laplas | 30438a48463c536433c61446a1f8e874ad7ba451180c1bff69461b2a9d7abdd9

Analysis

max time kernel
123s
max time network
163s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
21-07-2023 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DriverSuite_for_win.exe
Size

691.4MB
MD5

0921de5d31e038e028c90c0896e3795b
SHA1

4d387009c73e2109d39c8973f41539e695fd5af3
SHA256

53a2b56b6038b74e6b7a14a99bbe2c519beea909ff054a2aa8581f15691a40a3
SHA512

735fe3254771d223ba57d69054f33b4deb8657ee6ffd80935ed9e83b20c64d2241c647b9b6cc1de34118fc2d7846627200a91e4cab114ae84c358566343dfed6
SSDEEP

6144:H3ZKOCO0aqqfzF3OPxX/HbAOtuP794/KMC:H3lCO0Jbbujnb

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.159.188.125

Attributes

api_key
31cf151bf2fece27ec94ee6dd4ee6cab42d97a97af3e2973a8494cedd21b8ff1

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
2172	svcservice.exe

Loads dropped DLL 1 IoCs

pid	Process
2508	DriverSuite_for_win.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	DriverSuite_for_win.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2172	2508	DriverSuite_for_win.exe	30
PID 2508 wrote to memory of 2172	2508	DriverSuite_for_win.exe	30
PID 2508 wrote to memory of 2172	2508	DriverSuite_for_win.exe	30
PID 2508 wrote to memory of 2172	2508	DriverSuite_for_win.exe	30

C:\Users\Admin\AppData\Local\Temp\DriverSuite_for_win.exe
"C:\Users\Admin\AppData\Local\Temp\DriverSuite_for_win.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
  2⤵
  - Executes dropped EXE
  PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
797.4MB

MD5
6bbacf674e0e1d4cb992c6caa0301411

SHA1
c779b62103b4b6e487e8848da71ae3c320ab95ba

SHA256
5c6c1d774c5a8b5124105f171b9a0776b5909a1af483e3263ebaf6af82a0d920

SHA512
da14fc58c3bf0f9dad0b8cb0553b8a0146d4d2c5b783c39fd886394cd6474969d77a4e479bce18a351a48a567c57d6457354897dc1b63b06beebe0c8905ceb77

Download Submit
\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
798.9MB

MD5
eb8b636767adb2c27ca9ff591c9ed8c6

SHA1
c5b114404a39d86205dce70f5050a40c5e4f0285

SHA256
c865d84fb93309b0fa7059bcce4e135d67a1eb403ed05d28e18d73e541e49d1b

SHA512
aa0418f824f39b9b3d74dabfc169b3117e643c13746fc12c775e42a77324420b838e36bf3cd95c06fc49ee198bc546ccaea13284288aec33d17628eeea1d9ee1

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads