Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

clifdthjsj...er.exe

windows7-x64

5

clifdthjsj...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/05/2023, 23:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    clifdthjsjkdgaoker.exe

  • Size

    7.5MB

  • MD5

    fb0deff37fe12bbc4f0c1fe21e2d15ef

  • SHA1

    180325b8b6e64638e167601c67cd9c53331ba9f6

  • SHA256

    ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76

  • SHA512

    9fc013111994e943fd800abeb543563713eebebcd940b28973809a40d85271f0ed781dd95ca508e55788de2e2a575b1cb8734636f15b51a9d68f773b2cb4e73d

  • SSDEEP

    196608:bdj1WcTeKCVpVAKegYv6Pvz7xCVfQeYDprOtpN6x1Cd:RReKaAlRgxMfvihOwxy

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://185.174.137.94

Attributes
  • api_key

    b54641cc29f95948635d659de94166b4528e39706396a99bb9c54497b2ee3421

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\clifdthjsjkdgaoker.exe
    "C:\Users\Admin\AppData\Local\Temp\clifdthjsjkdgaoker.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:1824

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    687.0MB

    MD5

    41145eabaec3da676f64f9b297114b61

    SHA1

    c6fe16d87752662a6549421be044c921952a312a

    SHA256

    36d35f748fc9250bbc216d14e3b82fc3aaf24461330ca6c13271a9ab3a2ad98f

    SHA512

    f74c52aff79988760195fd52735316d428ecbd1def7d0b02032a08e82a2d8066e71f15b54e149c284ad18e498c6a8b5f01ffb8af6db6b7b6fd2c3d759290af41

    Download Submit

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    478.1MB

    MD5

    f064405d33e11f7143735015c22dbde0

    SHA1

    a1342923aa918aa121c7c2c0703e4dcd62fec473

    SHA256

    b69fb7a0e464fbaaf8263a3eea5bf9d293c952f7b831a3463aa7d47e99724aff

    SHA512

    3d929584ce8c45c3357f7ae59a9d0d08a77a02cb716d90f1b592895ea8026ecc123cab59a82c67b831ad4373fad371ffad03d013e8ee7c6492070bf24bfa16be

    Download Submit

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    562.6MB

    MD5

    c3bd4a092e396137493c0f1afbc905d5

    SHA1

    08353b53ec2da088d27407fb0a5df437e7dbb1f5

    SHA256

    05de60648875b1a267e54d7218246148cbebec8ab973a9dd1fbdcf14d36fede1

    SHA512

    faff5324b377c5c02854f89033119e58c800091f5f86d127fc88000881e2307026ac6826c280f3006bc3e46fc2a7ccb4633002c51f5ed1ed9a45df83987dfb61

    Download Submit

  • memory/1664-138-0x0000000000870000-0x0000000000871000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1664-137-0x0000000000860000-0x0000000000861000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1664-133-0x0000000000810000-0x0000000000811000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1664-139-0x0000000000B80000-0x0000000000B81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1664-140-0x0000000000B90000-0x0000000000B91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1664-141-0x0000000000BC0000-0x000000000176B000-memory.dmp

    Filesize

    11.7MB

    Download

  • memory/1664-136-0x0000000000850000-0x0000000000851000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1664-135-0x0000000000830000-0x0000000000831000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1664-134-0x0000000000820000-0x0000000000821000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1824-155-0x00000000005E0000-0x00000000005E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1824-157-0x0000000000610000-0x0000000000611000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1824-158-0x0000000000630000-0x0000000000631000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1824-159-0x0000000000640000-0x0000000000641000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1824-162-0x0000000000670000-0x0000000000671000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1824-161-0x0000000000660000-0x0000000000661000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1824-160-0x0000000000650000-0x0000000000651000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1824-156-0x0000000000600000-0x0000000000601000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1824-163-0x0000000000C70000-0x000000000181B000-memory.dmp

    Filesize

    11.7MB

    Download