laplas | 6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f

Analysis

max time kernel
244s
max time network
249s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
03-04-2023 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
Size

5.9MB
MD5

aa57f0d7a099773175006624cc891b29
SHA1

44598d94dac6e9c72ffe65f9e17cf77c2c73e6fe
SHA256

6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f
SHA512

e0fff8e7d8de1dc5b3d84bdea90828f9739499183aabb11eb5b7600af132f8fa0569bc49d4ca21ec5df925482ec2149d0134a88a4e8a632cb0326444a6bc31b0
SSDEEP

98304:5fsK1JWzYls9x4CwqEZSK84oBfrNy+yvsHrj0XXrmca/mDU9vf2eESEGMeNR:hbJWzY4x4Tq7Kx4ybsHEnrmyg9vsSEps

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
6a2714906f1325d666e4cf9f6269c2352ccfb7e7f1a23c114287dc69ddf27cb0

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 2 IoCs

pid	Process
1624	svcservice.exe
1128	svcservice.exe

Loads dropped DLL 1 IoCs

pid	Process
868	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1704 set thread context of 868	1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe	30
PID 1624 set thread context of 1128	1624	svcservice.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
556	powershell.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
1624	svcservice.exe
1624	svcservice.exe
1624	svcservice.exe
1624	svcservice.exe
1624	svcservice.exe
1624	svcservice.exe
1624	svcservice.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
Token: SeDebugPrivilege	556	powershell.exe
Token: SeDebugPrivilege	1624	svcservice.exe
Token: SeDebugPrivilege	1752	powershell.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 556	1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe	28
PID 1704 wrote to memory of 556	1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe	28
PID 1704 wrote to memory of 556	1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe	28
PID 1704 wrote to memory of 556	1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe	28
PID 1704 wrote to memory of 868	1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe	30
PID 1704 wrote to memory of 868	1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe	30
PID 1704 wrote to memory of 868	1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe	30
PID 1704 wrote to memory of 868	1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe	30
PID 1704 wrote to memory of 868	1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe	30
PID 1704 wrote to memory of 868	1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe	30
PID 1704 wrote to memory of 868	1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe	30
PID 1704 wrote to memory of 868	1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe	30
PID 1704 wrote to memory of 868	1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe	30
PID 1704 wrote to memory of 868	1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe	30
PID 1704 wrote to memory of 868	1704	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe	30
PID 868 wrote to memory of 1624	868	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe	31
PID 868 wrote to memory of 1624	868	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe	31
PID 868 wrote to memory of 1624	868	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe	31
PID 868 wrote to memory of 1624	868	6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe	31
PID 1624 wrote to memory of 1752	1624	svcservice.exe	32
PID 1624 wrote to memory of 1752	1624	svcservice.exe	32
PID 1624 wrote to memory of 1752	1624	svcservice.exe	32
PID 1624 wrote to memory of 1752	1624	svcservice.exe	32
PID 1624 wrote to memory of 1128	1624	svcservice.exe	34
PID 1624 wrote to memory of 1128	1624	svcservice.exe	34
PID 1624 wrote to memory of 1128	1624	svcservice.exe	34
PID 1624 wrote to memory of 1128	1624	svcservice.exe	34
PID 1624 wrote to memory of 1128	1624	svcservice.exe	34
PID 1624 wrote to memory of 1128	1624	svcservice.exe	34
PID 1624 wrote to memory of 1128	1624	svcservice.exe	34
PID 1624 wrote to memory of 1128	1624	svcservice.exe	34
PID 1624 wrote to memory of 1128	1624	svcservice.exe	34
PID 1624 wrote to memory of 1128	1624	svcservice.exe	34
PID 1624 wrote to memory of 1128	1624	svcservice.exe	34

C:\Users\Admin\AppData\Local\Temp\6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
"C:\Users\Admin\AppData\Local\Temp\6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQA1AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:556
- C:\Users\Admin\AppData\Local\Temp\6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
  C:\Users\Admin\AppData\Local\Temp\6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f.exe
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQA1AA==
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1752
  - - C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      4⤵
      Executes dropped EXE
      PID:1128

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HLGL04FLX0H0BZ8M7T9I.temp

Filesize
7KB

MD5
6e55e8e0ec6b4714afac193a9f018ad3

SHA1
5edbc512984be126a3ac0ef8a8547b76693abe06

SHA256
0db7779f79e247b810e45941239e2aa33dcba741d0ee030dcf48c9924324d90b

SHA512
0ebea634e7cb21d0cb85b6871546869e6d59b6318be344ef30cb934d82d6a8f966a819d392321fa1df2c841da9d75a004e15887e9f472c8819eaf874eeee545b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
6e55e8e0ec6b4714afac193a9f018ad3

SHA1
5edbc512984be126a3ac0ef8a8547b76693abe06

SHA256
0db7779f79e247b810e45941239e2aa33dcba741d0ee030dcf48c9924324d90b

SHA512
0ebea634e7cb21d0cb85b6871546869e6d59b6318be344ef30cb934d82d6a8f966a819d392321fa1df2c841da9d75a004e15887e9f472c8819eaf874eeee545b

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
830.9MB

MD5
7d44be292eb09551be1653fa7547af3a

SHA1
3f05a7f137e4e868a23e50b3edc57b560adf29d3

SHA256
bf325835275c7934077e26155dd2863c777c5f154b0b229217874f15ae9f366a

SHA512
cee7e39073f3b665bb4828db58a9d81916ee5717a64590e17d61effe27a233f19bc197b452f481ec643d4ec967a6e2c3ae309d48b08db5d75ea851df61ac53eb

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
830.9MB

MD5
7d44be292eb09551be1653fa7547af3a

SHA1
3f05a7f137e4e868a23e50b3edc57b560adf29d3

SHA256
bf325835275c7934077e26155dd2863c777c5f154b0b229217874f15ae9f366a

SHA512
cee7e39073f3b665bb4828db58a9d81916ee5717a64590e17d61effe27a233f19bc197b452f481ec643d4ec967a6e2c3ae309d48b08db5d75ea851df61ac53eb

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
830.9MB

MD5
7d44be292eb09551be1653fa7547af3a

SHA1
3f05a7f137e4e868a23e50b3edc57b560adf29d3

SHA256
bf325835275c7934077e26155dd2863c777c5f154b0b229217874f15ae9f366a

SHA512
cee7e39073f3b665bb4828db58a9d81916ee5717a64590e17d61effe27a233f19bc197b452f481ec643d4ec967a6e2c3ae309d48b08db5d75ea851df61ac53eb

Download Submit
\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
830.9MB

MD5
7d44be292eb09551be1653fa7547af3a

SHA1
3f05a7f137e4e868a23e50b3edc57b560adf29d3

SHA256
bf325835275c7934077e26155dd2863c777c5f154b0b229217874f15ae9f366a

SHA512
cee7e39073f3b665bb4828db58a9d81916ee5717a64590e17d61effe27a233f19bc197b452f481ec643d4ec967a6e2c3ae309d48b08db5d75ea851df61ac53eb

Download Submit
memory/556-62-0x0000000002760000-0x00000000027A0000-memory.dmp

Filesize
256KB

Download
memory/868-64-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/868-71-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/868-66-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/868-67-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/868-69-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/868-68-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/868-70-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/868-65-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/868-73-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/868-74-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/868-80-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1128-107-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1128-102-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1624-93-0x0000000004C70000-0x0000000004CB0000-memory.dmp

Filesize
256KB

Download
memory/1624-83-0x0000000000C50000-0x0000000000E98000-memory.dmp

Filesize
2.3MB

Download
memory/1624-84-0x0000000004C70000-0x0000000004CB0000-memory.dmp

Filesize
256KB

Download
memory/1704-59-0x0000000004400000-0x0000000004492000-memory.dmp

Filesize
584KB

Download
memory/1704-57-0x0000000004AE0000-0x0000000004B20000-memory.dmp

Filesize
256KB

Download
memory/1704-56-0x0000000005400000-0x0000000005534000-memory.dmp

Filesize
1.2MB

Download
memory/1704-58-0x0000000000820000-0x0000000000856000-memory.dmp

Filesize
216KB

Download
memory/1704-63-0x0000000004AE0000-0x0000000004B20000-memory.dmp

Filesize
256KB

Download
memory/1704-55-0x0000000005260000-0x00000000053FE000-memory.dmp

Filesize
1.6MB

Download
memory/1704-54-0x0000000000860000-0x0000000000AA8000-memory.dmp

Filesize
2.3MB

Download
memory/1752-91-0x00000000028F0000-0x0000000002930000-memory.dmp

Filesize
256KB

Download
memory/1752-92-0x00000000028F0000-0x0000000002930000-memory.dmp

Filesize
256KB

Download
memory/1752-94-0x00000000028F0000-0x0000000002930000-memory.dmp

Filesize
256KB

Download
memory/1752-95-0x00000000028F0000-0x0000000002930000-memory.dmp

Filesize
256KB

Download