Overview

overview

10

Static

static

1

efd930a05e...a9.exe

windows7-x64

10

efd930a05e...a9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    21-03-2023 14:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    efd930a05e3497d82dec3bf394060900c09945105250b2207326f396bc921ea9.exe

  • Size

    291KB

  • MD5

    3b3aed60d330c39e582230b682ff2156

  • SHA1

    b91132e4edd5f9a02391dd8b5e25b64e68a73b8a

  • SHA256

    efd930a05e3497d82dec3bf394060900c09945105250b2207326f396bc921ea9

  • SHA512

    81e486b6ae35699a86e7d51bebc2cb314e72c33834e03ab059864befe5e8182ec4f06bdaaf1a1a92eae687cf26d6a0f9af720710caf869fbb5e6590cb1c2ed3a

  • SSDEEP

    3072:/PKXgwL0oG5+1hTI1ca9Y924EbWJaA1SNx75MVtNpkcWK:EgwL055+A1ca9S+GaAQN4B2cWK

Score
10/10
laplasclipperdiscoverypersistencespywarestealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes
  • api_key

    1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Downloads MZ/PE file
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\efd930a05e3497d82dec3bf394060900c09945105250b2207326f396bc921ea9.exe
    "C:\Users\Admin\AppData\Local\Temp\efd930a05e3497d82dec3bf394060900c09945105250b2207326f396bc921ea9.exe"
    1⤵
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1692
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JKKEBGCGHI.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:632
      • C:\Users\Admin\AppData\Local\Temp\JKKEBGCGHI.exe
        "C:\Users\Admin\AppData\Local\Temp\JKKEBGCGHI.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1260
        • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
          C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
          4⤵
          • Executes dropped EXE
          PID:940
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\efd930a05e3497d82dec3bf394060900c09945105250b2207326f396bc921ea9.exe" & del "C:\ProgramData\*.dll"" & exit
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1308
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 5
        3⤵
        • Delays execution with timeout.exe
        PID:1804

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\JKKEBGCGHI.exe
    Filesize

    1.9MB

    MD5

    9e02c05696e63e53f6f7a8fc7bf9e5ca

    SHA1

    83d17724e64973eb938926e8ccce0fa4911fafb8

    SHA256

    727ab7ab3fbcea9b9ace8552393f06ca837c9b1905772de1be3a263149f55210

    SHA512

    767596c377a656b326bf922cb2fdb96d675590b4974c654fc5b501924b035638d07124224fcdba00a4f7671917918abb216a4d8c5e2bc566a1578c21bc694bb0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\JKKEBGCGHI.exe
    Filesize

    1.9MB

    MD5

    9e02c05696e63e53f6f7a8fc7bf9e5ca

    SHA1

    83d17724e64973eb938926e8ccce0fa4911fafb8

    SHA256

    727ab7ab3fbcea9b9ace8552393f06ca837c9b1905772de1be3a263149f55210

    SHA512

    767596c377a656b326bf922cb2fdb96d675590b4974c654fc5b501924b035638d07124224fcdba00a4f7671917918abb216a4d8c5e2bc566a1578c21bc694bb0

    Download Submit
  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    645.0MB

    MD5

    db7fbf1fc40380d6b28f5c9112e04cc0

    SHA1

    8152cf033e36112d635ed84947b29ba029e37e34

    SHA256

    b2b46a7fa8b053f4c33d45123591831ff2cc897cd7d297ded5069f75219a9ea0

    SHA512

    e27ec29f4180aae19b8d89bcab0113f3945c235955268ff7e6d6431aa3c886198a41f583910f5c6ca7d25cf0da90cb0f91233b64b128a49b6f90303c78590239

    Download Submit
  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    629.2MB

    MD5

    825934e22ea4e56b6f1df47fa3b779f0

    SHA1

    4a1d5c5a51d5c3e7340ee20d6e080e0fec6ec5d7

    SHA256

    49f23583f3c4a5f40326c6a43c7f271d57f3566e8f5b9c6c51d60f46b0717136

    SHA512

    feff47e3891358dc00a927e5cd12baab3e09be16c6033aebf22bb66f0f422e7c76dfb9d813525bf88fcfe55f5dcdce5fba91b509ab5903e8fc08a20bbaef3b49

    Download Submit
  • \ProgramData\mozglue.dll
    Filesize

    593KB

    MD5

    c8fd9be83bc728cc04beffafc2907fe9

    SHA1

    95ab9f701e0024cedfbd312bcfe4e726744c4f2e

    SHA256

    ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

    SHA512

    fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

    Download Submit
  • \ProgramData\nss3.dll
    Filesize

    2.0MB

    MD5

    1cc453cdf74f31e4d913ff9c10acdde2

    SHA1

    6e85eae544d6e965f15fa5c39700fa7202f3aafe

    SHA256

    ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

    SHA512

    dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

    Download Submit
  • \Users\Admin\AppData\Local\Temp\JKKEBGCGHI.exe
    Filesize

    1.9MB

    MD5

    9e02c05696e63e53f6f7a8fc7bf9e5ca

    SHA1

    83d17724e64973eb938926e8ccce0fa4911fafb8

    SHA256

    727ab7ab3fbcea9b9ace8552393f06ca837c9b1905772de1be3a263149f55210

    SHA512

    767596c377a656b326bf922cb2fdb96d675590b4974c654fc5b501924b035638d07124224fcdba00a4f7671917918abb216a4d8c5e2bc566a1578c21bc694bb0

    Download Submit
  • \Users\Admin\AppData\Local\Temp\JKKEBGCGHI.exe
    Filesize

    1.9MB

    MD5

    9e02c05696e63e53f6f7a8fc7bf9e5ca

    SHA1

    83d17724e64973eb938926e8ccce0fa4911fafb8

    SHA256

    727ab7ab3fbcea9b9ace8552393f06ca837c9b1905772de1be3a263149f55210

    SHA512

    767596c377a656b326bf922cb2fdb96d675590b4974c654fc5b501924b035638d07124224fcdba00a4f7671917918abb216a4d8c5e2bc566a1578c21bc694bb0

    Download Submit
  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    607.6MB

    MD5

    46b6ed7de9c6e44962ecf18f54e8ff4c

    SHA1

    c67fb6b098d637bf39174bb9bbb2a389a51304b0

    SHA256

    6b3373e498c903ab086a31dccde26e45f5dbe928aedc92585b6feb046a70df64

    SHA512

    cb72fa19392819663c5fd09de6d4b7bbc1c08317019122d6ab05b95720abc97cbd757b602fb7871a672a28b65d3128e4c8c205c4332a1a475384bf006e1aa4ab

    Download Submit
  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    610.8MB

    MD5

    b91c8bb0ffe5b0b103389a175a68deee

    SHA1

    233ced9f38b722f2ea69751a6e74f65ea111a47e

    SHA256

    fbc266b7c60ffec5dbfaff833e226bd69cea04c6e1f2da25080c794e7cdd0c60

    SHA512

    38212d5ac1a78f16c38b153477e2a981c795e65991e9a84a23ad1782e33cb76a5c327f970262354f25a4d92d430d734077279651b592f074ffe723d3c62c49e9

    Download Submit
  • memory/940-146-0x0000000000400000-0x00000000008A8000-memory.dmp
    Filesize

    4.7MB

    Download
  • memory/940-140-0x0000000000400000-0x00000000008A8000-memory.dmp
    Filesize

    4.7MB

    Download
  • memory/940-147-0x0000000000400000-0x00000000008A8000-memory.dmp
    Filesize

    4.7MB

    Download
  • memory/940-145-0x0000000000400000-0x00000000008A8000-memory.dmp
    Filesize

    4.7MB

    Download
  • memory/940-148-0x0000000000400000-0x00000000008A8000-memory.dmp
    Filesize

    4.7MB

    Download
  • memory/940-144-0x0000000000400000-0x00000000008A8000-memory.dmp
    Filesize

    4.7MB

    Download
  • memory/940-137-0x0000000000400000-0x00000000008A8000-memory.dmp
    Filesize

    4.7MB

    Download
  • memory/940-143-0x0000000000400000-0x00000000008A8000-memory.dmp
    Filesize

    4.7MB

    Download
  • memory/940-135-0x0000000000400000-0x00000000008A8000-memory.dmp
    Filesize

    4.7MB

    Download
  • memory/940-136-0x0000000000400000-0x00000000008A8000-memory.dmp
    Filesize

    4.7MB

    Download
  • memory/940-134-0x0000000002150000-0x00000000022FA000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/940-138-0x0000000000400000-0x00000000008A8000-memory.dmp
    Filesize

    4.7MB

    Download
  • memory/940-139-0x0000000000400000-0x00000000008A8000-memory.dmp
    Filesize

    4.7MB

    Download
  • memory/1260-124-0x00000000025D0000-0x00000000029A0000-memory.dmp
    Filesize

    3.8MB

    Download
  • memory/1260-133-0x0000000000400000-0x00000000008A8000-memory.dmp
    Filesize

    4.7MB

    Download
  • memory/1260-123-0x0000000002420000-0x00000000025CA000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/1692-118-0x0000000000400000-0x0000000002AF9000-memory.dmp
    Filesize

    39.0MB

    Download
  • memory/1692-56-0x0000000061E00000-0x0000000061EF3000-memory.dmp
    Filesize

    972KB

    Download
  • memory/1692-115-0x0000000000400000-0x0000000002AF9000-memory.dmp
    Filesize

    39.0MB

    Download
  • memory/1692-55-0x0000000000220000-0x0000000000235000-memory.dmp
    Filesize

    84KB

    Download