laplas | 6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f

Analysis

max time kernel
87s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-04-2023 13:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VoiceControlEngine.exe
Size

5.9MB
MD5

aa57f0d7a099773175006624cc891b29
SHA1

44598d94dac6e9c72ffe65f9e17cf77c2c73e6fe
SHA256

6227df9ce53429b024cb2fa118a7a735ec1c048117cb1a46247e92f1b839814f
SHA512

e0fff8e7d8de1dc5b3d84bdea90828f9739499183aabb11eb5b7600af132f8fa0569bc49d4ca21ec5df925482ec2149d0134a88a4e8a632cb0326444a6bc31b0
SSDEEP

98304:5fsK1JWzYls9x4CwqEZSK84oBfrNy+yvsHrj0XXrmca/mDU9vf2eESEGMeNR:hbJWzY4x4Tq7Kx4ybsHEnrmyg9vsSEps

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.159.189.105

Attributes

api_key
6a2714906f1325d666e4cf9f6269c2352ccfb7e7f1a23c114287dc69ddf27cb0

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	VoiceControlEngine.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	VoiceControlEngine.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	svcservice.exe

Executes dropped EXE 1 IoCs

pid	Process
1680	svcservice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	VoiceControlEngine.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4016 set thread context of 1112	4016	VoiceControlEngine.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4384	powershell.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4384	powershell.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe
4016	VoiceControlEngine.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4016	VoiceControlEngine.exe
Token: SeDebugPrivilege	4384	powershell.exe
Token: SeDebugPrivilege	1680	svcservice.exe
Token: SeDebugPrivilege	2532	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4016 wrote to memory of 4384	4016	VoiceControlEngine.exe	78
PID 4016 wrote to memory of 4384	4016	VoiceControlEngine.exe	78
PID 4016 wrote to memory of 4384	4016	VoiceControlEngine.exe	78
PID 4016 wrote to memory of 1112	4016	VoiceControlEngine.exe	91
PID 4016 wrote to memory of 1112	4016	VoiceControlEngine.exe	91
PID 4016 wrote to memory of 1112	4016	VoiceControlEngine.exe	91
PID 4016 wrote to memory of 1112	4016	VoiceControlEngine.exe	91
PID 4016 wrote to memory of 1112	4016	VoiceControlEngine.exe	91
PID 4016 wrote to memory of 1112	4016	VoiceControlEngine.exe	91
PID 4016 wrote to memory of 1112	4016	VoiceControlEngine.exe	91
PID 4016 wrote to memory of 1112	4016	VoiceControlEngine.exe	91
PID 4016 wrote to memory of 1112	4016	VoiceControlEngine.exe	91
PID 4016 wrote to memory of 1112	4016	VoiceControlEngine.exe	91
PID 1112 wrote to memory of 1680	1112	VoiceControlEngine.exe	92
PID 1112 wrote to memory of 1680	1112	VoiceControlEngine.exe	92
PID 1112 wrote to memory of 1680	1112	VoiceControlEngine.exe	92
PID 1680 wrote to memory of 2532	1680	svcservice.exe	93
PID 1680 wrote to memory of 2532	1680	svcservice.exe	93
PID 1680 wrote to memory of 2532	1680	svcservice.exe	93

C:\Users\Admin\AppData\Local\Temp\VoiceControlEngine.exe
"C:\Users\Admin\AppData\Local\Temp\VoiceControlEngine.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQA1AA==
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4384
- C:\Users\Admin\AppData\Local\Temp\VoiceControlEngine.exe
  C:\Users\Admin\AppData\Local\Temp\VoiceControlEngine.exe
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQA1AA==
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2532
  - - C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      4⤵
      PID:1372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
4280e36a29fa31c01e4d8b2ba726a0d8

SHA1
c485c2c9ce0a99747b18d899b71dfa9a64dabe32

SHA256
e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

SHA512
494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
9cd5263e114e014e1be52eb11ecf49d8

SHA1
401bed7ad5dd70ebd755fc70a736cca10c670a76

SHA256
2325cefab61c4a78306a4b271a253f86e704629fa7465cd2f42573ffb58490ac

SHA512
f40e05f43a3c02e0a55b74831f1d4bd1325629fc8f87e8eddb4de3e3e36151157e2ea5723dd4525064d04f05b7d53da5875fae8b3a9712df47d1795a027f8428

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vhl0msu4.tef.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
650.6MB

MD5
37b6addceef59ce1bd11372f8baddef3

SHA1
93f5bc8f600e13f40e3fec0428832bb9ce1cc5b5

SHA256
820c2e67d6a2053ad287fe68c3a102bdf54f35a9048281602fe3d2f4f5175b05

SHA512
7b60d8644fded418b49ca1f0fc36e23c4c3dd9f8354cb89b845dfbbac117efabbef96b16e19c159df663f6644107ee38cb8ed1fb5ce814dcc0520fc52fb033f7

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
582.6MB

MD5
3b65c96b84808e33c166f7a212245ddc

SHA1
f524f256623bca270d4204ef5d8c5e8229e9ec3b

SHA256
f21c4c0fc645299e5732ade76e2e7f44edb70d4ce8978f69ffbf6fb9b88e4df9

SHA512
9e1af05857a792f559ba0075b3168dccd9f825a827aea5f611b289078522cd2ad001c23804bb0e84950496438e5562804e101dd69849b9c4e5d0a71319962a71

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
562.1MB

MD5
651f4a5a34f87475a14f7eb483a9f5e8

SHA1
03facf366f79f891ee386687fb44d64cda3160ad

SHA256
7e2ab90bfbf2ee87e3fc3cf838461e1a495939c3b357b73817bcdd81f7b301b4

SHA512
b033d15004d1ed70efb3b82427dad758288dfe4d8d98769452131c9b75f5a73a72a42b425a42f43bd5b93b70587dad16c2dad2c922c4f94b39e9145bfe8158a1

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
95.8MB

MD5
8268333f375d6915762936d50a9a53f4

SHA1
6278a633a944d98fe8c2380a2baabf1ad033d8f6

SHA256
cce0fa8cf24593c51927f66bbaa10f9691fb1a77cb9488dafef152f5733ce53b

SHA512
00977c43180ca78b324a819ab885a996b0d6ebca0561e90d80dd94309ea5af71b29aa49d6a0a2a384ded671dbfdc4c7327ff2dc39b96f029f9b9d41f533e6182

Download Submit
memory/1112-162-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1112-163-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1112-180-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1112-166-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1112-165-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1372-201-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1372-203-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1372-204-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1680-181-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download
memory/1680-183-0x00000000052F0000-0x0000000005300000-memory.dmp

Filesize
64KB

Download
memory/2532-197-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/2532-196-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/2532-184-0x0000000004FF0000-0x0000000005000000-memory.dmp

Filesize
64KB

Download
memory/4016-155-0x0000000005860000-0x0000000005870000-memory.dmp

Filesize
64KB

Download
memory/4016-135-0x0000000006220000-0x0000000006242000-memory.dmp

Filesize
136KB

Download
memory/4016-133-0x0000000000C80000-0x0000000000EC8000-memory.dmp

Filesize
2.3MB

Download
memory/4016-134-0x0000000005860000-0x0000000005870000-memory.dmp

Filesize
64KB

Download
memory/4384-139-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/4384-138-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/4384-137-0x0000000005720000-0x0000000005D48000-memory.dmp

Filesize
6.2MB

Download
memory/4384-146-0x0000000005F40000-0x0000000005FA6000-memory.dmp

Filesize
408KB

Download
memory/4384-140-0x0000000005690000-0x00000000056F6000-memory.dmp

Filesize
408KB

Download
memory/4384-136-0x0000000002F90000-0x0000000002FC6000-memory.dmp

Filesize
216KB

Download
memory/4384-158-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/4384-157-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/4384-156-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/4384-154-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/4384-153-0x0000000006A60000-0x0000000006A7A000-memory.dmp

Filesize
104KB

Download
memory/4384-152-0x0000000007BD0000-0x000000000824A000-memory.dmp

Filesize
6.5MB

Download
memory/4384-151-0x0000000006560000-0x000000000657E000-memory.dmp

Filesize
120KB

Download