laplas | c6c03e97c5de0c9eb264e4914d8c7f64d7e3528cc696f613e451a294262f3c42

General

Target

sima.exe
Size

7.2MB
MD5

c5e0fb4ecaa8a7481a283099d604f7a0
SHA1

df4b0c0cc823da2b0443076650c292b43dd9de33
SHA256

c6c03e97c5de0c9eb264e4914d8c7f64d7e3528cc696f613e451a294262f3c42
SHA512

375677d0cc802b09c7d1532d162a91a8eec4679f7639ef38dca9a9d3a03e20b3ab54707af7ffb138d00ec93ea4b34b6db0b33f365dc888ff9056c808a239bc57
SSDEEP

196608:5HatuBgIpTVbThhJLvzwKVKgvFXv1bbPC:5/gEVTpZVKSFvo

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://185.106.92.74

Attributes

api_key
bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
468	svcservice.exe

Loads dropped DLL 1 IoCs

pid	Process
1092	sima.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	sima.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1092	sima.exe
1092	sima.exe
468	svcservice.exe
468	svcservice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1092	sima.exe
468	svcservice.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 468	1092	sima.exe	28
PID 1092 wrote to memory of 468	1092	sima.exe	28
PID 1092 wrote to memory of 468	1092	sima.exe	28
PID 1092 wrote to memory of 468	1092	sima.exe	28

C:\Users\Admin\AppData\Local\Temp\sima.exe
"C:\Users\Admin\AppData\Local\Temp\sima.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CMIDRLTB\regex[2].txt

Filesize
633B

MD5
c5298d2c78be8fdfc264eb6fe3e275f8

SHA1
f09de5f443da081efaff0155f422ca0375edd164

SHA256
de32b3c0549fde0dc5ac435a89f16a87832a0632b6602e75f552d07074081577

SHA512
5aeb5013b00e13cd8a172639bc7c675bd06cc0473ae9844c9c324e5c322987ddeff986bd4a8e620ce0ca9d1098a3ee8bbb4802789d1e89b0ec0cecf2f55a4853

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UOYUJSME\online[2].txt

Filesize
2B

MD5
444bcb3a3fcf8389296c49467f27e1d6

SHA1
7a85f4764bbd6daf1c3545efbbf0f279a6dc0beb

SHA256
2689367b205c16ce32ed4200942b8b8b1e262dfc70d9bc9fbc77c49699a4f1df

SHA512
9fbbbb5a0f329f9782e2356fa41d89cf9b3694327c1a934d6af2a9df2d7f936ce83717fb513196a4ce5548471708cd7134c2ae99b3c357bcabb2eafc7b9b7570

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
771.2MB

MD5
771a655a6bb533dbe36a24dd8fee70ad

SHA1
75b0016240daf5c08112bfff86c29f75c771f5b0

SHA256
cbfab9847e2ff33aaab9fe8e158768a30debae62da3a63bc566187190207dca5

SHA512
08a7ca83670f7cd2bc275aacf7697088f0aacf3f5cbfda1976613d9c52c33f6735c4721b592a0a5e75aef4a1557eac47feade97bcd9d99db0bd73e7058268a4b

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
771.2MB

MD5
771a655a6bb533dbe36a24dd8fee70ad

SHA1
75b0016240daf5c08112bfff86c29f75c771f5b0

SHA256
cbfab9847e2ff33aaab9fe8e158768a30debae62da3a63bc566187190207dca5

SHA512
08a7ca83670f7cd2bc275aacf7697088f0aacf3f5cbfda1976613d9c52c33f6735c4721b592a0a5e75aef4a1557eac47feade97bcd9d99db0bd73e7058268a4b

Download Submit
\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
771.2MB

MD5
771a655a6bb533dbe36a24dd8fee70ad

SHA1
75b0016240daf5c08112bfff86c29f75c771f5b0

SHA256
cbfab9847e2ff33aaab9fe8e158768a30debae62da3a63bc566187190207dca5

SHA512
08a7ca83670f7cd2bc275aacf7697088f0aacf3f5cbfda1976613d9c52c33f6735c4721b592a0a5e75aef4a1557eac47feade97bcd9d99db0bd73e7058268a4b

Download Submit
memory/468-76-0x0000000000DA0000-0x00000000018DA000-memory.dmp

Filesize
11.2MB

Download
memory/468-75-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/468-72-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1092-57-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1092-60-0x00000000008A0000-0x00000000013DA000-memory.dmp

Filesize
11.2MB

Download
memory/1092-59-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1092-58-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1092-54-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1092-56-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1092-55-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing