laplas | d6bded6019229818ccf6ee5bb74dd5eb73cbe05ccadd30793e31ea7393738d9f

General

Target

d79c7afdc8721f4f547c931ce6e0b20ac24193bdc63e4fee1e700e930199bc14.exe
Size

7.2MB
MD5

79f92f15ae5abceeaf487bf041aec54d
SHA1

05cd320d0a7f52a3511c05e54360d4512fd4da57
SHA256

d79c7afdc8721f4f547c931ce6e0b20ac24193bdc63e4fee1e700e930199bc14
SHA512

36c65db2149eb8b43356982533e79749a715174cf220ae519861117eaebd239531b4dc6a6db303d06171dd43d2d4371d6be40b7ea6a1cf590d7f919f2148431f
SSDEEP

196608:TOZKfeUTUAYVz1ayJz2kzxXuzg6CF9X2G:TYKmUzaz1BJ2oxXAg6CLX

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes

api_key
282dad126e565baaaf231822cab8d693912f9b76b528a6f568b2bac069b49e61

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
1456	svcservice.exe

Loads dropped DLL 1 IoCs

pid	Process
1980	d79c7afdc8721f4f547c931ce6e0b20ac24193bdc63e4fee1e700e930199bc14.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	d79c7afdc8721f4f547c931ce6e0b20ac24193bdc63e4fee1e700e930199bc14.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1980	d79c7afdc8721f4f547c931ce6e0b20ac24193bdc63e4fee1e700e930199bc14.exe
1456	svcservice.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1456	1980	d79c7afdc8721f4f547c931ce6e0b20ac24193bdc63e4fee1e700e930199bc14.exe	28
PID 1980 wrote to memory of 1456	1980	d79c7afdc8721f4f547c931ce6e0b20ac24193bdc63e4fee1e700e930199bc14.exe	28
PID 1980 wrote to memory of 1456	1980	d79c7afdc8721f4f547c931ce6e0b20ac24193bdc63e4fee1e700e930199bc14.exe	28
PID 1980 wrote to memory of 1456	1980	d79c7afdc8721f4f547c931ce6e0b20ac24193bdc63e4fee1e700e930199bc14.exe	28

C:\Users\Admin\AppData\Local\Temp\d79c7afdc8721f4f547c931ce6e0b20ac24193bdc63e4fee1e700e930199bc14.exe
"C:\Users\Admin\AppData\Local\Temp\d79c7afdc8721f4f547c931ce6e0b20ac24193bdc63e4fee1e700e930199bc14.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
713.2MB

MD5
e53bed6885b59fb2fea52b06527a4641

SHA1
3592206fadc456671c61e779fc7aa4683a837b28

SHA256
32d7b3cc8785a7b3f88640d0e5dcf7cd1b7bcdf14dd4d547e8976d5d2ece7a2b

SHA512
d576287b282b1c32a559b9a19cf46c74700e604c25a9d87f88522acf5ee562ee993ce486bede4b3ac1f387f0451b14b83066104275c6fbf69af5297f625c7133

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
736.2MB

MD5
15a3737dd2465cdaca20d3afcd07cd53

SHA1
aa43bd52acf7832a2620b0f7e1632e66cd4361e3

SHA256
73e9811bf0a0db69b32828b4a8dfbe01b380174de9bd3936a699ffe0fb3de5b7

SHA512
9679f2a2d647161fdb08e07fb0f1ae32a16611e0266f450436a534eb1153357f6b0fda9c3b52ec5160ecc4d24e1e8bf2250b74aaacdd20ddf17bd75a319bea00

Download Submit
\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
635.2MB

MD5
c2104e563cea9d9be35635c6dc2197b1

SHA1
37de977986c705b18c283ec6a7472fe24fd445e1

SHA256
8552c03e0002130232d692c5c15cc3ae630fef59bc18f50280a510ff768244ff

SHA512
d08afb2e355f30d2f01e5a460996952d30fa81a4340d25247f92998094f02d232ae598d173657018c56f96c61212ee1cb000dc780b59cf069415170a3c1bb76e

Download Submit
memory/1456-95-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1456-87-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1456-106-0x0000000001070000-0x0000000001B9B000-memory.dmp

Filesize
11.2MB

Download
memory/1456-105-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1456-104-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1456-102-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1456-101-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1456-99-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1456-98-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1456-96-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1456-93-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1456-92-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1456-90-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1456-86-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1456-89-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1980-68-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1980-54-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1980-65-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1980-74-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/1980-57-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1980-75-0x00000000010B0000-0x0000000001BDB000-memory.dmp

Filesize
11.2MB

Download
memory/1980-73-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/1980-71-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/1980-70-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/1980-60-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1980-58-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1980-67-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1980-55-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1980-64-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1980-62-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1980-61-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1980-56-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1980-59-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing