laplas | c5c70d32d8ad4b655b43c14548aebd22c1c500ed0639dbb85580d1a8013329e4

General

Target

c90442c160b897ea1e79e1aaca50296c.exe
Size

10.9MB
MD5

c90442c160b897ea1e79e1aaca50296c
SHA1

88589ab90bc29923cb42e36cda6d534702ed1f57
SHA256

c5c70d32d8ad4b655b43c14548aebd22c1c500ed0639dbb85580d1a8013329e4
SHA512

c6bee6fae6b7534258c853ddfec03217e83e11bf11e7bb1af9ffbd3e734944a9f3d142f47962b32a81455ce5e97e3e2949ea2786efd72161ddc693a5115b692c
SSDEEP

196608:5HatuBgIpTVbThhJLvzwKVKgvFXv1bbPCQHHB:5/gEVTpZVKSFvoQHHB

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://185.106.92.74

Attributes

api_key
bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
1472	svcservice.exe

Loads dropped DLL 1 IoCs

pid	Process
2036	c90442c160b897ea1e79e1aaca50296c.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	c90442c160b897ea1e79e1aaca50296c.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2036	c90442c160b897ea1e79e1aaca50296c.exe
2036	c90442c160b897ea1e79e1aaca50296c.exe
1472	svcservice.exe
1472	svcservice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2036	c90442c160b897ea1e79e1aaca50296c.exe
1472	svcservice.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1472	2036	c90442c160b897ea1e79e1aaca50296c.exe	26
PID 2036 wrote to memory of 1472	2036	c90442c160b897ea1e79e1aaca50296c.exe	26
PID 2036 wrote to memory of 1472	2036	c90442c160b897ea1e79e1aaca50296c.exe	26
PID 2036 wrote to memory of 1472	2036	c90442c160b897ea1e79e1aaca50296c.exe	26

C:\Users\Admin\AppData\Local\Temp\c90442c160b897ea1e79e1aaca50296c.exe
"C:\Users\Admin\AppData\Local\Temp\c90442c160b897ea1e79e1aaca50296c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:1472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
589.9MB

MD5
76e31cfb7c9184026a14152e071e1a49

SHA1
ec2fdb377c6caa368e9c94bc1f429d8e2cf93cbd

SHA256
5423e9416aa2f090f34ce0464b5ca318b21c0f1239b596d35c673aae1cdd51d3

SHA512
a6b56e39d8132aaef5b45d62b35286803b8181f010788c442ecc01561e03dc9d780d6be7ed55c6b62d3b8734a4f02ff3f7f39585cc08baff98d886d8426fc884

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
614.0MB

MD5
486c43a59288293be6a6d6e4780ca7c3

SHA1
173a615889f5b25daa94b6e2a3ef181bd26e5e07

SHA256
9296520b90a1fa4c13b276b3dd1809cd13fedc59bb8bc70d3284ba7cf3013b01

SHA512
5122bdec04c0da6b07012b9230807e4faf1d111d88624a6b4705031fff0c8b8d41139471007dc9bd5a6c6b0130b91868e5cea0c821ca9e80d41d5d81488edbb4

Download Submit
\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
560.2MB

MD5
0727a5cc5eb93def5bf029626eb9bbbe

SHA1
4380cca9851eb946247ba5dc84b61013969a0542

SHA256
d4be75339c732a368ef6c59cffa9db546a60de20c87dbc637b2f4bf20d325646

SHA512
bca2758142d0979314835ad542fd2a91e9ca5a8b08619958cbe0d34031300a85cdbfbbdcd931c02e807d8e7ab2e551ed7ae460025954c0822f26ae2d7ac7a97f

Download Submit
memory/1472-76-0x0000000000CA0000-0x00000000017DA000-memory.dmp

Filesize
11.2MB

Download
memory/1472-75-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1472-74-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1472-72-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1472-71-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2036-57-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2036-60-0x00000000000D0000-0x0000000000C0A000-memory.dmp

Filesize
11.2MB

Download
memory/2036-59-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2036-58-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2036-54-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2036-56-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2036-55-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing