Overview

overview

10

Static

static

1

c90442c160...6c.exe

windows7-x64

10

c90442c160...6c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    125s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-04-2023 23:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c90442c160b897ea1e79e1aaca50296c.exe

  • Size

    10.9MB

  • MD5

    c90442c160b897ea1e79e1aaca50296c

  • SHA1

    88589ab90bc29923cb42e36cda6d534702ed1f57

  • SHA256

    c5c70d32d8ad4b655b43c14548aebd22c1c500ed0639dbb85580d1a8013329e4

  • SHA512

    c6bee6fae6b7534258c853ddfec03217e83e11bf11e7bb1af9ffbd3e734944a9f3d142f47962b32a81455ce5e97e3e2949ea2786efd72161ddc693a5115b692c

  • SSDEEP

    196608:5HatuBgIpTVbThhJLvzwKVKgvFXv1bbPCQHHB:5/gEVTpZVKSFvoQHHB

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://185.106.92.74

Attributes
  • api_key

    bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c90442c160b897ea1e79e1aaca50296c.exe
    "C:\Users\Admin\AppData\Local\Temp\c90442c160b897ea1e79e1aaca50296c.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1256
    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:2736

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    726.9MB

    MD5

    806121dc14d214b0677a9dcb22ab9cc8

    SHA1

    b9a72e57e548b0a4e6612ee57a1b71303f428b23

    SHA256

    7f3b37dda095b1dec6a1b79c9c5c2dea9abaab02e0a04d6418207fed064ad7a8

    SHA512

    da7d2e47ac5fd98c0e123c21654e34574efa85f059bbaa3414226c00ef051e2c9d74a7c15ebf300f6f7296c321397701b29daf5b37e770457d14a765a8a16bb0

    Download Submit

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    726.9MB

    MD5

    806121dc14d214b0677a9dcb22ab9cc8

    SHA1

    b9a72e57e548b0a4e6612ee57a1b71303f428b23

    SHA256

    7f3b37dda095b1dec6a1b79c9c5c2dea9abaab02e0a04d6418207fed064ad7a8

    SHA512

    da7d2e47ac5fd98c0e123c21654e34574efa85f059bbaa3414226c00ef051e2c9d74a7c15ebf300f6f7296c321397701b29daf5b37e770457d14a765a8a16bb0

    Download Submit

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    726.9MB

    MD5

    806121dc14d214b0677a9dcb22ab9cc8

    SHA1

    b9a72e57e548b0a4e6612ee57a1b71303f428b23

    SHA256

    7f3b37dda095b1dec6a1b79c9c5c2dea9abaab02e0a04d6418207fed064ad7a8

    SHA512

    da7d2e47ac5fd98c0e123c21654e34574efa85f059bbaa3414226c00ef051e2c9d74a7c15ebf300f6f7296c321397701b29daf5b37e770457d14a765a8a16bb0

    Download Submit

  • memory/1256-133-0x00000000013E0000-0x00000000013E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1256-134-0x00000000013F0000-0x00000000013F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1256-135-0x0000000000350000-0x0000000000E8A000-memory.dmp

    Filesize

    11.2MB

    Download

  • memory/2736-149-0x0000000000850000-0x0000000000851000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2736-150-0x0000000000870000-0x0000000000871000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2736-151-0x0000000000880000-0x00000000013BA000-memory.dmp

    Filesize

    11.2MB

    Download