Overview

overview

10

Static

static

3

clifdthjsj...er.exe

windows7-x64

5

clifdthjsj...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-05-2023 17:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    clifdthjsjkdgaoker.exe

  • Size

    7.5MB

  • MD5

    fb0deff37fe12bbc4f0c1fe21e2d15ef

  • SHA1

    180325b8b6e64638e167601c67cd9c53331ba9f6

  • SHA256

    ece100b8240f7eb032cb319a019eba1552ac19f563a291cf8422b1090ccf9b76

  • SHA512

    9fc013111994e943fd800abeb543563713eebebcd940b28973809a40d85271f0ed781dd95ca508e55788de2e2a575b1cb8734636f15b51a9d68f773b2cb4e73d

  • SSDEEP

    196608:bdj1WcTeKCVpVAKegYv6Pvz7xCVfQeYDprOtpN6x1Cd:RReKaAlRgxMfvihOwxy

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://185.174.137.94

Attributes
  • api_key

    b54641cc29f95948635d659de94166b4528e39706396a99bb9c54497b2ee3421

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\clifdthjsjkdgaoker.exe
    "C:\Users\Admin\AppData\Local\Temp\clifdthjsjkdgaoker.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:5052
    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:2604

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    718.5MB

    MD5

    dbf66e2f2326310424d0fbdda89a67f3

    SHA1

    1327756d0ea790c3e0cd8d69259269e04ee9f857

    SHA256

    9cb77d490d8501398b0167913d0f2d8520b97e9ea6964d128f1761a3ae2c95eb

    SHA512

    fd63e9b026a291c0980d756d25c1cf0205d648e112046360215e9823ee91426f46936442ceaa423acf78f703f4a8dae5bebe9ed268ee2eae3cdf4ec70bfb1d30

    Download Submit

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    718.5MB

    MD5

    dbf66e2f2326310424d0fbdda89a67f3

    SHA1

    1327756d0ea790c3e0cd8d69259269e04ee9f857

    SHA256

    9cb77d490d8501398b0167913d0f2d8520b97e9ea6964d128f1761a3ae2c95eb

    SHA512

    fd63e9b026a291c0980d756d25c1cf0205d648e112046360215e9823ee91426f46936442ceaa423acf78f703f4a8dae5bebe9ed268ee2eae3cdf4ec70bfb1d30

    Download Submit

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    718.5MB

    MD5

    dbf66e2f2326310424d0fbdda89a67f3

    SHA1

    1327756d0ea790c3e0cd8d69259269e04ee9f857

    SHA256

    9cb77d490d8501398b0167913d0f2d8520b97e9ea6964d128f1761a3ae2c95eb

    SHA512

    fd63e9b026a291c0980d756d25c1cf0205d648e112046360215e9823ee91426f46936442ceaa423acf78f703f4a8dae5bebe9ed268ee2eae3cdf4ec70bfb1d30

    Download Submit

  • memory/2604-157-0x00000000014F0000-0x00000000014F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2604-159-0x0000000001520000-0x0000000001521000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2604-163-0x0000000000830000-0x00000000013DB000-memory.dmp

    Filesize

    11.7MB

    Download

  • memory/2604-160-0x0000000001530000-0x0000000001531000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2604-162-0x0000000001550000-0x0000000001551000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2604-161-0x0000000001540000-0x0000000001541000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2604-158-0x0000000001510000-0x0000000001511000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2604-156-0x00000000014E0000-0x00000000014E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2604-155-0x0000000000820000-0x0000000000821000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5052-134-0x0000000001960000-0x0000000001961000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5052-135-0x0000000001970000-0x0000000001971000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5052-136-0x0000000001AA0000-0x0000000001AA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5052-133-0x0000000001950000-0x0000000001951000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5052-137-0x0000000001AB0000-0x0000000001AB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5052-141-0x00000000008E0000-0x000000000148B000-memory.dmp

    Filesize

    11.7MB

    Download

  • memory/5052-140-0x0000000003580000-0x0000000003581000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5052-139-0x0000000003570000-0x0000000003571000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5052-138-0x0000000001AC0000-0x0000000001AC1000-memory.dmp

    Filesize

    4KB

    Download