Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-03-2023 01:27

General

  • Target

    vddsc.exe

  • Size

    5.8MB

  • MD5

    e7a69210f26c7944b6e267d0d73af320

  • SHA1

    cc03fe693690e4f45a7cca31782292f69e505801

  • SHA256

    64b965beccd214a869629c202905642aec12eb0814bd773c264f845cb7a211e2

  • SHA512

    44345416a657e5612fe6af6d6203f25e5bb501862f83c0a688b8fbab0cdd4929b309e32fa6770fe18a47bf62d91688fc761761d0f457e37bbc11abe16adace07

  • SSDEEP

    98304:udcR2OyrVRPLlO/otpGnOYwxR7hv88+MqgtJjKniUDsMsqAnqCN7hm:ueVyrLg/onGl9pMbtJjKiOpAqCN7h

Malware Config

Extracted

Family

laplas

C2

http://212.113.106.172

Attributes
  • api_key

    a8f23fb9332db9a7947580ee498822bfe375b57ad7eb47370c7209509050c298

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\vddsc.exe
    "C:\Users\Admin\AppData\Local\Temp\vddsc.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3772
    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2876

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

    Filesize

    710.8MB

    MD5

    80bf7bf76c95cb206e70b93bb0e50a94

    SHA1

    db766ba6f6b5d341ed134b6466f639eedbe0a0c5

    SHA256

    3477ecd7835de7e7b3c9eb5673a3d8af99df574333a248e41be3eb85d553502a

    SHA512

    017df6fd9150f362867e2b8b4a8dcda928934c24e1ee66ab305ebdd080d7680bc9dbd62698e92455a84e922de7f706d3f80423abe933857074a2b50c11645220

  • memory/2876-148-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

    Filesize

    4KB

  • memory/2876-149-0x0000000000400000-0x0000000000D10000-memory.dmp

    Filesize

    9.1MB

  • memory/3772-133-0x0000000000E60000-0x0000000000E61000-memory.dmp

    Filesize

    4KB

  • memory/3772-134-0x0000000000400000-0x0000000000D10000-memory.dmp

    Filesize

    9.1MB