Overview

overview

10

Static

static

1

71a0ca1530...d6.exe

windows7-x64

7

71a0ca1530...d6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-04-2023 05:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    71a0ca15307459ac022cc94745b4e4d6.exe

  • Size

    2.6MB

  • MD5

    71a0ca15307459ac022cc94745b4e4d6

  • SHA1

    08203769381e9b2593cb4dc525f4bf166892abc5

  • SHA256

    7f167b28d9c7abdc22f28b869ff375d421d6bbe12ccbc8299d16d4fbea022315

  • SHA512

    664c0cd101a8d3ad67c1c943c23eaeaf095a700e9c1d7d8e07893b3628a06d7c80af233c6f38f2f6cd4110df3830914f4a641362f211bd3c9e7ec27e39c0d2d4

  • SSDEEP

    49152:IBJ+lPvy/ydUPzMTwt5whOO0BaRPu/TBHXCzjXSZfofdZo6qNx:yMlo1YD+aRPoTB38jlfdZo/Nx

Score
10/10
laplasclipperpersistencespywarestealer

Malware Config

Extracted

Family

laplas

C2

http://79.137.199.252

Attributes
  • api_key

    ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\71a0ca15307459ac022cc94745b4e4d6.exe
    "C:\Users\Admin\AppData\Local\Temp\71a0ca15307459ac022cc94745b4e4d6.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4588
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3212
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4560
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3212 -s 148
        3⤵
        • Program crash
        PID:3728
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga2.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga2.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:5032
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        3⤵
          PID:4532
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 272
          3⤵
          • Program crash
          PID:3824
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga3.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga3.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4064
        • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
          "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
          3⤵
          • Executes dropped EXE
          PID:3680
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3212 -ip 3212
      1⤵
        PID:4904
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5032 -ip 5032
        1⤵
          PID:1148

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe
          Filesize

          305KB

          MD5

          3dccd81da0841771ad6e6d04f50fda00

          SHA1

          db922c9865666745b40bfa1c6ddca7a982e22092

          SHA256

          7399db4b856708bf0c72588e1dbdd593aa9bab06d14cb880e6d310e547b4a8d8

          SHA512

          f0f99612932eabf248704d78f8f39b4b63744e06a8bd80330b5838ca7c28c2d104ee85c8eb078979356a0471cf1632dc5357c89ff93cd25afb47026bce26245c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe
          Filesize

          305KB

          MD5

          3dccd81da0841771ad6e6d04f50fda00

          SHA1

          db922c9865666745b40bfa1c6ddca7a982e22092

          SHA256

          7399db4b856708bf0c72588e1dbdd593aa9bab06d14cb880e6d310e547b4a8d8

          SHA512

          f0f99612932eabf248704d78f8f39b4b63744e06a8bd80330b5838ca7c28c2d104ee85c8eb078979356a0471cf1632dc5357c89ff93cd25afb47026bce26245c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe
          Filesize

          305KB

          MD5

          3dccd81da0841771ad6e6d04f50fda00

          SHA1

          db922c9865666745b40bfa1c6ddca7a982e22092

          SHA256

          7399db4b856708bf0c72588e1dbdd593aa9bab06d14cb880e6d310e547b4a8d8

          SHA512

          f0f99612932eabf248704d78f8f39b4b63744e06a8bd80330b5838ca7c28c2d104ee85c8eb078979356a0471cf1632dc5357c89ff93cd25afb47026bce26245c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga2.exe
          Filesize

          2.6MB

          MD5

          34eebfa094d3c3fbaffda1444ab1f3c1

          SHA1

          3967ae704065e6b71f01522a3e1bd09d1a364f50

          SHA256

          34d540287aa2fbd97e74bbcca8ccf1c4936987e800faddfe93ae6a44ea21c409

          SHA512

          3a7a296f28ccdead0cd9e3dd2ac6264f5689d7ca94bbf5d7e2436c3d3d431237f46761db4fce29a5088d81c63d95b0d399e3f6ad3bce8d6299caf4424858b164

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga2.exe
          Filesize

          2.6MB

          MD5

          34eebfa094d3c3fbaffda1444ab1f3c1

          SHA1

          3967ae704065e6b71f01522a3e1bd09d1a364f50

          SHA256

          34d540287aa2fbd97e74bbcca8ccf1c4936987e800faddfe93ae6a44ea21c409

          SHA512

          3a7a296f28ccdead0cd9e3dd2ac6264f5689d7ca94bbf5d7e2436c3d3d431237f46761db4fce29a5088d81c63d95b0d399e3f6ad3bce8d6299caf4424858b164

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga2.exe
          Filesize

          2.6MB

          MD5

          34eebfa094d3c3fbaffda1444ab1f3c1

          SHA1

          3967ae704065e6b71f01522a3e1bd09d1a364f50

          SHA256

          34d540287aa2fbd97e74bbcca8ccf1c4936987e800faddfe93ae6a44ea21c409

          SHA512

          3a7a296f28ccdead0cd9e3dd2ac6264f5689d7ca94bbf5d7e2436c3d3d431237f46761db4fce29a5088d81c63d95b0d399e3f6ad3bce8d6299caf4424858b164

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga3.exe
          Filesize

          1.1MB

          MD5

          2994ac192d0367706dcc6c66d3cfe2b5

          SHA1

          ecb727632df085e815614f8d04471bdcc1e144f1

          SHA256

          030b72e4aca4c21f22e3c2a52848a49d43ced9c335d6c38f76ef6378d17adc47

          SHA512

          23653aed37fb2a3fa6156b70c13ea85d76bcb7d075b8d17e74f9664b889cb6a7c561015df9edb4d8b974c8a579cf38f98af3e845b481869ed759562bc6fb831d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga3.exe
          Filesize

          1.1MB

          MD5

          2994ac192d0367706dcc6c66d3cfe2b5

          SHA1

          ecb727632df085e815614f8d04471bdcc1e144f1

          SHA256

          030b72e4aca4c21f22e3c2a52848a49d43ced9c335d6c38f76ef6378d17adc47

          SHA512

          23653aed37fb2a3fa6156b70c13ea85d76bcb7d075b8d17e74f9664b889cb6a7c561015df9edb4d8b974c8a579cf38f98af3e845b481869ed759562bc6fb831d

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga3.exe
          Filesize

          1.1MB

          MD5

          2994ac192d0367706dcc6c66d3cfe2b5

          SHA1

          ecb727632df085e815614f8d04471bdcc1e144f1

          SHA256

          030b72e4aca4c21f22e3c2a52848a49d43ced9c335d6c38f76ef6378d17adc47

          SHA512

          23653aed37fb2a3fa6156b70c13ea85d76bcb7d075b8d17e74f9664b889cb6a7c561015df9edb4d8b974c8a579cf38f98af3e845b481869ed759562bc6fb831d

          Download Submit

        • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
          Filesize

          383.8MB

          MD5

          243d08da14bb646590c5fa18aa72eab0

          SHA1

          d2330ef7794089de8824153cdf6c6f3809fdc757

          SHA256

          818fbfbf4e30f580d2dafd94b8a7f25675045de64ddb47d277178e27983ed890

          SHA512

          855ba43e2ffb229c9546997ba8643919fb97923a768535885539a5b34b6739213bdc1c99a6f35c402d6fb7e0dcfe0c1a50374fb9c779646b4691a78e7d71b433

          Download Submit

        • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
          Filesize

          394.5MB

          MD5

          9fd195a6f60c374db0575b7851beb8c5

          SHA1

          e6048ac8c416d013e9d7f52f14f30fcd7cdf1836

          SHA256

          ad289ce8a05848d806f4fec8b615f2561d42787b5f6623113866b0d894781b54

          SHA512

          6c8f31ceca06399f9e7416947cfc06dd0b2e9fb4e99fb696af6758697a1a1c56e16196a95138ffc969a18aca42a8af805ce6610c3c354c9cddcd815ad43a79cb

          Download Submit

        • memory/4532-189-0x0000000000400000-0x000000000056C000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4532-191-0x0000000000400000-0x000000000056C000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4532-169-0x0000000000400000-0x000000000056C000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4532-193-0x0000000000400000-0x000000000056C000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4532-190-0x0000000000400000-0x000000000056C000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4560-233-0x00000000081D0000-0x0000000008246000-memory.dmp

          Filesize

          472KB

          Download

        • memory/4560-155-0x00000000071A0000-0x00000000071B2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4560-218-0x0000000008610000-0x0000000008BB4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4560-221-0x0000000008130000-0x00000000081C2000-memory.dmp

          Filesize

          584KB

          Download

        • memory/4560-187-0x0000000007580000-0x00000000075E6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/4560-157-0x0000000007570000-0x0000000007580000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4560-156-0x00000000072D0000-0x00000000073DA000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/4560-158-0x0000000007200000-0x000000000723C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/4560-254-0x0000000002610000-0x000000000262E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/4560-390-0x00000000085A0000-0x00000000085F0000-memory.dmp

          Filesize

          320KB

          Download

        • memory/4560-407-0x0000000009940000-0x0000000009B02000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/4560-414-0x000000000A040000-0x000000000A56C000-memory.dmp

          Filesize

          5.2MB

          Download

        • memory/4560-417-0x0000000007570000-0x0000000007580000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4560-154-0x0000000007730000-0x0000000007D48000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/4560-149-0x0000000000700000-0x0000000000728000-memory.dmp

          Filesize

          160KB

          Download