Resubmissions

30-07-2023 22:58

230730-2x5s9acf5s 10

30-07-2023 22:02

230730-1xt63sbe79 10

Analysis

  • max time kernel
    32s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-07-2023 22:58

General

  • Target

    svchost.exe

  • Size

    4.0MB

  • MD5

    d076c4b5f5c42b44d583c534f78adbe7

  • SHA1

    c35478e67d490145520be73277cd72cd4e837090

  • SHA256

    2c63c61e0adaaf669c9c674edfc9081d415c05b834611944a682f120ab9559d8

  • SHA512

    b2dfcf98695e7e40578f02a104a1c2fa1de29d13b0056d3dc4a5689168546f437bfd6acbc99e3766f94efb01bac5c908f3e80795f017e1629c97b6b1026ce638

  • SSDEEP

    49152:hGXwGFfpgG2Gv0l1YzzsYvbQaWfG85EIUFiqeb0/B1:MFaTGsgB4ENiqe

Malware Config

Extracted

Family

laplas

C2

http://185.209.161.189

Attributes
  • api_key

    f0cd0c3938331a84425c6e784f577ccd87bb667cfdb44cc24f97f402ac5e15b7

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 14 IoCs
  • Suspicious use of SendNotifyMessage 14 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2200
    • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
      2⤵
      • Executes dropped EXE
      PID:1636
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3932

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

    Filesize

    662.8MB

    MD5

    b44581e5c6b16f3d75dbb9c735a0d5b2

    SHA1

    82e7d86c91cc7735bd7a59355c943c334ab615c8

    SHA256

    0b33bd9efe958eb414f1780ed3837bc4f7aa648d7e9a512bde416a0c70fffdb9

    SHA512

    d5cd3f975adcbc64b55cdf905d4ca3dfe21a36b4f553f4b6cdb8beccc65ac22cf7483df79a6733afcdd95731db55135bd0f88092a4c42e369c513bb6c12f60d8

  • C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

    Filesize

    661.2MB

    MD5

    f2f547fe91e285152e33d01244ac076b

    SHA1

    520f9829b7ed3c91eb7b465871be97d55cd81f3e

    SHA256

    50e1f9e65da3b3bba975a685ccfbc6e13b04244f3e1629cf71b20d80c4c50250

    SHA512

    287b2f6b9b5ac0038a10d0f129291c946738b74c6e8627decfd14b7345575f80bae42bd0bd6a56a75b4326d6e71871ce19a19a4f89aac0d78470743057dd5ee3

  • memory/3932-137-0x000001F893FD0000-0x000001F893FD1000-memory.dmp

    Filesize

    4KB

  • memory/3932-138-0x000001F893FD0000-0x000001F893FD1000-memory.dmp

    Filesize

    4KB

  • memory/3932-139-0x000001F893FD0000-0x000001F893FD1000-memory.dmp

    Filesize

    4KB

  • memory/3932-143-0x000001F893FD0000-0x000001F893FD1000-memory.dmp

    Filesize

    4KB

  • memory/3932-144-0x000001F893FD0000-0x000001F893FD1000-memory.dmp

    Filesize

    4KB

  • memory/3932-145-0x000001F893FD0000-0x000001F893FD1000-memory.dmp

    Filesize

    4KB

  • memory/3932-146-0x000001F893FD0000-0x000001F893FD1000-memory.dmp

    Filesize

    4KB

  • memory/3932-147-0x000001F893FD0000-0x000001F893FD1000-memory.dmp

    Filesize

    4KB

  • memory/3932-149-0x000001F893FD0000-0x000001F893FD1000-memory.dmp

    Filesize

    4KB

  • memory/3932-148-0x000001F893FD0000-0x000001F893FD1000-memory.dmp

    Filesize

    4KB