laplas | 64b965beccd214a869629c202905642aec12eb0814bd773c264f845cb7a211e2

Analysis

max time kernel
62s
max time network
69s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-04-2023 15:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

vddsc.exe
Size

5.8MB
MD5

e7a69210f26c7944b6e267d0d73af320
SHA1

cc03fe693690e4f45a7cca31782292f69e505801
SHA256

64b965beccd214a869629c202905642aec12eb0814bd773c264f845cb7a211e2
SHA512

44345416a657e5612fe6af6d6203f25e5bb501862f83c0a688b8fbab0cdd4929b309e32fa6770fe18a47bf62d91688fc761761d0f457e37bbc11abe16adace07
SSDEEP

98304:udcR2OyrVRPLlO/otpGnOYwxR7hv88+MqgtJjKniUDsMsqAnqCN7hm:ueVyrLg/onGl9pMbtJjKiOpAqCN7h

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://212.113.106.172

Attributes

api_key
a8f23fb9332db9a7947580ee498822bfe375b57ad7eb47370c7209509050c298

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	vddsc.exe

Executes dropped EXE 1 IoCs

pid	Process
3348	svcservice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	vddsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4284	vddsc.exe
4284	vddsc.exe
4284	vddsc.exe
4284	vddsc.exe
3348	svcservice.exe
3348	svcservice.exe
3348	svcservice.exe
3348	svcservice.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 3348	4284	vddsc.exe	87
PID 4284 wrote to memory of 3348	4284	vddsc.exe	87
PID 4284 wrote to memory of 3348	4284	vddsc.exe	87

C:\Users\Admin\AppData\Local\Temp\vddsc.exe
"C:\Users\Admin\AppData\Local\Temp\vddsc.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
112.4MB

MD5
ccedb498681681d2cad71ea6e5fa18f6

SHA1
2608e18f64e9945562bdfadc5a8588eae11aee59

SHA256
b3030bd300fcc907c267bb79046429497040aa87fe86acd26984e7dccf1ca2ac

SHA512
f86620c55ef36a4a4eeb2ae6c4edffc18cb73a48c55f701bf6e8986271ac91eabdad096d4b19cbf01bfe831ee2f1769abea1d64f4343206daef02c4b14fbe72d

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
92.2MB

MD5
3d0bf1b0ff6ed51e4744648b7e006efe

SHA1
5c3eef1eadfdc36615789db9dadc16243405b3f1

SHA256
10de3bdc04e110df2e5bf929a6c299ff9b8ec1e73dbd79652a9c165c37985787

SHA512
5d6eacbdfb5362814c2a1c2c33774db3e0a7ad5f7fbd5f6bf3599dbe1b83177d2c03445f68bdf5ecc4f05bc93fe536b16234eeee4e9e7cb23ee4f58bfe29e203

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
93.4MB

MD5
f015aad26b541189b35f7e393c0905ba

SHA1
df337093eaa73435025b7b546fbde901c6704c9d

SHA256
a799b4c4ac6d01fa2df7687a6af89f55c07f65d35d49a5be2a2d254ebac50408

SHA512
e0c6b615f8f30b56e15cfe603678eba5e76b2d1768fe2dd5477cd96c3f0128ac9f10651ecb88204fbbceaef5829b41c6fed37b9cdda3ec08f9a7bb1f2da28928

Download Submit
memory/3348-148-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/3348-149-0x0000000000400000-0x0000000000D10000-memory.dmp

Filesize
9.1MB

Download
memory/4284-133-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/4284-134-0x0000000000400000-0x0000000000D10000-memory.dmp

Filesize
9.1MB

Download