laplas | 3d5c016ded8af42241a278854c40414fc57dfc9b27751aaa92a25d6b8a187e0d

Analysis

max time kernel
108s
max time network
155s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
17-05-2023 09:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Adobe Premiere Pro Crack/Set-up.exe
Size

1021.2MB
MD5

20bb576a3863d7d4de2e69ab113b58de
SHA1

be884fa3b406d031fbfefd2307314447d16f3aa6
SHA256

0136126495313b29e1726a57684dbd5ac282f4acc804c6ed7d39cfc319edbdf4
SHA512

6228ad98edbec74203efc41d3943e30b084bcee640b6e372fb04f63c72fed1d966b75d4a74429c9744c41c44efbf363c6a12f6d0b82f2cb58c5a3b562feffb7b
SSDEEP

12288:CPqHB7etS1aWOvxVU5VA+oHVdvrD02kFpGaHk/R+HLYlEgyUQ8D0FDIhtUShMMsf:CsBGS1X7mIFpRHkgydtQ8DswY7B9/Ql

Score

10^/10

laplas clipper persistence spyware stealer

Malware Config

Extracted

Family

laplas

http://185.223.93.251

Attributes

api_key
f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
4664	DUph0ntn.exe
2908	ntlhost.exe

Loads dropped DLL 3 IoCs

pid	Process
2452	RegSvcs.exe
2452	RegSvcs.exe
2452	RegSvcs.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	DUph0ntn.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2020 set thread context of 2452	2020	Set-up.exe	67

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	Taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	Taskmgr.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	Taskmgr.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	10	Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	Taskmgr.exe
Token: SeSystemProfilePrivilege	2880	Taskmgr.exe
Token: SeCreateGlobalPrivilege	2880	Taskmgr.exe
Token: 33	2880	Taskmgr.exe
Token: SeIncBasePriorityPrivilege	2880	Taskmgr.exe

Suspicious use of FindShellTrayWindow 59 IoCs

pid	Process
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe

Suspicious use of SendNotifyMessage 59 IoCs

pid	Process
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe
2880	Taskmgr.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2452	2020	Set-up.exe	67
PID 2020 wrote to memory of 2452	2020	Set-up.exe	67
PID 2020 wrote to memory of 2452	2020	Set-up.exe	67
PID 2020 wrote to memory of 2452	2020	Set-up.exe	67
PID 2020 wrote to memory of 2452	2020	Set-up.exe	67
PID 2020 wrote to memory of 2452	2020	Set-up.exe	67
PID 2020 wrote to memory of 2452	2020	Set-up.exe	67
PID 2020 wrote to memory of 2452	2020	Set-up.exe	67
PID 2020 wrote to memory of 2452	2020	Set-up.exe	67
PID 2452 wrote to memory of 4664	2452	RegSvcs.exe	68
PID 2452 wrote to memory of 4664	2452	RegSvcs.exe	68
PID 1936 wrote to memory of 2880	1936	launchtm.exe	70
PID 1936 wrote to memory of 2880	1936	launchtm.exe	70
PID 4664 wrote to memory of 2908	4664	DUph0ntn.exe	71
PID 4664 wrote to memory of 2908	4664	DUph0ntn.exe	71

C:\Users\Admin\AppData\Local\Temp\Adobe Premiere Pro Crack\Set-up.exe
"C:\Users\Admin\AppData\Local\Temp\Adobe Premiere Pro Crack\Set-up.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Users\Admin\AppData\Local\Temp\DUph0ntn.exe
    "C:\Users\Admin\AppData\Local\Temp\DUph0ntn.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4664
  - - C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      4⤵
      Executes dropped EXE
      PID:2908

C:\Windows\system32\launchtm.exe
launchtm.exe /2
1⤵
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Windows\System32\Taskmgr.exe
  "C:\Windows\System32\Taskmgr.exe" /2
  2⤵
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DUph0ntn.exe

Filesize
4.0MB

MD5
feccda803ece2e7a3b7e9798714ad47e

SHA1
e97182adccf8a7692e6ad2614b0fb7fd3898a1a2

SHA256
14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320

SHA512
dec5fd4d184772ca590333b2382706c6e5a7b5050f9ae98af813192e06500424870e8332a1406c763e5cc6d266ddd7e09280b6bf118392fa6edea6fab5843287

Download Submit
C:\Users\Admin\AppData\Local\Temp\DUph0ntn.exe

Filesize
4.0MB

MD5
feccda803ece2e7a3b7e9798714ad47e

SHA1
e97182adccf8a7692e6ad2614b0fb7fd3898a1a2

SHA256
14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320

SHA512
dec5fd4d184772ca590333b2382706c6e5a7b5050f9ae98af813192e06500424870e8332a1406c763e5cc6d266ddd7e09280b6bf118392fa6edea6fab5843287

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
709.9MB

MD5
9cb8233963bca5ac7cd7780e810dbdcb

SHA1
3613c2955af7cbb5426f40c518f9f5ebcd1da1d5

SHA256
82263a4d06078bbf15ff4e0e3ae10087f9783b0f7317ba178b01fa5a3eee7a1f

SHA512
ad3b197c3fae955b745f891f6992d76e841664bff6dffd4f8a193f8ab4e89412c1bef37abf16f498d0b4b74d682e444c9d87689986e537e91951cf11a6ba5227

Download Submit
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
612.9MB

MD5
acf488b8fe98225f8c367b375ae7c5a4

SHA1
82e7cd1e1510012d04aea5fc14cb3e6341c2d677

SHA256
3b75da016e4c234d587ed39b6252e95ea36434c5adc94e3b1c61cd32b2c28799

SHA512
04ce9b5d28c9f53e7c3d95f2dcda6e81984e43c602953235c473394d92e93a5094ea731b5da249ea898417c924559095d9e6d1152af99cedaeeb0510a4ac3da4

Download Submit
\Users\Admin\AppData\LocalLow\mozglue.dll

Filesize
612KB

MD5
f07d9977430e762b563eaadc2b94bbfa

SHA1
da0a05b2b8d269fb73558dfcf0ed5c167f6d3877

SHA256
4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862

SHA512
6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

Download Submit
\Users\Admin\AppData\LocalLow\nss3.dll

Filesize
1.9MB

MD5
f67d08e8c02574cbc2f1122c53bfb976

SHA1
6522992957e7e4d074947cad63189f308a80fcf2

SHA256
c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e

SHA512
2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

Download Submit
\Users\Admin\AppData\LocalLow\sqlite3.dll

Filesize
1.0MB

MD5
dbf4f8dcefb8056dc6bae4b67ff810ce

SHA1
bbac1dd8a07c6069415c04b62747d794736d0689

SHA256
47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68

SHA512
b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

Download Submit
memory/2020-122-0x0000000001980000-0x00000000019A0000-memory.dmp

Filesize
128KB

Download
memory/2020-121-0x0000000000F10000-0x0000000001154000-memory.dmp

Filesize
2.3MB

Download
memory/2452-126-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2452-161-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2452-160-0x0000000061E00000-0x0000000061EF1000-memory.dmp

Filesize
964KB

Download
memory/2452-127-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2452-123-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download