laplas | 26c995530de0bd37914392b2ebb46cacb8f873415d1155703ebfcbef0a953fb6

Analysis

max time kernel
145s
max time network
141s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
02-04-2023 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ab2228581a86441739dfb6f4e8057cd220abdabe13fa2f2a8d9ee904e5612f6.exe
Size

297KB
MD5

c1378f7991f51df8a693533c12d87b77
SHA1

a158c289e1f6016dbb9f31924e7bf3879f09653f
SHA256

7ab2228581a86441739dfb6f4e8057cd220abdabe13fa2f2a8d9ee904e5612f6
SHA512

7537668e6851d415dbf2635aee2daff4348664ee16bb58e2d14f8fcb6b8f314ec1a65c7286341012727a1902e1f31b71c6a9dd00c9cd4be6b03d248f9deb68d7
SSDEEP

3072:0n7mRSVeIn8O9iyGvSzQb6SEZ5Q3tmsvL88dXa23CcxsD4zpS9uSRh5qHeNNrAjp:AQkTiyGvSzhsvL8K3Cv4g9vh0Gof

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
282dad126e565baaaf231822cab8d693912f9b76b528a6f568b2bac069b49e61

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Executes dropped EXE 1 IoCs

Processes:

svcservice.exe

pid process

1756 svcservice.exe

pid	process
1756	svcservice.exe

Loads dropped DLL 2 IoCs

Processes:

7ab2228581a86441739dfb6f4e8057cd220abdabe13fa2f2a8d9ee904e5612f6.exe

pid	process
1676	7ab2228581a86441739dfb6f4e8057cd220abdabe13fa2f2a8d9ee904e5612f6.exe
1676	7ab2228581a86441739dfb6f4e8057cd220abdabe13fa2f2a8d9ee904e5612f6.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7ab2228581a86441739dfb6f4e8057cd220abdabe13fa2f2a8d9ee904e5612f6.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	7ab2228581a86441739dfb6f4e8057cd220abdabe13fa2f2a8d9ee904e5612f6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

7ab2228581a86441739dfb6f4e8057cd220abdabe13fa2f2a8d9ee904e5612f6.exe

description	pid	process	target process
PID 1676 wrote to memory of 1756	1676	7ab2228581a86441739dfb6f4e8057cd220abdabe13fa2f2a8d9ee904e5612f6.exe	svcservice.exe
PID 1676 wrote to memory of 1756	1676	7ab2228581a86441739dfb6f4e8057cd220abdabe13fa2f2a8d9ee904e5612f6.exe	svcservice.exe
PID 1676 wrote to memory of 1756	1676	7ab2228581a86441739dfb6f4e8057cd220abdabe13fa2f2a8d9ee904e5612f6.exe	svcservice.exe
PID 1676 wrote to memory of 1756	1676	7ab2228581a86441739dfb6f4e8057cd220abdabe13fa2f2a8d9ee904e5612f6.exe	svcservice.exe

C:\Users\Admin\AppData\Local\Temp\7ab2228581a86441739dfb6f4e8057cd220abdabe13fa2f2a8d9ee904e5612f6.exe
"C:\Users\Admin\AppData\Local\Temp\7ab2228581a86441739dfb6f4e8057cd220abdabe13fa2f2a8d9ee904e5612f6.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1676

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
"C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
2⤵
- Executes dropped EXE
PID:1756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
Filesize
515.0MB

MD5
16ae3b3e337d3f85aaa6b33e08b38275

SHA1
2b0e0b326927ec121da72d79374536d6a804f504

SHA256
5981efbc5bfde6fb469988bed79030a22277e0ad6c3668e0d055e2a026f2f1e2

SHA512
6ea5c82ff62a537c7b3d6c159e25b54d3cd3e66764b8377ffea6e28cdcb785bc607b63e65b491b2926d8a971fae4128a43e67c6fd14833c9e12d66008fd326ce

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
Filesize
536.6MB

MD5
5bca76c68cfcce6b3d063fed0a61aa96

SHA1
10252bdb41856ea17e480b24a2a15f4ee1155098

SHA256
cf96a9c51cf4e0788aeeed9951e46f4a5797902841abc1c07126b4948be49bb6

SHA512
6a96236b000ee09bfa9bd48b06d31702d76c97591205ec6e8327d2bd693f49765069d59f9308eab5a1a3ae0f5962bde9f1612d8fc7d54b73e2909014258ff4c9

Download Submit
\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
Filesize
371.9MB

MD5
3c9c2c32b59814b5267ef7fc3ced6bf8

SHA1
4d20898f05e0fa4b45289749218b9291d45effe6

SHA256
2d67c41c33c214aa27e27c6f7ba170c607e777b9ee93fcaca07dab485963ae84

SHA512
c8520cb9c02a44949448d790472c7b524295bbb521f3fe3acdc7ada101fee9691f2ed52b769825b728e457baf4b439c4aef626b7ff82d4df59fabf4e060b770e

Download Submit
\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
Filesize
564.9MB

MD5
f65e23f7824e15354df16b8c61cdaf2b

SHA1
b0e722e5e696dc2313df5a5be8b6e804c793c623

SHA256
2624b90e243a2079b7186d57a12ee78be4c86405bcd4f53416c93ab781195f33

SHA512
296b2d69529182d637068cfda2184a2eb03ae519386a53db7add309217ece75da96c6d7f9d7cad0d491b9b75943c7c734b4906836e12e83bad7828ec18a9f12b

Download Submit
memory/1676-55-0x0000000000220000-0x000000000025B000-memory.dmp

Filesize
236KB

Download
memory/1676-64-0x0000000000400000-0x0000000002B78000-memory.dmp

Filesize
39.5MB

Download
memory/1756-67-0x0000000000400000-0x0000000002B78000-memory.dmp

Filesize
39.5MB

Download