laplas | bd0a3f94c283fbb440e90ce6d24b145f5f0fdbf71864e97d6e6c549ecb28f08d

General

Target

00978d16ecc2b0f6cf039b3bef087a8542d2092d8f95f36104f2329f7bf362dc.exe
Size

7.5MB
MD5

f5d957a42f578847664cacb8a4c3d695
SHA1

5affbea912936570480b7a6a0a7e67c6a2f62ec9
SHA256

00978d16ecc2b0f6cf039b3bef087a8542d2092d8f95f36104f2329f7bf362dc
SHA512

07821df782858665c810e959e92f78de4af56e8d090069c5637537338244f9348f7a878bff95d72620b4c092fd97cfb2d15ffe1c097c36a86399a478ea406980
SSDEEP

196608:ZOtzW0BrGc/4GmLcBh8YSZIEqsyZr2caC78:kVW6Gc//B/xEh+a

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://212.113.106.172

Attributes

api_key
a8f23fb9332db9a7947580ee498822bfe375b57ad7eb47370c7209509050c298

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	00978d16ecc2b0f6cf039b3bef087a8542d2092d8f95f36104f2329f7bf362dc.exe

Executes dropped EXE 1 IoCs

pid	Process
664	svcservice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	00978d16ecc2b0f6cf039b3bef087a8542d2092d8f95f36104f2329f7bf362dc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4448	00978d16ecc2b0f6cf039b3bef087a8542d2092d8f95f36104f2329f7bf362dc.exe
4448	00978d16ecc2b0f6cf039b3bef087a8542d2092d8f95f36104f2329f7bf362dc.exe
664	svcservice.exe
664	svcservice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4448	00978d16ecc2b0f6cf039b3bef087a8542d2092d8f95f36104f2329f7bf362dc.exe
4448	00978d16ecc2b0f6cf039b3bef087a8542d2092d8f95f36104f2329f7bf362dc.exe
4448	00978d16ecc2b0f6cf039b3bef087a8542d2092d8f95f36104f2329f7bf362dc.exe
4448	00978d16ecc2b0f6cf039b3bef087a8542d2092d8f95f36104f2329f7bf362dc.exe
664	svcservice.exe
664	svcservice.exe
664	svcservice.exe
664	svcservice.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4448 wrote to memory of 664	4448	00978d16ecc2b0f6cf039b3bef087a8542d2092d8f95f36104f2329f7bf362dc.exe	85
PID 4448 wrote to memory of 664	4448	00978d16ecc2b0f6cf039b3bef087a8542d2092d8f95f36104f2329f7bf362dc.exe	85
PID 4448 wrote to memory of 664	4448	00978d16ecc2b0f6cf039b3bef087a8542d2092d8f95f36104f2329f7bf362dc.exe	85

C:\Users\Admin\AppData\Local\Temp\00978d16ecc2b0f6cf039b3bef087a8542d2092d8f95f36104f2329f7bf362dc.exe
"C:\Users\Admin\AppData\Local\Temp\00978d16ecc2b0f6cf039b3bef087a8542d2092d8f95f36104f2329f7bf362dc.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
28.1MB

MD5
7d7b02a38c9ab21dcfb1fa8384ff215a

SHA1
44d814cea3901ab05d926cc9fa48b3c2a374df55

SHA256
dd735699c87f441f5c9f4ed42a1bcd21ec5daa2e7a16c57c4f36737eb2b8c5f6

SHA512
e926fe4d7d6e633965fedc2badf45b15dda62ddc3faccd03c707e0219edc91bd0162a2af62c3a86f3abcfd23bef6b784d0081c8a654b8605c338d5448058cc91

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
23.8MB

MD5
04204782bb20fa1dee0bee4ce513eb8c

SHA1
c4da59f015f96e5c11a6d1d4557f2a3818138065

SHA256
992a1f37c29d5572f2e5e25596e2590f91c39edb50f7473cc512baee5744fde4

SHA512
b2ff287469011469e7d58bad640b4abb323ba2476e3ce52382b6c10a0fe031061375a0d788b32185b6e9aa08cd6152200e7d79403d03e6ab1479c3dc046c0388

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
25.1MB

MD5
6d127afab7c3eddedb5c76545b5cb15f

SHA1
8a4a56f5a5f6661a8ab9a48534b0c0fd873de3fa

SHA256
1dc6b8e2a5a6eac9bb0f966662bbf6cbbe7f978db77411545a3d7aa7d7653769

SHA512
7aee26521d4f864d15c51c7390cb8b4d5ba430f3e428a8c1645f79130975de5e870ac7e7adb0d4f05f2426b0b733bbf7ed4cc3cc8c8ed445c2c62526aa42f87e

Download Submit
memory/664-161-0x0000000001710000-0x0000000001711000-memory.dmp

Filesize
4KB

Download
memory/664-160-0x0000000001700000-0x0000000001701000-memory.dmp

Filesize
4KB

Download
memory/664-155-0x00000000016A0000-0x00000000016A1000-memory.dmp

Filesize
4KB

Download
memory/664-156-0x00000000016B0000-0x00000000016B1000-memory.dmp

Filesize
4KB

Download
memory/664-159-0x00000000016F0000-0x00000000016F1000-memory.dmp

Filesize
4KB

Download
memory/664-163-0x00000000004A0000-0x0000000001050000-memory.dmp

Filesize
11.7MB

Download
memory/664-162-0x0000000001720000-0x0000000001721000-memory.dmp

Filesize
4KB

Download
memory/664-157-0x00000000016C0000-0x00000000016C1000-memory.dmp

Filesize
4KB

Download
memory/664-158-0x00000000016E0000-0x00000000016E1000-memory.dmp

Filesize
4KB

Download
memory/4448-134-0x0000000003180000-0x0000000003181000-memory.dmp

Filesize
4KB

Download
memory/4448-135-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/4448-136-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/4448-133-0x0000000003170000-0x0000000003171000-memory.dmp

Filesize
4KB

Download
memory/4448-137-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/4448-141-0x00000000004C0000-0x0000000001070000-memory.dmp

Filesize
11.7MB

Download
memory/4448-139-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/4448-140-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/4448-138-0x00000000031D0000-0x00000000031D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing