Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

08169599.exe

windows7-x64

10

08169599.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    28s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    09/06/2023, 07:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    08169599.exe

  • Size

    3.8MB

  • MD5

    68be007bd3fa09d26fcee584a9157770

  • SHA1

    6f191c0587c8055f26367f25ce0f7787ca272714

  • SHA256

    71acc9e68e019bd99d89f1bc2efa859bdb16b13cb69abb02dba8b993265aed6e

  • SHA512

    f6c774453eae56e95761951315d37700e44b6c04ea07e0e6b46fe4a87943f051206a5dd618b4f632ff926fbb4be94fe7925c46d115a25941c084cb8fb513a245

  • SSDEEP

    49152:VeCseICR7NWm8qpHakXvLQh0/50OicF5pDRXxRv0VF14L:VeCrXv0W/tpDRX5L

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes
  • api_key

    ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4

Extracted

Family

laplas

C2

http://45.159.189.105

Attributes
  • api_key

    ab77c1513d42148558312d676282a204d8aa055051d315af2056241c7f79c6f4

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\08169599.exe
    "C:\Users\Admin\AppData\Local\Temp\08169599.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Executes dropped EXE
      PID:1628

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    364.4MB

    MD5

    a2c30a952c1d51d7d9e8d5e70660ceba

    SHA1

    516f570ecd557a9254ef06d535386d4e07d7643b

    SHA256

    be4d159114c95b5a329876bbfd01e2764f97b97ad3d902c88f45bbf77a45433b

    SHA512

    b13e8c62bd7f49457fd8045c38845ad4873be49481fbcc93606d6ecc95836e2b3dc7a24ca60633d713a67d50178b12bc551f05fc74e459fb336232c84cefcaf2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    611.6MB

    MD5

    5ed691e9d0ea98fe0e88b577e7918037

    SHA1

    9044207df4dcb3ff052d83947dbe73a560b52f8f

    SHA256

    ada436bb3dbb8772269eb6a52d07539991a00acf103ce75ae7f49424d638d74a

    SHA512

    c06c9610dcf16679ef7f599adb9077b03df077df3db6fca2d8feaa8d13b9967247312748297b3c3290a0e179fef25f3280f53c5b135e677eeb763a8da991a8ba

    Download Submit

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    606.9MB

    MD5

    e2f5d4066c003f76abbe9c3a45aa3636

    SHA1

    86f94eec43562772a706407808a5ae2330027ee0

    SHA256

    9b286ee5c607712f7843affd65542295e0cf10e6fcfec5c03661ce199edf5ea0

    SHA512

    e07e39d0f9ed4590ced199c6d6aea4900560cf634d5164817483e27b2a9fa74cc2be931de1dfb9331a448bd34faf57a0cf1ba9803ecda295d79b99df02862c63

    Download Submit

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    352.6MB

    MD5

    0958dc13e32df03bfd816f63bac5028a

    SHA1

    0e6f679f00ca10b2fe7f6b20c790758af8cbe4e7

    SHA256

    cd6725bb452c9c6570ae6f63781277b5b415f39db7984bf2fc019f35435fe421

    SHA512

    36f638e43d33d15fc2dca65d947d4a750e61ce630c4a2af754cfc0a92932180533c6f693ac09a63a61fb94a7487af642f453671160ee4b8c06720091ac51724e

    Download Submit