laplas | 74e2e74a0115644594768d827af3b6bf70190be406fc783e78133e7b42498b50

Analysis

max time kernel
109s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sdax.exe
Size

725.8MB
MD5

0207380aa8e83e8aaf7a7defc60ddd6e
SHA1

ceb93d22de83ad1c993096c12e66929a605c013c
SHA256

74e2e74a0115644594768d827af3b6bf70190be406fc783e78133e7b42498b50
SHA512

cef4a45b7b9c73e66f6c901267a8b9edb71e0bcad150ab82afb50ef892a5cc4b06c50522f74c29818cd83e0049b116044f33a0921ffe1e741ab1ba67cdb0019f
SSDEEP

98304:udcR2OyrVRPLlO/otpGnOYwxR7hv88+MqgtJjKniUDsMsqAnqCN7hmP:ueVyrLg/onGl9pMbtJjKiOpAqCN7h8

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://212.113.106.172

Attributes

api_key
a8f23fb9332db9a7947580ee498822bfe375b57ad7eb47370c7209509050c298

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	sdax.exe

Executes dropped EXE 1 IoCs

pid	Process
640	svcservice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	sdax.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1452	sdax.exe
1452	sdax.exe
1452	sdax.exe
1452	sdax.exe
640	svcservice.exe
640	svcservice.exe
640	svcservice.exe
640	svcservice.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 640	1452	sdax.exe	89
PID 1452 wrote to memory of 640	1452	sdax.exe	89
PID 1452 wrote to memory of 640	1452	sdax.exe	89

C:\Users\Admin\AppData\Local\Temp\sdax.exe
"C:\Users\Admin\AppData\Local\Temp\sdax.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
308.5MB

MD5
a22ce3f3a9a40812ed6ad8feb7844cc9

SHA1
da1c8df96ab3f7d3c179f0449a34ff6d17c341fc

SHA256
364f211c84373c6dc2e5097c69374ee959e711fb093cbb4b9da7a59692160661

SHA512
bc12ae49a814e36f4b8acf169eb958a105b0d888cc3894ef6d96f2a3a1a7b24fdb8f1b6a98ec847eddaad5f9a60dce3e9e5af7eaa1b25a842f5fe0b231a7a39a

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
302.8MB

MD5
86099593ae05027765f866eb24d787ad

SHA1
8d0d13c332080d5522f2055397e9a13165b1d76d

SHA256
7e62c9a57752cc1e686650b345d6da447bdc57f75b3dce9496a0e9874c689bfd

SHA512
87a01b149f506b5a96c66cbd476ca3561b01001aa47b56069aab2a67004387245581b3cf9dfbe08cc96aca4e21cb6567886ad35224dc306d5dfb8976e2f6f797

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
307.8MB

MD5
d02846e44c39a6e1f0f50cad31f38d89

SHA1
bc18c7fc602ca4cb4f150a7fbff0b1586b943517

SHA256
f5e42a17d2987926f1201806fce03f1ca38395f3dfdf00dc730e8759f3ffa49a

SHA512
0270701c8934de54c4faf48def6d3ba1d6d2b38815036568c2ac5d902a7db133321f66a7121c078dc3d50693d16ae9b76c560460a2eb244b71015351067eb6b8

Download Submit
memory/640-148-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/640-149-0x0000000000400000-0x0000000000D10000-memory.dmp

Filesize
9.1MB

Download
memory/1452-133-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/1452-134-0x0000000000400000-0x0000000000D10000-memory.dmp

Filesize
9.1MB

Download