laplas | 949837cfe756740e4d23db3e0aa29129f311e3634143ec9b0795edf105f92cf6

Analysis

max time kernel
144s
max time network
128s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
21/03/2023, 14:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efd930a05e3497d82dec3bf394060900c09945105250b2207326f396bc921ea9.exe
Size

291KB
MD5

3b3aed60d330c39e582230b682ff2156
SHA1

b91132e4edd5f9a02391dd8b5e25b64e68a73b8a
SHA256

efd930a05e3497d82dec3bf394060900c09945105250b2207326f396bc921ea9
SHA512

81e486b6ae35699a86e7d51bebc2cb314e72c33834e03ab059864befe5e8182ec4f06bdaaf1a1a92eae687cf26d6a0f9af720710caf869fbb5e6590cb1c2ed3a
SSDEEP

3072:/PKXgwL0oG5+1hTI1ca9Y924EbWJaA1SNx75MVtNpkcWK:EgwL055+A1ca9S+GaAQN4B2cWK

Score

10^/10

laplas clipper discovery persistence spyware stealer

Malware Config

Extracted

Family

laplas

http://45.87.154.105

Attributes

api_key
1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Downloads MZ/PE file

Deletes itself 1 IoCs

pid	Process
1308	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1260	JKKEBGCGHI.exe
940	ntlhost.exe

Loads dropped DLL 6 IoCs

pid	Process
1692	efd930a05e3497d82dec3bf394060900c09945105250b2207326f396bc921ea9.exe
1692	efd930a05e3497d82dec3bf394060900c09945105250b2207326f396bc921ea9.exe
632	cmd.exe
632	cmd.exe
1260	JKKEBGCGHI.exe
1260	JKKEBGCGHI.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	JKKEBGCGHI.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	efd930a05e3497d82dec3bf394060900c09945105250b2207326f396bc921ea9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	efd930a05e3497d82dec3bf394060900c09945105250b2207326f396bc921ea9.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1804	timeout.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	6	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1692	efd930a05e3497d82dec3bf394060900c09945105250b2207326f396bc921ea9.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 632	1692	efd930a05e3497d82dec3bf394060900c09945105250b2207326f396bc921ea9.exe	30
PID 1692 wrote to memory of 632	1692	efd930a05e3497d82dec3bf394060900c09945105250b2207326f396bc921ea9.exe	30
PID 1692 wrote to memory of 632	1692	efd930a05e3497d82dec3bf394060900c09945105250b2207326f396bc921ea9.exe	30
PID 1692 wrote to memory of 632	1692	efd930a05e3497d82dec3bf394060900c09945105250b2207326f396bc921ea9.exe	30
PID 1692 wrote to memory of 1308	1692	efd930a05e3497d82dec3bf394060900c09945105250b2207326f396bc921ea9.exe	32
PID 1692 wrote to memory of 1308	1692	efd930a05e3497d82dec3bf394060900c09945105250b2207326f396bc921ea9.exe	32
PID 1692 wrote to memory of 1308	1692	efd930a05e3497d82dec3bf394060900c09945105250b2207326f396bc921ea9.exe	32
PID 1692 wrote to memory of 1308	1692	efd930a05e3497d82dec3bf394060900c09945105250b2207326f396bc921ea9.exe	32
PID 1308 wrote to memory of 1804	1308	cmd.exe	34
PID 1308 wrote to memory of 1804	1308	cmd.exe	34
PID 1308 wrote to memory of 1804	1308	cmd.exe	34
PID 1308 wrote to memory of 1804	1308	cmd.exe	34
PID 632 wrote to memory of 1260	632	cmd.exe	35
PID 632 wrote to memory of 1260	632	cmd.exe	35
PID 632 wrote to memory of 1260	632	cmd.exe	35
PID 632 wrote to memory of 1260	632	cmd.exe	35
PID 1260 wrote to memory of 940	1260	JKKEBGCGHI.exe	36
PID 1260 wrote to memory of 940	1260	JKKEBGCGHI.exe	36
PID 1260 wrote to memory of 940	1260	JKKEBGCGHI.exe	36
PID 1260 wrote to memory of 940	1260	JKKEBGCGHI.exe	36

C:\Users\Admin\AppData\Local\Temp\efd930a05e3497d82dec3bf394060900c09945105250b2207326f396bc921ea9.exe
"C:\Users\Admin\AppData\Local\Temp\efd930a05e3497d82dec3bf394060900c09945105250b2207326f396bc921ea9.exe"
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\JKKEBGCGHI.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Users\Admin\AppData\Local\Temp\JKKEBGCGHI.exe
    "C:\Users\Admin\AppData\Local\Temp\JKKEBGCGHI.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1260
  - - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      4⤵
      Executes dropped EXE
      PID:940
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\efd930a05e3497d82dec3bf394060900c09945105250b2207326f396bc921ea9.exe" & del "C:\ProgramData\*.dll"" & exit
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 5
    3⤵
    - Delays execution with timeout.exe
    PID:1804

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JKKEBGCGHI.exe

Filesize
1.9MB

MD5
9e02c05696e63e53f6f7a8fc7bf9e5ca

SHA1
83d17724e64973eb938926e8ccce0fa4911fafb8

SHA256
727ab7ab3fbcea9b9ace8552393f06ca837c9b1905772de1be3a263149f55210

SHA512
767596c377a656b326bf922cb2fdb96d675590b4974c654fc5b501924b035638d07124224fcdba00a4f7671917918abb216a4d8c5e2bc566a1578c21bc694bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\JKKEBGCGHI.exe

Filesize
1.9MB

MD5
9e02c05696e63e53f6f7a8fc7bf9e5ca

SHA1
83d17724e64973eb938926e8ccce0fa4911fafb8

SHA256
727ab7ab3fbcea9b9ace8552393f06ca837c9b1905772de1be3a263149f55210

SHA512
767596c377a656b326bf922cb2fdb96d675590b4974c654fc5b501924b035638d07124224fcdba00a4f7671917918abb216a4d8c5e2bc566a1578c21bc694bb0

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
645.0MB

MD5
db7fbf1fc40380d6b28f5c9112e04cc0

SHA1
8152cf033e36112d635ed84947b29ba029e37e34

SHA256
b2b46a7fa8b053f4c33d45123591831ff2cc897cd7d297ded5069f75219a9ea0

SHA512
e27ec29f4180aae19b8d89bcab0113f3945c235955268ff7e6d6431aa3c886198a41f583910f5c6ca7d25cf0da90cb0f91233b64b128a49b6f90303c78590239

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
629.2MB

MD5
825934e22ea4e56b6f1df47fa3b779f0

SHA1
4a1d5c5a51d5c3e7340ee20d6e080e0fec6ec5d7

SHA256
49f23583f3c4a5f40326c6a43c7f271d57f3566e8f5b9c6c51d60f46b0717136

SHA512
feff47e3891358dc00a927e5cd12baab3e09be16c6033aebf22bb66f0f422e7c76dfb9d813525bf88fcfe55f5dcdce5fba91b509ab5903e8fc08a20bbaef3b49

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\JKKEBGCGHI.exe

Filesize
1.9MB

MD5
9e02c05696e63e53f6f7a8fc7bf9e5ca

SHA1
83d17724e64973eb938926e8ccce0fa4911fafb8

SHA256
727ab7ab3fbcea9b9ace8552393f06ca837c9b1905772de1be3a263149f55210

SHA512
767596c377a656b326bf922cb2fdb96d675590b4974c654fc5b501924b035638d07124224fcdba00a4f7671917918abb216a4d8c5e2bc566a1578c21bc694bb0

Download Submit
\Users\Admin\AppData\Local\Temp\JKKEBGCGHI.exe

Filesize
1.9MB

MD5
9e02c05696e63e53f6f7a8fc7bf9e5ca

SHA1
83d17724e64973eb938926e8ccce0fa4911fafb8

SHA256
727ab7ab3fbcea9b9ace8552393f06ca837c9b1905772de1be3a263149f55210

SHA512
767596c377a656b326bf922cb2fdb96d675590b4974c654fc5b501924b035638d07124224fcdba00a4f7671917918abb216a4d8c5e2bc566a1578c21bc694bb0

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
607.6MB

MD5
46b6ed7de9c6e44962ecf18f54e8ff4c

SHA1
c67fb6b098d637bf39174bb9bbb2a389a51304b0

SHA256
6b3373e498c903ab086a31dccde26e45f5dbe928aedc92585b6feb046a70df64

SHA512
cb72fa19392819663c5fd09de6d4b7bbc1c08317019122d6ab05b95720abc97cbd757b602fb7871a672a28b65d3128e4c8c205c4332a1a475384bf006e1aa4ab

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
610.8MB

MD5
b91c8bb0ffe5b0b103389a175a68deee

SHA1
233ced9f38b722f2ea69751a6e74f65ea111a47e

SHA256
fbc266b7c60ffec5dbfaff833e226bd69cea04c6e1f2da25080c794e7cdd0c60

SHA512
38212d5ac1a78f16c38b153477e2a981c795e65991e9a84a23ad1782e33cb76a5c327f970262354f25a4d92d430d734077279651b592f074ffe723d3c62c49e9

Download Submit
memory/940-144-0x0000000000400000-0x00000000008A8000-memory.dmp

Filesize
4.7MB

Download
memory/940-140-0x0000000000400000-0x00000000008A8000-memory.dmp

Filesize
4.7MB

Download
memory/940-148-0x0000000000400000-0x00000000008A8000-memory.dmp

Filesize
4.7MB

Download
memory/940-147-0x0000000000400000-0x00000000008A8000-memory.dmp

Filesize
4.7MB

Download
memory/940-134-0x0000000002150000-0x00000000022FA000-memory.dmp

Filesize
1.7MB

Download
memory/940-146-0x0000000000400000-0x00000000008A8000-memory.dmp

Filesize
4.7MB

Download
memory/940-145-0x0000000000400000-0x00000000008A8000-memory.dmp

Filesize
4.7MB

Download
memory/940-143-0x0000000000400000-0x00000000008A8000-memory.dmp

Filesize
4.7MB

Download
memory/940-135-0x0000000000400000-0x00000000008A8000-memory.dmp

Filesize
4.7MB

Download
memory/940-136-0x0000000000400000-0x00000000008A8000-memory.dmp

Filesize
4.7MB

Download
memory/940-137-0x0000000000400000-0x00000000008A8000-memory.dmp

Filesize
4.7MB

Download
memory/940-138-0x0000000000400000-0x00000000008A8000-memory.dmp

Filesize
4.7MB

Download
memory/940-139-0x0000000000400000-0x00000000008A8000-memory.dmp

Filesize
4.7MB

Download
memory/1260-124-0x00000000025D0000-0x00000000029A0000-memory.dmp

Filesize
3.8MB

Download
memory/1260-133-0x0000000000400000-0x00000000008A8000-memory.dmp

Filesize
4.7MB

Download
memory/1260-123-0x0000000002420000-0x00000000025CA000-memory.dmp

Filesize
1.7MB

Download
memory/1692-115-0x0000000000400000-0x0000000002AF9000-memory.dmp

Filesize
39.0MB

Download
memory/1692-118-0x0000000000400000-0x0000000002AF9000-memory.dmp

Filesize
39.0MB

Download
memory/1692-55-0x0000000000220000-0x0000000000235000-memory.dmp

Filesize
84KB

Download
memory/1692-56-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download