laplas | a9ba63a83e9b72084122461508f66d9a445093500396e02b67f1dcd7e052f15a

General

Target

dawxa.exe
Size

727.1MB
MD5

6804b55133ae5596dbe5f66dadbf2b6c
SHA1

e86f29cab01ff8e8aa3c2b6eaf6ebed92b548d55
SHA256

a9ba63a83e9b72084122461508f66d9a445093500396e02b67f1dcd7e052f15a
SHA512

1735412f459375a393c0a3da305fcdcae961d9b4ba16fbf521ec7af1b9521ab637404c95362abc19cefc77ba726083430ac37280e976588bd0874e24e9276543
SSDEEP

98304:/+l8XYIVemDeKL2VfHg3spY6hqLgE9ywuFtA40s/sTr0DfxxSJZfpqbTU7VZd6H3:l/ftL2f+6MLr0wsf0HTr0D5mmGdbe

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://212.113.106.172

Attributes

api_key
a8f23fb9332db9a7947580ee498822bfe375b57ad7eb47370c7209509050c298

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	dawxa.exe

Executes dropped EXE 1 IoCs

pid	Process
5096	svcservice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	dawxa.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4424	dawxa.exe
4424	dawxa.exe
5096	svcservice.exe
5096	svcservice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4424	dawxa.exe
4424	dawxa.exe
4424	dawxa.exe
4424	dawxa.exe
5096	svcservice.exe
5096	svcservice.exe
5096	svcservice.exe
5096	svcservice.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 5096	4424	dawxa.exe	89
PID 4424 wrote to memory of 5096	4424	dawxa.exe	89
PID 4424 wrote to memory of 5096	4424	dawxa.exe	89

C:\Users\Admin\AppData\Local\Temp\dawxa.exe
"C:\Users\Admin\AppData\Local\Temp\dawxa.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:5096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
725.1MB

MD5
850a4c7295a3eefb57a9cfc116eae77f

SHA1
293ff6126a15a05787985daf10dfc1eaf8c57b6f

SHA256
8024e739ffbe6062a9a97105efba9e00d2e2231503fc348b196270ddc1aa4c2c

SHA512
a69c0277a591d81e8b7dc09fdd704dafe088745ea2aa31e753018dc9fe7a949228155b456cb2b5ad90e86dbd6acec2cdf95cff36734bcd22558133a40e60ec46

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
719.1MB

MD5
272d044cf34de04b7c0a7a94db0e0639

SHA1
c3e86b3be4dbf4c55e5ed95d844cedb57345862d

SHA256
66f3e2a5f25629d715321fb72b1825609021381cc0757ef96ea9c036ec73ab4e

SHA512
f28b372b462c9fffcda278232a30c80c1e6bd4f8972c0b89733c852a600c38ae46e0f1b4ffee0a673d91bcd9b6207bd03aa6e000923348a4a5239363e92183af

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
720.0MB

MD5
50541f362a5e50ddc837e90bbc588222

SHA1
1076e972430ac31c2f477ca5bd8a64ae7f15f9a9

SHA256
9b3256f05e8b33725e79b4dbc059a824ecc492350bc7cd36a690993217706d00

SHA512
23effa8ab4c9ed053b9866baf60c7cfd7db418e5c87e7fbb28cb7cfb8e78566274f69fc66b7ef2470c864ca03925816447bf569449b149ec129e59b4bb85cee5

Download Submit
memory/4424-138-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/4424-137-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/4424-133-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/4424-139-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/4424-140-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/4424-141-0x0000000000400000-0x0000000000B2B000-memory.dmp

Filesize
7.2MB

Download
memory/4424-136-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/4424-135-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/4424-134-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/5096-154-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/5096-155-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/5096-156-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/5096-157-0x0000000002680000-0x0000000002681000-memory.dmp

Filesize
4KB

Download
memory/5096-153-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/5096-159-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/5096-158-0x0000000002690000-0x0000000002691000-memory.dmp

Filesize
4KB

Download
memory/5096-160-0x00000000026B0000-0x00000000026B1000-memory.dmp

Filesize
4KB

Download
memory/5096-161-0x0000000000400000-0x0000000000B2B000-memory.dmp

Filesize
7.2MB

Download

Analysis

Sharing