Analysis

  • max time kernel
    152s
  • max time network
    269s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/07/2023, 14:21

General

  • Target

    DriverSuite_for_win.exe

  • Size

    691.4MB

  • MD5

    0921de5d31e038e028c90c0896e3795b

  • SHA1

    4d387009c73e2109d39c8973f41539e695fd5af3

  • SHA256

    53a2b56b6038b74e6b7a14a99bbe2c519beea909ff054a2aa8581f15691a40a3

  • SHA512

    735fe3254771d223ba57d69054f33b4deb8657ee6ffd80935ed9e83b20c64d2241c647b9b6cc1de34118fc2d7846627200a91e4cab114ae84c358566343dfed6

  • SSDEEP

    6144:H3ZKOCO0aqqfzF3OPxX/HbAOtuP794/KMC:H3lCO0Jbbujnb

Malware Config

Extracted

Family

laplas

C2

http://45.159.188.125

Attributes
  • api_key

    31cf151bf2fece27ec94ee6dd4ee6cab42d97a97af3e2973a8494cedd21b8ff1

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DriverSuite_for_win.exe
    "C:\Users\Admin\AppData\Local\Temp\DriverSuite_for_win.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
      2⤵
      • Executes dropped EXE
      PID:1656

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

    Filesize

    708.2MB

    MD5

    e9559684edaab34bff65f873b3ed76dd

    SHA1

    8060c8667af3d6cbc7efb5aa4637ce748152ee7d

    SHA256

    1878f09536edc44111653869822767770cb8918b53fe3fd5c5673db86b19203e

    SHA512

    dd290527066f8d3900ad63c1ec929b48efcc6de440ad6d5d060521b760015ff52d2acd31062c4827e951995665daa8f6fa9532fcec595476288f5322cff8f1e4

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

    Filesize

    404.2MB

    MD5

    d62dcdeb5f38e59b5db76b9c47b9478b

    SHA1

    26957abd008d56ac3082e870c09ebdd0bf10c913

    SHA256

    aedeca4037e530b363372b3bc691d1ed7002c716c6cf0cb8280f8f442e3edf5c

    SHA512

    608e1df137b1403f4843f7223edd8d530bf36213feada554d6a1865244add43ec510d2c56e1a76f1e2ea0c30391efbebc8a3b80af57bf5e736c3802dd7100212

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

    Filesize

    441.1MB

    MD5

    12bfe60b6e7920ea953a97cb16ee0507

    SHA1

    a757924c0615db35013ecdd6e5fcd7e7c437480a

    SHA256

    5430475018df13fbfb956092ac5b779f537253f79dc1e7e66b38ed66faf0d40c

    SHA512

    0a351ce7c4b83efbdeee77c871f34d079e11553245f699871710add408bf6fa3e63ca0174ad2b42b89fb9db2c733eff539f2bff1caa8bbfaa4c8017311b27b3c