Overview

overview

10

Static

static

1

ece100b824...76.exe

windows7-x64

5

ece100b824...76.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    127s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-03-2023 14:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76.exe

  • Size

    7.5MB

  • MD5

    fb0deff37fe12bbc4f0c1fe21e2d15ef

  • SHA1

    180325b8b6e64638e167601c67cd9c53331ba9f6

  • SHA256

    ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76

  • SHA512

    9fc013111994e943fd800abeb543563713eebebcd940b28973809a40d85271f0ed781dd95ca508e55788de2e2a575b1cb8734636f15b51a9d68f773b2cb4e73d

  • SSDEEP

    196608:bdj1WcTeKCVpVAKegYv6Pvz7xCVfQeYDprOtpN6x1Cd:RReKaAlRgxMfvihOwxy

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://185.174.137.94

Attributes
  • api_key

    b54641cc29f95948635d659de94166b4528e39706396a99bb9c54497b2ee3421

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76.exe
    "C:\Users\Admin\AppData\Local\Temp\ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5112
    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:4780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    125.0MB

    MD5

    5d74ca051c93f896934431df1823e73a

    SHA1

    2ca937c09cb4a763f0a52a2e859e8fbd0970fc62

    SHA256

    6cf97969d52cb2ec8861e1a54c2f30c8b443e058af2056e907dffc90aa0ea574

    SHA512

    a4d20306bfac2234e260bbceb8e4c3963dd72506c83e6a16fe5f61380d60fbd076881be704538faec3078af32e03de8b7e5bdfb38da3e50495094e7fb2faf5df

    Download Submit
  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    118.8MB

    MD5

    9b386ef7c6cd578a064f6ab4ea1d49ac

    SHA1

    225b591bd06d5f5d954524aae510da5b222f7448

    SHA256

    fac1570d4b52dc6ec2eb3f9fa4db07e93d4f221857e809542a0dfccf9c84e8c7

    SHA512

    be4619c6459741a257e9c326e95ef8df02e2a74ab254fe0b3a4aff3c8b64b2444b89ae9593f4bc3b3eedc23ac41bdcc0974e1f0a9260a48474a9f7ec46ff2fc4

    Download Submit
  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    119.4MB

    MD5

    e3cc4a80050cb7afea8ef01f9c8bb852

    SHA1

    d0aa159e66b7842f924255eb55cc7c33055bf866

    SHA256

    9f13ac295e9640e51a097690ec4dbdf1826636a83e1cf24d32c3a4dc769e4eae

    SHA512

    9578fc99d1d5a4a41e31724c62ca1fec151c0a67b52cfef9b7a988f16640092189b4efa27a3301c7ad9bcac08e48ce9ad716df14025e81ff601f8f48091c70a4

    Download Submit
  • memory/4780-163-0x0000000000970000-0x000000000151B000-memory.dmp
    Filesize

    11.7MB

    Download
  • memory/4780-159-0x0000000003440000-0x0000000003441000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4780-155-0x0000000001A00000-0x0000000001A01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4780-156-0x0000000001A60000-0x0000000001A61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4780-157-0x0000000001A70000-0x0000000001A71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4780-158-0x0000000003430000-0x0000000003431000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4780-160-0x0000000003450000-0x0000000003451000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4780-161-0x0000000003460000-0x0000000003461000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4780-162-0x0000000003470000-0x0000000003471000-memory.dmp
    Filesize

    4KB

    Download
  • memory/5112-134-0x0000000001450000-0x0000000001451000-memory.dmp
    Filesize

    4KB

    Download
  • memory/5112-135-0x0000000001460000-0x0000000001461000-memory.dmp
    Filesize

    4KB

    Download
  • memory/5112-136-0x0000000001480000-0x0000000001481000-memory.dmp
    Filesize

    4KB

    Download
  • memory/5112-133-0x0000000001440000-0x0000000001441000-memory.dmp
    Filesize

    4KB

    Download
  • memory/5112-137-0x0000000001490000-0x0000000001491000-memory.dmp
    Filesize

    4KB

    Download
  • memory/5112-141-0x00000000001F0000-0x0000000000D9B000-memory.dmp
    Filesize

    11.7MB

    Download
  • memory/5112-140-0x0000000003130000-0x0000000003131000-memory.dmp
    Filesize

    4KB

    Download
  • memory/5112-139-0x00000000014B0000-0x00000000014B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/5112-138-0x00000000014A0000-0x00000000014A1000-memory.dmp
    Filesize

    4KB

    Download