laplas | d0e05d14d752a572c57ccc42b3d79c8ea55c93062c2a3b73bf2e128f77678396

Resubmissions

01-02-2024 21:27

240201-1at8kaggbk 7

01-02-2024 21:16

240201-z4xecaece3 7

01-02-2024 21:11

240201-z1185ageem 7

11-04-2023 18:10

230411-wr28aafg6y 10

Analysis

max time kernel
138s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11-04-2023 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

McFree.exe
Size

3.9MB
MD5

fbb8b46f249d59713c89ce8f4d802a2b
SHA1

5aaaeb71083e189b07bcc30134689e326b42806d
SHA256

d0e05d14d752a572c57ccc42b3d79c8ea55c93062c2a3b73bf2e128f77678396
SHA512

d81b7aa5eea4bb46aaa2aec5cb5b39304ec864cc9be3ebf48bdce80c9b43d24dc61d11b290ae23330292f2babef329d2f892d9cb2f755b55b0619fb5fc293392
SSDEEP

98304:7ws/7iR7W3TBrHJWGs2NyqeoNE/7SRYY8CU:7wY0W3TVHJack+KCU

Score

10^/10

laplas vidar clipper discovery persistence spyware stealer upx

Malware Config

Extracted

Family

laplas

http://185.106.92.74

Attributes

api_key
bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	Ruzvelt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	71809567992795162921.exe

Executes dropped EXE 4 IoCs

pid	Process
3488	Ruzvelt.exe
4772	71809567992795162921.exe
4692	90483909308143088912.exe
3560	svcservice.exe

Loads dropped DLL 2 IoCs

pid	Process
3488	Ruzvelt.exe
3488	Ruzvelt.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0002000000022cb9-428.dat	upx
behavioral2/files/0x0002000000022cb9-430.dat	upx
behavioral2/files/0x0002000000022cb9-431.dat	upx
behavioral2/memory/4692-432-0x0000000000300000-0x0000000001163000-memory.dmp	upx
behavioral2/memory/4692-434-0x0000000000300000-0x0000000001163000-memory.dmp	upx

Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	71809567992795162921.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4772	71809567992795162921.exe
4772	71809567992795162921.exe
3560	svcservice.exe
3560	svcservice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4304	3488	WerFault.exe	85

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Ruzvelt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Ruzvelt.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1576	timeout.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3488	Ruzvelt.exe
3488	Ruzvelt.exe
4772	71809567992795162921.exe
4772	71809567992795162921.exe
3560	svcservice.exe
3560	svcservice.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1148	javaw.exe
1148	javaw.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 3520 wrote to memory of 1148	3520	McFree.exe	80
PID 3520 wrote to memory of 1148	3520	McFree.exe	80
PID 1148 wrote to memory of 2488	1148	javaw.exe	83
PID 1148 wrote to memory of 2488	1148	javaw.exe	83
PID 3868 wrote to memory of 3488	3868	explorer.exe	85
PID 3868 wrote to memory of 3488	3868	explorer.exe	85
PID 3868 wrote to memory of 3488	3868	explorer.exe	85
PID 3488 wrote to memory of 4772	3488	Ruzvelt.exe	87
PID 3488 wrote to memory of 4772	3488	Ruzvelt.exe	87
PID 3488 wrote to memory of 4772	3488	Ruzvelt.exe	87
PID 3488 wrote to memory of 4692	3488	Ruzvelt.exe	88
PID 3488 wrote to memory of 4692	3488	Ruzvelt.exe	88
PID 4692 wrote to memory of 1512	4692	90483909308143088912.exe	89
PID 4692 wrote to memory of 1512	4692	90483909308143088912.exe	89
PID 3488 wrote to memory of 2120	3488	Ruzvelt.exe	90
PID 3488 wrote to memory of 2120	3488	Ruzvelt.exe	90
PID 3488 wrote to memory of 2120	3488	Ruzvelt.exe	90
PID 1512 wrote to memory of 2236	1512	cmd.exe	95
PID 1512 wrote to memory of 2236	1512	cmd.exe	95
PID 2120 wrote to memory of 1576	2120	cmd.exe	96
PID 2120 wrote to memory of 1576	2120	cmd.exe	96
PID 2120 wrote to memory of 1576	2120	cmd.exe	96
PID 4772 wrote to memory of 3560	4772	71809567992795162921.exe	98
PID 4772 wrote to memory of 3560	4772	71809567992795162921.exe	98
PID 4772 wrote to memory of 3560	4772	71809567992795162921.exe	98

C:\Users\Admin\AppData\Local\Temp\McFree.exe
"C:\Users\Admin\AppData\Local\Temp\McFree.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Users\Admin\AppData\Local\Temp\McFree.exe" org.develnext.jphp.ext.javafx.FXLauncher
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Windows\explorer.exe
    explorer C:\Users\Admin\AppData\Local\Temp\Ruzvelt.exe
    3⤵
    PID:2488

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:3868
- C:\Users\Admin\AppData\Local\Temp\Ruzvelt.exe
  "C:\Users\Admin\AppData\Local\Temp\Ruzvelt.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\ProgramData\71809567992795162921.exe
    "C:\ProgramData\71809567992795162921.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4772
  - - C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      PID:3560
- - C:\ProgramData\90483909308143088912.exe
    "C:\ProgramData\90483909308143088912.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4692
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\ProgramData\90483909308143088912.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1512
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 0
        5⤵
        
        PID:2236
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Ruzvelt.exe" & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 6
      4⤵
      Delays execution with timeout.exe
      PID:1576
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 1864
    3⤵
    - Program crash
    PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3488 -ip 3488
1⤵
PID:4064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\71809567992795162921.exe

Filesize
7.2MB

MD5
c5e0fb4ecaa8a7481a283099d604f7a0

SHA1
df4b0c0cc823da2b0443076650c292b43dd9de33

SHA256
c6c03e97c5de0c9eb264e4914d8c7f64d7e3528cc696f613e451a294262f3c42

SHA512
375677d0cc802b09c7d1532d162a91a8eec4679f7639ef38dca9a9d3a03e20b3ab54707af7ffb138d00ec93ea4b34b6db0b33f365dc888ff9056c808a239bc57

Download Submit
C:\ProgramData\71809567992795162921.exe

Filesize
7.2MB

MD5
c5e0fb4ecaa8a7481a283099d604f7a0

SHA1
df4b0c0cc823da2b0443076650c292b43dd9de33

SHA256
c6c03e97c5de0c9eb264e4914d8c7f64d7e3528cc696f613e451a294262f3c42

SHA512
375677d0cc802b09c7d1532d162a91a8eec4679f7639ef38dca9a9d3a03e20b3ab54707af7ffb138d00ec93ea4b34b6db0b33f365dc888ff9056c808a239bc57

Download Submit
C:\ProgramData\71809567992795162921.exe

Filesize
7.2MB

MD5
c5e0fb4ecaa8a7481a283099d604f7a0

SHA1
df4b0c0cc823da2b0443076650c292b43dd9de33

SHA256
c6c03e97c5de0c9eb264e4914d8c7f64d7e3528cc696f613e451a294262f3c42

SHA512
375677d0cc802b09c7d1532d162a91a8eec4679f7639ef38dca9a9d3a03e20b3ab54707af7ffb138d00ec93ea4b34b6db0b33f365dc888ff9056c808a239bc57

Download Submit
C:\ProgramData\90483909308143088912.exe

Filesize
4.3MB

MD5
c4ab3149ef02a36d663699a8c541933e

SHA1
67088f5eff9ec575775b711c9e3650d12d7f4d5c

SHA256
0a0fbd6af9e5d110118f02b87f9a92f9f58fb100f6d9883d55a6aae6c548b4ce

SHA512
88b10f81b2cd273fefeffb4c2078807e89b4b756d50110b61e9f89092715f29ba8d1803f64bc971c1293dc624b92d0b7f05612ae661dd8d24e47d39047a4b7b4

Download Submit
C:\ProgramData\90483909308143088912.exe

Filesize
4.3MB

MD5
c4ab3149ef02a36d663699a8c541933e

SHA1
67088f5eff9ec575775b711c9e3650d12d7f4d5c

SHA256
0a0fbd6af9e5d110118f02b87f9a92f9f58fb100f6d9883d55a6aae6c548b4ce

SHA512
88b10f81b2cd273fefeffb4c2078807e89b4b756d50110b61e9f89092715f29ba8d1803f64bc971c1293dc624b92d0b7f05612ae661dd8d24e47d39047a4b7b4

Download Submit
C:\ProgramData\90483909308143088912.exe

Filesize
4.3MB

MD5
c4ab3149ef02a36d663699a8c541933e

SHA1
67088f5eff9ec575775b711c9e3650d12d7f4d5c

SHA256
0a0fbd6af9e5d110118f02b87f9a92f9f58fb100f6d9883d55a6aae6c548b4ce

SHA512
88b10f81b2cd273fefeffb4c2078807e89b4b756d50110b61e9f89092715f29ba8d1803f64bc971c1293dc624b92d0b7f05612ae661dd8d24e47d39047a4b7b4

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ruzvelt.exe

Filesize
323KB

MD5
8df55f8e4ab4239038acf21740a4f87d

SHA1
0083cb226b4ee13bb8969c986b7a0f5231f3ddb9

SHA256
75ef360d79e718d7beea4d9be1d884fe6330acc849a2847ed99d0f9dc5108458

SHA512
675db6678e433f3d5607c771374d5bb779ef3241547fbb36bdc6f5b08ea5311bd050643c6589b8aa6613ee4ad7d1f55e0220cd7e5379b7962a5426a1190611c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ruzvelt.exe

Filesize
323KB

MD5
8df55f8e4ab4239038acf21740a4f87d

SHA1
0083cb226b4ee13bb8969c986b7a0f5231f3ddb9

SHA256
75ef360d79e718d7beea4d9be1d884fe6330acc849a2847ed99d0f9dc5108458

SHA512
675db6678e433f3d5607c771374d5bb779ef3241547fbb36bdc6f5b08ea5311bd050643c6589b8aa6613ee4ad7d1f55e0220cd7e5379b7962a5426a1190611c2

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
458.1MB

MD5
3ea1e6ce02d10fdb9ddff5175fc47711

SHA1
1fd44986f8c8540652435357ad13d0c41a57f8bc

SHA256
93b34f26ff2b27c870e9afa4ce85b98ce174da99a5c9dcd9a98f676d975e7db8

SHA512
add62c1f9bf547b3b36c224ef54824faa80ef6ab52945770b72395fd27168d1f773cb5125f5e72169cb9cc7c9d5bd6c02faf042ecfa608161ad2680e5bd77eec

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
480.8MB

MD5
cd4a6c7ec0489557d5b07e22de10d275

SHA1
91c747deeac24041907e4664e9c19f2da80e3ae0

SHA256
8526ff7471b560831027528142829fe36d4881c17c2ed2ccc3fad6981efc179e

SHA512
b3846a48612493d39dbc193b251fdae75bfe63e116ef3a3cf2cb09871e7b232cfbd2ee8b7607641f4485546963ebb60af69ce1a61ee251387f6358e765d144a7

Download Submit
memory/1148-241-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/1148-224-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/1148-144-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/1148-316-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/1148-291-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/1148-274-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/1148-177-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/1148-234-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/1148-185-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/1148-220-0x0000000000980000-0x0000000000981000-memory.dmp

Filesize
4KB

Download
memory/3488-317-0x0000000000610000-0x0000000000667000-memory.dmp

Filesize
348KB

Download
memory/3488-330-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3520-133-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3560-453-0x0000000001720000-0x0000000001721000-memory.dmp

Filesize
4KB

Download
memory/4692-432-0x0000000000300000-0x0000000001163000-memory.dmp

Filesize
14.4MB

Download
memory/4692-434-0x0000000000300000-0x0000000001163000-memory.dmp

Filesize
14.4MB

Download
memory/4772-423-0x0000000001190000-0x0000000001191000-memory.dmp

Filesize
4KB

Download