laplas | 7f167b28d9c7abdc22f28b869ff375d421d6bbe12ccbc8299d16d4fbea022315

Analysis

max time kernel
29s
max time network
58s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2023 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f167b28d9c7abdc22f28b869ff375d421d6bbe12ccbc8299d16d4fbea022315.exe
Size

2.6MB
MD5

71a0ca15307459ac022cc94745b4e4d6
SHA1

08203769381e9b2593cb4dc525f4bf166892abc5
SHA256

7f167b28d9c7abdc22f28b869ff375d421d6bbe12ccbc8299d16d4fbea022315
SHA512

664c0cd101a8d3ad67c1c943c23eaeaf095a700e9c1d7d8e07893b3628a06d7c80af233c6f38f2f6cd4110df3830914f4a641362f211bd3c9e7ec27e39c0d2d4
SSDEEP

49152:IBJ+lPvy/ydUPzMTwt5whOO0BaRPu/TBHXCzjXSZfofdZo6qNx:yMlo1YD+aRPoTB38jlfdZo/Nx

Score

10^/10

laplas clipper persistence spyware stealer

Malware Config

Extracted

Family

laplas

http://79.137.199.252

Attributes

api_key
ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	Mahatga3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	7f167b28d9c7abdc22f28b869ff375d421d6bbe12ccbc8299d16d4fbea022315.exe

Executes dropped EXE 4 IoCs

pid	Process
928	Mahatga.exe
3420	Mahatga2.exe
3776	Mahatga3.exe
4068	svcservice.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	Mahatga3.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 928 set thread context of 3812	928	Mahatga.exe	87
PID 3420 set thread context of 2420	3420	Mahatga2.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3644	928	WerFault.exe	84
3620	3420	WerFault.exe	90

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3812	AppLaunch.exe
3812	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3812	AppLaunch.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 632 wrote to memory of 928	632	7f167b28d9c7abdc22f28b869ff375d421d6bbe12ccbc8299d16d4fbea022315.exe	84
PID 632 wrote to memory of 928	632	7f167b28d9c7abdc22f28b869ff375d421d6bbe12ccbc8299d16d4fbea022315.exe	84
PID 632 wrote to memory of 928	632	7f167b28d9c7abdc22f28b869ff375d421d6bbe12ccbc8299d16d4fbea022315.exe	84
PID 928 wrote to memory of 3812	928	Mahatga.exe	87
PID 928 wrote to memory of 3812	928	Mahatga.exe	87
PID 928 wrote to memory of 3812	928	Mahatga.exe	87
PID 928 wrote to memory of 3812	928	Mahatga.exe	87
PID 928 wrote to memory of 3812	928	Mahatga.exe	87
PID 632 wrote to memory of 3420	632	7f167b28d9c7abdc22f28b869ff375d421d6bbe12ccbc8299d16d4fbea022315.exe	90
PID 632 wrote to memory of 3420	632	7f167b28d9c7abdc22f28b869ff375d421d6bbe12ccbc8299d16d4fbea022315.exe	90
PID 632 wrote to memory of 3420	632	7f167b28d9c7abdc22f28b869ff375d421d6bbe12ccbc8299d16d4fbea022315.exe	90
PID 3420 wrote to memory of 2420	3420	Mahatga2.exe	92
PID 3420 wrote to memory of 2420	3420	Mahatga2.exe	92
PID 3420 wrote to memory of 2420	3420	Mahatga2.exe	92
PID 3420 wrote to memory of 2420	3420	Mahatga2.exe	92
PID 3420 wrote to memory of 2420	3420	Mahatga2.exe	92
PID 632 wrote to memory of 3776	632	7f167b28d9c7abdc22f28b869ff375d421d6bbe12ccbc8299d16d4fbea022315.exe	96
PID 632 wrote to memory of 3776	632	7f167b28d9c7abdc22f28b869ff375d421d6bbe12ccbc8299d16d4fbea022315.exe	96
PID 632 wrote to memory of 3776	632	7f167b28d9c7abdc22f28b869ff375d421d6bbe12ccbc8299d16d4fbea022315.exe	96
PID 3776 wrote to memory of 4068	3776	Mahatga3.exe	99
PID 3776 wrote to memory of 4068	3776	Mahatga3.exe	99
PID 3776 wrote to memory of 4068	3776	Mahatga3.exe	99

C:\Users\Admin\AppData\Local\Temp\7f167b28d9c7abdc22f28b869ff375d421d6bbe12ccbc8299d16d4fbea022315.exe
"C:\Users\Admin\AppData\Local\Temp\7f167b28d9c7abdc22f28b869ff375d421d6bbe12ccbc8299d16d4fbea022315.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:632
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3812
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 928 -s 140
    3⤵
    - Program crash
    PID:3644
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga2.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3420
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3420 -s 148
    3⤵
    - Program crash
    PID:3620
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga3.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3776
- - C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
    3⤵
    - Executes dropped EXE
    PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 928 -ip 928
1⤵
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3420 -ip 3420
1⤵
PID:4608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe

Filesize
305KB

MD5
3dccd81da0841771ad6e6d04f50fda00

SHA1
db922c9865666745b40bfa1c6ddca7a982e22092

SHA256
7399db4b856708bf0c72588e1dbdd593aa9bab06d14cb880e6d310e547b4a8d8

SHA512
f0f99612932eabf248704d78f8f39b4b63744e06a8bd80330b5838ca7c28c2d104ee85c8eb078979356a0471cf1632dc5357c89ff93cd25afb47026bce26245c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe

Filesize
305KB

MD5
3dccd81da0841771ad6e6d04f50fda00

SHA1
db922c9865666745b40bfa1c6ddca7a982e22092

SHA256
7399db4b856708bf0c72588e1dbdd593aa9bab06d14cb880e6d310e547b4a8d8

SHA512
f0f99612932eabf248704d78f8f39b4b63744e06a8bd80330b5838ca7c28c2d104ee85c8eb078979356a0471cf1632dc5357c89ff93cd25afb47026bce26245c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga.exe

Filesize
305KB

MD5
3dccd81da0841771ad6e6d04f50fda00

SHA1
db922c9865666745b40bfa1c6ddca7a982e22092

SHA256
7399db4b856708bf0c72588e1dbdd593aa9bab06d14cb880e6d310e547b4a8d8

SHA512
f0f99612932eabf248704d78f8f39b4b63744e06a8bd80330b5838ca7c28c2d104ee85c8eb078979356a0471cf1632dc5357c89ff93cd25afb47026bce26245c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga2.exe

Filesize
2.6MB

MD5
34eebfa094d3c3fbaffda1444ab1f3c1

SHA1
3967ae704065e6b71f01522a3e1bd09d1a364f50

SHA256
34d540287aa2fbd97e74bbcca8ccf1c4936987e800faddfe93ae6a44ea21c409

SHA512
3a7a296f28ccdead0cd9e3dd2ac6264f5689d7ca94bbf5d7e2436c3d3d431237f46761db4fce29a5088d81c63d95b0d399e3f6ad3bce8d6299caf4424858b164

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga2.exe

Filesize
2.6MB

MD5
34eebfa094d3c3fbaffda1444ab1f3c1

SHA1
3967ae704065e6b71f01522a3e1bd09d1a364f50

SHA256
34d540287aa2fbd97e74bbcca8ccf1c4936987e800faddfe93ae6a44ea21c409

SHA512
3a7a296f28ccdead0cd9e3dd2ac6264f5689d7ca94bbf5d7e2436c3d3d431237f46761db4fce29a5088d81c63d95b0d399e3f6ad3bce8d6299caf4424858b164

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga2.exe

Filesize
2.6MB

MD5
34eebfa094d3c3fbaffda1444ab1f3c1

SHA1
3967ae704065e6b71f01522a3e1bd09d1a364f50

SHA256
34d540287aa2fbd97e74bbcca8ccf1c4936987e800faddfe93ae6a44ea21c409

SHA512
3a7a296f28ccdead0cd9e3dd2ac6264f5689d7ca94bbf5d7e2436c3d3d431237f46761db4fce29a5088d81c63d95b0d399e3f6ad3bce8d6299caf4424858b164

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga3.exe

Filesize
1.1MB

MD5
2994ac192d0367706dcc6c66d3cfe2b5

SHA1
ecb727632df085e815614f8d04471bdcc1e144f1

SHA256
030b72e4aca4c21f22e3c2a52848a49d43ced9c335d6c38f76ef6378d17adc47

SHA512
23653aed37fb2a3fa6156b70c13ea85d76bcb7d075b8d17e74f9664b889cb6a7c561015df9edb4d8b974c8a579cf38f98af3e845b481869ed759562bc6fb831d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga3.exe

Filesize
1.1MB

MD5
2994ac192d0367706dcc6c66d3cfe2b5

SHA1
ecb727632df085e815614f8d04471bdcc1e144f1

SHA256
030b72e4aca4c21f22e3c2a52848a49d43ced9c335d6c38f76ef6378d17adc47

SHA512
23653aed37fb2a3fa6156b70c13ea85d76bcb7d075b8d17e74f9664b889cb6a7c561015df9edb4d8b974c8a579cf38f98af3e845b481869ed759562bc6fb831d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mahatga3.exe

Filesize
1.1MB

MD5
2994ac192d0367706dcc6c66d3cfe2b5

SHA1
ecb727632df085e815614f8d04471bdcc1e144f1

SHA256
030b72e4aca4c21f22e3c2a52848a49d43ced9c335d6c38f76ef6378d17adc47

SHA512
23653aed37fb2a3fa6156b70c13ea85d76bcb7d075b8d17e74f9664b889cb6a7c561015df9edb4d8b974c8a579cf38f98af3e845b481869ed759562bc6fb831d

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
66.7MB

MD5
acc2a0274a1ca31627ce932af3b59319

SHA1
6e131834036bb841361e8ff53369eecbe22252a2

SHA256
e6d53a900e8cef85387866cace032aa52367c165198e7c9cbce614a24f8f6e75

SHA512
d602c052ce6abb9ac2549743df69d3d18a082f8153da9d0f0c2aabda0f37aa475bf5b8fa2830b725d2361dfb68693c3bb75f9c031a74dc0b174f8636e900e428

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
70.2MB

MD5
0d093f035845d904583612317535514f

SHA1
d70a44c4bcac7806fb4db37a4e512ad09c1b81dc

SHA256
a02195abbd5361285b20a0a6a1178fb771a1a4b27e78022d6b5301c074a2efcb

SHA512
0f3e51852a543baf116cd4ec586079e0df8d61d6edbee1eadcc51b1a1a6bee6274bedfe230e2a0b7cdc975d2bdda6b6f42e6fc5bc8b98787fe6c20cef8dd4c63

Download Submit
memory/2420-189-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2420-191-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2420-169-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2420-193-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2420-190-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/3812-237-0x0000000008E10000-0x0000000008E86000-memory.dmp

Filesize
472KB

Download
memory/3812-156-0x0000000007F30000-0x000000000803A000-memory.dmp

Filesize
1.0MB

Download
memory/3812-220-0x0000000009250000-0x00000000097F4000-memory.dmp

Filesize
5.6MB

Download
memory/3812-224-0x0000000008D70000-0x0000000008E02000-memory.dmp

Filesize
584KB

Download
memory/3812-187-0x00000000081B0000-0x0000000008216000-memory.dmp

Filesize
408KB

Download
memory/3812-157-0x0000000007E60000-0x0000000007E9C000-memory.dmp

Filesize
240KB

Download
memory/3812-259-0x0000000008D40000-0x0000000008D5E000-memory.dmp

Filesize
120KB

Download
memory/3812-158-0x00000000081A0000-0x00000000081B0000-memory.dmp

Filesize
64KB

Download
memory/3812-155-0x0000000007E00000-0x0000000007E12000-memory.dmp

Filesize
72KB

Download
memory/3812-433-0x000000000A580000-0x000000000A742000-memory.dmp

Filesize
1.8MB

Download
memory/3812-441-0x000000000AC80000-0x000000000B1AC000-memory.dmp

Filesize
5.2MB

Download
memory/3812-457-0x00000000081A0000-0x00000000081B0000-memory.dmp

Filesize
64KB

Download
memory/3812-484-0x0000000009850000-0x00000000098A0000-memory.dmp

Filesize
320KB

Download
memory/3812-154-0x0000000008370000-0x0000000008988000-memory.dmp

Filesize
6.1MB

Download
memory/3812-149-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download