Analysis

  • max time kernel
    130s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20230220-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    03-04-2023 14:54

General

  • Target

    file.exe

  • Size

    231KB

  • MD5

    ebb91f36dddcc249a0a99fe6c91b3327

  • SHA1

    46823571b6adc8278ae0031ee8843a67cb8eda47

  • SHA256

    42a55a367750fc5e5c7583b413d02166bd5fccfc48c124e35d650b1878f25bd9

  • SHA512

    ee575500efc7cab52802b5936dc92eb5effb157987b24fe3190957c69a544fd2c37016fa3a6e8c3f5cf79e90454290b71872f9453eeb4d1521302175fbe57460

  • SSDEEP

    3072:wXUhQztlGtv5H3IboGhDuqaoBHZ9AWoKIJaBnS0sztA4lmS/r+KWVOAg0FujDFkF:MzM54bisZ9ACIQBgz/ldnAOtsv

Malware Config

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes
  • api_key

    282dad126e565baaaf231822cab8d693912f9b76b528a6f568b2bac069b49e61

Signatures

  • Laplas Clipper

    Laplas Clipper is a clipboard hijacker that targets cryptocurrency wallets: it watches the clipboard for wallet addresses and replaces them with attacker-controlled ones fetched from its C2 (the extracted api_key is the token it presents to that C2). Three variants exist, written in Golang, C#, and C++.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The generic signature text flags this as likely ransomware behaviour, but this sample is classified as Laplas Clipper; treat the drive enumeration as system information discovery (T1082 in the matrix below), not as evidence of encryption activity.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
      • Executes dropped EXE
      PID:892
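The process tree, the extracted C2 and the file hashes above are the concrete indicators an analyst takes away from this report. The following is an added example, not part of the sandbox report, showing how to turn them into a matcher over host telemetry. The events it scans are constructed Sysmon-style records; the field names (event_type, image, target, key, value, dest_ip, size, md5, sha256) are an assumed schema rather than real Sysmon field names, the Run value name "svcservice" is assumed because the report does not give it, and the 500 MB padding threshold is a heuristic chosen here.

```python
"""Match host telemetry against the indicators in this Laplas Clipper report.

Added example, not part of the sandbox report. Event field names, the Run
value name "svcservice" and the padding threshold are assumptions.
"""
import hashlib
import io
import re

# Hashes copied from the report (file.exe and the dropped svcservice.exe).
IOC_HASHES = {
    "ebb91f36dddcc249a0a99fe6c91b3327",
    "42a55a367750fc5e5c7583b413d02166bd5fccfc48c124e35d650b1878f25bd9",
    "94b8a318360f750565ddd61b5f23e95c",
    "95b0a24c48f910802810e7da0b666c640de60fc8389df450278185a563e577a7",
}
# Extracted C2 from the report.
IOC_C2_HOSTS = {"45.159.189.105"}
# Drop location and Run-key persistence seen in the process tree.
DROP_PATH_RE = re.compile(r"\\AppData\\Roaming\\telemetry\\svcservice\.exe$", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# Heuristic threshold (assumption): a dropped PE this large is almost certainly padded.
PADDED_PE_BYTES = 500 * 1024 * 1024


def sha256_chunked(fobj, chunk=1 << 20):
    """Hash a file object in fixed-size chunks so an 805 MB padded dropper
    never has to be read into memory at once."""
    h = hashlib.sha256()
    for block in iter(lambda: fobj.read(chunk), b""):
        h.update(block)
    return h.hexdigest()


def sha256_file(path):
    """Chunked SHA-256 of an on-disk file (e.g. the dropped svcservice.exe)."""
    with open(path, "rb") as f:
        return sha256_chunked(f)


def sha256_bytes(data):
    """Same chunked routine over an in-memory buffer (tiny chunk to exercise the loop)."""
    return sha256_chunked(io.BytesIO(data), chunk=4)


def match_event(ev):
    """Return the list of indicator labels one event triggers (empty = clean)."""
    hits = []
    etype = ev.get("event_type")
    if etype == "process_create":
        if ev.get("md5", "").lower() in IOC_HASHES or ev.get("sha256", "").lower() in IOC_HASHES:
            hits.append("known_hash")
        if DROP_PATH_RE.search(ev.get("image", "")):
            hits.append("laplas_drop_path")
    elif etype == "file_create":
        if DROP_PATH_RE.search(ev.get("target", "")):
            hits.append("laplas_drop_path")
            if ev.get("size", 0) >= PADDED_PE_BYTES:
                hits.append("padded_pe")
    elif etype == "registry_set":
        # Run key whose data points at the dropped binary: the persistence step in the tree.
        if RUN_KEY_RE.search(ev.get("key", "")) and DROP_PATH_RE.search(ev.get("value", "")):
            hits.append("run_key_persistence")
    elif etype == "network_connect":
        if ev.get("dest_ip") in IOC_C2_HOSTS:
            hits.append("laplas_c2")
    return hits


def scan(events):
    """Map event index -> hit labels for every event that matched something."""
    findings = {}
    for i, ev in enumerate(events):
        hits = match_event(ev)
        if hits:
            findings[i] = hits
    return findings


# Constructed telemetry mirroring the report's process tree (not real logs).
SAMPLE_EVENTS = [
    {"event_type": "process_create", "pid": 1704,
     "image": r"C:\Users\Admin\AppData\Local\Temp\file.exe",
     "sha256": "42a55a367750fc5e5c7583b413d02166bd5fccfc48c124e35d650b1878f25bd9"},
    {"event_type": "file_create", "pid": 1704, "size": 844_300_000,
     "target": r"C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"},
    {"event_type": "registry_set", "pid": 1704,
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\svcservice",
     "value": r"C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"},
    {"event_type": "process_create", "pid": 892, "parent_pid": 1704,
     "image": r"C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe",
     "md5": "94b8a318360f750565ddd61b5f23e95c"},
    {"event_type": "network_connect", "pid": 892, "dest_ip": "45.159.189.105", "dest_port": 80},
    {"event_type": "process_create", "pid": 2000,
     "image": r"C:\Windows\System32\notepad.exe", "sha256": "0" * 64},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["event_type"], hits)
```

Hash matching alone is brittle against the padded second stage, because padding bytes can be varied per victim; the path, Run-key and C2 matches are the ones to keep in a detection rule, with the size check as supporting context.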

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence: Registry Run Keys / Startup Folder (T1060), 1 signature
  • Defense Evasion: Modify Registry (T1112), 1 signature
  • Discovery: System Information Discovery (T1082), 1 signature

Downloads

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    805.2MB (the dropper itself is 231KB; a dropped PE this large is consistent with size-inflation padding used to stay above AV and sandbox upload limits, so hash the file in chunks rather than loading it whole)

    MD5

    94b8a318360f750565ddd61b5f23e95c

    SHA1

    a63b2b029c06f0d4b210ed6245993b94594e8c27

    SHA256

    95b0a24c48f910802810e7da0b666c640de60fc8389df450278185a563e577a7

    SHA512

    36e8e71153e4f8aca132d23b68468759dcb5c0a5f1a59f508e9c188e93b23b398c3bedf8682f49801e414f49c1aefef86b130b0ad938ac4fb653a3df85c5484b