laplas | b20d74c759e6d677148c3cf1ddac1056631d69ec738f098d2c8103782d8d82c6

Analysis

max time kernel
133s
max time network
153s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
18-07-2023 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

msvs.exe
Size

4.0MB
MD5

e1cd1c30f4761a2bf4c878ef0a723435
SHA1

8fe5aaf4f0906bbc33c73819fd27eb838cc096e0
SHA256

b20d74c759e6d677148c3cf1ddac1056631d69ec738f098d2c8103782d8d82c6
SHA512

ecf459342f3d6aa775fa471e9b80d457a8a6bdaae18ffe0495fb044c1a665bd6efcfe9fbf27f8e977939797b1caff468e3b5e2a41b433f080e7b63c7fc8d32d8
SSDEEP

98304:jBFr1GYY6ihQXeuhAgNcpdWK07pWUd/nwdAS:1/7kdEQUd/nwuS

Score

10^/10

laplas clipper evasion persistence stealer trojan

Malware Config

Extracted

Family

laplas

http://lpls.tuktuk.ug

Attributes

api_key
a0f588021b58e0c7908a163f8750678efedf2a66bf739a12427b379aef47ccde

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	msvs.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ntlhost.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	msvs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	msvs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ntlhost.exe

Executes dropped EXE 1 IoCs

pid	Process
2560	ntlhost.exe

Loads dropped DLL 1 IoCs

pid	Process
1308	msvs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	msvs.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ntlhost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	msvs.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1308	msvs.exe
2560	ntlhost.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	3	Go-http-client/1.1

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 2560	1308	msvs.exe	28
PID 1308 wrote to memory of 2560	1308	msvs.exe	28
PID 1308 wrote to memory of 2560	1308	msvs.exe	28

C:\Users\Admin\AppData\Local\Temp\msvs.exe
"C:\Users\Admin\AppData\Local\Temp\msvs.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
754.5MB

MD5
4c0bd8bbaf93f7bb55afc0bb4feea855

SHA1
8c74056472b5ff02866919be04b07390ee3f09da

SHA256
29a2a317b6655bf1145c5df9fa52f528c20d8f3f14464fa2fdeddd6b4ea8079d

SHA512
4f8e7365fe3d850e155306f75558fbb69f840d61d36eccb3b52015b66a3e6b4d95dc6f3785c213ad6dcd2a4d2c276f4e0e74f4f88a08bf0ce7c61f8d93379bc6

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
758.9MB

MD5
5f01ac460591d06f895b27a6a38724c5

SHA1
07fd7810dfd115bc2a2086d27ee173666945618a

SHA256
3e0cf3da07aba31a8a9fa72ffbf1da37c53381978acebfd64716e7867a9d3b99

SHA512
7fda080fcbc90c8ebc04f8d647fbe89eacb3f1bc0adcc8febc7f1a401f50cd406fc6b46e8be3eda7e25ec73ba8c9c56ce2d6d445899d329548c1089b46ca8d2f

Download Submit
memory/1308-64-0x0000000000DB0000-0x000000000170E000-memory.dmp

Filesize
9.4MB

Download
memory/1308-65-0x0000000000DB0000-0x000000000170E000-memory.dmp

Filesize
9.4MB

Download
memory/1308-59-0x0000000000DB0000-0x000000000170E000-memory.dmp

Filesize
9.4MB

Download
memory/1308-71-0x00000000288E0000-0x000000002923E000-memory.dmp

Filesize
9.4MB

Download
memory/1308-58-0x0000000000DB0000-0x000000000170E000-memory.dmp

Filesize
9.4MB

Download
memory/1308-57-0x0000000000DB0000-0x000000000170E000-memory.dmp

Filesize
9.4MB

Download
memory/1308-56-0x0000000000DB0000-0x000000000170E000-memory.dmp

Filesize
9.4MB

Download
memory/1308-55-0x0000000077270000-0x0000000077419000-memory.dmp

Filesize
1.7MB

Download
memory/1308-54-0x0000000000DB0000-0x000000000170E000-memory.dmp

Filesize
9.4MB

Download
memory/1308-60-0x0000000000DB0000-0x000000000170E000-memory.dmp

Filesize
9.4MB

Download
memory/1308-66-0x0000000000DB0000-0x000000000170E000-memory.dmp

Filesize
9.4MB

Download
memory/1308-67-0x0000000000DB0000-0x000000000170E000-memory.dmp

Filesize
9.4MB

Download
memory/1308-68-0x0000000077270000-0x0000000077419000-memory.dmp

Filesize
1.7MB

Download
memory/1308-61-0x0000000000DB0000-0x000000000170E000-memory.dmp

Filesize
9.4MB

Download
memory/1308-62-0x0000000000DB0000-0x000000000170E000-memory.dmp

Filesize
9.4MB

Download
memory/1308-75-0x0000000000DB0000-0x000000000170E000-memory.dmp

Filesize
9.4MB

Download
memory/1308-63-0x0000000000DB0000-0x000000000170E000-memory.dmp

Filesize
9.4MB

Download
memory/1308-74-0x0000000000DB0000-0x000000000170E000-memory.dmp

Filesize
9.4MB

Download
memory/1308-77-0x0000000077270000-0x0000000077419000-memory.dmp

Filesize
1.7MB

Download
memory/2560-78-0x0000000077270000-0x0000000077419000-memory.dmp

Filesize
1.7MB

Download
memory/2560-91-0x0000000001250000-0x0000000001BAE000-memory.dmp

Filesize
9.4MB

Download
memory/2560-79-0x0000000001250000-0x0000000001BAE000-memory.dmp

Filesize
9.4MB

Download
memory/2560-80-0x0000000001250000-0x0000000001BAE000-memory.dmp

Filesize
9.4MB

Download
memory/2560-82-0x0000000001250000-0x0000000001BAE000-memory.dmp

Filesize
9.4MB

Download
memory/2560-81-0x0000000001250000-0x0000000001BAE000-memory.dmp

Filesize
9.4MB

Download
memory/2560-83-0x0000000001250000-0x0000000001BAE000-memory.dmp

Filesize
9.4MB

Download
memory/2560-84-0x0000000001250000-0x0000000001BAE000-memory.dmp

Filesize
9.4MB

Download
memory/2560-85-0x0000000001250000-0x0000000001BAE000-memory.dmp

Filesize
9.4MB

Download
memory/2560-87-0x0000000001250000-0x0000000001BAE000-memory.dmp

Filesize
9.4MB

Download
memory/2560-86-0x0000000001250000-0x0000000001BAE000-memory.dmp

Filesize
9.4MB

Download
memory/2560-88-0x0000000001250000-0x0000000001BAE000-memory.dmp

Filesize
9.4MB

Download
memory/2560-90-0x0000000077270000-0x0000000077419000-memory.dmp

Filesize
1.7MB

Download
memory/2560-76-0x0000000001250000-0x0000000001BAE000-memory.dmp

Filesize
9.4MB

Download
memory/2560-92-0x0000000001250000-0x0000000001BAE000-memory.dmp

Filesize
9.4MB

Download
memory/2560-93-0x0000000001250000-0x0000000001BAE000-memory.dmp

Filesize
9.4MB

Download
memory/2560-94-0x0000000001250000-0x0000000001BAE000-memory.dmp

Filesize
9.4MB

Download
memory/2560-95-0x0000000001250000-0x0000000001BAE000-memory.dmp

Filesize
9.4MB

Download
memory/2560-98-0x0000000001250000-0x0000000001BAE000-memory.dmp

Filesize
9.4MB

Download
memory/2560-99-0x0000000001250000-0x0000000001BAE000-memory.dmp

Filesize
9.4MB

Download
memory/2560-100-0x0000000001250000-0x0000000001BAE000-memory.dmp

Filesize
9.4MB

Download
memory/2560-101-0x0000000001250000-0x0000000001BAE000-memory.dmp

Filesize
9.4MB

Download
memory/2560-102-0x0000000001250000-0x0000000001BAE000-memory.dmp

Filesize
9.4MB

Download
memory/2560-103-0x0000000001250000-0x0000000001BAE000-memory.dmp

Filesize
9.4MB

Download
memory/2560-104-0x0000000001250000-0x0000000001BAE000-memory.dmp

Filesize
9.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads