Analysis
-
max time kernel
112s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
30-03-2023 17:54
General
-
Target
vddsc.exe
-
Size
5.8MB
-
MD5
e7a69210f26c7944b6e267d0d73af320
-
SHA1
cc03fe693690e4f45a7cca31782292f69e505801
-
SHA256
64b965beccd214a869629c202905642aec12eb0814bd773c264f845cb7a211e2
-
SHA512
44345416a657e5612fe6af6d6203f25e5bb501862f83c0a688b8fbab0cdd4929b309e32fa6770fe18a47bf62d91688fc761761d0f457e37bbc11abe16adace07
-
SSDEEP
98304:udcR2OyrVRPLlO/otpGnOYwxR7hv88+MqgtJjKniUDsMsqAnqCN7hm:ueVyrLg/onGl9pMbtJjKiOpAqCN7h
Malware Config
Extracted
laplas
http://212.113.106.172
-
api_key
a8f23fb9332db9a7947580ee498822bfe375b57ad7eb47370c7209509050c298
Signatures
-
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\vddsc.exe"C:\Users\Admin\AppData\Local\Temp\vddsc.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
741.8MB
MD521db6567d19bd31c06c2cc442cbcaa2a
SHA1f63c72ccde5f2aa59dc1463dbf0307e9900a3b7d
SHA256f176058b35ce4aa7b27b96c03cb051208de6b8e5412cf43385854e92d141dbfd
SHA512416e46fcbc0e4d3cd7afebe2bf9056e190e035d5f9bdecff799691cdbbbe77e02a743e1e113b730acea201fe04e8c5d90c78e04ed9e60b90b251de38933fbc0a
-
Filesize
741.8MB
MD521db6567d19bd31c06c2cc442cbcaa2a
SHA1f63c72ccde5f2aa59dc1463dbf0307e9900a3b7d
SHA256f176058b35ce4aa7b27b96c03cb051208de6b8e5412cf43385854e92d141dbfd
SHA512416e46fcbc0e4d3cd7afebe2bf9056e190e035d5f9bdecff799691cdbbbe77e02a743e1e113b730acea201fe04e8c5d90c78e04ed9e60b90b251de38933fbc0a
-
Filesize
741.8MB
MD521db6567d19bd31c06c2cc442cbcaa2a
SHA1f63c72ccde5f2aa59dc1463dbf0307e9900a3b7d
SHA256f176058b35ce4aa7b27b96c03cb051208de6b8e5412cf43385854e92d141dbfd
SHA512416e46fcbc0e4d3cd7afebe2bf9056e190e035d5f9bdecff799691cdbbbe77e02a743e1e113b730acea201fe04e8c5d90c78e04ed9e60b90b251de38933fbc0a
-
Filesize
4KB
-
Filesize
9.1MB
-
Filesize
4KB
-
Filesize
9.1MB