laplas | c6c03e97c5de0c9eb264e4914d8c7f64d7e3528cc696f613e451a294262f3c42

General

Target

sima.exe
Size

7.2MB
MD5

c5e0fb4ecaa8a7481a283099d604f7a0
SHA1

df4b0c0cc823da2b0443076650c292b43dd9de33
SHA256

c6c03e97c5de0c9eb264e4914d8c7f64d7e3528cc696f613e451a294262f3c42
SHA512

375677d0cc802b09c7d1532d162a91a8eec4679f7639ef38dca9a9d3a03e20b3ab54707af7ffb138d00ec93ea4b34b6db0b33f365dc888ff9056c808a239bc57
SSDEEP

196608:5HatuBgIpTVbThhJLvzwKVKgvFXv1bbPC:5/gEVTpZVKSFvo

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://185.106.92.74

Attributes

api_key
bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	sima.exe

Executes dropped EXE 1 IoCs

pid	Process
2252	svcservice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	sima.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4172	sima.exe
4172	sima.exe
2252	svcservice.exe
2252	svcservice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4172	sima.exe
4172	sima.exe
2252	svcservice.exe
2252	svcservice.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4172 wrote to memory of 2252	4172	sima.exe	84
PID 4172 wrote to memory of 2252	4172	sima.exe	84
PID 4172 wrote to memory of 2252	4172	sima.exe	84

C:\Users\Admin\AppData\Local\Temp\sima.exe
"C:\Users\Admin\AppData\Local\Temp\sima.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4172
- C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:2252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BMP3ERH\online[1].txt

Filesize
2B

MD5
444bcb3a3fcf8389296c49467f27e1d6

SHA1
7a85f4764bbd6daf1c3545efbbf0f279a6dc0beb

SHA256
2689367b205c16ce32ed4200942b8b8b1e262dfc70d9bc9fbc77c49699a4f1df

SHA512
9fbbbb5a0f329f9782e2356fa41d89cf9b3694327c1a934d6af2a9df2d7f936ce83717fb513196a4ce5548471708cd7134c2ae99b3c357bcabb2eafc7b9b7570

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Y624AVVJ\regex[1].txt

Filesize
633B

MD5
c5298d2c78be8fdfc264eb6fe3e275f8

SHA1
f09de5f443da081efaff0155f422ca0375edd164

SHA256
de32b3c0549fde0dc5ac435a89f16a87832a0632b6602e75f552d07074081577

SHA512
5aeb5013b00e13cd8a172639bc7c675bd06cc0473ae9844c9c324e5c322987ddeff986bd4a8e620ce0ca9d1098a3ee8bbb4802789d1e89b0ec0cecf2f55a4853

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
784.2MB

MD5
c486db95ad6f61116cb15ca12a1979b4

SHA1
dc964dc5a54cb24389d2c25c6dc7a445ea0e7d67

SHA256
e85d225a9739e81367f41d57d09228ef9f63918b554758f2d48ac3403ada039a

SHA512
1511d843788c74a031af14e52a92cb8b0428c666b30026bb4f1dd05548da39ba777eb0c9f6b5a5cc9b49ae248578686644aabf99a77c229e9955d3583491a845

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
784.2MB

MD5
c486db95ad6f61116cb15ca12a1979b4

SHA1
dc964dc5a54cb24389d2c25c6dc7a445ea0e7d67

SHA256
e85d225a9739e81367f41d57d09228ef9f63918b554758f2d48ac3403ada039a

SHA512
1511d843788c74a031af14e52a92cb8b0428c666b30026bb4f1dd05548da39ba777eb0c9f6b5a5cc9b49ae248578686644aabf99a77c229e9955d3583491a845

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
784.2MB

MD5
c486db95ad6f61116cb15ca12a1979b4

SHA1
dc964dc5a54cb24389d2c25c6dc7a445ea0e7d67

SHA256
e85d225a9739e81367f41d57d09228ef9f63918b554758f2d48ac3403ada039a

SHA512
1511d843788c74a031af14e52a92cb8b0428c666b30026bb4f1dd05548da39ba777eb0c9f6b5a5cc9b49ae248578686644aabf99a77c229e9955d3583491a845

Download Submit
memory/2252-149-0x00000000014B0000-0x00000000014B1000-memory.dmp

Filesize
4KB

Download
memory/2252-150-0x00000000014C0000-0x00000000014C1000-memory.dmp

Filesize
4KB

Download
memory/2252-151-0x0000000000190000-0x0000000000CCA000-memory.dmp

Filesize
11.2MB

Download
memory/4172-133-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/4172-134-0x00000000037C0000-0x00000000037C1000-memory.dmp

Filesize
4KB

Download
memory/4172-135-0x0000000000A40000-0x000000000157A000-memory.dmp

Filesize
11.2MB

Download

Analysis

Sharing