Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

3469724e57...ac.exe

windows7-x64

10

3469724e57...ac.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    30/04/2023, 23:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3469724e57612ca20c888a5a86719c3e4b6fe71f2cfcfecff2fb3950fd0a32ac.exe

  • Size

    3.5MB

  • MD5

    f5548281bcdcec5c1d151d3417412042

  • SHA1

    be6d9b40b6ede0f3c5582b8f48bde7f44f2ed792

  • SHA256

    3469724e57612ca20c888a5a86719c3e4b6fe71f2cfcfecff2fb3950fd0a32ac

  • SHA512

    387d864aca4be8691c20b0ec4b11906491cdb7b0fc435f59699c0596a47ad086d711ed97c47a611b58adf1096203ab7a488e26c307d885e566f56db6dcecab4c

  • SSDEEP

    98304:k4SaRf9WEiCfCO55VCKCwKmLE323hOViL6IEifjGV9J:k431WwDCbfj23hOViLZEif0

Score
10/10
laplasclipperevasionpersistencestealertrojan

Malware Config

Extracted

Family

laplas

C2

http://89.23.97.128

Attributes
  • api_key

    bc2dceabe69fa26dbf4dd8295d65e03e1990633a88c1c8410825c9266b239396

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3469724e57612ca20c888a5a86719c3e4b6fe71f2cfcfecff2fb3950fd0a32ac.exe
    "C:\Users\Admin\AppData\Local\Temp\3469724e57612ca20c888a5a86719c3e4b6fe71f2cfcfecff2fb3950fd0a32ac.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:1240
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:668

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    676.4MB

    MD5

    931c215094c1fa18b46a5bb24fa01364

    SHA1

    546edf2f30d55ba98bb2d657b6fe0bba30ec37e6

    SHA256

    8c7e57387a5ff91db61cf9ca86938267f90ae8010d63a4df483015937fc8e795

    SHA512

    f3989df857ebd6e1595ac1153b02c8c434cbd591f608426dfdc9ee3bcf7de0042473468924d58ad4852db2395cee067a5be5f4e6f28ea347e1285423ff9ca465

    Download Submit

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    698.1MB

    MD5

    a2cd9c538f1ec2f7d01444c21a527d63

    SHA1

    e94ff84cac52c6f557d749b57d49e665de16ab6e

    SHA256

    2b8479d9686c776065ce2d1060842d918b20f903716bdc715c89525efe758d69

    SHA512

    db15b9271e13ddec9020c0dc5734fed1fcb658f424ad4dc6b5b408c30c38d5f73c56ff915f9f075718fac55091b4259ab4bc6ebf58b3bb12ba86042f060ca7d1

    Download Submit

  • memory/668-77-0x00000000009E0000-0x0000000001248000-memory.dmp

    Filesize

    8.4MB

    Download

  • memory/668-82-0x00000000009E0000-0x0000000001248000-memory.dmp

    Filesize

    8.4MB

    Download

  • memory/668-88-0x00000000009E0000-0x0000000001248000-memory.dmp

    Filesize

    8.4MB

    Download

  • memory/668-87-0x00000000009E0000-0x0000000001248000-memory.dmp

    Filesize

    8.4MB

    Download

  • memory/668-86-0x00000000009E0000-0x0000000001248000-memory.dmp

    Filesize

    8.4MB

    Download

  • memory/668-85-0x00000000009E0000-0x0000000001248000-memory.dmp

    Filesize

    8.4MB

    Download

  • memory/668-84-0x00000000009E0000-0x0000000001248000-memory.dmp

    Filesize

    8.4MB

    Download

  • memory/668-83-0x00000000009E0000-0x0000000001248000-memory.dmp

    Filesize

    8.4MB

    Download

  • memory/668-74-0x00000000009E0000-0x0000000001248000-memory.dmp

    Filesize

    8.4MB

    Download

  • memory/668-73-0x00000000009E0000-0x0000000001248000-memory.dmp

    Filesize

    8.4MB

    Download

  • memory/668-68-0x00000000009E0000-0x0000000001248000-memory.dmp

    Filesize

    8.4MB

    Download

  • memory/668-69-0x00000000009E0000-0x0000000001248000-memory.dmp

    Filesize

    8.4MB

    Download

  • memory/668-70-0x00000000009E0000-0x0000000001248000-memory.dmp

    Filesize

    8.4MB

    Download

  • memory/668-71-0x00000000009E0000-0x0000000001248000-memory.dmp

    Filesize

    8.4MB

    Download

  • memory/668-81-0x00000000009E0000-0x0000000001248000-memory.dmp

    Filesize

    8.4MB

    Download

  • memory/668-80-0x00000000009E0000-0x0000000001248000-memory.dmp

    Filesize

    8.4MB

    Download

  • memory/668-72-0x00000000009E0000-0x0000000001248000-memory.dmp

    Filesize

    8.4MB

    Download

  • memory/668-75-0x00000000009E0000-0x0000000001248000-memory.dmp

    Filesize

    8.4MB

    Download

  • memory/668-76-0x00000000009E0000-0x0000000001248000-memory.dmp

    Filesize

    8.4MB

    Download

  • memory/1240-55-0x0000000000C30000-0x0000000001498000-memory.dmp

    Filesize

    8.4MB

    Download

  • memory/1240-54-0x0000000000C30000-0x0000000001498000-memory.dmp

    Filesize

    8.4MB

    Download

  • memory/1240-57-0x0000000000C30000-0x0000000001498000-memory.dmp

    Filesize

    8.4MB

    Download

  • memory/1240-67-0x0000000000C30000-0x0000000001498000-memory.dmp

    Filesize

    8.4MB

    Download

  • memory/1240-56-0x0000000000C30000-0x0000000001498000-memory.dmp

    Filesize

    8.4MB

    Download

  • memory/1240-62-0x0000000000C30000-0x0000000001498000-memory.dmp

    Filesize

    8.4MB

    Download

  • memory/1240-61-0x0000000000C30000-0x0000000001498000-memory.dmp

    Filesize

    8.4MB

    Download

  • memory/1240-60-0x0000000000C30000-0x0000000001498000-memory.dmp

    Filesize

    8.4MB

    Download

  • memory/1240-59-0x0000000000C30000-0x0000000001498000-memory.dmp

    Filesize

    8.4MB

    Download

  • memory/1240-58-0x0000000000C30000-0x0000000001498000-memory.dmp

    Filesize

    8.4MB

    Download