Analysis

  • max time kernel
    142s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-07-2023 07:26

General

  • Target

    DriverSuiteforwin.exe

  • Size

    248KB

  • MD5

    5204e5160631e610268e2f9c37e0e0fd

  • SHA1

    62894f9984688dfa89c107d87468299880a8423e

  • SHA256

    977576b2524a137c9477d4ecbe5530a63c3b40e143dbf499f58cd1c5dfd5a2b2

  • SHA512

    895111cdb7014ec3c985f3f4b901d42d68a85a674d4bf08df568f6df7ad34e1bd18024cf0b3652b35ee6f7072999ed043625b3ec36a427e90e5370835770cd92

  • SSDEEP

    6144:H3ZKOCO0aqqfzF3OPxX/HbAOtuP794/KM:H3lCO0Jbbujn

Malware Config

Extracted

Family

laplas

C2

http://45.159.188.125

Attributes
  • api_key

    31cf151bf2fece27ec94ee6dd4ee6cab42d97a97af3e2973a8494cedd21b8ff1

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DriverSuiteforwin.exe
    "C:\Users\Admin\AppData\Local\Temp\DriverSuiteforwin.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1676
    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
      2⤵
      • Executes dropped EXE
      PID:5080

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

    Filesize

    700.2MB

    MD5

    97b1bb0ecde3685d1b8840b46749f190

    SHA1

    2c6d7c8a374fe5fd2fc3430046189895081efd7e

    SHA256

    09d3a422af8c29981cf96c707b3a9042c3672616b05f6e446a33be9840089f57

    SHA512

    2c380aad8027fa8a2a173e0e4c4951f52ee1b15f7c77199547f1ab6000a7dcc613e810c52070231de6cba1beb23b8797444aabc46c5455faa8a066108ad7ddd0