Analysis
-
max time kernel
45s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
24-03-2023 02:34
General
-
Target
Installer.exe
-
Size
5.0MB
-
MD5
7f6e6211f715679a559e695cce334801
-
SHA1
6c74f4269d5e5b6fd96b02fd9b0e8d86eae1cab5
-
SHA256
a712edcd797e4f33522d77382e7eae9b55eddaaa753ac33da65af73e0b6e785f
-
SHA512
b0732f3ad124a745952a90ad5df08f67e438bbaf63d2f5a4060d98873a219b8bd4a655089825a5a5f254b57d40c6b194dac77cf1bfe22a15a04cf0ed766943ac
-
SSDEEP
98304:EELNQWOGMWGapFt7G67QI1sbfr30wz93R:EELyWJMWGIgVUuR
Malware Config
Extracted
laplas
http://193.233.20.134
-
api_key
57728dce0f7018e17faf9f061cb2d77048e08414376baf6d860b78e74e83c208
Signatures
-
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 14 IoCs
-
Suspicious use of SendNotifyMessage 14 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Installer.exe"C:\Users\Admin\AppData\Local\Temp\Installer.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\IEBFIEBAFC.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IEBFIEBAFC.exe"C:\Users\Admin\AppData\Local\Temp\IEBFIEBAFC.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeC:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\mntempFilesize
16B
MD58a2d9b289c19e05fd0379b82f2919a21
SHA197440fb16a4b8c0ede2d527141749aab76a7a252
SHA256158fa2d1f60e6330072d181063c9b6d2c2c19fd92b5400f382f7d95bfaec1fec
SHA512cd553fea1140ebb0231c1ecb618793e6a4746a35129bc7a7c96e066cd17edf0f1fec65ee483784add1c296b06637e4f0ddf1e13c6e9231ec54ee2fc458acd015
-
C:\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
C:\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
C:\ProgramData\nss3.dllFilesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\Local\Temp\IEBFIEBAFC.exeFilesize
10.5MB
MD5d75c660c2584891aa2072643e345c941
SHA1cc3ed51870ecd89963428c4d3638c8a99d0ea991
SHA25611b80af6cb8bffedc46b7586644a29e9854ec440421926d7acd40e80b5ba08be
SHA5128a9ab5f164b7268ff56529c35bf97dccedff20f822e2a4daabc97e0af7cfd9f31593df440a337e6b9d84db60e5ed0be6f238545f367dada3012c54f4c61bd7d6
-
C:\Users\Admin\AppData\Local\Temp\IEBFIEBAFC.exeFilesize
10.5MB
MD5d75c660c2584891aa2072643e345c941
SHA1cc3ed51870ecd89963428c4d3638c8a99d0ea991
SHA25611b80af6cb8bffedc46b7586644a29e9854ec440421926d7acd40e80b5ba08be
SHA5128a9ab5f164b7268ff56529c35bf97dccedff20f822e2a4daabc97e0af7cfd9f31593df440a337e6b9d84db60e5ed0be6f238545f367dada3012c54f4c61bd7d6
-
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeFilesize
596.1MB
MD5101439accfca914b118c4f5a240228f3
SHA16f04334b7fb7b2efe31437ea73204c8d2ad9c4c0
SHA2563358a6f42627c24aca7fd7cc6bd0be279a9c31bc886bd3769cc5437f828e40c6
SHA51252aa4f0735667bd859342da8288cc38ceafddcf6fee2b9a4898e0de354cff847b3cd562439adab0bd21f5252fd3e2066f75a042db433f34e2ecd39c1a9296a87
-
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeFilesize
597.4MB
MD53c5ff4042294d60381f6d6a904de2436
SHA1efa037520feab67d91e1d15154683a208103ef39
SHA256cd2e3086a3cc4884efbfb618ef26fd10050dde53f98d04ef36a193c4015e5288
SHA512277ae7a7780e6e172f492a7090d8affade996c1961b3eaa49eafb3c9c6d2639a7945b4ca874bc2d695a920227df97b9d149e4bfff0493a0630286b9269364c2f
-
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeFilesize
575.9MB
MD57e56dd347681485514999b040e926743
SHA1cf6880d55d734f54aa7dd5e3a2895e55aedd8ee4
SHA256f790a4edaaa7dba55a06bb9ee3aec6f6ea9b1baf89841190855cc4c272083cbd
SHA512e7b9fe2fbf56ed18e2233bbf477ffa11f4a6c837f9ee6321bfc19de21132ac800e3e568a623330da192a8a2a50a9043378bedb05697c41cc47a70d375ba22cbc
-
memory/1012-254-0x0000018533760000-0x0000018533761000-memory.dmpFilesize
4KB
-
memory/1012-264-0x0000018533760000-0x0000018533761000-memory.dmpFilesize
4KB
-
memory/1012-260-0x0000018533760000-0x0000018533761000-memory.dmpFilesize
4KB
-
memory/1012-262-0x0000018533760000-0x0000018533761000-memory.dmpFilesize
4KB
-
memory/1012-263-0x0000018533760000-0x0000018533761000-memory.dmpFilesize
4KB
-
memory/1012-253-0x0000018533760000-0x0000018533761000-memory.dmpFilesize
4KB
-
memory/1012-261-0x0000018533760000-0x0000018533761000-memory.dmpFilesize
4KB
-
memory/1012-252-0x0000018533760000-0x0000018533761000-memory.dmpFilesize
4KB
-
memory/1012-259-0x0000018533760000-0x0000018533761000-memory.dmpFilesize
4KB
-
memory/1012-265-0x0000018533760000-0x0000018533761000-memory.dmpFilesize
4KB
-
memory/1548-238-0x0000000003DD0000-0x00000000041D3000-memory.dmpFilesize
4.0MB
-
memory/1548-247-0x0000000000C90000-0x0000000001DB7000-memory.dmpFilesize
17.2MB
-
memory/1548-241-0x0000000003DD0000-0x00000000041D3000-memory.dmpFilesize
4.0MB
-
memory/1548-227-0x0000000000C90000-0x0000000001DB7000-memory.dmpFilesize
17.2MB
-
memory/1548-223-0x0000000000C90000-0x0000000001DB7000-memory.dmpFilesize
17.2MB
-
memory/1548-225-0x0000000000C90000-0x0000000001DB7000-memory.dmpFilesize
17.2MB
-
memory/1548-226-0x0000000000C90000-0x0000000001DB7000-memory.dmpFilesize
17.2MB
-
memory/1548-237-0x0000000003DD0000-0x00000000041D3000-memory.dmpFilesize
4.0MB
-
memory/1548-236-0x0000000003DD0000-0x00000000041D3000-memory.dmpFilesize
4.0MB
-
memory/1548-235-0x0000000003DD0000-0x00000000041D3000-memory.dmpFilesize
4.0MB
-
memory/1548-229-0x0000000003DD0000-0x00000000041D3000-memory.dmpFilesize
4.0MB
-
memory/3184-138-0x0000000061E00000-0x0000000061EF3000-memory.dmpFilesize
972KB
-
memory/3184-134-0x00000000028D0000-0x0000000002AF8000-memory.dmpFilesize
2.2MB
-
memory/3288-255-0x0000000000B90000-0x0000000001CB7000-memory.dmpFilesize
17.2MB
-
memory/3288-251-0x0000000000B90000-0x0000000001CB7000-memory.dmpFilesize
17.2MB
-
memory/3288-250-0x0000000000B90000-0x0000000001CB7000-memory.dmpFilesize
17.2MB
-
memory/3288-248-0x0000000000B90000-0x0000000001CB7000-memory.dmpFilesize
17.2MB
-
memory/3288-275-0x0000000004310000-0x0000000004713000-memory.dmpFilesize
4.0MB