1480	setup.exe	30
PID 1480 wrote to memory of 1132	1480	setup.exe	30
PID 1480 wrote to memory of 1132	1480	setup.exe	30
PID 1480 wrote to memory of 1132	1480	setup.exe	30
PID 1480 wrote to memory of 1132	1480	setup.exe	30
PID 1480 wrote to memory of 1132	1480	setup.exe	30
PID 1132 wrote to memory of 916	1132	cmd.exe	33
PID 1132 wrote to memory of 916	1132	cmd.exe	33
PID 1132 wrote to memory of 916	1132	cmd.exe	33
PID 1132 wrote to memory of 916	1132	cmd.exe	33
PID 1132 wrote to memory of 916	1132	cmd.exe	33
PID 1132 wrote to memory of 916	1132	cmd.exe	33
PID 1132 wrote to memory of 916	1132	cmd.exe	33
PID 2020 wrote to memory of 1564	2020	cmd.exe	34
PID 2020 wrote to memory of 1564	2020	cmd.exe	34
PID 2020 wrote to memory of 1564	2020	cmd.exe	34
PID 2020 wrote to memory of 1564	2020	cmd.exe	34
PID 2020 wrote to memory of 1564	2020	cmd.exe	34
PID 2020 wrote to memory of 1564	2020	cmd.exe	34
PID 2020 wrote to memory of 1564	2020	cmd.exe	34
PID 1564 wrote to memory of 1876	1564	EHDBGDHDAE.exe	35
PID 1564 wrote to memory of 1876	1564	EHDBGDHDAE.exe	35
PID 1564 wrote to memory of 1876	1564	EHDBGDHDAE.exe	35
PID 1564 wrote to memory of 1876	1564	EHDBGDHDAE.exe	35
PID 1564 wrote to memory of 1876	1564	EHDBGDHDAE.exe	35
PID 1564 wrote to memory of 1876	1564	EHDBGDHDAE.exe	35
PID 1564 wrote to memory of 1876	1564	EHDBGDHDAE.exe	35

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\EHDBGDHDAE.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Users\Admin\AppData\Local\Temp\EHDBGDHDAE.exe
    "C:\Users\Admin\AppData\Local\Temp\EHDBGDHDAE.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1564
  - - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1876
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\setup.exe" & del "C:\ProgramData\*.dll"" & exit
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 5
    3⤵
    - Delays execution with timeout.exe
    PID:916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\EHDBGDHDAE.exe

Filesize
1.9MB

MD5
aa3321fbcbc033da9e097aacf740fdc5

SHA1
e9ecea40f56118e22d2d2bd53588d53804b2e91f

SHA256
4ca3dbb5395f00dd3e6a76add2069626e3db6222be3b8bba9a29444c5960f47f

SHA512
f8459386d1ec1151b1217587111a14584e2cf3086f2895e9c6ec67a3d50df93d20213e482999895ff9d0f58b3b9311254457a21fd15e14995cba5726758a7caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\EHDBGDHDAE.exe

Filesize
1.9MB

MD5
aa3321fbcbc033da9e097aacf740fdc5

SHA1
e9ecea40f56118e22d2d2bd53588d53804b2e91f

SHA256
4ca3dbb5395f00dd3e6a76add2069626e3db6222be3b8bba9a29444c5960f47f

SHA512
f8459386d1ec1151b1217587111a14584e2cf3086f2895e9c6ec67a3d50df93d20213e482999895ff9d0f58b3b9311254457a21fd15e14995cba5726758a7caa

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
216.7MB

MD5
60d01ff62b265d089ec031c10ac64c18

SHA1
4629f9a2bfb008111d73359011e8d0efeaa34492

SHA256
4d688fcb8f13fd518ff365fb61be4e2590597e9a80e32979c30e7954c3028331

SHA512
d52bdbd3f6360c0c81106c3f6dd4bd3ac6798ecd8f69fb9c0106cfaf7e8d0392c868d3807513dd63dbe82ecfdb26b48dfa7d3ff8bf68028b063100b0e0d758b9

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
211.6MB

MD5
8abd8612ca968833d8ec8c08de473cfd

SHA1
529e508a55740a02cfbdcdc7f6d7f3791ae2b214

SHA256
16742dd324e003cfac25f273249382e063c9002ad37a1b4427146923d37c11c2

SHA512
1d539ff071bedbf0e6866eef157e3ec46300994a2d0e2aa9b8c444a97159f4f83007c0c33ca02481c937c0e7547b613c09e0cd2403df8c334022181f28ca0171

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
216.8MB

MD5
3e1dc5d7fa9293126a7c54dd66117147

SHA1
b809b74431b55dc1d4144d683e7a83168470c2b8

SHA256
184356276efc22f6ade32b215f2c6a6177ebe910a27118f94839d712aef9d291

SHA512
ba652b1a9f434476994618f1723b7afc23e54677496075f51ce68416f88b647ec441ebbaee295db79ede25101808abc190f496df9e159366e06c22730a93e261

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\EHDBGDHDAE.exe

Filesize
1.9MB

MD5
aa3321fbcbc033da9e097aacf740fdc5

SHA1
e9ecea40f56118e22d2d2bd53588d53804b2e91f

SHA256
4ca3dbb5395f00dd3e6a76add2069626e3db6222be3b8bba9a29444c5960f47f

SHA512
f8459386d1ec1151b1217587111a14584e2cf3086f2895e9c6ec67a3d50df93d20213e482999895ff9d0f58b3b9311254457a21fd15e14995cba5726758a7caa

Download Submit
\Users\Admin\AppData\Local\Temp\EHDBGDHDAE.exe

Filesize
1.9MB

MD5
aa3321fbcbc033da9e097aacf740fdc5

SHA1
e9ecea40f56118e22d2d2bd53588d53804b2e91f

SHA256
4ca3dbb5395f00dd3e6a76add2069626e3db6222be3b8bba9a29444c5960f47f

SHA512
f8459386d1ec1151b1217587111a14584e2cf3086f2895e9c6ec67a3d50df93d20213e482999895ff9d0f58b3b9311254457a21fd15e14995cba5726758a7caa

Download Submit
\Users\Admin\AppData\Local\Temp\EHDBGDHDAE.exe

Filesize
1.9MB

MD5
aa3321fbcbc033da9e097aacf740fdc5

SHA1
e9ecea40f56118e22d2d2bd53588d53804b2e91f

SHA256
4ca3dbb5395f00dd3e6a76add2069626e3db6222be3b8bba9a29444c5960f47f

SHA512
f8459386d1ec1151b1217587111a14584e2cf3086f2895e9c6ec67a3d50df93d20213e482999895ff9d0f58b3b9311254457a21fd15e14995cba5726758a7caa

Download Submit
\Users\Admin\AppData\Local\Temp\EHDBGDHDAE.exe

Filesize
1.9MB

MD5
aa3321fbcbc033da9e097aacf740fdc5

SHA1
e9ecea40f56118e22d2d2bd53588d53804b2e91f

SHA256
4ca3dbb5395f00dd3e6a76add2069626e3db6222be3b8bba9a29444c5960f47f

SHA512
f8459386d1ec1151b1217587111a14584e2cf3086f2895e9c6ec67a3d50df93d20213e482999895ff9d0f58b3b9311254457a21fd15e14995cba5726758a7caa

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
215.4MB

MD5
53397e20d7b3cefde212c98a12d87c60

SHA1
4f3a11942f2eb33ee033a3ffb1682e5474016f5f

SHA256
69428b9833980cda9cb5cca7f426c662fd7717ee4e218b18b7b473d1f316ef65

SHA512
069a9ee9feb25f0146b858a0f01702e922651f3639b242cbd78782e2dd72ff519d1a3dde3c2babf9ec68f1a7599016270055e8d463116e357b1b843536bdc218

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
190.8MB

MD5
553c1b8c639e56c6973c091e00686d59

SHA1
a591f7895357e708947f44f28da04a8da6209304

SHA256
1da7997fb9ff4c2e0f2f6646de48e285af4253dddd2a785dd813698b8a00b4cd

SHA512
d3bb74da33006609f963ed15f7be8f82d1819d8714c8d3be51ae94568dfc1ba59591d560a84af5cff70986e74ae58f04761782cd7237949cc709b237218c6227

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
212.1MB

MD5
47e870e38842037c39c30e2a09f87f9c

SHA1
698c492fa8835e110f96ca09a5e6a3f8c99cae47

SHA256
71f8942c96a0c433095df93e1bbb1439e665d81f2717b22ed0eb5346a63ac1aa

SHA512
9a4a7cad6d66a37151eaf7f2f131cf9c0500419254e614021f539692dfbc9cd40bfdb242158b7d2dd12ae4d59d2c9f1b9e38d4810b46df21b361e7264f2f903a

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
218.6MB

MD5
4f62089fed269f62309f6f58db27d396

SHA1
e82074445b23500283619c0457e321fadba6c524

SHA256
ca9a9cd6f7c75ae70a2e1052d441decf62ce04c50bd13cd983c324e7cbc74bad

SHA512
d63c440707a10c533095050b553c7324efb43a66ea32b18a8eb2a6d34ead9baaf113f4f30ec340c1bb0f405d39dd15ee86cb82a8f4de496db99e0cafc62e2273

Download Submit
memory/1480-56-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1480-114-0x0000000000400000-0x0000000002AF9000-memory.dmp

Filesize
39.0MB

Download
memory/1480-55-0x0000000000240000-0x0000000000255000-memory.dmp

Filesize
84KB

Download
memory/1564-122-0x00000000045B0000-0x000000000475A000-memory.dmp

Filesize
1.7MB

Download
memory/1564-132-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/1564-123-0x0000000004760000-0x0000000004B30000-memory.dmp

Filesize
3.8MB

Download
memory/1876-136-0x00000000047F0000-0x000000000499A000-memory.dmp

Filesize
1.7MB

Download
memory/1876-137-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/1876-138-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/1876-139-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/1876-142-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/1876-143-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/1876-144-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/1876-145-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/1876-146-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/1876-147-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/1876-148-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/1876-149-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download