laplas | 42a55a367750fc5e5c7583b413d02166bd5fccfc48c124e35d650b1878f25bd9

Analysis

max time kernel
139s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
03-04-2023 14:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

231KB
MD5

ebb91f36dddcc249a0a99fe6c91b3327
SHA1

46823571b6adc8278ae0031ee8843a67cb8eda47
SHA256

42a55a367750fc5e5c7583b413d02166bd5fccfc48c124e35d650b1878f25bd9
SHA512

ee575500efc7cab52802b5936dc92eb5effb157987b24fe3190957c69a544fd2c37016fa3a6e8c3f5cf79e90454290b71872f9453eeb4d1521302175fbe57460
SSDEEP

3072:wXUhQztlGtv5H3IboGhDuqaoBHZ9AWoKIJaBnS0sztA4lmS/r+KWVOAg0FujDFkF:MzM54bisZ9ACIQBgz/ldnAOtsv

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
282dad126e565baaaf231822cab8d693912f9b76b528a6f568b2bac069b49e61

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	file.exe

Executes dropped EXE 1 IoCs

pid	Process
4828	svcservice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3612 wrote to memory of 4828	3612	file.exe	84
PID 3612 wrote to memory of 4828	3612	file.exe	84
PID 3612 wrote to memory of 4828	3612	file.exe	84

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
  2⤵
  - Executes dropped EXE
  PID:4828

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
690.8MB

MD5
69f0530f7f66f8564823bdd5e60b2564

SHA1
1f5717c2009013e26a87e6361cabdacf388e7559

SHA256
5f5f6614b70fcad7ad36f5d672b966c715fa9aa59ee08589bdcc49e214d1a6ff

SHA512
322673b03285acb31631d9c06271b96fc4dbae814f93204c41ef563d86fc1ac75955d0df0b6814a35ebf35097f70f53bbb5ad478986a7a720919b1917475d8b5

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
555.1MB

MD5
42ed2e16ad5559941219cfafc0846ab7

SHA1
968c949161685183f33d0805fc200e13430e27ab

SHA256
cb633cb157f91772fc16976159421d181e07d10f0345a6cdd08cdc8fbd794a23

SHA512
86cd77d0c0c48a9942e4009c0912efb52fbb72e67efb3390575edd91dc76ab9e4785dac83a9c70c86344d5b205c3f56f251c182afdc20d14b3faa8bf809eb1d7

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
550.1MB

MD5
3877e4c6344cb993931a457462aa09f0

SHA1
7599d321ef850ad392c4bd556ae40b478500e080

SHA256
8eb4da0a410d1cd1f689e0c6589a404996723f1a6c5de75e9f2c8ca6071930ef

SHA512
3cf2be06ce085429656ede88fb36cfd91670daca271cbb3dc51308926c0ad5e6bd75573837a61ce46bcfa24d9aff70c8d433e4fb734c09f4cdd18ec5e0210677

Download Submit