laplas | 2289996f4a35a9b01273ba095e1df0802759f84fc4e3041c3a18591af9372c4f

Analysis

max time kernel
150s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
23-03-2023 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82a5d382c3b4fe2e17f09af36df20f1e53bb8b712ca6f7af9a15861b38f91f24.exe
Size

8.6MB
MD5

fe2457d4da43adde492576a91398086e
SHA1

8c7c1efd47044f1d31cee78ea6c73df1a9296dea
SHA256

82a5d382c3b4fe2e17f09af36df20f1e53bb8b712ca6f7af9a15861b38f91f24
SHA512

b16fcdf02fe6e9f148d40cc04529840c98065bc2b69e144ff33e82c8285134b3e2c5e832c659132f8a99885e2b02589e2474f4d93b3bcef750ea1f2a64ffaf1a
SSDEEP

49152:pKnK6YN8UMtKNKogIHvueIxgfSZJxUu3INODRUgeCseICR7NWm8qpHakXvLQh0/o:on1YN8dKNcJxtISeCrXv0W/qpDRX5L

Score

10^/10

laplas redline fm clipper infostealer persistence spyware stealer

Malware Config

Extracted

Family

laplas

http://79.137.199.252

Attributes

api_key
ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4

Extracted

Family

redline

Botnet

91.193.43.63:81

Attributes

auth_value
686ed4f5bce1c0303019c1940beddd78

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	82a5d382c3b4fe2e17f09af36df20f1e53bb8b712ca6f7af9a15861b38f91f24.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	Shelds32.exe

Executes dropped EXE 5 IoCs

pid	Process
4272	Shelds32.exe
828	c1.exe
2360	f1.exe
3148	m1.exe
8004	ntlhost.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	c1.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2360 set thread context of 5040	2360	f1.exe	83
PID 3148 set thread context of 4180	3148	m1.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5032	2360	WerFault.exe	81
640	3148	WerFault.exe	82

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	62	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5040	RegSvcs.exe
5040	RegSvcs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5040	RegSvcs.exe
Token: SeDebugPrivilege	4972	82a5d382c3b4fe2e17f09af36df20f1e53bb8b712ca6f7af9a15861b38f91f24.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 4272	4972	82a5d382c3b4fe2e17f09af36df20f1e53bb8b712ca6f7af9a15861b38f91f24.exe	79
PID 4972 wrote to memory of 4272	4972	82a5d382c3b4fe2e17f09af36df20f1e53bb8b712ca6f7af9a15861b38f91f24.exe	79
PID 4972 wrote to memory of 4272	4972	82a5d382c3b4fe2e17f09af36df20f1e53bb8b712ca6f7af9a15861b38f91f24.exe	79
PID 4972 wrote to memory of 828	4972	82a5d382c3b4fe2e17f09af36df20f1e53bb8b712ca6f7af9a15861b38f91f24.exe	80
PID 4972 wrote to memory of 828	4972	82a5d382c3b4fe2e17f09af36df20f1e53bb8b712ca6f7af9a15861b38f91f24.exe	80
PID 4972 wrote to memory of 828	4972	82a5d382c3b4fe2e17f09af36df20f1e53bb8b712ca6f7af9a15861b38f91f24.exe	80
PID 4272 wrote to memory of 2360	4272	Shelds32.exe	81
PID 4272 wrote to memory of 2360	4272	Shelds32.exe	81
PID 4272 wrote to memory of 2360	4272	Shelds32.exe	81
PID 4272 wrote to memory of 3148	4272	Shelds32.exe	82
PID 4272 wrote to memory of 3148	4272	Shelds32.exe	82
PID 4272 wrote to memory of 3148	4272	Shelds32.exe	82
PID 2360 wrote to memory of 5040	2360	f1.exe	83
PID 2360 wrote to memory of 5040	2360	f1.exe	83
PID 2360 wrote to memory of 5040	2360	f1.exe	83
PID 2360 wrote to memory of 5040	2360	f1.exe	83
PID 2360 wrote to memory of 5040	2360	f1.exe	83
PID 3148 wrote to memory of 5044	3148	m1.exe	87
PID 3148 wrote to memory of 5044	3148	m1.exe	87
PID 3148 wrote to memory of 5044	3148	m1.exe	87
PID 3148 wrote to memory of 4180	3148	m1.exe	88
PID 3148 wrote to memory of 4180	3148	m1.exe	88
PID 3148 wrote to memory of 4180	3148	m1.exe	88
PID 3148 wrote to memory of 4180	3148	m1.exe	88
PID 3148 wrote to memory of 4180	3148	m1.exe	88
PID 828 wrote to memory of 8004	828	c1.exe	101
PID 828 wrote to memory of 8004	828	c1.exe	101
PID 828 wrote to memory of 8004	828	c1.exe	101
PID 4972 wrote to memory of 5688	4972	82a5d382c3b4fe2e17f09af36df20f1e53bb8b712ca6f7af9a15861b38f91f24.exe	102
PID 4972 wrote to memory of 5688	4972	82a5d382c3b4fe2e17f09af36df20f1e53bb8b712ca6f7af9a15861b38f91f24.exe	102
PID 4972 wrote to memory of 5688	4972	82a5d382c3b4fe2e17f09af36df20f1e53bb8b712ca6f7af9a15861b38f91f24.exe	102
PID 5688 wrote to memory of 3056	5688	cmd.exe	104
PID 5688 wrote to memory of 3056	5688	cmd.exe	104
PID 5688 wrote to memory of 3056	5688	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\82a5d382c3b4fe2e17f09af36df20f1e53bb8b712ca6f7af9a15861b38f91f24.exe
"C:\Users\Admin\AppData\Local\Temp\82a5d382c3b4fe2e17f09af36df20f1e53bb8b712ca6f7af9a15861b38f91f24.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Users\Admin\AppData\Roaming\configurationValue\Shelds32.exe
  "C:\Users\Admin\AppData\Roaming\configurationValue\Shelds32.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Users\Admin\AppData\Roaming\configurationValue\f1.exe
    "C:\Users\Admin\AppData\Roaming\configurationValue\f1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5040
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 304
      4⤵
      Program crash
      PID:5032
- - C:\Users\Admin\AppData\Roaming\configurationValue\m1.exe
    "C:\Users\Admin\AppData\Roaming\configurationValue\m1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3148
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:5044
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:4180
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3148 -s 336
      4⤵
      Program crash
      PID:640
- C:\Users\Admin\AppData\Roaming\configurationValue\c1.exe
  "C:\Users\Admin\AppData\Roaming\configurationValue\c1.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:828
- - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    3⤵
    - Executes dropped EXE
    PID:8004
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "82a5d382c3b4fe2e17f09af36df20f1e53bb8b712ca6f7af9a15861b38f91f24.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5688
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2360 -ip 2360
1⤵
PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 3148 -ip 3148
1⤵
PID:5096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
156.5MB

MD5
c2639117ca97316c9ac026e198b06c75

SHA1
1daa1a3a523746bba8c9fa5fb9bab461593e318b

SHA256
1a4b811b4f14007fa38de8aec4da1ccf39d3cbf69ee9055282c25c0074cbb66d

SHA512
2ba1cc57a79811126903e9865d7f7f7ac0e12bae428eecdd971bc9c2e28eaca26c9fff3b9f5983cfb4e6721a1ce8db828c2af9916d18249a1a9b1a27a7cb2f38

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
153.7MB

MD5
09588926867ff253775435896c72e644

SHA1
ee71f533b8400594e81d349467def104546b06b8

SHA256
3fb23f702f5d397100377916db8d64ce7c94b3ed58c91cc01740bb753bec7cf9

SHA512
3b263a3be837f52c4d64f03598e567ddeb0730eda2eba309bdd123f9976bf72b08b1a27b29131cadffb2b906a77f30d538e3e451f1a3bae0993d84862556cfcd

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Shelds32.exe

Filesize
4.8MB

MD5
b3492f2a3f077b285966e8190d95a7d9

SHA1
ac1ebd096d80a41f6ea19aff2607259183ac649a

SHA256
761b483f0c0322092784e53bfcbe66bfc95a4ce7fb7842a8b639629cfe5073f3

SHA512
d360296106253d9d525bd54a215a9aca815a665ba43eaa357e906428ee744f13f54fbfd9d07abb9cb621ef6a799a37bc7cf0fbff22022e31fe811abf8ed9dfea

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Shelds32.exe

Filesize
4.8MB

MD5
b3492f2a3f077b285966e8190d95a7d9

SHA1
ac1ebd096d80a41f6ea19aff2607259183ac649a

SHA256
761b483f0c0322092784e53bfcbe66bfc95a4ce7fb7842a8b639629cfe5073f3

SHA512
d360296106253d9d525bd54a215a9aca815a665ba43eaa357e906428ee744f13f54fbfd9d07abb9cb621ef6a799a37bc7cf0fbff22022e31fe811abf8ed9dfea

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Shelds32.exe

Filesize
4.8MB

MD5
b3492f2a3f077b285966e8190d95a7d9

SHA1
ac1ebd096d80a41f6ea19aff2607259183ac649a

SHA256
761b483f0c0322092784e53bfcbe66bfc95a4ce7fb7842a8b639629cfe5073f3

SHA512
d360296106253d9d525bd54a215a9aca815a665ba43eaa357e906428ee744f13f54fbfd9d07abb9cb621ef6a799a37bc7cf0fbff22022e31fe811abf8ed9dfea

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\c1.exe

Filesize
3.8MB

MD5
0a0b3aacdc321a1612d01e285993250b

SHA1
802205c8d1e0a1b6d203815df513fabb4948ad8c

SHA256
4b7b83c99991371b9756ff91ec07abfbbc1c0cc17caf422e6ecd062f2d84cf9a

SHA512
03c4bbe0778b5e839f8e2b09ab189676ef0ed40ee7d098c49575b63ea42bba82ba56dd88d7783e4c4970d20e13debfc5c27556513aac6811264c77211962eb62

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\c1.exe

Filesize
3.8MB

MD5
0a0b3aacdc321a1612d01e285993250b

SHA1
802205c8d1e0a1b6d203815df513fabb4948ad8c

SHA256
4b7b83c99991371b9756ff91ec07abfbbc1c0cc17caf422e6ecd062f2d84cf9a

SHA512
03c4bbe0778b5e839f8e2b09ab189676ef0ed40ee7d098c49575b63ea42bba82ba56dd88d7783e4c4970d20e13debfc5c27556513aac6811264c77211962eb62

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\c1.exe

Filesize
3.8MB

MD5
0a0b3aacdc321a1612d01e285993250b

SHA1
802205c8d1e0a1b6d203815df513fabb4948ad8c

SHA256
4b7b83c99991371b9756ff91ec07abfbbc1c0cc17caf422e6ecd062f2d84cf9a

SHA512
03c4bbe0778b5e839f8e2b09ab189676ef0ed40ee7d098c49575b63ea42bba82ba56dd88d7783e4c4970d20e13debfc5c27556513aac6811264c77211962eb62

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\f1.exe

Filesize
1.3MB

MD5
6fbb68ec3f04b2961b81c9c4bb591b18

SHA1
cc215398392070b62ac0edb951804f8c76630d08

SHA256
0ab25294685dfc422eb597698b11442e8cf4afb44bea0cd6305477f8a0f5d904

SHA512
189bc24be8bf4abd19ea4f2b8262a55b7e8665dc0d04474cf868b997ef31bb438813f1bdf87b4f54adafef7184b74ed943ca22ec027d05206beb2deb5bdf0e39

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\f1.exe

Filesize
1.3MB

MD5
6fbb68ec3f04b2961b81c9c4bb591b18

SHA1
cc215398392070b62ac0edb951804f8c76630d08

SHA256
0ab25294685dfc422eb597698b11442e8cf4afb44bea0cd6305477f8a0f5d904

SHA512
189bc24be8bf4abd19ea4f2b8262a55b7e8665dc0d04474cf868b997ef31bb438813f1bdf87b4f54adafef7184b74ed943ca22ec027d05206beb2deb5bdf0e39

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\f1.exe

Filesize
1.3MB

MD5
6fbb68ec3f04b2961b81c9c4bb591b18

SHA1
cc215398392070b62ac0edb951804f8c76630d08

SHA256
0ab25294685dfc422eb597698b11442e8cf4afb44bea0cd6305477f8a0f5d904

SHA512
189bc24be8bf4abd19ea4f2b8262a55b7e8665dc0d04474cf868b997ef31bb438813f1bdf87b4f54adafef7184b74ed943ca22ec027d05206beb2deb5bdf0e39

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\m1.exe

Filesize
3.6MB

MD5
4fb7d752ce196cd847ec8bacd9c51906

SHA1
c3325b47ae7348d38c97157c7e8cfaeb4b2c4a52

SHA256
8dae0e9964e70eb34d55763bd6f4a23c08d0f253e1c07002e04d69025d8bc749

SHA512
a0c52c4c84f60d41ab8a2e9b779e2f81adc902c61c58546c6c745e4e9eb86d10d94d7a75f45c87f109c0bb6898f7af31f5504c750ac3f58b5d18d8998b5a3e83

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\m1.exe

Filesize
3.6MB

MD5
4fb7d752ce196cd847ec8bacd9c51906

SHA1
c3325b47ae7348d38c97157c7e8cfaeb4b2c4a52

SHA256
8dae0e9964e70eb34d55763bd6f4a23c08d0f253e1c07002e04d69025d8bc749

SHA512
a0c52c4c84f60d41ab8a2e9b779e2f81adc902c61c58546c6c745e4e9eb86d10d94d7a75f45c87f109c0bb6898f7af31f5504c750ac3f58b5d18d8998b5a3e83

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\m1.exe

Filesize
3.6MB

MD5
4fb7d752ce196cd847ec8bacd9c51906

SHA1
c3325b47ae7348d38c97157c7e8cfaeb4b2c4a52

SHA256
8dae0e9964e70eb34d55763bd6f4a23c08d0f253e1c07002e04d69025d8bc749

SHA512
a0c52c4c84f60d41ab8a2e9b779e2f81adc902c61c58546c6c745e4e9eb86d10d94d7a75f45c87f109c0bb6898f7af31f5504c750ac3f58b5d18d8998b5a3e83

Download Submit
memory/4180-203-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4180-199-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4180-201-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4180-200-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4180-180-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4272-153-0x0000000000500000-0x00000000009DA000-memory.dmp

Filesize
4.9MB

Download
memory/4972-133-0x0000000000CA0000-0x000000000154C000-memory.dmp

Filesize
8.7MB

Download
memory/5040-315-0x0000000006760000-0x00000000067C6000-memory.dmp

Filesize
408KB

Download
memory/5040-389-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/5040-178-0x00000000055A0000-0x00000000055DC000-memory.dmp

Filesize
240KB

Download
memory/5040-176-0x0000000005610000-0x000000000571A000-memory.dmp

Filesize
1.0MB

Download
memory/5040-175-0x0000000005A90000-0x00000000060A8000-memory.dmp

Filesize
6.1MB

Download
memory/5040-374-0x0000000006E80000-0x0000000007424000-memory.dmp

Filesize
5.6MB

Download
memory/5040-378-0x00000000069D0000-0x0000000006A62000-memory.dmp

Filesize
584KB

Download
memory/5040-179-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/5040-450-0x00000000081B0000-0x0000000008372000-memory.dmp

Filesize
1.8MB

Download
memory/5040-454-0x00000000088B0000-0x0000000008DDC000-memory.dmp

Filesize
5.2MB

Download
memory/5040-479-0x00000000074E0000-0x0000000007556000-memory.dmp

Filesize
472KB

Download
memory/5040-482-0x0000000007560000-0x00000000075B0000-memory.dmp

Filesize
320KB

Download
memory/5040-170-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5040-177-0x0000000005540000-0x0000000005552000-memory.dmp

Filesize
72KB

Download