laplas | 74e2e74a0115644594768d827af3b6bf70190be406fc783e78133e7b42498b50

Analysis

max time kernel
142s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2023 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0207380aa8e83e8aaf7a7defc60ddd6e.exe
Size

725.8MB
MD5

0207380aa8e83e8aaf7a7defc60ddd6e
SHA1

ceb93d22de83ad1c993096c12e66929a605c013c
SHA256

74e2e74a0115644594768d827af3b6bf70190be406fc783e78133e7b42498b50
SHA512

cef4a45b7b9c73e66f6c901267a8b9edb71e0bcad150ab82afb50ef892a5cc4b06c50522f74c29818cd83e0049b116044f33a0921ffe1e741ab1ba67cdb0019f
SSDEEP

98304:udcR2OyrVRPLlO/otpGnOYwxR7hv88+MqgtJjKniUDsMsqAnqCN7hmP:ueVyrLg/onGl9pMbtJjKiOpAqCN7h8

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://212.113.106.172

Attributes

api_key
a8f23fb9332db9a7947580ee498822bfe375b57ad7eb47370c7209509050c298

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	0207380aa8e83e8aaf7a7defc60ddd6e.exe

Executes dropped EXE 1 IoCs

pid	Process
4272	svcservice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	0207380aa8e83e8aaf7a7defc60ddd6e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1196	0207380aa8e83e8aaf7a7defc60ddd6e.exe
1196	0207380aa8e83e8aaf7a7defc60ddd6e.exe
1196	0207380aa8e83e8aaf7a7defc60ddd6e.exe
1196	0207380aa8e83e8aaf7a7defc60ddd6e.exe
4272	svcservice.exe
4272	svcservice.exe
4272	svcservice.exe
4272	svcservice.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 4272	1196	0207380aa8e83e8aaf7a7defc60ddd6e.exe	92
PID 1196 wrote to memory of 4272	1196	0207380aa8e83e8aaf7a7defc60ddd6e.exe	92
PID 1196 wrote to memory of 4272	1196	0207380aa8e83e8aaf7a7defc60ddd6e.exe	92

C:\Users\Admin\AppData\Local\Temp\0207380aa8e83e8aaf7a7defc60ddd6e.exe
"C:\Users\Admin\AppData\Local\Temp\0207380aa8e83e8aaf7a7defc60ddd6e.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
697.8MB

MD5
f8ac2204f633779a8b6b1e517a537731

SHA1
1994d318d4c25380e5c09034271f3f5f3e617d8d

SHA256
ae6f58ae72f2f44e5ce34109ace13307477d0562f2f08ec7f50f807b4a558832

SHA512
1215f98d9b9a14595f814770fc10f9142045bc9b3005ca8ddd98afb1b1124a81a0a75b90cd65799f05e0cafa79da1ab1852c9f4c0b200f57c354dd4ab0b72986

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
675.2MB

MD5
57a6c17a1484332fa058aa538417bb99

SHA1
7cbb29ff1f413af410e9c388a28be462525cd462

SHA256
2d3847bd2cd5b032b6d4b372e6b40a4370bd1425b981224570921c72097d48fb

SHA512
f75fe825d74fb0b89f9e1e8f59c1390be11710d15f2046fe54e8c097b8e38c342847c0db0e6e47b5cbcc34a3e1098a25bd11f095cc94e530ea78b97d1032dda8

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
638.0MB

MD5
1b6c13722d180e1d2c4bb6c182413bf8

SHA1
b3b8c99c4da5ad63dc5239c8740a581c14137122

SHA256
bc36750416c33d28a0074bca5c5946f9459f086d366437700b73cb38d420c153

SHA512
6ad8b0ff5730d1ced951c905dd5976581233e5b797e230b26a20d4a3b2d8b5eeb388fd99314024c5b8d77bef27b02c7a3b4663981d3c58b45c741542df5b84fd

Download Submit
memory/1196-133-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/1196-134-0x0000000000400000-0x0000000000D10000-memory.dmp

Filesize
9.1MB

Download
memory/4272-148-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/4272-149-0x0000000000400000-0x0000000000D10000-memory.dmp

Filesize
9.1MB

Download