Analysis

  • max time kernel
    150s
  • max time network
    161s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-03-2023 15:57

General

  • Target

    c1378f7991f51df8a693533c12d87b77.exe

  • Size

    297KB

  • MD5

    c1378f7991f51df8a693533c12d87b77

  • SHA1

    a158c289e1f6016dbb9f31924e7bf3879f09653f

  • SHA256

    7ab2228581a86441739dfb6f4e8057cd220abdabe13fa2f2a8d9ee904e5612f6

  • SHA512

    7537668e6851d415dbf2635aee2daff4348664ee16bb58e2d14f8fcb6b8f314ec1a65c7286341012727a1902e1f31b71c6a9dd00c9cd4be6b03d248f9deb68d7

  • SSDEEP

    3072:0n7mRSVeIn8O9iyGvSzQb6SEZ5Q3tmsvL88dXa23CcxsD4zpS9uSRh5qHeNNrAjp:AQkTiyGvSzhsvL8K3Cv4g9vh0Gof

Malware Config

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes
  • api_key

    282dad126e565baaaf231822cab8d693912f9b76b528a6f568b2bac069b49e61

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\c1378f7991f51df8a693533c12d87b77.exe (level 1)
    "C:\Users\Admin\AppData\Local\Temp\c1378f7991f51df8a693533c12d87b77.exe"
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID: 1924
    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe (level 2)
      "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
      • Executes dropped EXE
      PID: 1928

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

    Filesize

    290.6MB

    MD5

    012fc37dd3f2fd4a5b6f88487ad7280f

    SHA1

    a2ad1c653e184178063073d4f1a00a74c9785ad4

    SHA256

    517336729d200a73f9e2ce5f06df90d15431bc0e4e28b472ec1715d20848dad0

    SHA512

    9f1671259c26396d64e88895eb9ef8c8c7c84eecb32c7cf60c3f82fcf637b1c77038e282ee55920835ca1c399b6eaef4e52191f063e171c4c4f61f25e4610c84

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

    Filesize

    281.8MB

    MD5

    bc24bc98834474e16b762590042455f0

    SHA1

    219b16b0d3c3a7e5c5e7b084b4713bba6c06448c

    SHA256

    23d011c1a9ef0619dfc9eb2e0836c12751b381ad00c5e4084c015d506232479d

    SHA512

    d6dea377205044637688a7b351039b6b7e87cea1eba90004dbff916516eabeae594d39de609f154801e2ee3b85bae3ea6f21accf6f4b26653b7743400aaa556f

  • \Users\Admin\AppData\Roaming\telemetry\svcservice.exe

    Filesize

    293.8MB

    MD5

    dc80eb95820ea90356605890773ca88c

    SHA1

    71fd6cc93c697e4794cb604bb3663a10841eeef5

    SHA256

    a6c67bfc22be7ed1ac2f4245bd949e9fc8a133455029afa93228bffe8a09d6c6

    SHA512

    8a20c2952177080c8d687296ea5af434bc55791ffa7310502beec1ee7168cccf64f56071e7b6bfdc0628062f3ceb4d1491f21beaee64c674e5609768e331f3bd

  • \Users\Admin\AppData\Roaming\telemetry\svcservice.exe

    Filesize

    279.9MB

    MD5

    3ecedf64ca391541d98fbe3a9f4aa8b1

    SHA1

    760cc85e0177ea14bef6d6394d1d592d9d0f2576

    SHA256

    3b7ce16b7d2dbe01afed7911e8c3b3dc8ccbab4e5de9213702b7a281dc829b2d

    SHA512

    704bc946d13eafc4dbc50f91ad7f72acb71be2511f8ad61f20d6548301a2e271418589e5a46a3b3302e50ee3ef653cf787bfc8581784349b060a796dffedf02f

  • memory/1924-55-0x00000000003C0000-0x00000000003FB000-memory.dmp

    Filesize

    236KB

  • memory/1924-56-0x0000000000400000-0x0000000002B78000-memory.dmp

    Filesize

    39.5MB

  • memory/1924-57-0x00000000003C0000-0x00000000003FB000-memory.dmp

    Filesize

    236KB

  • memory/1924-68-0x0000000000400000-0x0000000002B78000-memory.dmp

    Filesize

    39.5MB

  • memory/1928-70-0x0000000000400000-0x0000000002B78000-memory.dmp

    Filesize

    39.5MB