Analysis

  • max time kernel
    118s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-03-2023 21:47

General

  • Target

    vddsc.exe

  • Size

    5.8MB

  • MD5

    e7a69210f26c7944b6e267d0d73af320

  • SHA1

    cc03fe693690e4f45a7cca31782292f69e505801

  • SHA256

    64b965beccd214a869629c202905642aec12eb0814bd773c264f845cb7a211e2

  • SHA512

    44345416a657e5612fe6af6d6203f25e5bb501862f83c0a688b8fbab0cdd4929b309e32fa6770fe18a47bf62d91688fc761761d0f457e37bbc11abe16adace07

  • SSDEEP

    98304:udcR2OyrVRPLlO/otpGnOYwxR7hv88+MqgtJjKniUDsMsqAnqCN7hm:ueVyrLg/onGl9pMbtJjKiOpAqCN7h

Malware Config

Extracted

Family

laplas

C2

http://212.113.106.172

Attributes
  • api_key

    a8f23fb9332db9a7947580ee498822bfe375b57ad7eb47370c7209509050c298

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The generic signature text flags this as likely ransomware behaviour; for a sample classified above as a clipper, read it as drive enumeration, not as evidence of file encryption in this run.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
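The Laplas Clipper signature above describes the family as a crypto wallet stealer; a clipper's core trick is to watch the clipboard and replace a copied wallet address with an attacker-controlled one of the same format. The sandbox run recorded no clipboard activity, so the following is an added detection heuristic written for this page, not code from the report or from the malware: it scans a clipboard timeline for a same-family address swap within a short window. The address patterns are simplified (alphabet and length only, no checksum validation) and the timeline is constructed.

```python
import re

# Simplified wallet-address shapes (assumption: alphabet and length only,
# no checksum validation), enough to tell address families apart.
ADDRESS_PATTERNS = {
    "btc_p2pkh_p2sh": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text):
    """Return the address family of a clipboard string, or None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


def detect_clipboard_swaps(observations, window_seconds=2.0):
    """Flag clipper-style swaps in a sequence of (timestamp, clipboard_text).

    A swap is: the clipboard held an address, and within window_seconds it
    holds a *different* address of the *same* family. A user pasting a new
    address a while later does not trip this; a clipper rewriting the
    clipboard right after the user's copy does.
    """
    alerts = []
    previous = None  # (timestamp, text, family)
    for ts, text in observations:
        family = classify_address(text)
        if previous is not None and family is not None:
            prev_ts, prev_text, prev_family = previous
            if (prev_family == family and prev_text != text
                    and ts - prev_ts <= window_seconds):
                alerts.append({"at": ts, "family": family,
                               "original": prev_text, "replaced_with": text})
        previous = (ts, text, family)
    return alerts


# Constructed clipboard timeline (illustrative, not data captured by the
# sandbox; the addresses are synthetic and not real wallets).
SAMPLE_TIMELINE = [
    (0.0, "1K7CqRVJvXFHh2ZbtwpAYWxQgNs8mDeYrU"),    # user copies a BTC address
    (0.3, "1CounterfeitAddrXyz7uKnF3gR2wPqS8t"),    # 300 ms later it reads differently: swap
    (10.0, "0x1111111111111111111111111111111111111111"),
    (25.0, "0x2222222222222222222222222222222222222222"),  # 15 s later: user's own copy
    (30.0, "meeting at 3pm"),                                # not an address
    (40.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    (40.4, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),   # identical re-copy: no swap
]


if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SAMPLE_TIMELINE):
        print(alert)
```

The window is the tuning knob: widening it catches slower clippers but starts flagging a user who copies two addresses in quick succession, which is why the constructed timeline includes a 15 s gap that the default window ignores.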

Processes

  • C:\Users\Admin\AppData\Local\Temp\vddsc.exe
    "C:\Users\Admin\AppData\Local\Temp\vddsc.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2896
    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4172

Network

MITRE ATT&CK Matrix (ATT&CK v6)

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082
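The process tree and the matrix above give a hunt team three correlated signals: a drop into %APPDATA%\telemetry, a Run key pointing at that user-writable path (T1060 in the v6 numbering used here), execution of the dropped file as a child of the dropper, and a connection to the extracted C2. The rules below are an added example written for this page, not the sandbox's detection logic: they run over constructed Sysmon-style events modelled on this report (event ids 1, 3, 11 and 13). The Run value name, the SID in the registry path and the destination port are assumptions; the report does not state them. Note that Sysmon does not log registry reads, so the geofence lookup flagged under "Checks computer location settings" is not something this style of rule can see.

```python
import re

# IOCs taken from the report above.
C2_HOST = "212.113.106.172"
PARENT_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\vddsc.exe"
DROPPED_IMAGE = r"C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"

RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)

# Constructed Sysmon-style events (1 process create, 3 network connect,
# 11 file create, 13 registry value set) modelled on the process tree in the
# report. Illustrative only, not telemetry exported from the sandbox; the
# value name "svcservice", the SID and port 80 are assumptions.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 2896, "image": PARENT_IMAGE,
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 11, "pid": 2896, "image": PARENT_IMAGE, "target_filename": DROPPED_IMAGE},
    {"id": 13, "pid": 2896, "image": PARENT_IMAGE,
     "target_object": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\svcservice",
     "details": DROPPED_IMAGE},
    {"id": 1, "pid": 4172, "image": DROPPED_IMAGE, "parent_image": PARENT_IMAGE},
    {"id": 3, "pid": 4172, "image": DROPPED_IMAGE, "dest_ip": C2_HOST, "dest_port": 80},
    # Benign noise the rules must leave alone: a system Run value pointing at
    # System32, and an ordinary outbound HTTPS connection.
    {"id": 13, "pid": 800, "image": r"C:\Windows\System32\svchost.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"id": 3, "pid": 800, "image": r"C:\Windows\System32\svchost.exe",
     "dest_ip": "13.107.4.50", "dest_port": 443},
]


def hunt(events, c2_hosts=frozenset({C2_HOST})):
    """Return findings as (rule, pid, technique) tuples.

    technique is the ATT&CK v6 id the report maps for that behaviour, or
    None where the report gives no mapping.
    """
    findings = []
    dropped_by = {}  # lower-cased path -> pid of the process that wrote it
    for ev in events:
        if ev["id"] == 11:
            dropped_by[ev["target_filename"].lower()] = ev["pid"]
        elif ev["id"] == 13:
            # Run key whose command lives under a user-writable AppData path.
            if RUN_KEY.search(ev["target_object"]) and USER_WRITABLE.search(ev["details"]):
                findings.append(("run_key_user_writable", ev["pid"], "T1060"))
        elif ev["id"] == 1:
            # Process image was written earlier in this event stream by a
            # different process: "Executes dropped EXE".
            writer = dropped_by.get(ev["image"].lower())
            if writer is not None and writer != ev["pid"]:
                findings.append(("executes_dropped_exe", ev["pid"], None))
        elif ev["id"] == 3:
            if ev["dest_ip"] in c2_hosts:
                findings.append(("known_c2_contact", ev["pid"], None))
    return findings


def is_chain_complete(findings):
    """True when both persistence and execution of the dropped file appear,
    the combination this report shows, rather than one weak signal alone."""
    rules = {rule for rule, _, _ in findings}
    return {"run_key_user_writable", "executes_dropped_exe"} <= rules


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for finding in found:
        print(finding)
    print("chain complete:", is_chain_complete(found))
```

The drop-then-execute rule depends on event ordering, so it only works over a stream where the file-create event precedes the process-create event, which is how Sysmon emits them; if you replay events from a store that does not preserve order, sort by timestamp first.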


Downloads

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    775.8MB

    MD5

    29c22ef42cb9163eb9a079244247fbb8

    SHA1

    8fbf1cb43e41f01a7550d46b2198f3cf8ea93f94

    SHA256

    7f329cdbdcf99feeba58c8cb83c5072fd92e064d594d5164890d117ed95a7a40

    SHA512

    88107a3f04c99a4b268f98944912dbf2c979174fe6cba38d95ab973c6570712047111bae55495b4c696d00b3689ee0d7547107abe95e63e622e46fa61d58b17b

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    646.1MB

    MD5

    2fe8a5634805383d1742a7dd9b5a942d

    SHA1

    4c5515dbf794d1ea566700596702d9ecf2cf9005

    SHA256

    0254e310aa2e0054f0df4d8e981211b1f342e748ece9eace1419a77bc7298e25

    SHA512

    5632b90dac25b2438da4f4fae3896bf00423ab6e463395adee895f37921bc1ee3ea72764302cffc33ae4596db04165c1d29d478c988a11dd4e6cca7dc2160b05

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    593.7MB

    MD5

    fe3c806c18c5c1f6a9160a71f73126b1

    SHA1

    8029b831cdd0f2479cd2b4d65718a856a6ea3c5f

    SHA256

    439a3b81b6bf467e795e34c761b516186718774a981dce7a64171baafe131ef4

    SHA512

    03d4b4506d2b153aa75a785b2af07721155a245fa9d45c7e3def64d24f1414bd10bef9aebcf13e5aa0eb9f500bf9d581b4ffbced9e9cdc78d21b596d66405c0d

  • memory/2896-133-0x0000000000D50000-0x0000000000D51000-memory.dmp
    Filesize

    4KB

  • memory/2896-134-0x0000000000400000-0x0000000000D10000-memory.dmp
    Filesize

    9.1MB

  • memory/4172-148-0x0000000000E20000-0x0000000000E21000-memory.dmp
    Filesize

    4KB

  • memory/4172-149-0x0000000000400000-0x0000000000D10000-memory.dmp
    Filesize

    9.1MB