Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/05/2023, 01:30

General

  • Target

    a38740f27d72f631a071f9b8d4707b4c.exe

  • Size

    238KB

  • MD5

    a38740f27d72f631a071f9b8d4707b4c

  • SHA1

    3dae530f1fa4329bdb10d79ae20fa56e77b19ae5

  • SHA256

    967c720bf123abc4385306cd0ce6c25fa515b2c107c2ae6f670e4d863912a660

  • SHA512

    da87468cebb4f835c6b5ca84bdef1852ec242e269173f344c85bab821e974dda16f7ce1d07c72c94916b8a59fade6e053a8bea3381e7702789ce5870c312e735

  • SSDEEP

    6144:yKvu7/cjSdN2K5YU13i3o4Ms2eXAOt3va:yQEgSdNjeXby

Malware Config

Extracted

Family

laplas

C2

http://65.109.140.234

Attributes
  • api_key

    df447cf68e10f5a0e77c16bf0c96d9b97c6c34c9cb2157c2676b9d321b5633cc

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a38740f27d72f631a071f9b8d4707b4c.exe
    "C:\Users\Admin\AppData\Local\Temp\a38740f27d72f631a071f9b8d4707b4c.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3260
    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
      2⤵
      • Executes dropped EXE
      PID:232

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

    Filesize

    777.2MB

    MD5

    e6497a99b32af3324b3e4883a29e9b67

    SHA1

    e502e05c2aade220b3070a82ad6fc681f67fff04

    SHA256

    2d75727e885b9ddd6ab0c7665d6a842616a4fd26e2ff25192ea8eca11eaec5f6

    SHA512

    3e00375119683c30cde504168b317dbf83559ce50f0ca5e3e31d86b824e35f147e734bf80c498274c479882cd0f02940eda83749b220c72b14f08664a56f1c8a

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

    Filesize

    620.0MB

    MD5

    e1666159121c35a10d3b01ab420027a8

    SHA1

    2ae219f4583f3c940a5ce46ec92aa7f473a05d2e

    SHA256

    6153da2d2a0c15b30d660dc6ec3bceac5d27db07023860c7fc70c201b3aa44f6

    SHA512

    15f33a4c7cbca07dc2227d30721d7908f87b1db128ce8c6f85127065507cc168a32f17b0b5b7a1ef01a2f598cb4c12a02ef1066dd42b61adc565b9a837b18462

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

    Filesize

    747.2MB

    MD5

    aaf1f43b28e94c8bf70bf9ca074e0bd6

    SHA1

    6470ffcea0ba58d1e922875b98e747e685687855

    SHA256

    bf8a41365084d1d7f77ae89d39f258b3cdd9174bf0048ad52ed264dd6475f24b

    SHA512

    d3a6da9d22ab2ad1508aec10279e30b8a9fe737c257132e75962bdd8fb49d093dc9e55b4b0562e7b4eb22eb67d63b446276f4a2aa343b0d767493cfdadb84da1