Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

ghxkehgertedtyp.c.exe

windows7-x64

5

ghxkehgertedtyp.c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    100s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/03/2023, 14:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ghxkehgertedtyp.c.exe

  • Size

    7.5MB

  • MD5

    f5d957a42f578847664cacb8a4c3d695

  • SHA1

    5affbea912936570480b7a6a0a7e67c6a2f62ec9

  • SHA256

    00978d16ecc2b0f6cf039b3bef087a8542d2092d8f95f36104f2329f7bf362dc

  • SHA512

    07821df782858665c810e959e92f78de4af56e8d090069c5637537338244f9348f7a878bff95d72620b4c092fd97cfb2d15ffe1c097c36a86399a478ea406980

  • SSDEEP

    196608:ZOtzW0BrGc/4GmLcBh8YSZIEqsyZr2caC78:kVW6Gc//B/xEh+a

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://212.113.106.172

Attributes
  • api_key

    a8f23fb9332db9a7947580ee498822bfe375b57ad7eb47370c7209509050c298

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ghxkehgertedtyp.c.exe
    "C:\Users\Admin\AppData\Local\Temp\ghxkehgertedtyp.c.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2548
    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:4660

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    316.1MB

    MD5

    3b3bed3fb44b0233db9d2e67b916ef8d

    SHA1

    87171aa23b7393d3cb3a8c046fa426131d0e364a

    SHA256

    35b2226826ce72ca5eb665e8488ad60405445677967db5854e36e4c1326be329

    SHA512

    770db84047dff127a30078e1e66a4b1adfa33c8536440bce8e65aa7ee6959235e3e4935769efca67f8dd69cd7b26395c90ee6737b6e9edfc6e85b9774965e054

    Download Submit

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    251.6MB

    MD5

    2f0d9ddd83046f2ca10c1b51896c62b4

    SHA1

    50b11221efa5e18b5e7adda0c231eebac1abf3cc

    SHA256

    ce5915c28a474f8902e99bc5d2d542edf05ba6150735040fcc50ac4b5e8bb724

    SHA512

    5c229f0482420615b073475552245f8ce87d431b9e49db4638319d2f8b112178c81e21a7867a9aad87b0b7a2ce205804f5de253ebf9a8755ebf113c7f9e70027

    Download Submit

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    298.2MB

    MD5

    139e690f66223a1fe9544227517d100e

    SHA1

    a67a23c16c2d11518b15f74b2838f990c8ac7c9a

    SHA256

    2543ed8530bddf94f0e2afbc9a97ae635dee8ac11ccc87dbe898ea4ed32e986e

    SHA512

    bdd32d0e68e929cc3972be9342e3d73ad1306a4f9b8d1205e2212a3d7968a491b70021d0f9253a03bf2059275239e46d44a7ec8b012f419ec2109706ea14af8c

    Download Submit

  • memory/2548-138-0x0000000002F30000-0x0000000002F31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2548-137-0x0000000002F20000-0x0000000002F21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2548-133-0x0000000001330000-0x0000000001331000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2548-139-0x0000000002F40000-0x0000000002F41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2548-140-0x0000000002F60000-0x0000000002F61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2548-141-0x00000000002F0000-0x0000000000EA0000-memory.dmp

    Filesize

    11.7MB

    Download

  • memory/2548-136-0x0000000002F10000-0x0000000002F11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2548-135-0x0000000001350000-0x0000000001351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2548-134-0x0000000001340000-0x0000000001341000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4660-155-0x0000000002EA0000-0x0000000002EA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4660-156-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4660-157-0x0000000002EC0000-0x0000000002EC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4660-158-0x0000000002EE0000-0x0000000002EE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4660-159-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4660-160-0x0000000002F00000-0x0000000002F01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4660-161-0x0000000002F10000-0x0000000002F11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4660-162-0x0000000002F20000-0x0000000002F21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4660-163-0x0000000000430000-0x0000000000FE0000-memory.dmp

    Filesize

    11.7MB

    Download