Analysis

  • max time kernel
    148s
  • max time network
    162s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-07-2023 01:18

General

  • Target

    DriverSuite_for_win.exe

  • Size

    691.4MB

  • MD5

    0921de5d31e038e028c90c0896e3795b

  • SHA1

    4d387009c73e2109d39c8973f41539e695fd5af3

  • SHA256

    53a2b56b6038b74e6b7a14a99bbe2c519beea909ff054a2aa8581f15691a40a3

  • SHA512

    735fe3254771d223ba57d69054f33b4deb8657ee6ffd80935ed9e83b20c64d2241c647b9b6cc1de34118fc2d7846627200a91e4cab114ae84c358566343dfed6

  • SSDEEP

    6144:H3ZKOCO0aqqfzF3OPxX/HbAOtuP794/KMC:H3lCO0Jbbujnb

Malware Config

Extracted

Family

laplas

C2

http://45.159.188.125

Attributes
  • api_key

    31cf151bf2fece27ec94ee6dd4ee6cab42d97a97af3e2973a8494cedd21b8ff1

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (1 IoC)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\DriverSuite_for_win.exe
    "C:\Users\Admin\AppData\Local\Temp\DriverSuite_for_win.exe"
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe (child process)
      "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
      • Executes dropped EXE
      PID:2992

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

    Filesize

    969.0MB

    MD5

    7e26d573deedb93245765c04e4f7c6e8

    SHA1

    c46bbdd52169d528903e958221c999eaadcae8a5

    SHA256

    65ff6ff37ce2df411262223d4a22142357bbc7141cc4a9df525d75bdd75fe5fd

    SHA512

    701dc7175e1600055664bf2a87fe82d49f94508500e322d4bf86ad1eb1c4bf5810bccbe42edf64da999076d7c0dcaeb57a16e6e65cd007ac38116e46e31cdfdd

  • \Users\Admin\AppData\Roaming\telemetry\svcservice.exe

    Filesize

    966.5MB

    MD5

    3024772f440a23881c1a70dd2679f442

    SHA1

    e412a12d309b5ba42296b2eb7c749fd2393ba689

    SHA256

    8b35357fc0b195e8dd3f9d5ce3018a2282526c227033262d20c5ccb64733e975

    SHA512

    2e42d35f7288a5a0f9760248923627a92ddeefb3fad7b968d3a443af7d1c344faa9d690251ff3260767d1b598aaf9e3b29dfac1503260df471b6a274c0e532b5