Overview

overview

10

Static

static

1

sdax.exe

windows7-x64

1

sdax.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    176s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-03-2023 17:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sdax.exe

  • Size

    725.8MB

  • MD5

    0207380aa8e83e8aaf7a7defc60ddd6e

  • SHA1

    ceb93d22de83ad1c993096c12e66929a605c013c

  • SHA256

    74e2e74a0115644594768d827af3b6bf70190be406fc783e78133e7b42498b50

  • SHA512

    cef4a45b7b9c73e66f6c901267a8b9edb71e0bcad150ab82afb50ef892a5cc4b06c50522f74c29818cd83e0049b116044f33a0921ffe1e741ab1ba67cdb0019f

  • SSDEEP

    98304:udcR2OyrVRPLlO/otpGnOYwxR7hv88+MqgtJjKniUDsMsqAnqCN7hmP:ueVyrLg/onGl9pMbtJjKiOpAqCN7h8

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://212.113.106.172

Attributes
  • api_key

    a8f23fb9332db9a7947580ee498822bfe375b57ad7eb47370c7209509050c298

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\sdax.exe
    "C:\Users\Admin\AppData\Local\Temp\sdax.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4840
    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3860

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    531.9MB

    MD5

    ca5b44b2235fcde939ea532d2e48ebb8

    SHA1

    4a4b3f54a6ef2697a568816bb4c5bb9b7fc88980

    SHA256

    273172efad291ce5f5b27bb255b4fcf5502327a5514dad4466144a55c9a6248b

    SHA512

    8d0c3da7968e69f3e4e245227ec114be93bde869c73d01ddd12ba00fbff7001a4e8011f7ee9976f54312009ae91a9763514cf2056bcc09e3e595af7c3b206444

    Download Submit

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    607.2MB

    MD5

    622af70af756e339f6fa93835eeaf097

    SHA1

    4fa574cf77508ffa889ad5f2b917f5e7b9323cc9

    SHA256

    7dcd6dd56ddf1ff6adac0226ec0b58f1bae6fe402eae2d3030162176268e4d51

    SHA512

    1fa133460c7088d525216f1c1008b424e3d3e589c8a468f0c545516198ef76a8efd9eb6e139fa9ba0171e70dfeb3c62d514ebc28772aa8178a6b8a7f60367e4d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    535.9MB

    MD5

    e317d023e778b4bb11179fec5286b0ec

    SHA1

    5b18ccb848504f9057e3450f42f7e26e804ba0ff

    SHA256

    f6e82c06a15b7fae508380eb27052fdce0ab0d9791f7cc693149d978779d7ac5

    SHA512

    9317159d800965cfe2a0ff94294f133a2355c21fb20dfc937a939bcdadeafaaf88dfd50c915c8ae3e7ffd68c97d38e83e1f102bdc3978be399ba3d1854a7499b

    Download Submit

  • memory/3860-148-0x0000000000D50000-0x0000000000D51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3860-149-0x0000000000400000-0x0000000000D10000-memory.dmp

    Filesize

    9.1MB

    Download

  • memory/4840-133-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4840-134-0x0000000000400000-0x0000000000D10000-memory.dmp

    Filesize

    9.1MB

    Download