Overview

overview

10

Static

static

3

clifdthjsj...er.exe

windows7-x64

5

clifdthjsj...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    132s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-05-2023 13:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    clifdthjsjkdgaoker.exe

  • Size

    7.5MB

  • MD5

    fb0deff37fe12bbc4f0c1fe21e2d15ef

  • SHA1

    180325b8b6e64638e167601c67cd9c53331ba9f6

  • SHA256

    ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76

  • SHA512

    9fc013111994e943fd800abeb543563713eebebcd940b28973809a40d85271f0ed781dd95ca508e55788de2e2a575b1cb8734636f15b51a9d68f773b2cb4e73d

  • SSDEEP

    196608:bdj1WcTeKCVpVAKegYv6Pvz7xCVfQeYDprOtpN6x1Cd:RReKaAlRgxMfvihOwxy

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://185.174.137.94

Attributes
  • api_key

    b54641cc29f95948635d659de94166b4528e39706396a99bb9c54497b2ee3421

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\clifdthjsjkdgaoker.exe
    "C:\Users\Admin\AppData\Local\Temp\clifdthjsjkdgaoker.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3128
    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:3484

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    756.5MB

    MD5

    1de5ce660740b2493b536a4c5ab48bf8

    SHA1

    b9b55a828e058452e0e633219f44bdfd2c89508a

    SHA256

    0068134861d3efdcd1782644238e68c8876fa069e41f2a0dfc4303ceadc84d1b

    SHA512

    247c368514e5d0f24367fa6bf70ee2d2a50d2e931bdbd66103f995a8aaad27ddede962eaed9c936df551f086bb080a5935f1e4a8e8944e0787ba90d5473d91ff

    Download Submit

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    733.9MB

    MD5

    b561219bd475429132ff628b8ddd0653

    SHA1

    dcde09629848972128502b528a7ea226ac7b912b

    SHA256

    a3ade6a1e269639e2de033a886f832919112973c20d5a28549126bb7afa37c86

    SHA512

    6731442052d85f0fa27c8447879617dbf82500c11bfc96c207b5734be24dd1087275bf1d94b64c3bd5839587bf725cd3c57a5f04ea0fb94cd7fd6732853ebfc2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    720.1MB

    MD5

    4cb17ba810397e152525db2587822835

    SHA1

    0870d09c26bf1bcc0dbcae60709a8cbe56c87cab

    SHA256

    ceefb20e2ae97ed7c63c39d59b17f08b92c11870827ee65b54a02229c723abc1

    SHA512

    993d607ceb1c6571f5437d34978c5320d89cf5d0d701d09c8a5ca0a36dfcff58f8217ed09b6b44ab42336729efebd8b5cc668af14c7f5f5a682a8ead853259e8

    Download Submit

  • memory/3128-138-0x0000000002F20000-0x0000000002F21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3128-137-0x0000000001470000-0x0000000001471000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3128-133-0x0000000001420000-0x0000000001421000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3128-139-0x0000000002F30000-0x0000000002F31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3128-140-0x0000000002F50000-0x0000000002F51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3128-141-0x00000000000E0000-0x0000000000C8B000-memory.dmp

    Filesize

    11.7MB

    Download

  • memory/3128-136-0x0000000001460000-0x0000000001461000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3128-135-0x0000000001440000-0x0000000001441000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3128-134-0x0000000001430000-0x0000000001431000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3484-155-0x0000000000F80000-0x0000000000F81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3484-156-0x0000000001B40000-0x0000000001B41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3484-157-0x0000000001B50000-0x0000000001B51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3484-160-0x0000000003800000-0x0000000003801000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3484-158-0x00000000037E0000-0x00000000037E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3484-161-0x0000000003810000-0x0000000003811000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3484-159-0x00000000037F0000-0x00000000037F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3484-162-0x0000000003820000-0x0000000003821000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3484-163-0x0000000000F90000-0x0000000001B3B000-memory.dmp

    Filesize

    11.7MB

    Download