Overview

overview

10

Static

static

1

efd930a05e...a9.exe

windows7-x64

10

efd930a05e...a9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    169s
  • max time network
    174s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-03-2023 14:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    efd930a05e3497d82dec3bf394060900c09945105250b2207326f396bc921ea9.exe

  • Size

    291KB

  • MD5

    3b3aed60d330c39e582230b682ff2156

  • SHA1

    b91132e4edd5f9a02391dd8b5e25b64e68a73b8a

  • SHA256

    efd930a05e3497d82dec3bf394060900c09945105250b2207326f396bc921ea9

  • SHA512

    81e486b6ae35699a86e7d51bebc2cb314e72c33834e03ab059864befe5e8182ec4f06bdaaf1a1a92eae687cf26d6a0f9af720710caf869fbb5e6590cb1c2ed3a

  • SSDEEP

    3072:/PKXgwL0oG5+1hTI1ca9Y924EbWJaA1SNx75MVtNpkcWK:EgwL055+A1ca9S+GaAQN4B2cWK

Score
10/10
laplasclipperdiscoverypersistencespywarestealer

Malware Config

Extracted

Family

laplas

C2

http://45.87.154.105

Attributes
  • api_key

    1c630872d348a77d04368d542fde4663bc2bcb96f1b909554db3472c08df2767

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\efd930a05e3497d82dec3bf394060900c09945105250b2207326f396bc921ea9.exe
    "C:\Users\Admin\AppData\Local\Temp\efd930a05e3497d82dec3bf394060900c09945105250b2207326f396bc921ea9.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4680
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\HIIEGHJJDG.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1928
      • C:\Users\Admin\AppData\Local\Temp\HIIEGHJJDG.exe
        "C:\Users\Admin\AppData\Local\Temp\HIIEGHJJDG.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4140
        • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
          C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
          4⤵
          • Executes dropped EXE
          PID:4820
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\efd930a05e3497d82dec3bf394060900c09945105250b2207326f396bc921ea9.exe" & del "C:\ProgramData\*.dll"" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3548
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 5
        3⤵
        • Delays execution with timeout.exe
        PID:1268
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 2340
      2⤵
      • Program crash
      PID:3964
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4680 -ip 4680
    1⤵
      PID:2344

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Query Registry

    3
    T1012

    System Information Discovery

    3
    T1082

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\mozglue.dll
      Filesize

      593KB

      MD5

      c8fd9be83bc728cc04beffafc2907fe9

      SHA1

      95ab9f701e0024cedfbd312bcfe4e726744c4f2e

      SHA256

      ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

      SHA512

      fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

      Download Submit
    • C:\ProgramData\mozglue.dll
      Filesize

      593KB

      MD5

      c8fd9be83bc728cc04beffafc2907fe9

      SHA1

      95ab9f701e0024cedfbd312bcfe4e726744c4f2e

      SHA256

      ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

      SHA512

      fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

      Download Submit
    • C:\ProgramData\nss3.dll
      Filesize

      2.0MB

      MD5

      1cc453cdf74f31e4d913ff9c10acdde2

      SHA1

      6e85eae544d6e965f15fa5c39700fa7202f3aafe

      SHA256

      ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

      SHA512

      dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\HIIEGHJJDG.exe
      Filesize

      1.9MB

      MD5

      9e02c05696e63e53f6f7a8fc7bf9e5ca

      SHA1

      83d17724e64973eb938926e8ccce0fa4911fafb8

      SHA256

      727ab7ab3fbcea9b9ace8552393f06ca837c9b1905772de1be3a263149f55210

      SHA512

      767596c377a656b326bf922cb2fdb96d675590b4974c654fc5b501924b035638d07124224fcdba00a4f7671917918abb216a4d8c5e2bc566a1578c21bc694bb0

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\HIIEGHJJDG.exe
      Filesize

      1.9MB

      MD5

      9e02c05696e63e53f6f7a8fc7bf9e5ca

      SHA1

      83d17724e64973eb938926e8ccce0fa4911fafb8

      SHA256

      727ab7ab3fbcea9b9ace8552393f06ca837c9b1905772de1be3a263149f55210

      SHA512

      767596c377a656b326bf922cb2fdb96d675590b4974c654fc5b501924b035638d07124224fcdba00a4f7671917918abb216a4d8c5e2bc566a1578c21bc694bb0

      Download Submit
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      Filesize

      215.1MB

      MD5

      f9ad5cf6b11f6e4237453463ac623fa3

      SHA1

      159aa10dd30d68cb3ecc32b33bd6fff07a22fece

      SHA256

      e1212b4656035ff648e62a9c4eb76ebe5c4dce4e5207cc75fa51bc1efefb7add

      SHA512

      59ba68c959baac60eff1fa86ba8cc2f78032fc60ccaade7d39aebfc2ba503aa67a638ffc085fd842d95bc180c319446587189bc6fc38a902e5121f61765f9153

      Download Submit
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      Filesize

      216.1MB

      MD5

      ae48d49a688297ff28667a43d4cbe2fe

      SHA1

      8568dfeb42a785234dfd6ec92c3e6001af962239

      SHA256

      83832b580fa0da094cc35c76e9463cfbb13ae1a2dfb59700eb2e4fd960716a18

      SHA512

      feeef6fb6eae5cb45706815556c3c78246897ddd12387c183f99f9df2a72a5a7cd978a6824a6fa6fe1769604c29adf060794e3d93210e55afc7e8116eb7205ae

      Download Submit
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      Filesize

      216.9MB

      MD5

      1243f670fc4a58f181c7dc71a32009ef

      SHA1

      23d70397c4ab8a9cbb1655b5bf6646f4733c37f6

      SHA256

      f635b6fb0710a76a4f4615d5d9a9c9c0db5248669c17a65b76c36a76bd1a6a41

      SHA512

      297e9cb5b5a6a27b39e6efc84eb39e08911909c62951185cee0287b081d65f07673f0c28f306931d7a96fc126d9432995c7f72b57c676257c0bc10eaffc3dce6

      Download Submit
    • memory/4140-222-0x0000000000400000-0x00000000008A8000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/4140-212-0x0000000000400000-0x00000000008A8000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/4140-215-0x0000000000400000-0x00000000008A8000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/4140-210-0x00000000027D0000-0x0000000002BA0000-memory.dmp
      Filesize

      3.8MB

      Download
    • memory/4680-136-0x0000000061E00000-0x0000000061EF3000-memory.dmp
      Filesize

      972KB

      Download
    • memory/4680-134-0x0000000002C40000-0x0000000002C55000-memory.dmp
      Filesize

      84KB

      Download
    • memory/4680-135-0x0000000000400000-0x0000000002AF9000-memory.dmp
      Filesize

      39.0MB

      Download
    • memory/4680-211-0x0000000000400000-0x0000000002AF9000-memory.dmp
      Filesize

      39.0MB

      Download
    • memory/4820-223-0x0000000000400000-0x00000000008A8000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/4820-221-0x00000000027D0000-0x0000000002BA0000-memory.dmp
      Filesize

      3.8MB

      Download
    • memory/4820-225-0x0000000000400000-0x00000000008A8000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/4820-227-0x0000000000400000-0x00000000008A8000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/4820-229-0x0000000000400000-0x00000000008A8000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/4820-231-0x0000000000400000-0x00000000008A8000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/4820-233-0x0000000000400000-0x00000000008A8000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/4820-236-0x0000000000400000-0x00000000008A8000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/4820-238-0x0000000000400000-0x00000000008A8000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/4820-240-0x0000000000400000-0x00000000008A8000-memory.dmp
      Filesize

      4.7MB

      Download
    • memory/4820-242-0x0000000000400000-0x00000000008A8000-memory.dmp
      Filesize

      4.7MB

      Download