laplas | 967c720bf123abc4385306cd0ce6c25fa515b2c107c2ae6f670e4d863912a660

Analysis

max time kernel
146s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
03-05-2023 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a38740f27d72f631a071f9b8d4707b4c.exe
Size

238KB
MD5

a38740f27d72f631a071f9b8d4707b4c
SHA1

3dae530f1fa4329bdb10d79ae20fa56e77b19ae5
SHA256

967c720bf123abc4385306cd0ce6c25fa515b2c107c2ae6f670e4d863912a660
SHA512

da87468cebb4f835c6b5ca84bdef1852ec242e269173f344c85bab821e974dda16f7ce1d07c72c94916b8a59fade6e053a8bea3381e7702789ce5870c312e735
SSDEEP

6144:yKvu7/cjSdN2K5YU13i3o4Ms2eXAOt3va:yQEgSdNjeXby

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://65.109.140.234

Attributes

api_key
df447cf68e10f5a0e77c16bf0c96d9b97c6c34c9cb2157c2676b9d321b5633cc

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	a38740f27d72f631a071f9b8d4707b4c.exe

Executes dropped EXE 1 IoCs

pid	Process
3840	svcservice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	a38740f27d72f631a071f9b8d4707b4c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 3840	2428	a38740f27d72f631a071f9b8d4707b4c.exe	83
PID 2428 wrote to memory of 3840	2428	a38740f27d72f631a071f9b8d4707b4c.exe	83
PID 2428 wrote to memory of 3840	2428	a38740f27d72f631a071f9b8d4707b4c.exe	83

C:\Users\Admin\AppData\Local\Temp\a38740f27d72f631a071f9b8d4707b4c.exe
"C:\Users\Admin\AppData\Local\Temp\a38740f27d72f631a071f9b8d4707b4c.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
  2⤵
  - Executes dropped EXE
  PID:3840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
753.2MB

MD5
5b6458ceb6d8f24d8104d2dedf60917a

SHA1
c1fe843b25e02148cac6e16ca0484cf82cd7176b

SHA256
e73cd6c159076aece2b6fecad4ab4499374afff47e27f2a29e5daf8759a38958

SHA512
924a01dbc87ddbc0014c9aa4236018947779714f4c7827370e2ed4e53a379bde9777e383a59da38232c3bc6edb29087af898adbd8c9ebad6e2939533f99bcf2b

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
491.7MB

MD5
0329ef8beef7a6688ccffb03a318d3d8

SHA1
a8ed7f87735d2f19d687c331b9745e8a010c3e2f

SHA256
5d508e5465603f5477dcabee4fe296f124e80083ade06f8c4372b550ae4746b8

SHA512
6324d4ffb7dbb4c8ec4067328b178d4f4b19300acf152341f5215ac11317a3498b417cfd6fd8855a770d150194ad163bdbe9118daa81c0794c60375af971d9cf

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
564.8MB

MD5
a408aaac73e3255ef854018b9702951f

SHA1
887cac8235c77f2ece49f67bbf9f98f9c19e0679

SHA256
fcc059d2f9dff74e2314a8a31f15d7e738bc9edd1c267e322b05c7a1f767d007

SHA512
3a9adfeab6a54517f8c780385ebd02ea86421e9c602cf53e65dbc473a3079179e5856d6e091fcd9b2a310acb74eb6b8b449da6ed619500b31c641cb581a0165f

Download Submit