laplas | 15539a353d5b7e18b87b30f717454dc25c4261954d97af791596ea49acb1fa92

Analysis

max time kernel
131s
max time network
129s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20-03-2023 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

291KB
MD5

8cca6d631010620a368ddc7925c0649c
SHA1

cbac7cdb0b393a64a25726c09c718616e83ffa8f
SHA256

15539a353d5b7e18b87b30f717454dc25c4261954d97af791596ea49acb1fa92
SHA512

4c38a618668d2fe78ee950aaadd4f32d7f4ff3130039efefb1e039bc79aeedb2e065141fdd96d4255735ffb68a991b83e0d4609e02a76a958c99feda4f24135c
SSDEEP

3072:2D2H6X9LmnZiTw5aX/ifwSYt3pkki/c9yEh+vp5nbrSLJhCe:MX9LmnMTlX/iYSYPkR/cWvzvohC

Score

10^/10

laplas clipper discovery persistence spyware stealer

Malware Config

Extracted

Family

laplas

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Downloads MZ/PE file

Deletes itself 1 IoCs

pid	Process
1888	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
656	FCAEBFIJKE.exe
960	ntlhost.exe

Loads dropped DLL 10 IoCs

pid	Process
2044	setup.exe
2044	setup.exe
1548	cmd.exe
1548	cmd.exe
656	FCAEBFIJKE.exe
656	FCAEBFIJKE.exe
656	FCAEBFIJKE.exe
656	FCAEBFIJKE.exe
960	ntlhost.exe
960	ntlhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	FCAEBFIJKE.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	setup.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1044	timeout.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	5	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2044	setup.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1548	2044	setup.exe	29
PID 2044 wrote to memory of 1548	2044	setup.exe	29
PID 2044 wrote to memory of 1548	2044	setup.exe	29
PID 2044 wrote to memory of 1548	2044	setup.exe	29
PID 2044 wrote to memory of 1548	2044	setup.exe	29
PID 2044 wrote to memory of 1548	2044	setup.exe	29
PID 2044 wrote to memory of 1548	2044	setup.exe	29
PID 2044 wrote to memory of 1888	2044	setup.exe	31
PID 2044 wrote to memory of 1888	2044	setup.exe	31
PID 2044 wrote to memory of 1888	2044	setup.exe	31
PID 2044 wrote to memory of 1888	2044	setup.exe	31
PID 2044 wrote to memory of 1888	2044	setup.exe	31
PID 2044 wrote to memory of 1888	2044	setup.exe	31
PID 2044 wrote to memory of 1888	2044	setup.exe	31
PID 1888 wrote to memory of 1044	1888	cmd.exe	33
PID 1888 wrote to memory of 1044	1888	cmd.exe	33
PID 1888 wrote to memory of 1044	1888	cmd.exe	33
PID 1888 wrote to memory of 1044	1888	cmd.exe	33
PID 1888 wrote to memory of 1044	1888	cmd.exe	33
PID 1888 wrote to memory of 1044	1888	cmd.exe	33
PID 1888 wrote to memory of 1044	1888	cmd.exe	33
PID 1548 wrote to memory of 656	1548	cmd.exe	34
PID 1548 wrote to memory of 656	1548	cmd.exe	34
PID 1548 wrote to memory of 656	1548	cmd.exe	34
PID 1548 wrote to memory of 656	1548	cmd.exe	34
PID 1548 wrote to memory of 656	1548	cmd.exe	34
PID 1548 wrote to memory of 656	1548	cmd.exe	34
PID 1548 wrote to memory of 656	1548	cmd.exe	34
PID 656 wrote to memory of 960	656	FCAEBFIJKE.exe	35
PID 656 wrote to memory of 960	656	FCAEBFIJKE.exe	35
PID 656 wrote to memory of 960	656	FCAEBFIJKE.exe	35
PID 656 wrote to memory of 960	656	FCAEBFIJKE.exe	35
PID 656 wrote to memory of 960	656	FCAEBFIJKE.exe	35
PID 656 wrote to memory of 960	656	FCAEBFIJKE.exe	35
PID 656 wrote to memory of 960	656	FCAEBFIJKE.exe	35

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FCAEBFIJKE.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Users\Admin\AppData\Local\Temp\FCAEBFIJKE.exe
    "C:\Users\Admin\AppData\Local\Temp\FCAEBFIJKE.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:656
  - - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:960
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\setup.exe" & del "C:\ProgramData\*.dll"" & exit
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1888
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 5
    3⤵
    - Delays execution with timeout.exe
    PID:1044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FCAEBFIJKE.exe

Filesize
1.9MB

MD5
aa3321fbcbc033da9e097aacf740fdc5

SHA1
e9ecea40f56118e22d2d2bd53588d53804b2e91f

SHA256
4ca3dbb5395f00dd3e6a76add2069626e3db6222be3b8bba9a29444c5960f47f

SHA512
f8459386d1ec1151b1217587111a14584e2cf3086f2895e9c6ec67a3d50df93d20213e482999895ff9d0f58b3b9311254457a21fd15e14995cba5726758a7caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCAEBFIJKE.exe

Filesize
1.9MB

MD5
aa3321fbcbc033da9e097aacf740fdc5

SHA1
e9ecea40f56118e22d2d2bd53588d53804b2e91f

SHA256
4ca3dbb5395f00dd3e6a76add2069626e3db6222be3b8bba9a29444c5960f47f

SHA512
f8459386d1ec1151b1217587111a14584e2cf3086f2895e9c6ec67a3d50df93d20213e482999895ff9d0f58b3b9311254457a21fd15e14995cba5726758a7caa

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
223.9MB

MD5
473cf9499de2ec29f05277d67ec36697

SHA1
ef93fc911ebc3a8faae145693109be2e4dca1b68

SHA256
0a465f72ae0aadec610579631f25520c484272aadd313618c9ee1b046c7f0975

SHA512
0d2fecdfdb1e0458e2e660290b92bab60c2dc104243ff498a39ad0102e169457c9119bb4def6c5d4b43ca4c64adca90a94ec7074ec8e2f86ac6758fe9dc3ca51

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
212.6MB

MD5
a28eccfaaa2b973ae583ff6b21e428c0

SHA1
9661bce47e4c42242ba00fe6508537c66527d1c3

SHA256
480728a4c7706cf8462bd5c005a54a02261ed295e22ac2f0f7474c0f91927376

SHA512
ababce10ac189180a03171a43e945f064ad73903581bd43fde41c730d0c63d4ac4f2d2d070adf219f0f4a86b5aa9ef19f1bce5a106b5e5fcff271f80a627e325

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
215.2MB

MD5
aa1971f35973b8d222e1332569b3e08a

SHA1
a85e181c0003d61232043dce890466ca3486dd5d

SHA256
1999b6d3eded1f8e4d11c3b58f9cbb3afd618288cdf888a59071bf25cbdba573

SHA512
f0edb295450a3649eb867f1e11b85c55b2474ad02cb17179b7c6ccf922f8333c4ca65526972d49a494284d12567dcf8fd127fe97247779f748cad5736e9a96dc

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\FCAEBFIJKE.exe

Filesize
1.9MB

MD5
aa3321fbcbc033da9e097aacf740fdc5

SHA1
e9ecea40f56118e22d2d2bd53588d53804b2e91f

SHA256
4ca3dbb5395f00dd3e6a76add2069626e3db6222be3b8bba9a29444c5960f47f

SHA512
f8459386d1ec1151b1217587111a14584e2cf3086f2895e9c6ec67a3d50df93d20213e482999895ff9d0f58b3b9311254457a21fd15e14995cba5726758a7caa

Download Submit
\Users\Admin\AppData\Local\Temp\FCAEBFIJKE.exe

Filesize
1.9MB

MD5
aa3321fbcbc033da9e097aacf740fdc5

SHA1
e9ecea40f56118e22d2d2bd53588d53804b2e91f

SHA256
4ca3dbb5395f00dd3e6a76add2069626e3db6222be3b8bba9a29444c5960f47f

SHA512
f8459386d1ec1151b1217587111a14584e2cf3086f2895e9c6ec67a3d50df93d20213e482999895ff9d0f58b3b9311254457a21fd15e14995cba5726758a7caa

Download Submit
\Users\Admin\AppData\Local\Temp\FCAEBFIJKE.exe

Filesize
1.9MB

MD5
aa3321fbcbc033da9e097aacf740fdc5

SHA1
e9ecea40f56118e22d2d2bd53588d53804b2e91f

SHA256
4ca3dbb5395f00dd3e6a76add2069626e3db6222be3b8bba9a29444c5960f47f

SHA512
f8459386d1ec1151b1217587111a14584e2cf3086f2895e9c6ec67a3d50df93d20213e482999895ff9d0f58b3b9311254457a21fd15e14995cba5726758a7caa

Download Submit
\Users\Admin\AppData\Local\Temp\FCAEBFIJKE.exe

Filesize
1.9MB

MD5
aa3321fbcbc033da9e097aacf740fdc5

SHA1
e9ecea40f56118e22d2d2bd53588d53804b2e91f

SHA256
4ca3dbb5395f00dd3e6a76add2069626e3db6222be3b8bba9a29444c5960f47f

SHA512
f8459386d1ec1151b1217587111a14584e2cf3086f2895e9c6ec67a3d50df93d20213e482999895ff9d0f58b3b9311254457a21fd15e14995cba5726758a7caa

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
223.7MB

MD5
fd564257cb6eb67d5a05c4cdda64d600

SHA1
d6f4865ed37779b503d634ce45a10f5fe0bd6217

SHA256
c5fe6100953ac91f2b73e76268275cd71bdc1b24f29eac66d2805b336b269d07

SHA512
0c978f665abffdd303c15d3dafba8d876c95e508235036a8c24155a38646dc678bb821075c00b7593fa00ad2b391ccd1e910d2efa09319bb6931df9ce11e20b3

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
224.3MB

MD5
4cf99307682412ea9b16226a5e6b66a6

SHA1
64d9f35f4e347f2cd7e127fa9179891a9c1434a1

SHA256
dd792cb50b930478c759bb1a5c7f1a0c4b54c392bfb26bdca742acb4709a2ced

SHA512
fbe5fc7ad8bb355f7f15934195ba2ba9e4311a8e81f917092120dc23cc87372440f91943b1215b6b7e827837d4469f2727e87fdcd3bdb83ce5ec434c54df8d63

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
220.1MB

MD5
3e8e7a9cf56f2ebad8a59973e8f0366e

SHA1
3d82ef99625db4c2cece72985bfa0b9adda34285

SHA256
be9e299f9eb364f2ea38affd4d9ac9b0d837901ff1d9638a035cd2f8f2dc68b6

SHA512
8014720d21db606bc099150d536416c2f2031c17d3df38aa6ad59127d96568b8c8c59c69b4473e3649babfe8267a1514f33c6c49133522b0c487ae2a37aca285

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
218.8MB

MD5
3674436110668cda357096a6b9b81642

SHA1
acf03b80c5ab0b77029a59a79061783eba145b6c

SHA256
b58d79f3de36bee5c2b0c9853794f10094cc0f34371edf61d1d3a5a738ae2499

SHA512
7972d98cdce3821d8049a040e5be2903f4ff98a81c2f4197ffb43f5be24b531a2e730983b123e5f2faf705b68dcc6337030ed49697df3832674ede2787c68126

Download Submit
memory/656-120-0x0000000004840000-0x0000000004C10000-memory.dmp

Filesize
3.8MB

Download
memory/656-119-0x0000000004670000-0x000000000481A000-memory.dmp

Filesize
1.7MB

Download
memory/656-129-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/960-140-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/960-138-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/960-147-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/960-146-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/960-135-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/960-136-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/960-137-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/960-133-0x00000000045D0000-0x000000000477A000-memory.dmp

Filesize
1.7MB

Download
memory/960-139-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/960-145-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/960-143-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/960-144-0x0000000000400000-0x0000000002C8E000-memory.dmp

Filesize
40.6MB

Download
memory/2044-55-0x0000000000240000-0x0000000000255000-memory.dmp

Filesize
84KB

Download
memory/2044-112-0x0000000000400000-0x0000000002AF9000-memory.dmp

Filesize
39.0MB

Download
memory/2044-56-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download