Analysis

  • max time kernel
    167s
  • max time network
    212s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-07-2023 01:18

General

  • Target

    DriverSuite_for_win.exe

  • Size

    691.4MB

  • MD5

    0921de5d31e038e028c90c0896e3795b

  • SHA1

    4d387009c73e2109d39c8973f41539e695fd5af3

  • SHA256

    53a2b56b6038b74e6b7a14a99bbe2c519beea909ff054a2aa8581f15691a40a3

  • SHA512

    735fe3254771d223ba57d69054f33b4deb8657ee6ffd80935ed9e83b20c64d2241c647b9b6cc1de34118fc2d7846627200a91e4cab114ae84c358566343dfed6

  • SSDEEP

    6144:H3ZKOCO0aqqfzF3OPxX/HbAOtuP794/KMC:H3lCO0Jbbujnb

Malware Config

Extracted

Family

laplas

C2

http://45.159.188.125

Attributes
  • api_key

    31cf151bf2fece27ec94ee6dd4ee6cab42d97a97af3e2973a8494cedd21b8ff1

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DriverSuite_for_win.exe
    "C:\Users\Admin\AppData\Local\Temp\DriverSuite_for_win.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1280
    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
      2⤵
      • Executes dropped EXE
      PID:2752

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

    Filesize

    686.3MB

    MD5

    274c9b58e75f204260daf4de19fbe047

    SHA1

    b86e5ab66d994bae4ef8fdfd2eba9b8e61a8559a

    SHA256

    fdb608cf46238d74d38cb7a83b65e0ec62f3af6c2d5510d806248a65227e5250

    SHA512

    cb131e5e56097ce8a9462720299cc767f0e4a120817fad70077b2d506e7c2bfb4658696e29f8c2bec3b1a923e864bbf0dd023bb32755bc42b55d5ce25e7099e6

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

    Filesize

    464.1MB

    MD5

    3461ad14976fe2376fa41928044b8b5d

    SHA1

    13208966ced85025d7b82dafbd5763d966bca12e

    SHA256

    1cc7e3e13435f902d25537d166e3088c47237e5ec0792f2b4d7948148679f02e

    SHA512

    733fa7c9f12db7b90d39e4d33319230ba09e9ad2ae5775d752d29a15981f66960b2bc11b6061466ab8c5221df2183238d2bb7dff87f5179eb28f8af38a39d0fa

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

    Filesize

    401.6MB

    MD5

    6f8c0d667dfde50dcc2bbd7d29b62dd8

    SHA1

    adf8d915a1582208f73d5c44c5c9a5387103a35f

    SHA256

    c148ba8c4a139801f0cf16aea8c02f722ae7d8b4a711c6c52b31de1d2c488951

    SHA512

    b394ea570f28c32353bb365aa66e52245ca565dd24b6f97798be2bfb5bcb3b22eb478649e769af3d86c2337846e99549de3f23bb9e3ef947ebaa1b43e0115b12