Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

f2e100f576...5c.exe

windows7-x64

10

f2e100f576...5c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20230703-en
  • resource tags

    arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
  • submitted
    10/07/2023, 06:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f2e100f576b44fdb37d874db2e48085c.exe

  • Size

    4.4MB

  • MD5

    f2e100f576b44fdb37d874db2e48085c

  • SHA1

    23091a0b5231d69d85866fede573b25577e20414

  • SHA256

    77530f67cff4fc2456c0b27abf28d1ab1f4f10fd9be039783adfa25ed1f7f196

  • SHA512

    14bd861a48f201a195d322e4c00f758996d2be8b6d78a1c927af53a00e029e9be7db4002c48a80f88d2869e9ba412724ec7a47c8da09faf79133df2edc608f85

  • SSDEEP

    98304:fqemq9DObUSOLZ27MJuUfg7Jb/0RCh2fc/xVzVALUx:PzD3SFEuUfcLwCh2Q/RAY

Score
10/10
laplasclipperevasionpersistencestealertrojan

Malware Config

Extracted

Family

laplas

C2

http://lpls.tuktuk.ug

Attributes
  • api_key

    a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f2e100f576b44fdb37d874db2e48085c.exe
    "C:\Users\Admin\AppData\Local\Temp\f2e100f576b44fdb37d874db2e48085c.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:3064
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:2256

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    743.4MB

    MD5

    3fbf49633fa76fe203f55b1cd98fe6ba

    SHA1

    3f8a742b348cbf8e09e2d12889ac81bcbc09b244

    SHA256

    3c50b55a724ee55cf876dc7f5feb3db45e568816e6fc4de799817d260b428e25

    SHA512

    a56b50ab9df26204cf1b78f19725351526bc93ba3b9286c473545c684e44c8341f0290ba4ce23a94f843ed2675a73e107ced8beb48e098698e0e2624ed5dcd48

    Download Submit

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
    Filesize

    743.4MB

    MD5

    3fbf49633fa76fe203f55b1cd98fe6ba

    SHA1

    3f8a742b348cbf8e09e2d12889ac81bcbc09b244

    SHA256

    3c50b55a724ee55cf876dc7f5feb3db45e568816e6fc4de799817d260b428e25

    SHA512

    a56b50ab9df26204cf1b78f19725351526bc93ba3b9286c473545c684e44c8341f0290ba4ce23a94f843ed2675a73e107ced8beb48e098698e0e2624ed5dcd48

    Download Submit

  • memory/2256-73-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

    Download

  • memory/2256-79-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

    Download

  • memory/2256-90-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

    Download

  • memory/2256-89-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

    Download

  • memory/2256-88-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

    Download

  • memory/2256-87-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

    Download

  • memory/2256-86-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

    Download

  • memory/2256-85-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

    Download

  • memory/2256-67-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

    Download

  • memory/2256-68-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

    Download

  • memory/2256-69-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

    Download

  • memory/2256-71-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

    Download

  • memory/2256-70-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

    Download

  • memory/2256-72-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

    Download

  • memory/2256-84-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

    Download

  • memory/2256-75-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

    Download

  • memory/2256-81-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

    Download

  • memory/2256-76-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

    Download

  • memory/2256-77-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

    Download

  • memory/2256-78-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

    Download

  • memory/2256-74-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

    Download

  • memory/2256-80-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

    Download

  • memory/3064-54-0x0000000000340000-0x0000000000C95000-memory.dmp

    Filesize

    9.3MB

    Download

  • memory/3064-58-0x0000000000340000-0x0000000000C95000-memory.dmp

    Filesize

    9.3MB

    Download

  • memory/3064-66-0x0000000000340000-0x0000000000C95000-memory.dmp

    Filesize

    9.3MB

    Download

  • memory/3064-55-0x0000000000340000-0x0000000000C95000-memory.dmp

    Filesize

    9.3MB

    Download

  • memory/3064-57-0x0000000000340000-0x0000000000C95000-memory.dmp

    Filesize

    9.3MB

    Download

  • memory/3064-60-0x0000000000340000-0x0000000000C95000-memory.dmp

    Filesize

    9.3MB

    Download

  • memory/3064-61-0x0000000000340000-0x0000000000C95000-memory.dmp

    Filesize

    9.3MB

    Download

  • memory/3064-59-0x0000000000340000-0x0000000000C95000-memory.dmp

    Filesize

    9.3MB

    Download