Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    28s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-20230621-en
  • resource tags

    arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
  • submitted
    23/06/2023, 07:43

General

  • Target

    08732699.exe

  • Size

    4.0MB

  • MD5

    d076c4b5f5c42b44d583c534f78adbe7

  • SHA1

    c35478e67d490145520be73277cd72cd4e837090

  • SHA256

    2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8

  • SHA512

    b2dfcf98695e7e40578f02a104a1c2fa1de29d13b0056d3dc4a5689168546f437bfd6acbc99e3766f94efb01bac5c908f3e80795f017e1629c97b6b1026ce638

  • SSDEEP

    49152:hGXwGFfpgG2Gv0l1YzzsYvbQaWfG85EIUFiqeb0/B1:MFaTGsgB4ENiqe

Malware Config

Extracted

Family

laplas

C2

http://185.209.161.189

Attributes
  • api_key

    f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\08732699.exe
    "C:\Users\Admin\AppData\Local\Temp\08732699.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1788
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Executes dropped EXE
      PID:1284

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

    Filesize

    660.6MB

    MD5

    db538511d2f5c4f73b1880699b43f713

    SHA1

    16ceae602ecff67bb23d4b094bf14819b9575cc4

    SHA256

    d4277e800baf7a3f2b823e9b340e23fd8c575edcf5cb7bb36024d8f642034482

    SHA512

    7262aaf007e55e3c86fce2c3eb38c8ffb09fe622da1000144cd9aed8e4636d03fa270cfb9e345b90f920a95923f6365e3e56d8e97b87a8b24d0b117b9cb39e65

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

    Filesize

    682.9MB

    MD5

    927b596e89af77d91b435fa10bc60bb6

    SHA1

    18fc323a054b4171f0cd2931cdc644de2bcb26ff

    SHA256

    b698f01f026ea7427b075d06f1875fefe647d06406fb86732a799d7a76ab2cd6

    SHA512

    3a2910a594a1cf5cbf5d1fef09e9d14d92b64dea795e563b1379146cf1109ffc857a66cab49b73026d4c2a415f7746617b8ba57e263e1ad6cd1942d52c283116

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

    Filesize

    693.9MB

    MD5

    7445dd75574c3a994286ad1c550babc1

    SHA1

    69f63348296ec330dc8612922fd3c40ba6f2de8f

    SHA256

    4070e022afdffe50146c7fa440710b1c804396ea8ab86d93957c4826f4b6c09e

    SHA512

    778e0f0ba5f4daebe37031cdc3effc5dd8776915f33ea852e757e7941f7df85ff24f97d42c8e9a31c5d6f16d95e7c2a69dcbe4d545248e57109a655ac067340e