laplas | a361b930ea3e7336d0101bab97323603e1b06c23a42352237ad5272c464d728e

Analysis

max time kernel
133s
max time network
136s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
19-04-2023 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

2.5MB
MD5

913d760e2231966514afd45953222d8d
SHA1

427e0ea23ff895e648dcbdce89d404f671d815ad
SHA256

a361b930ea3e7336d0101bab97323603e1b06c23a42352237ad5272c464d728e
SHA512

bb284b728de9d38d5e8096e6072cab4e6bf9f559aff2a302baf33371cc891adb5a441e45aee3888f2c5b643641fb1fd48489ed8e533b7593d7626653be6ee5b0
SSDEEP

49152:IBJnvmysJFzbwJX/2WjX+/hlnRSf2Eri/ZFydl8wZQkn/M918gW9DTG/utBf5QS8:yJvmys0X/2WIRbEr6ZFyD8w24M91m9DI

Score

10^/10

laplas redline red clipper infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

RED

79.137.202.0:81

Attributes

auth_value
49e32ec54afd3f75dadad05dbf2e524f

Extracted

Family

laplas

http://79.137.199.252

Attributes

api_key
ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
320	KR934ie2.exe
1480	Mi430uW3.exe
1916	Coek3uKK.exe
1604	svcservice.exe

Loads dropped DLL 14 IoCs

pid	Process
2040	file.exe
2040	file.exe
2040	file.exe
2040	file.exe
2040	file.exe
2040	file.exe
2040	file.exe
2040	file.exe
2040	file.exe
2040	file.exe
2040	file.exe
2040	file.exe
2040	file.exe
1916	Coek3uKK.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	Coek3uKK.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 320 set thread context of 472	320	KR934ie2.exe	30
PID 1480 set thread context of 1052	1480	Mi430uW3.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
472	AppLaunch.exe
472	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	472	AppLaunch.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 320	2040	file.exe	28
PID 2040 wrote to memory of 320	2040	file.exe	28
PID 2040 wrote to memory of 320	2040	file.exe	28
PID 2040 wrote to memory of 320	2040	file.exe	28
PID 320 wrote to memory of 472	320	KR934ie2.exe	30
PID 320 wrote to memory of 472	320	KR934ie2.exe	30
PID 320 wrote to memory of 472	320	KR934ie2.exe	30
PID 320 wrote to memory of 472	320	KR934ie2.exe	30
PID 320 wrote to memory of 472	320	KR934ie2.exe	30
PID 320 wrote to memory of 472	320	KR934ie2.exe	30
PID 320 wrote to memory of 472	320	KR934ie2.exe	30
PID 320 wrote to memory of 472	320	KR934ie2.exe	30
PID 320 wrote to memory of 472	320	KR934ie2.exe	30
PID 2040 wrote to memory of 1480	2040	file.exe	31
PID 2040 wrote to memory of 1480	2040	file.exe	31
PID 2040 wrote to memory of 1480	2040	file.exe	31
PID 2040 wrote to memory of 1480	2040	file.exe	31
PID 1480 wrote to memory of 604	1480	Mi430uW3.exe	34
PID 1480 wrote to memory of 604	1480	Mi430uW3.exe	34
PID 1480 wrote to memory of 604	1480	Mi430uW3.exe	34
PID 1480 wrote to memory of 604	1480	Mi430uW3.exe	34
PID 1480 wrote to memory of 604	1480	Mi430uW3.exe	34
PID 1480 wrote to memory of 604	1480	Mi430uW3.exe	34
PID 1480 wrote to memory of 604	1480	Mi430uW3.exe	34
PID 1480 wrote to memory of 1052	1480	Mi430uW3.exe	33
PID 1480 wrote to memory of 1052	1480	Mi430uW3.exe	33
PID 1480 wrote to memory of 1052	1480	Mi430uW3.exe	33
PID 1480 wrote to memory of 1052	1480	Mi430uW3.exe	33
PID 1480 wrote to memory of 1052	1480	Mi430uW3.exe	33
PID 1480 wrote to memory of 1052	1480	Mi430uW3.exe	33
PID 1480 wrote to memory of 1052	1480	Mi430uW3.exe	33
PID 1480 wrote to memory of 1052	1480	Mi430uW3.exe	33
PID 1480 wrote to memory of 1052	1480	Mi430uW3.exe	33
PID 2040 wrote to memory of 1916	2040	file.exe	36
PID 2040 wrote to memory of 1916	2040	file.exe	36
PID 2040 wrote to memory of 1916	2040	file.exe	36
PID 2040 wrote to memory of 1916	2040	file.exe	36
PID 1916 wrote to memory of 1604	1916	Coek3uKK.exe	37
PID 1916 wrote to memory of 1604	1916	Coek3uKK.exe	37
PID 1916 wrote to memory of 1604	1916	Coek3uKK.exe	37
PID 1916 wrote to memory of 1604	1916	Coek3uKK.exe	37

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\KR934ie2.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\KR934ie2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:472
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mi430uW3.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mi430uW3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    PID:1052
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    PID:604
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Coek3uKK.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Coek3uKK.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
    3⤵
    - Executes dropped EXE
    PID:1604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Coek3uKK.exe

Filesize
1.1MB

MD5
a316af84a4a0b9eaa9d13b2e9a10a79c

SHA1
33f663b2ce7f5d2d50c303db135cd3edd98cd95d

SHA256
9986545e363a843599fde75d31fa4f611daaaa3c64ac6d8e27d24c9b5874240f

SHA512
c763cc79a7c2eded3e7e83498d553d6c15eccb77dbb6baea69591ddfc8d985152fde20909df5b71a30802d7680ac6865264444acd5833f52cbdf896b3a1dd59f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Coek3uKK.exe

Filesize
1.1MB

MD5
a316af84a4a0b9eaa9d13b2e9a10a79c

SHA1
33f663b2ce7f5d2d50c303db135cd3edd98cd95d

SHA256
9986545e363a843599fde75d31fa4f611daaaa3c64ac6d8e27d24c9b5874240f

SHA512
c763cc79a7c2eded3e7e83498d553d6c15eccb77dbb6baea69591ddfc8d985152fde20909df5b71a30802d7680ac6865264444acd5833f52cbdf896b3a1dd59f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Coek3uKK.exe

Filesize
1.1MB

MD5
a316af84a4a0b9eaa9d13b2e9a10a79c

SHA1
33f663b2ce7f5d2d50c303db135cd3edd98cd95d

SHA256
9986545e363a843599fde75d31fa4f611daaaa3c64ac6d8e27d24c9b5874240f

SHA512
c763cc79a7c2eded3e7e83498d553d6c15eccb77dbb6baea69591ddfc8d985152fde20909df5b71a30802d7680ac6865264444acd5833f52cbdf896b3a1dd59f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\KR934ie2.exe

Filesize
342KB

MD5
913f8b43a0a737d366bbd9aa04ea2cf3

SHA1
80766d487a578b3175734a253997c6f062bc2bb0

SHA256
e571056f83ea8ec1d2973f40847fec85f17d26fa685187ad152ee5fb6cb2a26f

SHA512
af3232674b3fa4efb01b793d6f160a8bb7840e9df79639f6b0cf6833107966ac4a81139ff88364556463fb480675b78ffe0a1a8d9ee87f9788b5da2786c0fa5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\KR934ie2.exe

Filesize
342KB

MD5
913f8b43a0a737d366bbd9aa04ea2cf3

SHA1
80766d487a578b3175734a253997c6f062bc2bb0

SHA256
e571056f83ea8ec1d2973f40847fec85f17d26fa685187ad152ee5fb6cb2a26f

SHA512
af3232674b3fa4efb01b793d6f160a8bb7840e9df79639f6b0cf6833107966ac4a81139ff88364556463fb480675b78ffe0a1a8d9ee87f9788b5da2786c0fa5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mi430uW3.exe

Filesize
2.6MB

MD5
6cf1a766a001c14ab610cf8b0d49a519

SHA1
f6972ce0388ad64fc9ecc793dacf19fcb0f98887

SHA256
d4dcde6d1d1bb0b9592816c04a3f2bb1f0958dc0e9ef4fd5a016fad1a9527024

SHA512
b7707976392d3f80ab8d54bf9609eb673b352dd3a29e65c502ee11f902bd099239ac4a1c6476f71b0e5ef820e8b1934cb0e4b37d20c85b657bfe997371d670b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mi430uW3.exe

Filesize
2.6MB

MD5
6cf1a766a001c14ab610cf8b0d49a519

SHA1
f6972ce0388ad64fc9ecc793dacf19fcb0f98887

SHA256
d4dcde6d1d1bb0b9592816c04a3f2bb1f0958dc0e9ef4fd5a016fad1a9527024

SHA512
b7707976392d3f80ab8d54bf9609eb673b352dd3a29e65c502ee11f902bd099239ac4a1c6476f71b0e5ef820e8b1934cb0e4b37d20c85b657bfe997371d670b6

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
704.1MB

MD5
02a03347e46ccfca8d6c834d63d563f2

SHA1
ac2ba613a7f1bb7f184f0a416fac9eba5103b061

SHA256
2c78c80a57ff2c186ad4b885de33715a4f8885bbbb04a4701a574ec4578610f6

SHA512
e3e3ede87373da7548d7d0be86689a58fa9da34eb46249bbbe725ccbc9b4c79045c6c2ba0ca16dc62775e80d4e1c6685d9fe040b87f93576fad99d9642016842

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Coek3uKK.exe

Filesize
1.1MB

MD5
a316af84a4a0b9eaa9d13b2e9a10a79c

SHA1
33f663b2ce7f5d2d50c303db135cd3edd98cd95d

SHA256
9986545e363a843599fde75d31fa4f611daaaa3c64ac6d8e27d24c9b5874240f

SHA512
c763cc79a7c2eded3e7e83498d553d6c15eccb77dbb6baea69591ddfc8d985152fde20909df5b71a30802d7680ac6865264444acd5833f52cbdf896b3a1dd59f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Coek3uKK.exe

Filesize
1.1MB

MD5
a316af84a4a0b9eaa9d13b2e9a10a79c

SHA1
33f663b2ce7f5d2d50c303db135cd3edd98cd95d

SHA256
9986545e363a843599fde75d31fa4f611daaaa3c64ac6d8e27d24c9b5874240f

SHA512
c763cc79a7c2eded3e7e83498d553d6c15eccb77dbb6baea69591ddfc8d985152fde20909df5b71a30802d7680ac6865264444acd5833f52cbdf896b3a1dd59f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Coek3uKK.exe

Filesize
1.1MB

MD5
a316af84a4a0b9eaa9d13b2e9a10a79c

SHA1
33f663b2ce7f5d2d50c303db135cd3edd98cd95d

SHA256
9986545e363a843599fde75d31fa4f611daaaa3c64ac6d8e27d24c9b5874240f

SHA512
c763cc79a7c2eded3e7e83498d553d6c15eccb77dbb6baea69591ddfc8d985152fde20909df5b71a30802d7680ac6865264444acd5833f52cbdf896b3a1dd59f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\KR934ie2.exe

Filesize
342KB

MD5
913f8b43a0a737d366bbd9aa04ea2cf3

SHA1
80766d487a578b3175734a253997c6f062bc2bb0

SHA256
e571056f83ea8ec1d2973f40847fec85f17d26fa685187ad152ee5fb6cb2a26f

SHA512
af3232674b3fa4efb01b793d6f160a8bb7840e9df79639f6b0cf6833107966ac4a81139ff88364556463fb480675b78ffe0a1a8d9ee87f9788b5da2786c0fa5e

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\KR934ie2.exe

Filesize
342KB

MD5
913f8b43a0a737d366bbd9aa04ea2cf3

SHA1
80766d487a578b3175734a253997c6f062bc2bb0

SHA256
e571056f83ea8ec1d2973f40847fec85f17d26fa685187ad152ee5fb6cb2a26f

SHA512
af3232674b3fa4efb01b793d6f160a8bb7840e9df79639f6b0cf6833107966ac4a81139ff88364556463fb480675b78ffe0a1a8d9ee87f9788b5da2786c0fa5e

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\KR934ie2.exe

Filesize
342KB

MD5
913f8b43a0a737d366bbd9aa04ea2cf3

SHA1
80766d487a578b3175734a253997c6f062bc2bb0

SHA256
e571056f83ea8ec1d2973f40847fec85f17d26fa685187ad152ee5fb6cb2a26f

SHA512
af3232674b3fa4efb01b793d6f160a8bb7840e9df79639f6b0cf6833107966ac4a81139ff88364556463fb480675b78ffe0a1a8d9ee87f9788b5da2786c0fa5e

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\KR934ie2.exe

Filesize
342KB

MD5
913f8b43a0a737d366bbd9aa04ea2cf3

SHA1
80766d487a578b3175734a253997c6f062bc2bb0

SHA256
e571056f83ea8ec1d2973f40847fec85f17d26fa685187ad152ee5fb6cb2a26f

SHA512
af3232674b3fa4efb01b793d6f160a8bb7840e9df79639f6b0cf6833107966ac4a81139ff88364556463fb480675b78ffe0a1a8d9ee87f9788b5da2786c0fa5e

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\KR934ie2.exe

Filesize
342KB

MD5
913f8b43a0a737d366bbd9aa04ea2cf3

SHA1
80766d487a578b3175734a253997c6f062bc2bb0

SHA256
e571056f83ea8ec1d2973f40847fec85f17d26fa685187ad152ee5fb6cb2a26f

SHA512
af3232674b3fa4efb01b793d6f160a8bb7840e9df79639f6b0cf6833107966ac4a81139ff88364556463fb480675b78ffe0a1a8d9ee87f9788b5da2786c0fa5e

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Mi430uW3.exe

Filesize
2.6MB

MD5
6cf1a766a001c14ab610cf8b0d49a519

SHA1
f6972ce0388ad64fc9ecc793dacf19fcb0f98887

SHA256
d4dcde6d1d1bb0b9592816c04a3f2bb1f0958dc0e9ef4fd5a016fad1a9527024

SHA512
b7707976392d3f80ab8d54bf9609eb673b352dd3a29e65c502ee11f902bd099239ac4a1c6476f71b0e5ef820e8b1934cb0e4b37d20c85b657bfe997371d670b6

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Mi430uW3.exe

Filesize
2.6MB

MD5
6cf1a766a001c14ab610cf8b0d49a519

SHA1
f6972ce0388ad64fc9ecc793dacf19fcb0f98887

SHA256
d4dcde6d1d1bb0b9592816c04a3f2bb1f0958dc0e9ef4fd5a016fad1a9527024

SHA512
b7707976392d3f80ab8d54bf9609eb673b352dd3a29e65c502ee11f902bd099239ac4a1c6476f71b0e5ef820e8b1934cb0e4b37d20c85b657bfe997371d670b6

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Mi430uW3.exe

Filesize
2.6MB

MD5
6cf1a766a001c14ab610cf8b0d49a519

SHA1
f6972ce0388ad64fc9ecc793dacf19fcb0f98887

SHA256
d4dcde6d1d1bb0b9592816c04a3f2bb1f0958dc0e9ef4fd5a016fad1a9527024

SHA512
b7707976392d3f80ab8d54bf9609eb673b352dd3a29e65c502ee11f902bd099239ac4a1c6476f71b0e5ef820e8b1934cb0e4b37d20c85b657bfe997371d670b6

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Mi430uW3.exe

Filesize
2.6MB

MD5
6cf1a766a001c14ab610cf8b0d49a519

SHA1
f6972ce0388ad64fc9ecc793dacf19fcb0f98887

SHA256
d4dcde6d1d1bb0b9592816c04a3f2bb1f0958dc0e9ef4fd5a016fad1a9527024

SHA512
b7707976392d3f80ab8d54bf9609eb673b352dd3a29e65c502ee11f902bd099239ac4a1c6476f71b0e5ef820e8b1934cb0e4b37d20c85b657bfe997371d670b6

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Mi430uW3.exe

Filesize
2.6MB

MD5
6cf1a766a001c14ab610cf8b0d49a519

SHA1
f6972ce0388ad64fc9ecc793dacf19fcb0f98887

SHA256
d4dcde6d1d1bb0b9592816c04a3f2bb1f0958dc0e9ef4fd5a016fad1a9527024

SHA512
b7707976392d3f80ab8d54bf9609eb673b352dd3a29e65c502ee11f902bd099239ac4a1c6476f71b0e5ef820e8b1934cb0e4b37d20c85b657bfe997371d670b6

Download Submit
\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
704.1MB

MD5
02a03347e46ccfca8d6c834d63d563f2

SHA1
ac2ba613a7f1bb7f184f0a416fac9eba5103b061

SHA256
2c78c80a57ff2c186ad4b885de33715a4f8885bbbb04a4701a574ec4578610f6

SHA512
e3e3ede87373da7548d7d0be86689a58fa9da34eb46249bbbe725ccbc9b4c79045c6c2ba0ca16dc62775e80d4e1c6685d9fe040b87f93576fad99d9642016842

Download Submit
memory/472-84-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/472-77-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/472-86-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/472-303-0x0000000004B60000-0x0000000004BA0000-memory.dmp

Filesize
256KB

Download
memory/472-82-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/472-78-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/472-302-0x0000000004B60000-0x0000000004BA0000-memory.dmp

Filesize
256KB

Download
memory/472-254-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/1052-141-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/1052-103-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/1052-127-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/1052-139-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/1052-138-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/1052-104-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download