Analysis

  • max time kernel
    139s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-04-2023 14:54

General

  • Target

    file.exe

  • Size

    231KB

  • MD5

    ebb91f36dddcc249a0a99fe6c91b3327

  • SHA1

    46823571b6adc8278ae0031ee8843a67cb8eda47

  • SHA256

    42a55a367750fc5e5c7583b413d02166bd5fccfc48c124e35d650b1878f25bd9

  • SHA512

    ee575500efc7cab52802b5936dc92eb5effb157987b24fe3190957c69a544fd2c37016fa3a6e8c3f5cf79e90454290b71872f9453eeb4d1521302175fbe57460

  • SSDEEP

    3072:wXUhQztlGtv5H3IboGhDuqaoBHZ9AWoKIJaBnS0sztA4lmS/r+KWVOAg0FujDFkF:MzM54bisZ9ACIQBgz/ldnAOtsv

Malware Config

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes
  • api_key

    282dad126e565baaaf231822cab8d693912f9b76b528a6f568b2bac069b49e61

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3612
    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
      2⤵
      • Executes dropped EXE
      PID:4828

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence: Registry Run Keys / Startup Folder (1) T1060
  • Defense Evasion: Modify Registry (1) T1112
  • Discovery: Query Registry (1) T1012
  • Discovery: System Information Discovery (2) T1082

Downloads

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    690.8MB

    MD5

    69f0530f7f66f8564823bdd5e60b2564

    SHA1

    1f5717c2009013e26a87e6361cabdacf388e7559

    SHA256

    5f5f6614b70fcad7ad36f5d672b966c715fa9aa59ee08589bdcc49e214d1a6ff

    SHA512

    322673b03285acb31631d9c06271b96fc4dbae814f93204c41ef563d86fc1ac75955d0df0b6814a35ebf35097f70f53bbb5ad478986a7a720919b1917475d8b5

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    555.1MB

    MD5

    42ed2e16ad5559941219cfafc0846ab7

    SHA1

    968c949161685183f33d0805fc200e13430e27ab

    SHA256

    cb633cb157f91772fc16976159421d181e07d10f0345a6cdd08cdc8fbd794a23

    SHA512

    86cd77d0c0c48a9942e4009c0912efb52fbb72e67efb3390575edd91dc76ab9e4785dac83a9c70c86344d5b205c3f56f251c182afdc20d14b3faa8bf809eb1d7

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    550.1MB

    MD5

    3877e4c6344cb993931a457462aa09f0

    SHA1

    7599d321ef850ad392c4bd556ae40b478500e080

    SHA256

    8eb4da0a410d1cd1f689e0c6589a404996723f1a6c5de75e9f2c8ca6071930ef

    SHA512

    3cf2be06ce085429656ede88fb36cfd91670daca271cbb3dc51308926c0ad5e6bd75573837a61ce46bcfa24d9aff70c8d433e4fb734c09f4cdd18ec5e0210677