laplas | a2ddb2901e7b54c98ad8eb17a8b2a019b344a8c459aa15b29b4fda8962931486

Analysis

max time kernel
96s
max time network
100s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13-04-2023 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a862ce47af25310f82df569077085d7.exe
Size

2.6MB
MD5

0a862ce47af25310f82df569077085d7
SHA1

942ed7ab805c05b4e566156056f50f41c5883aab
SHA256

a2ddb2901e7b54c98ad8eb17a8b2a019b344a8c459aa15b29b4fda8962931486
SHA512

163996246fd143a651950a9c025b327210178f894e214284c57bf2f3a77699992803e63e5e080621d5840e1cd0155f60649e8a6e00dc5aca696a84948256ea22
SSDEEP

49152:u5FxxOfxEu+vX22XptSVBNUd9kPZdBTy1tGnsQt/E4R4jYoj306sBcz2:uxYPElncYkZyMlE4Cjx7scz2

Score

10^/10

laplas clipper persistence spyware stealer

Malware Config

Extracted

Family

laplas

http://79.137.199.252

Attributes

api_key
ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 4 IoCs

pid	Process
984	Kern64.exe
696	studiowin32.exe
1524	shalam6.exe
2052	svcservice.exe

Loads dropped DLL 14 IoCs

pid	Process
1256	0a862ce47af25310f82df569077085d7.exe
1256	0a862ce47af25310f82df569077085d7.exe
1256	0a862ce47af25310f82df569077085d7.exe
1256	0a862ce47af25310f82df569077085d7.exe
1256	0a862ce47af25310f82df569077085d7.exe
1256	0a862ce47af25310f82df569077085d7.exe
1256	0a862ce47af25310f82df569077085d7.exe
1256	0a862ce47af25310f82df569077085d7.exe
1256	0a862ce47af25310f82df569077085d7.exe
1256	0a862ce47af25310f82df569077085d7.exe
1256	0a862ce47af25310f82df569077085d7.exe
1256	0a862ce47af25310f82df569077085d7.exe
1256	0a862ce47af25310f82df569077085d7.exe
1524	shalam6.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	shalam6.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 984 set thread context of 580	984	Kern64.exe	30
PID 696 set thread context of 324	696	studiowin32.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
580	AppLaunch.exe
580	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	580	AppLaunch.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 984	1256	0a862ce47af25310f82df569077085d7.exe	28
PID 1256 wrote to memory of 984	1256	0a862ce47af25310f82df569077085d7.exe	28
PID 1256 wrote to memory of 984	1256	0a862ce47af25310f82df569077085d7.exe	28
PID 1256 wrote to memory of 984	1256	0a862ce47af25310f82df569077085d7.exe	28
PID 984 wrote to memory of 580	984	Kern64.exe	30
PID 984 wrote to memory of 580	984	Kern64.exe	30
PID 984 wrote to memory of 580	984	Kern64.exe	30
PID 984 wrote to memory of 580	984	Kern64.exe	30
PID 984 wrote to memory of 580	984	Kern64.exe	30
PID 984 wrote to memory of 580	984	Kern64.exe	30
PID 984 wrote to memory of 580	984	Kern64.exe	30
PID 984 wrote to memory of 580	984	Kern64.exe	30
PID 984 wrote to memory of 580	984	Kern64.exe	30
PID 1256 wrote to memory of 696	1256	0a862ce47af25310f82df569077085d7.exe	31
PID 1256 wrote to memory of 696	1256	0a862ce47af25310f82df569077085d7.exe	31
PID 1256 wrote to memory of 696	1256	0a862ce47af25310f82df569077085d7.exe	31
PID 1256 wrote to memory of 696	1256	0a862ce47af25310f82df569077085d7.exe	31
PID 696 wrote to memory of 324	696	studiowin32.exe	33
PID 696 wrote to memory of 324	696	studiowin32.exe	33
PID 696 wrote to memory of 324	696	studiowin32.exe	33
PID 696 wrote to memory of 324	696	studiowin32.exe	33
PID 696 wrote to memory of 324	696	studiowin32.exe	33
PID 696 wrote to memory of 324	696	studiowin32.exe	33
PID 696 wrote to memory of 324	696	studiowin32.exe	33
PID 696 wrote to memory of 324	696	studiowin32.exe	33
PID 696 wrote to memory of 324	696	studiowin32.exe	33
PID 1256 wrote to memory of 1524	1256	0a862ce47af25310f82df569077085d7.exe	35
PID 1256 wrote to memory of 1524	1256	0a862ce47af25310f82df569077085d7.exe	35
PID 1256 wrote to memory of 1524	1256	0a862ce47af25310f82df569077085d7.exe	35
PID 1256 wrote to memory of 1524	1256	0a862ce47af25310f82df569077085d7.exe	35
PID 1524 wrote to memory of 2052	1524	shalam6.exe	37
PID 1524 wrote to memory of 2052	1524	shalam6.exe	37
PID 1524 wrote to memory of 2052	1524	shalam6.exe	37
PID 1524 wrote to memory of 2052	1524	shalam6.exe	37

C:\Users\Admin\AppData\Local\Temp\0a862ce47af25310f82df569077085d7.exe
"C:\Users\Admin\AppData\Local\Temp\0a862ce47af25310f82df569077085d7.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Kern64.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Kern64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:984
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:580
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\studiowin32.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\studiowin32.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:696
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    PID:324
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\shalam6.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\shalam6.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
    3⤵
    - Executes dropped EXE
    PID:2052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Kern64.exe

Filesize
300KB

MD5
9080948267a458604407980a97e49ddf

SHA1
22bf92ca411b5c82a2b8514b6dc879948d102364

SHA256
be6b9947e555556d2f0f68ba190c9f6eda09130e1c317a50fbfcb5b4772f24fb

SHA512
4452b139ef97eb6f1625bbf921abc1851872efc146388775cbc63d3da46352ac7636dcc32bbaac296ee174c606ded8be9ecb06410fba979ffe49438708b8fd62

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Kern64.exe

Filesize
300KB

MD5
9080948267a458604407980a97e49ddf

SHA1
22bf92ca411b5c82a2b8514b6dc879948d102364

SHA256
be6b9947e555556d2f0f68ba190c9f6eda09130e1c317a50fbfcb5b4772f24fb

SHA512
4452b139ef97eb6f1625bbf921abc1851872efc146388775cbc63d3da46352ac7636dcc32bbaac296ee174c606ded8be9ecb06410fba979ffe49438708b8fd62

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\shalam6.exe

Filesize
1.1MB

MD5
b2bcaf962c911923aa169127143a5589

SHA1
799b694371e2714b1d50df28352b14061988b1e3

SHA256
5f47afef3b9b62355e522f33f7e1580dbb1c9ed5839068ece852b638479bfc6e

SHA512
f0e73a3987e930d183bddd693958ec57cf1fa909fa3cfb67780dd4ce91361dd7d771799579047f9b4e50f7386675c5caddd4fef0b9af8bf13d77a460b3b9ff11

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\shalam6.exe

Filesize
1.1MB

MD5
b2bcaf962c911923aa169127143a5589

SHA1
799b694371e2714b1d50df28352b14061988b1e3

SHA256
5f47afef3b9b62355e522f33f7e1580dbb1c9ed5839068ece852b638479bfc6e

SHA512
f0e73a3987e930d183bddd693958ec57cf1fa909fa3cfb67780dd4ce91361dd7d771799579047f9b4e50f7386675c5caddd4fef0b9af8bf13d77a460b3b9ff11

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\shalam6.exe

Filesize
1.1MB

MD5
b2bcaf962c911923aa169127143a5589

SHA1
799b694371e2714b1d50df28352b14061988b1e3

SHA256
5f47afef3b9b62355e522f33f7e1580dbb1c9ed5839068ece852b638479bfc6e

SHA512
f0e73a3987e930d183bddd693958ec57cf1fa909fa3cfb67780dd4ce91361dd7d771799579047f9b4e50f7386675c5caddd4fef0b9af8bf13d77a460b3b9ff11

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\studiowin32.exe

Filesize
2.6MB

MD5
16457f30f822a8e4b8bca94e0bdda049

SHA1
3ba55585357fd146e588720702717a1263c0718e

SHA256
090bdcfc40a6ddc235d8442e6f084a4f446a0047d4d6874647fea8118f7cd21a

SHA512
394bab3577439173e489e6b615872ee2fd9eea5c370fc1a1b2a3afe4fc4c034fa73497b8a2cca06dc25643a0947f22b49a3f33b41c7aea28f54d0ee3d129b139

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\studiowin32.exe

Filesize
2.6MB

MD5
16457f30f822a8e4b8bca94e0bdda049

SHA1
3ba55585357fd146e588720702717a1263c0718e

SHA256
090bdcfc40a6ddc235d8442e6f084a4f446a0047d4d6874647fea8118f7cd21a

SHA512
394bab3577439173e489e6b615872ee2fd9eea5c370fc1a1b2a3afe4fc4c034fa73497b8a2cca06dc25643a0947f22b49a3f33b41c7aea28f54d0ee3d129b139

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
740.1MB

MD5
e0df256a37a24fa8954de7fbb71e4aaa

SHA1
69d64e5b54f7250169f86bb7b036477853cde893

SHA256
d8de648b7c75c2fa04eb32d0fac730b34aaaec46b1385ea4d6d1337d35e03705

SHA512
95afd02bfe627c6abf5c37bb74d3ad142ba0734cc16c3bb6d066be483c643f43356162b570637dd3e4c3f2e09517774bf73fd1e24414f38cc1d6218c186bc143

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Kern64.exe

Filesize
300KB

MD5
9080948267a458604407980a97e49ddf

SHA1
22bf92ca411b5c82a2b8514b6dc879948d102364

SHA256
be6b9947e555556d2f0f68ba190c9f6eda09130e1c317a50fbfcb5b4772f24fb

SHA512
4452b139ef97eb6f1625bbf921abc1851872efc146388775cbc63d3da46352ac7636dcc32bbaac296ee174c606ded8be9ecb06410fba979ffe49438708b8fd62

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Kern64.exe

Filesize
300KB

MD5
9080948267a458604407980a97e49ddf

SHA1
22bf92ca411b5c82a2b8514b6dc879948d102364

SHA256
be6b9947e555556d2f0f68ba190c9f6eda09130e1c317a50fbfcb5b4772f24fb

SHA512
4452b139ef97eb6f1625bbf921abc1851872efc146388775cbc63d3da46352ac7636dcc32bbaac296ee174c606ded8be9ecb06410fba979ffe49438708b8fd62

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Kern64.exe

Filesize
300KB

MD5
9080948267a458604407980a97e49ddf

SHA1
22bf92ca411b5c82a2b8514b6dc879948d102364

SHA256
be6b9947e555556d2f0f68ba190c9f6eda09130e1c317a50fbfcb5b4772f24fb

SHA512
4452b139ef97eb6f1625bbf921abc1851872efc146388775cbc63d3da46352ac7636dcc32bbaac296ee174c606ded8be9ecb06410fba979ffe49438708b8fd62

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Kern64.exe

Filesize
300KB

MD5
9080948267a458604407980a97e49ddf

SHA1
22bf92ca411b5c82a2b8514b6dc879948d102364

SHA256
be6b9947e555556d2f0f68ba190c9f6eda09130e1c317a50fbfcb5b4772f24fb

SHA512
4452b139ef97eb6f1625bbf921abc1851872efc146388775cbc63d3da46352ac7636dcc32bbaac296ee174c606ded8be9ecb06410fba979ffe49438708b8fd62

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Kern64.exe

Filesize
300KB

MD5
9080948267a458604407980a97e49ddf

SHA1
22bf92ca411b5c82a2b8514b6dc879948d102364

SHA256
be6b9947e555556d2f0f68ba190c9f6eda09130e1c317a50fbfcb5b4772f24fb

SHA512
4452b139ef97eb6f1625bbf921abc1851872efc146388775cbc63d3da46352ac7636dcc32bbaac296ee174c606ded8be9ecb06410fba979ffe49438708b8fd62

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\shalam6.exe

Filesize
1.1MB

MD5
b2bcaf962c911923aa169127143a5589

SHA1
799b694371e2714b1d50df28352b14061988b1e3

SHA256
5f47afef3b9b62355e522f33f7e1580dbb1c9ed5839068ece852b638479bfc6e

SHA512
f0e73a3987e930d183bddd693958ec57cf1fa909fa3cfb67780dd4ce91361dd7d771799579047f9b4e50f7386675c5caddd4fef0b9af8bf13d77a460b3b9ff11

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\shalam6.exe

Filesize
1.1MB

MD5
b2bcaf962c911923aa169127143a5589

SHA1
799b694371e2714b1d50df28352b14061988b1e3

SHA256
5f47afef3b9b62355e522f33f7e1580dbb1c9ed5839068ece852b638479bfc6e

SHA512
f0e73a3987e930d183bddd693958ec57cf1fa909fa3cfb67780dd4ce91361dd7d771799579047f9b4e50f7386675c5caddd4fef0b9af8bf13d77a460b3b9ff11

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\shalam6.exe

Filesize
1.1MB

MD5
b2bcaf962c911923aa169127143a5589

SHA1
799b694371e2714b1d50df28352b14061988b1e3

SHA256
5f47afef3b9b62355e522f33f7e1580dbb1c9ed5839068ece852b638479bfc6e

SHA512
f0e73a3987e930d183bddd693958ec57cf1fa909fa3cfb67780dd4ce91361dd7d771799579047f9b4e50f7386675c5caddd4fef0b9af8bf13d77a460b3b9ff11

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\studiowin32.exe

Filesize
2.6MB

MD5
16457f30f822a8e4b8bca94e0bdda049

SHA1
3ba55585357fd146e588720702717a1263c0718e

SHA256
090bdcfc40a6ddc235d8442e6f084a4f446a0047d4d6874647fea8118f7cd21a

SHA512
394bab3577439173e489e6b615872ee2fd9eea5c370fc1a1b2a3afe4fc4c034fa73497b8a2cca06dc25643a0947f22b49a3f33b41c7aea28f54d0ee3d129b139

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\studiowin32.exe

Filesize
2.6MB

MD5
16457f30f822a8e4b8bca94e0bdda049

SHA1
3ba55585357fd146e588720702717a1263c0718e

SHA256
090bdcfc40a6ddc235d8442e6f084a4f446a0047d4d6874647fea8118f7cd21a

SHA512
394bab3577439173e489e6b615872ee2fd9eea5c370fc1a1b2a3afe4fc4c034fa73497b8a2cca06dc25643a0947f22b49a3f33b41c7aea28f54d0ee3d129b139

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\studiowin32.exe

Filesize
2.6MB

MD5
16457f30f822a8e4b8bca94e0bdda049

SHA1
3ba55585357fd146e588720702717a1263c0718e

SHA256
090bdcfc40a6ddc235d8442e6f084a4f446a0047d4d6874647fea8118f7cd21a

SHA512
394bab3577439173e489e6b615872ee2fd9eea5c370fc1a1b2a3afe4fc4c034fa73497b8a2cca06dc25643a0947f22b49a3f33b41c7aea28f54d0ee3d129b139

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\studiowin32.exe

Filesize
2.6MB

MD5
16457f30f822a8e4b8bca94e0bdda049

SHA1
3ba55585357fd146e588720702717a1263c0718e

SHA256
090bdcfc40a6ddc235d8442e6f084a4f446a0047d4d6874647fea8118f7cd21a

SHA512
394bab3577439173e489e6b615872ee2fd9eea5c370fc1a1b2a3afe4fc4c034fa73497b8a2cca06dc25643a0947f22b49a3f33b41c7aea28f54d0ee3d129b139

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\studiowin32.exe

Filesize
2.6MB

MD5
16457f30f822a8e4b8bca94e0bdda049

SHA1
3ba55585357fd146e588720702717a1263c0718e

SHA256
090bdcfc40a6ddc235d8442e6f084a4f446a0047d4d6874647fea8118f7cd21a

SHA512
394bab3577439173e489e6b615872ee2fd9eea5c370fc1a1b2a3afe4fc4c034fa73497b8a2cca06dc25643a0947f22b49a3f33b41c7aea28f54d0ee3d129b139

Download Submit
\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
740.1MB

MD5
e0df256a37a24fa8954de7fbb71e4aaa

SHA1
69d64e5b54f7250169f86bb7b036477853cde893

SHA256
d8de648b7c75c2fa04eb32d0fac730b34aaaec46b1385ea4d6d1337d35e03705

SHA512
95afd02bfe627c6abf5c37bb74d3ad142ba0734cc16c3bb6d066be483c643f43356162b570637dd3e4c3f2e09517774bf73fd1e24414f38cc1d6218c186bc143

Download Submit
memory/324-137-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/324-134-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/324-136-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/324-102-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/324-139-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/324-101-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/580-76-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/580-84-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/580-83-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/580-81-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/580-210-0x0000000000970000-0x00000000009B0000-memory.dmp

Filesize
256KB

Download
memory/580-491-0x0000000000970000-0x00000000009B0000-memory.dmp

Filesize
256KB

Download
memory/580-77-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download