Overview

overview

10

Static

static

3

a38740f27d...4c.exe

windows7-x64

10

a38740f27d...4c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-05-2023 01:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a38740f27d72f631a071f9b8d4707b4c.exe

  • Size

    238KB

  • MD5

    a38740f27d72f631a071f9b8d4707b4c

  • SHA1

    3dae530f1fa4329bdb10d79ae20fa56e77b19ae5

  • SHA256

    967c720bf123abc4385306cd0ce6c25fa515b2c107c2ae6f670e4d863912a660

  • SHA512

    da87468cebb4f835c6b5ca84bdef1852ec242e269173f344c85bab821e974dda16f7ce1d07c72c94916b8a59fade6e053a8bea3381e7702789ce5870c312e735

  • SSDEEP

    6144:yKvu7/cjSdN2K5YU13i3o4Ms2eXAOt3va:yQEgSdNjeXby

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://65.109.140.234

Attributes
  • api_key

    df447cf68e10f5a0e77c16bf0c96d9b97c6c34c9cb2157c2676b9d321b5633cc

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a38740f27d72f631a071f9b8d4707b4c.exe
    "C:\Users\Admin\AppData\Local\Temp\a38740f27d72f631a071f9b8d4707b4c.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
      2⤵
      • Executes dropped EXE
      PID:3340

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    797.2MB

    MD5

    05fef1c4047f3fcb871c99de543d2c10

    SHA1

    fe8bd3f185b365b68b8fe604b86ebe7ff8fd4019

    SHA256

    8d7567c177148a7cfcc1346c909311c3790622ac6a1c078463176cb2628c5870

    SHA512

    f5afc3b8b93aa48929356ef8b53c0d3e89991d3de194be744e671017135a910051443b02e06b98f69c15b6598b66fa8968f84e5952875229ebd0bb1a2f44bbd2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    590.6MB

    MD5

    2f7c92957bd901e5a9b78a2fc0d7dd0c

    SHA1

    3d4cf389e14147db74ddb1e818c92acf709e3d15

    SHA256

    ca82baf03183d1138d9f348e7665a0db5e6e4a12fb9a665f3a898940e803d1e8

    SHA512

    0f458684018cad2b539a01d37b6364cd6e69f9076cfedd40418c846db78f688b21c00ccf641f327862d216d087959d68209d119d7cfd9dba2a23c4b6594a6ebf

    Download Submit

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    638.4MB

    MD5

    a38e8296a5decb5208dc389656cd6bd3

    SHA1

    0f7462df545eeb4d7428485d47b17ca97db7ba73

    SHA256

    ce128bbece365ff8528effb418e505aca0a2b62745abc470e2ec9d20d84b2f8a

    SHA512

    810a87d9f78e7bf67fd66dab79ead9c57355282aa1ae6bf9f7a1b4eff7705da7837f173729f93d8b341e72d5743dd803bbd7f5a7c3bda37a70b8723f427b27cd

    Download Submit