Overview

overview

10

Static

static

1

0a862ce47a...d7.exe

windows7-x64

10

0a862ce47a...d7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-04-2023 20:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0a862ce47af25310f82df569077085d7.exe

  • Size

    2.6MB

  • MD5

    0a862ce47af25310f82df569077085d7

  • SHA1

    942ed7ab805c05b4e566156056f50f41c5883aab

  • SHA256

    a2ddb2901e7b54c98ad8eb17a8b2a019b344a8c459aa15b29b4fda8962931486

  • SHA512

    163996246fd143a651950a9c025b327210178f894e214284c57bf2f3a77699992803e63e5e080621d5840e1cd0155f60649e8a6e00dc5aca696a84948256ea22

  • SSDEEP

    49152:u5FxxOfxEu+vX22XptSVBNUd9kPZdBTy1tGnsQt/E4R4jYoj306sBcz2:uxYPElncYkZyMlE4Cjx7scz2

Score
10/10
laplasclipperpersistencespywarestealer

Malware Config

Extracted

Family

laplas

C2

http://79.137.199.252

Attributes
  • api_key

    ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a862ce47af25310f82df569077085d7.exe
    "C:\Users\Admin\AppData\Local\Temp\0a862ce47af25310f82df569077085d7.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2212
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Kern64.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Kern64.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2204
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:220
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\studiowin32.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\studiowin32.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4980
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        3⤵
          PID:2656
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\shalam6.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\shalam6.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2208
        • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
          "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
          3⤵
          • Executes dropped EXE
          PID:5452

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Kern64.exe
      Filesize

      300KB

      MD5

      9080948267a458604407980a97e49ddf

      SHA1

      22bf92ca411b5c82a2b8514b6dc879948d102364

      SHA256

      be6b9947e555556d2f0f68ba190c9f6eda09130e1c317a50fbfcb5b4772f24fb

      SHA512

      4452b139ef97eb6f1625bbf921abc1851872efc146388775cbc63d3da46352ac7636dcc32bbaac296ee174c606ded8be9ecb06410fba979ffe49438708b8fd62

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Kern64.exe
      Filesize

      300KB

      MD5

      9080948267a458604407980a97e49ddf

      SHA1

      22bf92ca411b5c82a2b8514b6dc879948d102364

      SHA256

      be6b9947e555556d2f0f68ba190c9f6eda09130e1c317a50fbfcb5b4772f24fb

      SHA512

      4452b139ef97eb6f1625bbf921abc1851872efc146388775cbc63d3da46352ac7636dcc32bbaac296ee174c606ded8be9ecb06410fba979ffe49438708b8fd62

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Kern64.exe
      Filesize

      300KB

      MD5

      9080948267a458604407980a97e49ddf

      SHA1

      22bf92ca411b5c82a2b8514b6dc879948d102364

      SHA256

      be6b9947e555556d2f0f68ba190c9f6eda09130e1c317a50fbfcb5b4772f24fb

      SHA512

      4452b139ef97eb6f1625bbf921abc1851872efc146388775cbc63d3da46352ac7636dcc32bbaac296ee174c606ded8be9ecb06410fba979ffe49438708b8fd62

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\shalam6.exe
      Filesize

      1.1MB

      MD5

      b2bcaf962c911923aa169127143a5589

      SHA1

      799b694371e2714b1d50df28352b14061988b1e3

      SHA256

      5f47afef3b9b62355e522f33f7e1580dbb1c9ed5839068ece852b638479bfc6e

      SHA512

      f0e73a3987e930d183bddd693958ec57cf1fa909fa3cfb67780dd4ce91361dd7d771799579047f9b4e50f7386675c5caddd4fef0b9af8bf13d77a460b3b9ff11

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\shalam6.exe
      Filesize

      1.1MB

      MD5

      b2bcaf962c911923aa169127143a5589

      SHA1

      799b694371e2714b1d50df28352b14061988b1e3

      SHA256

      5f47afef3b9b62355e522f33f7e1580dbb1c9ed5839068ece852b638479bfc6e

      SHA512

      f0e73a3987e930d183bddd693958ec57cf1fa909fa3cfb67780dd4ce91361dd7d771799579047f9b4e50f7386675c5caddd4fef0b9af8bf13d77a460b3b9ff11

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\shalam6.exe
      Filesize

      1.1MB

      MD5

      b2bcaf962c911923aa169127143a5589

      SHA1

      799b694371e2714b1d50df28352b14061988b1e3

      SHA256

      5f47afef3b9b62355e522f33f7e1580dbb1c9ed5839068ece852b638479bfc6e

      SHA512

      f0e73a3987e930d183bddd693958ec57cf1fa909fa3cfb67780dd4ce91361dd7d771799579047f9b4e50f7386675c5caddd4fef0b9af8bf13d77a460b3b9ff11

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\studiowin32.exe
      Filesize

      2.6MB

      MD5

      16457f30f822a8e4b8bca94e0bdda049

      SHA1

      3ba55585357fd146e588720702717a1263c0718e

      SHA256

      090bdcfc40a6ddc235d8442e6f084a4f446a0047d4d6874647fea8118f7cd21a

      SHA512

      394bab3577439173e489e6b615872ee2fd9eea5c370fc1a1b2a3afe4fc4c034fa73497b8a2cca06dc25643a0947f22b49a3f33b41c7aea28f54d0ee3d129b139

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\studiowin32.exe
      Filesize

      2.6MB

      MD5

      16457f30f822a8e4b8bca94e0bdda049

      SHA1

      3ba55585357fd146e588720702717a1263c0718e

      SHA256

      090bdcfc40a6ddc235d8442e6f084a4f446a0047d4d6874647fea8118f7cd21a

      SHA512

      394bab3577439173e489e6b615872ee2fd9eea5c370fc1a1b2a3afe4fc4c034fa73497b8a2cca06dc25643a0947f22b49a3f33b41c7aea28f54d0ee3d129b139

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\studiowin32.exe
      Filesize

      2.6MB

      MD5

      16457f30f822a8e4b8bca94e0bdda049

      SHA1

      3ba55585357fd146e588720702717a1263c0718e

      SHA256

      090bdcfc40a6ddc235d8442e6f084a4f446a0047d4d6874647fea8118f7cd21a

      SHA512

      394bab3577439173e489e6b615872ee2fd9eea5c370fc1a1b2a3afe4fc4c034fa73497b8a2cca06dc25643a0947f22b49a3f33b41c7aea28f54d0ee3d129b139

      Download Submit

    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      Filesize

      442.1MB

      MD5

      fa969ee0cf8137964487625dd8356ff5

      SHA1

      4a6831cfb97e67c6114559c61fc65477e2eb7eb3

      SHA256

      814f45e40c1836c3ecaed1133c180b6f35184cdec4f8256bb9a38cbb58b307d0

      SHA512

      58756c40f3cf22e9047fc084913a63273a7e6e81c91d29e0b6f14ade3a323eaf6669656bca047720ee8a6349d0bbf17f2f0281be962350214c7072c1e099bf4d

      Download Submit

    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      Filesize

      457.3MB

      MD5

      e9a5a506f3205d898f654c782fbe0ca9

      SHA1

      b41bce4e44f4a4d4f66ba19e3738adc0495eea1b

      SHA256

      c3e609efa491fab4ae4c21c6dbdd2c390fc129159a80041f742a56c84701854b

      SHA512

      d233b994385e210e5aad40e991c95a0f82b20f79af669365bab1b9174aac1e8cafabe9c60988e196b11f848e4b66cac9a12e008375941c8e5619ce2039eece18

      Download Submit

    • memory/220-280-0x0000000008B60000-0x0000000008BD6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/220-326-0x0000000009F80000-0x000000000A142000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/220-149-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

      Download

    • memory/220-164-0x0000000007D40000-0x0000000008358000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/220-492-0x0000000007810000-0x0000000007820000-memory.dmp

      Filesize

      64KB

      Download

    • memory/220-334-0x000000000A680000-0x000000000ABAC000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/220-214-0x0000000007BA0000-0x0000000007C06000-memory.dmp

      Filesize

      408KB

      Download

    • memory/220-248-0x0000000008C50000-0x00000000091F4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/220-251-0x0000000008780000-0x0000000008812000-memory.dmp

      Filesize

      584KB

      Download

    • memory/220-277-0x0000000008920000-0x0000000008970000-memory.dmp

      Filesize

      320KB

      Download

    • memory/220-185-0x0000000007860000-0x000000000789C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/220-307-0x0000000008970000-0x000000000898E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/220-169-0x0000000007910000-0x0000000007A1A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/220-184-0x0000000007810000-0x0000000007820000-memory.dmp

      Filesize

      64KB

      Download

    • memory/220-165-0x00000000077E0000-0x00000000077F2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2656-166-0x0000000000400000-0x000000000056C000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/2656-192-0x0000000000400000-0x000000000056C000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/2656-194-0x0000000000400000-0x000000000056C000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/2656-191-0x0000000000400000-0x000000000056C000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/2656-190-0x0000000000400000-0x000000000056C000-memory.dmp

      Filesize

      1.4MB

      Download