Overview

overview

10

Static

static

1

Installer.exe

windows7-x64

10

Installer.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    45s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-03-2023 02:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Installer.exe

  • Size

    5.0MB

  • MD5

    7f6e6211f715679a559e695cce334801

  • SHA1

    6c74f4269d5e5b6fd96b02fd9b0e8d86eae1cab5

  • SHA256

    a712edcd797e4f33522d77382e7eae9b55eddaaa753ac33da65af73e0b6e785f

  • SHA512

    b0732f3ad124a745952a90ad5df08f67e438bbaf63d2f5a4060d98873a219b8bd4a655089825a5a5f254b57d40c6b194dac77cf1bfe22a15a04cf0ed766943ac

  • SSDEEP

    98304:EELNQWOGMWGapFt7G67QI1sbfr30wz93R:EELyWJMWGIgVUuR

Score
10/10
laplasbootkitclipperdiscoveryevasionpersistencespywarestealertrojan

Malware Config

Extracted

Family

laplas

C2

http://193.233.20.134

Attributes
  • api_key

    57728dce0f7018e17faf9f061cb2d77048e08414376baf6d860b78e74e83c208

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 14 IoCs
  • Suspicious use of SendNotifyMessage 14 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\Installer.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3184
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IEBFIEBAFC.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1960
      • C:\Users\Admin\AppData\Local\Temp\IEBFIEBAFC.exe
        "C:\Users\Admin\AppData\Local\Temp\IEBFIEBAFC.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Writes to the Master Boot Record (MBR)
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1548
        • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
          C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Writes to the Master Boot Record (MBR)
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          PID:3288
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1012

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\mntemp
    Filesize

    16B

    MD5

    8a2d9b289c19e05fd0379b82f2919a21

    SHA1

    97440fb16a4b8c0ede2d527141749aab76a7a252

    SHA256

    158fa2d1f60e6330072d181063c9b6d2c2c19fd92b5400f382f7d95bfaec1fec

    SHA512

    cd553fea1140ebb0231c1ecb618793e6a4746a35129bc7a7c96e066cd17edf0f1fec65ee483784add1c296b06637e4f0ddf1e13c6e9231ec54ee2fc458acd015

    Download Submit

  • C:\ProgramData\mozglue.dll
    Filesize

    593KB

    MD5

    c8fd9be83bc728cc04beffafc2907fe9

    SHA1

    95ab9f701e0024cedfbd312bcfe4e726744c4f2e

    SHA256

    ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

    SHA512

    fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

    Download Submit

  • C:\ProgramData\mozglue.dll
    Filesize

    593KB

    MD5

    c8fd9be83bc728cc04beffafc2907fe9

    SHA1

    95ab9f701e0024cedfbd312bcfe4e726744c4f2e

    SHA256

    ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

    SHA512

    fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

    Download Submit

  • C:\ProgramData\nss3.dll
    Filesize

    2.0MB

    MD5

    1cc453cdf74f31e4d913ff9c10acdde2

    SHA1

    6e85eae544d6e965f15fa5c39700fa7202f3aafe

    SHA256

    ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

    SHA512

    dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IEBFIEBAFC.exe
    Filesize

    10.5MB

    MD5

    d75c660c2584891aa2072643e345c941

    SHA1

    cc3ed51870ecd89963428c4d3638c8a99d0ea991

    SHA256

    11b80af6cb8bffedc46b7586644a29e9854ec440421926d7acd40e80b5ba08be

    SHA512

    8a9ab5f164b7268ff56529c35bf97dccedff20f822e2a4daabc97e0af7cfd9f31593df440a337e6b9d84db60e5ed0be6f238545f367dada3012c54f4c61bd7d6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IEBFIEBAFC.exe
    Filesize

    10.5MB

    MD5

    d75c660c2584891aa2072643e345c941

    SHA1

    cc3ed51870ecd89963428c4d3638c8a99d0ea991

    SHA256

    11b80af6cb8bffedc46b7586644a29e9854ec440421926d7acd40e80b5ba08be

    SHA512

    8a9ab5f164b7268ff56529c35bf97dccedff20f822e2a4daabc97e0af7cfd9f31593df440a337e6b9d84db60e5ed0be6f238545f367dada3012c54f4c61bd7d6

    Download Submit

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    596.1MB

    MD5

    101439accfca914b118c4f5a240228f3

    SHA1

    6f04334b7fb7b2efe31437ea73204c8d2ad9c4c0

    SHA256

    3358a6f42627c24aca7fd7cc6bd0be279a9c31bc886bd3769cc5437f828e40c6

    SHA512

    52aa4f0735667bd859342da8288cc38ceafddcf6fee2b9a4898e0de354cff847b3cd562439adab0bd21f5252fd3e2066f75a042db433f34e2ecd39c1a9296a87

    Download Submit

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    597.4MB

    MD5

    3c5ff4042294d60381f6d6a904de2436

    SHA1

    efa037520feab67d91e1d15154683a208103ef39

    SHA256

    cd2e3086a3cc4884efbfb618ef26fd10050dde53f98d04ef36a193c4015e5288

    SHA512

    277ae7a7780e6e172f492a7090d8affade996c1961b3eaa49eafb3c9c6d2639a7945b4ca874bc2d695a920227df97b9d149e4bfff0493a0630286b9269364c2f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    575.9MB

    MD5

    7e56dd347681485514999b040e926743

    SHA1

    cf6880d55d734f54aa7dd5e3a2895e55aedd8ee4

    SHA256

    f790a4edaaa7dba55a06bb9ee3aec6f6ea9b1baf89841190855cc4c272083cbd

    SHA512

    e7b9fe2fbf56ed18e2233bbf477ffa11f4a6c837f9ee6321bfc19de21132ac800e3e568a623330da192a8a2a50a9043378bedb05697c41cc47a70d375ba22cbc

    Download Submit

  • memory/1012-254-0x0000018533760000-0x0000018533761000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1012-264-0x0000018533760000-0x0000018533761000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1012-260-0x0000018533760000-0x0000018533761000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1012-262-0x0000018533760000-0x0000018533761000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1012-263-0x0000018533760000-0x0000018533761000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1012-253-0x0000018533760000-0x0000018533761000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1012-261-0x0000018533760000-0x0000018533761000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1012-252-0x0000018533760000-0x0000018533761000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1012-259-0x0000018533760000-0x0000018533761000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1012-265-0x0000018533760000-0x0000018533761000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1548-238-0x0000000003DD0000-0x00000000041D3000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1548-247-0x0000000000C90000-0x0000000001DB7000-memory.dmp

    Filesize

    17.2MB

    Download

  • memory/1548-241-0x0000000003DD0000-0x00000000041D3000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1548-227-0x0000000000C90000-0x0000000001DB7000-memory.dmp

    Filesize

    17.2MB

    Download

  • memory/1548-223-0x0000000000C90000-0x0000000001DB7000-memory.dmp

    Filesize

    17.2MB

    Download

  • memory/1548-225-0x0000000000C90000-0x0000000001DB7000-memory.dmp

    Filesize

    17.2MB

    Download

  • memory/1548-226-0x0000000000C90000-0x0000000001DB7000-memory.dmp

    Filesize

    17.2MB

    Download

  • memory/1548-237-0x0000000003DD0000-0x00000000041D3000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1548-236-0x0000000003DD0000-0x00000000041D3000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1548-235-0x0000000003DD0000-0x00000000041D3000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/1548-229-0x0000000003DD0000-0x00000000041D3000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/3184-138-0x0000000061E00000-0x0000000061EF3000-memory.dmp

    Filesize

    972KB

    Download

  • memory/3184-134-0x00000000028D0000-0x0000000002AF8000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/3288-255-0x0000000000B90000-0x0000000001CB7000-memory.dmp

    Filesize

    17.2MB

    Download

  • memory/3288-251-0x0000000000B90000-0x0000000001CB7000-memory.dmp

    Filesize

    17.2MB

    Download

  • memory/3288-250-0x0000000000B90000-0x0000000001CB7000-memory.dmp

    Filesize

    17.2MB

    Download

  • memory/3288-248-0x0000000000B90000-0x0000000001CB7000-memory.dmp

    Filesize

    17.2MB

    Download

  • memory/3288-275-0x0000000004310000-0x0000000004713000-memory.dmp

    Filesize

    4.0MB

    Download