laplas | a361b930ea3e7336d0101bab97323603e1b06c23a42352237ad5272c464d728e

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2023 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

2.5MB
MD5

913d760e2231966514afd45953222d8d
SHA1

427e0ea23ff895e648dcbdce89d404f671d815ad
SHA256

a361b930ea3e7336d0101bab97323603e1b06c23a42352237ad5272c464d728e
SHA512

bb284b728de9d38d5e8096e6072cab4e6bf9f559aff2a302baf33371cc891adb5a441e45aee3888f2c5b643641fb1fd48489ed8e533b7593d7626653be6ee5b0
SSDEEP

49152:IBJnvmysJFzbwJX/2WjX+/hlnRSf2Eri/ZFydl8wZQkn/M918gW9DTG/utBf5QS8:yJvmys0X/2WIRbEr6ZFyD8w24M91m9DI

Score

10^/10

laplas redline red clipper infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

RED

79.137.202.0:81

Attributes

auth_value
49e32ec54afd3f75dadad05dbf2e524f

Extracted

Family

laplas

http://79.137.199.252

Attributes

api_key
ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	Coek3uKK.exe

Executes dropped EXE 4 IoCs

pid	Process
3988	KR934ie2.exe
4936	Mi430uW3.exe
752	Coek3uKK.exe
4652	svcservice.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	Coek3uKK.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3988 set thread context of 3932	3988	KR934ie2.exe	88
PID 4936 set thread context of 4360	4936	Mi430uW3.exe	93

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3932	AppLaunch.exe
3932	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3932	AppLaunch.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 3988	1368	file.exe	85
PID 1368 wrote to memory of 3988	1368	file.exe	85
PID 1368 wrote to memory of 3988	1368	file.exe	85
PID 3988 wrote to memory of 3932	3988	KR934ie2.exe	88
PID 3988 wrote to memory of 3932	3988	KR934ie2.exe	88
PID 3988 wrote to memory of 3932	3988	KR934ie2.exe	88
PID 3988 wrote to memory of 3932	3988	KR934ie2.exe	88
PID 3988 wrote to memory of 3932	3988	KR934ie2.exe	88
PID 1368 wrote to memory of 4936	1368	file.exe	89
PID 1368 wrote to memory of 4936	1368	file.exe	89
PID 1368 wrote to memory of 4936	1368	file.exe	89
PID 4936 wrote to memory of 4552	4936	Mi430uW3.exe	91
PID 4936 wrote to memory of 4552	4936	Mi430uW3.exe	91
PID 4936 wrote to memory of 4552	4936	Mi430uW3.exe	91
PID 4936 wrote to memory of 872	4936	Mi430uW3.exe	92
PID 4936 wrote to memory of 872	4936	Mi430uW3.exe	92
PID 4936 wrote to memory of 872	4936	Mi430uW3.exe	92
PID 4936 wrote to memory of 4360	4936	Mi430uW3.exe	93
PID 4936 wrote to memory of 4360	4936	Mi430uW3.exe	93
PID 4936 wrote to memory of 4360	4936	Mi430uW3.exe	93
PID 4936 wrote to memory of 4360	4936	Mi430uW3.exe	93
PID 4936 wrote to memory of 4360	4936	Mi430uW3.exe	93
PID 1368 wrote to memory of 752	1368	file.exe	95
PID 1368 wrote to memory of 752	1368	file.exe	95
PID 1368 wrote to memory of 752	1368	file.exe	95
PID 752 wrote to memory of 4652	752	Coek3uKK.exe	96
PID 752 wrote to memory of 4652	752	Coek3uKK.exe	96
PID 752 wrote to memory of 4652	752	Coek3uKK.exe	96

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\KR934ie2.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\KR934ie2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3932
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mi430uW3.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mi430uW3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    PID:4552
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    PID:872
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
    3⤵
    PID:4360
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Coek3uKK.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Coek3uKK.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
    3⤵
    - Executes dropped EXE
    PID:4652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Coek3uKK.exe

Filesize
1.1MB

MD5
a316af84a4a0b9eaa9d13b2e9a10a79c

SHA1
33f663b2ce7f5d2d50c303db135cd3edd98cd95d

SHA256
9986545e363a843599fde75d31fa4f611daaaa3c64ac6d8e27d24c9b5874240f

SHA512
c763cc79a7c2eded3e7e83498d553d6c15eccb77dbb6baea69591ddfc8d985152fde20909df5b71a30802d7680ac6865264444acd5833f52cbdf896b3a1dd59f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Coek3uKK.exe

Filesize
1.1MB

MD5
a316af84a4a0b9eaa9d13b2e9a10a79c

SHA1
33f663b2ce7f5d2d50c303db135cd3edd98cd95d

SHA256
9986545e363a843599fde75d31fa4f611daaaa3c64ac6d8e27d24c9b5874240f

SHA512
c763cc79a7c2eded3e7e83498d553d6c15eccb77dbb6baea69591ddfc8d985152fde20909df5b71a30802d7680ac6865264444acd5833f52cbdf896b3a1dd59f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Coek3uKK.exe

Filesize
1.1MB

MD5
a316af84a4a0b9eaa9d13b2e9a10a79c

SHA1
33f663b2ce7f5d2d50c303db135cd3edd98cd95d

SHA256
9986545e363a843599fde75d31fa4f611daaaa3c64ac6d8e27d24c9b5874240f

SHA512
c763cc79a7c2eded3e7e83498d553d6c15eccb77dbb6baea69591ddfc8d985152fde20909df5b71a30802d7680ac6865264444acd5833f52cbdf896b3a1dd59f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\KR934ie2.exe

Filesize
342KB

MD5
913f8b43a0a737d366bbd9aa04ea2cf3

SHA1
80766d487a578b3175734a253997c6f062bc2bb0

SHA256
e571056f83ea8ec1d2973f40847fec85f17d26fa685187ad152ee5fb6cb2a26f

SHA512
af3232674b3fa4efb01b793d6f160a8bb7840e9df79639f6b0cf6833107966ac4a81139ff88364556463fb480675b78ffe0a1a8d9ee87f9788b5da2786c0fa5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\KR934ie2.exe

Filesize
342KB

MD5
913f8b43a0a737d366bbd9aa04ea2cf3

SHA1
80766d487a578b3175734a253997c6f062bc2bb0

SHA256
e571056f83ea8ec1d2973f40847fec85f17d26fa685187ad152ee5fb6cb2a26f

SHA512
af3232674b3fa4efb01b793d6f160a8bb7840e9df79639f6b0cf6833107966ac4a81139ff88364556463fb480675b78ffe0a1a8d9ee87f9788b5da2786c0fa5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\KR934ie2.exe

Filesize
342KB

MD5
913f8b43a0a737d366bbd9aa04ea2cf3

SHA1
80766d487a578b3175734a253997c6f062bc2bb0

SHA256
e571056f83ea8ec1d2973f40847fec85f17d26fa685187ad152ee5fb6cb2a26f

SHA512
af3232674b3fa4efb01b793d6f160a8bb7840e9df79639f6b0cf6833107966ac4a81139ff88364556463fb480675b78ffe0a1a8d9ee87f9788b5da2786c0fa5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mi430uW3.exe

Filesize
2.6MB

MD5
6cf1a766a001c14ab610cf8b0d49a519

SHA1
f6972ce0388ad64fc9ecc793dacf19fcb0f98887

SHA256
d4dcde6d1d1bb0b9592816c04a3f2bb1f0958dc0e9ef4fd5a016fad1a9527024

SHA512
b7707976392d3f80ab8d54bf9609eb673b352dd3a29e65c502ee11f902bd099239ac4a1c6476f71b0e5ef820e8b1934cb0e4b37d20c85b657bfe997371d670b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mi430uW3.exe

Filesize
2.6MB

MD5
6cf1a766a001c14ab610cf8b0d49a519

SHA1
f6972ce0388ad64fc9ecc793dacf19fcb0f98887

SHA256
d4dcde6d1d1bb0b9592816c04a3f2bb1f0958dc0e9ef4fd5a016fad1a9527024

SHA512
b7707976392d3f80ab8d54bf9609eb673b352dd3a29e65c502ee11f902bd099239ac4a1c6476f71b0e5ef820e8b1934cb0e4b37d20c85b657bfe997371d670b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Mi430uW3.exe

Filesize
2.6MB

MD5
6cf1a766a001c14ab610cf8b0d49a519

SHA1
f6972ce0388ad64fc9ecc793dacf19fcb0f98887

SHA256
d4dcde6d1d1bb0b9592816c04a3f2bb1f0958dc0e9ef4fd5a016fad1a9527024

SHA512
b7707976392d3f80ab8d54bf9609eb673b352dd3a29e65c502ee11f902bd099239ac4a1c6476f71b0e5ef820e8b1934cb0e4b37d20c85b657bfe997371d670b6

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
320.4MB

MD5
5f7e1657190439a43f60aac253ea01c2

SHA1
dd0fff78cdf4b3caf09bb532f617578de33b377f

SHA256
5be9e3ed02ed1a0bed7374aabd82cea78ae0ace2f6ca5553f8f61e55aa307ace

SHA512
5a2dd901dc5e9bdb8de3e4845fec7793395ed6152c8693f15ea408093a0cde0cf551cb91e12d63f2278a8f6e329208d6dc9e908cb45014c4d63125777107b3dc

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
326.0MB

MD5
e1d879199dc5df044de6a2699c7ee1ff

SHA1
5d4b3f5a6c84f05c7980df4ac99d2faa3b02f85a

SHA256
72aa42912b228e483d12624dfea1cb8e64ebb3dafe906d84bcbb1abd58435255

SHA512
5c91b7818daf85d90df05ce518efd577138a226d6546c05575cebfd1c453944658044f8a33beb390ee36ee43292e4b1e0c53092ff1a366d2168646380115319e

Download Submit
memory/3932-192-0x0000000004E40000-0x0000000004F4A000-memory.dmp

Filesize
1.0MB

Download
memory/3932-652-0x0000000009430000-0x000000000995C000-memory.dmp

Filesize
5.2MB

Download
memory/3932-193-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/3932-181-0x0000000005350000-0x0000000005968000-memory.dmp

Filesize
6.1MB

Download
memory/3932-196-0x0000000004D70000-0x0000000004DAC000-memory.dmp

Filesize
240KB

Download
memory/3932-150-0x0000000000610000-0x000000000063E000-memory.dmp

Filesize
184KB

Download
memory/3932-199-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/3932-571-0x0000000006400000-0x0000000006450000-memory.dmp

Filesize
320KB

Download
memory/3932-644-0x0000000008D30000-0x0000000008EF2000-memory.dmp

Filesize
1.8MB

Download
memory/3932-473-0x0000000005060000-0x00000000050D6000-memory.dmp

Filesize
472KB

Download
memory/3932-476-0x0000000005180000-0x0000000005212000-memory.dmp

Filesize
584KB

Download
memory/3932-489-0x0000000004C20000-0x0000000004C30000-memory.dmp

Filesize
64KB

Download
memory/3932-534-0x0000000006710000-0x0000000006CB4000-memory.dmp

Filesize
5.6MB

Download
memory/3932-543-0x0000000006240000-0x00000000062A6000-memory.dmp

Filesize
408KB

Download
memory/4360-166-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4360-200-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4360-201-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4360-197-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/4360-195-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download