laplas | 30438a48463c536433c61446a1f8e874ad7ba451180c1bff69461b2a9d7abdd9

Analysis

max time kernel
152s
max time network
269s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2023, 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DriverSuite_for_win.exe
Size

691.4MB
MD5

0921de5d31e038e028c90c0896e3795b
SHA1

4d387009c73e2109d39c8973f41539e695fd5af3
SHA256

53a2b56b6038b74e6b7a14a99bbe2c519beea909ff054a2aa8581f15691a40a3
SHA512

735fe3254771d223ba57d69054f33b4deb8657ee6ffd80935ed9e83b20c64d2241c647b9b6cc1de34118fc2d7846627200a91e4cab114ae84c358566343dfed6
SSDEEP

6144:H3ZKOCO0aqqfzF3OPxX/HbAOtuP794/KMC:H3lCO0Jbbujnb

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://45.159.188.125

Attributes

api_key
31cf151bf2fece27ec94ee6dd4ee6cab42d97a97af3e2973a8494cedd21b8ff1

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation	DriverSuite_for_win.exe

Executes dropped EXE 1 IoCs

pid	Process
1656	svcservice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	DriverSuite_for_win.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 1656	1704	DriverSuite_for_win.exe	92
PID 1704 wrote to memory of 1656	1704	DriverSuite_for_win.exe	92
PID 1704 wrote to memory of 1656	1704	DriverSuite_for_win.exe	92

C:\Users\Admin\AppData\Local\Temp\DriverSuite_for_win.exe
"C:\Users\Admin\AppData\Local\Temp\DriverSuite_for_win.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
  2⤵
  - Executes dropped EXE
  PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
708.2MB

MD5
e9559684edaab34bff65f873b3ed76dd

SHA1
8060c8667af3d6cbc7efb5aa4637ce748152ee7d

SHA256
1878f09536edc44111653869822767770cb8918b53fe3fd5c5673db86b19203e

SHA512
dd290527066f8d3900ad63c1ec929b48efcc6de440ad6d5d060521b760015ff52d2acd31062c4827e951995665daa8f6fa9532fcec595476288f5322cff8f1e4

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
404.2MB

MD5
d62dcdeb5f38e59b5db76b9c47b9478b

SHA1
26957abd008d56ac3082e870c09ebdd0bf10c913

SHA256
aedeca4037e530b363372b3bc691d1ed7002c716c6cf0cb8280f8f442e3edf5c

SHA512
608e1df137b1403f4843f7223edd8d530bf36213feada554d6a1865244add43ec510d2c56e1a76f1e2ea0c30391efbebc8a3b80af57bf5e736c3802dd7100212

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
441.1MB

MD5
12bfe60b6e7920ea953a97cb16ee0507

SHA1
a757924c0615db35013ecdd6e5fcd7e7c437480a

SHA256
5430475018df13fbfb956092ac5b779f537253f79dc1e7e66b38ed66faf0d40c

SHA512
0a351ce7c4b83efbdeee77c871f34d079e11553245f699871710add408bf6fa3e63ca0174ad2b42b89fb9db2c733eff539f2bff1caa8bbfaa4c8017311b27b3c

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads