laplas | 42a55a367750fc5e5c7583b413d02166bd5fccfc48c124e35d650b1878f25bd9

Analysis

max time kernel
130s
max time network
135s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
03-04-2023 14:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

231KB
MD5

ebb91f36dddcc249a0a99fe6c91b3327
SHA1

46823571b6adc8278ae0031ee8843a67cb8eda47
SHA256

42a55a367750fc5e5c7583b413d02166bd5fccfc48c124e35d650b1878f25bd9
SHA512

ee575500efc7cab52802b5936dc92eb5effb157987b24fe3190957c69a544fd2c37016fa3a6e8c3f5cf79e90454290b71872f9453eeb4d1521302175fbe57460
SSDEEP

3072:wXUhQztlGtv5H3IboGhDuqaoBHZ9AWoKIJaBnS0sztA4lmS/r+KWVOAg0FujDFkF:MzM54bisZ9ACIQBgz/ldnAOtsv

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
282dad126e565baaaf231822cab8d693912f9b76b528a6f568b2bac069b49e61

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
892	svcservice.exe

Loads dropped DLL 1 IoCs

pid	Process
1704	file.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 892	1704	file.exe	27
PID 1704 wrote to memory of 892	1704	file.exe	27
PID 1704 wrote to memory of 892	1704	file.exe	27
PID 1704 wrote to memory of 892	1704	file.exe	27

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
  2⤵
  - Executes dropped EXE
  PID:892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
805.2MB

MD5
94b8a318360f750565ddd61b5f23e95c

SHA1
a63b2b029c06f0d4b210ed6245993b94594e8c27

SHA256
95b0a24c48f910802810e7da0b666c640de60fc8389df450278185a563e577a7

SHA512
36e8e71153e4f8aca132d23b68468759dcb5c0a5f1a59f508e9c188e93b23b398c3bedf8682f49801e414f49c1aefef86b130b0ad938ac4fb653a3df85c5484b

Download Submit
\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
805.2MB

MD5
94b8a318360f750565ddd61b5f23e95c

SHA1
a63b2b029c06f0d4b210ed6245993b94594e8c27

SHA256
95b0a24c48f910802810e7da0b666c640de60fc8389df450278185a563e577a7

SHA512
36e8e71153e4f8aca132d23b68468759dcb5c0a5f1a59f508e9c188e93b23b398c3bedf8682f49801e414f49c1aefef86b130b0ad938ac4fb653a3df85c5484b

Download Submit