Analysis

  • max time kernel
    65s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/05/2023, 11:25

General

  • Target

    conhost.exe

  • Size

    4.0MB

  • MD5

    feccda803ece2e7a3b7e9798714ad47e

  • SHA1

    e97182adccf8a7692e6ad2614b0fb7fd3898a1a2

  • SHA256

    14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320

  • SHA512

    dec5fd4d184772ca590333b2382706c6e5a7b5050f9ae98af813192e06500424870e8332a1406c763e5cc6d266ddd7e09280b6bf118392fa6edea6fab5843287

  • SSDEEP

    49152:jEjwvlIKv05z+UERnIcYmWjc3Cdh+5E9UFiqeb0/B1:RlhWzZ6hjEciqe

Malware Config

Extracted

Family

laplas

C2

http://185.223.93.251

Attributes
  • api_key

    f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

Signatures

  • Laplas Clipper

    Laplas is a clipboard hijacker (clipper) that swaps cryptocurrency wallet addresses copied by the victim for attacker-controlled ones; it has three variants written in Golang, C#, and C++.

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (2 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • GoLang User-Agent (1 IoC)

    Uses the default User-Agent string that Go's net/http package sends (Go-http-client/1.1) when the program does not set its own.

  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\conhost.exe
    "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Executes dropped EXE
      PID:1716

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

    Filesize

    531.6MB

    MD5

    eda06e99d629aaa4aba1599b37a26a0a

    SHA1

    9dd085c95c8c4b348fafc04c5aafc863dbab2dff

    SHA256

    c51d9cea110ff23e8bc9507ff953262376102c19653a745cb7ce8102c58e58d1

    SHA512

    b4c7bdb7d49a27050f2dce5d090604d4920efcaa5810c02e4eb2c52b54733dc15de085bb1939740e5bf6381ff7cf7b99e0b0b83c28bbeb6537f3d31822dfdecf

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

    Filesize

    395.6MB

    MD5

    1396707e1808a73baba8cde89f753de1

    SHA1

    afb3414f447ef994eda60790132150da04ec752a

    SHA256

    03505deec99793c062339374a6391e23787aced80f9523bcf1eda334fc9b9206

    SHA512

    6f89170c57dc7008302438d4621161d7b098c8ccc5fb2f7e8bbf750d7b537dc34b84c0bfa33b8d31753f399cf2c60a08f99df9a8359dddb6b95478d8918f3007

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

    Filesize

    387.4MB

    MD5

    13709acb722c8a9d0514e074164a9c34

    SHA1

    a39c011ec44d663745a976a89afacca22db8672a

    SHA256

    9fd3d8d5f8b91144039a524c1d849e94406d9c82c6c623f55ee2870adae85747

    SHA512

    6bc3e4af210102e7f3607c704b32d64da505fcd3a0363ab7582ec9e9c3f2dceaa85172a92ad619894b3af6dea82c08154e23a33c208e06832a00cae6f10f3940
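The report gives a C2 address, a dropped-file path, a Run-key persistence signature, the Go default User-Agent signature and four SHA256 hashes. Note that the same path (ntlhost.exe) appears three times with three different sizes and hashes, so the hashes are weak indicators compared to the path and the C2; likewise Go-http-client/1.1 on its own is sent by plenty of legitimate Go tooling. The following script, added here as an example and not part of the Triage report or of any Laplas tooling, runs those indicators over a handful of constructed log lines (a proxy log and Sysmon-style events; the Run-key value name and the assumption that its data points at the dropped file are mine, not from the report) and grades the result so that a lone Go User-Agent is flagged for review rather than treated as a Laplas hit.

```python
import re

# Indicators taken from the Triage report above.
C2_HOST = "185.223.93.251"
GO_DEFAULT_UA = "Go-http-client/1.1"  # net/http default when the client sets no User-Agent
DROPPED_PATH = re.compile(r"\\AppData\\Roaming\\NTSystem\\ntlhost\.exe\b", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
SHA256_FIELD = re.compile(r"SHA256=([0-9a-f]{64})", re.I)
KNOWN_SHA256 = {
    "14529dca41abfea65abb51c84ec34ba0a951581586f98cef60213ae949a78320": "conhost.exe (submitted sample)",
    "c51d9cea110ff23e8bc9507ff953262376102c19653a745cb7ce8102c58e58d1": "ntlhost.exe (dropped, 531.6MB)",
    "03505deec99793c062339374a6391e23787aced80f9523bcf1eda334fc9b9206": "ntlhost.exe (dropped, 395.6MB)",
    "9fd3d8d5f8b91144039a524c1d849e94406d9c82c6c623f55ee2870adae85747": "ntlhost.exe (dropped, 387.4MB)",
}

# Constructed sample log lines (not from the report). The Run-key value name "ntlhost"
# and the value data pointing at the dropped exe are assumptions for the example.
SAMPLE_LOGS = [
    # proxy log: request to the C2 carrying Go's default User-Agent
    '2023-05-17T11:26:02Z proxy src=10.0.0.12 method=POST host=185.223.93.251 path=/ ua="Go-http-client/1.1"',
    # Sysmon EID 11 (file create): the sample writes the dropped binary
    r"Sysmon EID=11 Image=C:\Users\Admin\AppData\Local\Temp\conhost.exe TargetFilename=C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe",
    # Sysmon EID 13 (registry value set): Run-key persistence pointing at the dropped binary
    r"Sysmon EID=13 TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ntlhost Details=C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe",
    # Sysmon EID 1 (process create) with the hash of the first dropped variant
    r"Sysmon EID=1 Image=C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe Hashes=SHA256=C51D9CEA110FF23E8BC9507FF953262376102C19653A745CB7CE8102C58E58D1",
    # benign: an internal Go service scraped with the default User-Agent
    '2023-05-17T11:30:15Z proxy src=10.0.0.40 method=GET host=10.0.0.5 path=/metrics ua="Go-http-client/1.1"',
    # benign: unrelated browser traffic
    '2023-05-17T11:31:00Z proxy src=10.0.0.12 method=GET host=example.com path=/ ua="Mozilla/5.0"',
]


def match_line(line):
    """Return the indicator names one log line matches, in a fixed order (empty if clean)."""
    hits = []
    if C2_HOST in line:
        hits.append("laplas_c2_host")
    if GO_DEFAULT_UA in line:
        hits.append("go_default_user_agent")
    if DROPPED_PATH.search(line):
        hits.append("laplas_dropped_path")
        # Only count persistence when the Run key and the dropped path are in the same event.
        if RUN_KEY.search(line):
            hits.append("laplas_run_key_persistence")
    m = SHA256_FIELD.search(line)
    if m and m.group(1).lower() in KNOWN_SHA256:
        hits.append("known_hash:" + KNOWN_SHA256[m.group(1).lower()])
    return hits


def scan(lines):
    """Map line index -> matched indicators, for lines with at least one match."""
    return {i: h for i, line in enumerate(lines) if (h := match_line(line))}


def verdict(lines):
    """Grade a log set: C2, dropped path, persistence or a known hash is a Laplas hit;
    the Go User-Agent alone only warrants review."""
    hits = {h for hs in scan(lines).values() for h in hs}
    strong = {"laplas_c2_host", "laplas_dropped_path", "laplas_run_key_persistence"}
    if hits & strong or any(h.startswith("known_hash:") for h in hits):
        return "laplas_clipper"
    if "go_default_user_agent" in hits:
        return "review: go_default_user_agent only"
    return "clean"


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS).items():
        print(idx, hits)
    print(verdict(SAMPLE_LOGS))
```

The path and C2 checks are substring/regex matches on whatever text your pipeline hands over, so they work equally on proxy, EDR or Sysmon exports; the hash lookup is last because, as the three Downloads entries show, the dropped file's hash changes between runs.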