laplas | 1d6781892cee8a3c195490c7476e20e3a16b5c0e398a519d83849ca7d11e1c56

General

Target

1d6781892cee8a3c195490c7476e20e3a16b5c0e398a519d83849ca7d11e1c56-1.exe
Size

7.4MB
MD5

156590a4560236d1fe20019c6babbc49
SHA1

d9f5033f58f0fef0e8165b08c7a41f7b4b10a9fd
SHA256

1d6781892cee8a3c195490c7476e20e3a16b5c0e398a519d83849ca7d11e1c56
SHA512

9f4be44f2b4b3318fe48895c0221385d5cefd0303da5da51e6788cfc0eaecd7a3c3e5db4183e829114d68d3c89ce86d630096fa91318376f105d935f8e355cc0
SSDEEP

196608:dZkKDdWzNLqrZQRcFE7qQGshXJbs0+XHeOeKpd:8WdoN2K97msvQD

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

C2

http://185.223.93.223

Attributes

api_key
afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Executes dropped EXE 1 IoCs

pid	Process
2608	ntlhost.exe

Loads dropped DLL 1 IoCs

pid	Process
2788	1d6781892cee8a3c195490c7476e20e3a16b5c0e398a519d83849ca7d11e1c56-1.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe"	1d6781892cee8a3c195490c7476e20e3a16b5c0e398a519d83849ca7d11e1c56-1.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2788	1d6781892cee8a3c195490c7476e20e3a16b5c0e398a519d83849ca7d11e1c56-1.exe
2788	1d6781892cee8a3c195490c7476e20e3a16b5c0e398a519d83849ca7d11e1c56-1.exe
2608	ntlhost.exe
2608	ntlhost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2788	1d6781892cee8a3c195490c7476e20e3a16b5c0e398a519d83849ca7d11e1c56-1.exe
2788	1d6781892cee8a3c195490c7476e20e3a16b5c0e398a519d83849ca7d11e1c56-1.exe
2608	ntlhost.exe
2608	ntlhost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2840	mspaint.exe
2352	mspaint.exe
664	mspaint.exe
2840	mspaint.exe
2352	mspaint.exe
2352	mspaint.exe
2352	mspaint.exe
2840	mspaint.exe
2840	mspaint.exe
664	mspaint.exe
664	mspaint.exe
664	mspaint.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2608	2788	1d6781892cee8a3c195490c7476e20e3a16b5c0e398a519d83849ca7d11e1c56-1.exe	28
PID 2788 wrote to memory of 2608	2788	1d6781892cee8a3c195490c7476e20e3a16b5c0e398a519d83849ca7d11e1c56-1.exe	28
PID 2788 wrote to memory of 2608	2788	1d6781892cee8a3c195490c7476e20e3a16b5c0e398a519d83849ca7d11e1c56-1.exe	28
PID 2788 wrote to memory of 2608	2788	1d6781892cee8a3c195490c7476e20e3a16b5c0e398a519d83849ca7d11e1c56-1.exe	28

C:\Users\Admin\AppData\Local\Temp\1d6781892cee8a3c195490c7476e20e3a16b5c0e398a519d83849ca7d11e1c56-1.exe
"C:\Users\Admin\AppData\Local\Temp\1d6781892cee8a3c195490c7476e20e3a16b5c0e398a519d83849ca7d11e1c56-1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:2608

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\DisconnectRestore.wmf"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2840

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\DisconnectRestore.wmf"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2352

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\DisconnectRestore.wmf"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
4.9MB

MD5
a7c030bb43ff023ef60a6660584909a7

SHA1
566b919c1026ec347748f2ecd2af3c461161a53d

SHA256
ace5cef539028c2a7e790132365be1be469441d0774779f3ce6dacc005d1cbd1

SHA512
284a9bcd92d62e6567c0a71005d6e6d0251eecb3b44039e544a5d2965c226b2d20fbc941253ac8f74c68c842bc37db626ed230e9cc3edd07d8535a53fc2990e8

Download Submit
\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe

Filesize
3.4MB

MD5
8d460678b3e54f3ac6400d40d6fbb77a

SHA1
cc59581ab72dc1250ecf4be0ae444eac59ee05be

SHA256
953e3b2326585271fd4de6866ee5d943b6356333ab7ea997fca678db2da67630

SHA512
810ad1a6034e6c7c0e9124a619bd670594d671d95102704f0e81dc8f03a8e04da50544cf49a3867aadd5ab9faed1ce4cc46209eccdfdf09c8c35abb86d9b0823

Download Submit
memory/664-61-0x000007FEF57E0000-0x000007FEF582C000-memory.dmp

Filesize
304KB

Download
memory/664-60-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/664-58-0x000007FEF57E0000-0x000007FEF582C000-memory.dmp

Filesize
304KB

Download
memory/2352-62-0x000007FEF57E0000-0x000007FEF582C000-memory.dmp

Filesize
304KB

Download
memory/2352-59-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

Filesize
4KB

Download
memory/2352-55-0x000007FEF57E0000-0x000007FEF582C000-memory.dmp

Filesize
304KB

Download
memory/2608-54-0x0000000002D10000-0x0000000002D50000-memory.dmp

Filesize
256KB

Download
memory/2608-42-0x0000000003980000-0x0000000003D83000-memory.dmp

Filesize
4.0MB

Download
memory/2608-53-0x0000000002D10000-0x0000000002D50000-memory.dmp

Filesize
256KB

Download
memory/2608-52-0x0000000000400000-0x000000000135B000-memory.dmp

Filesize
15.4MB

Download
memory/2608-51-0x0000000003980000-0x0000000003D83000-memory.dmp

Filesize
4.0MB

Download
memory/2608-50-0x0000000003980000-0x0000000003D83000-memory.dmp

Filesize
4.0MB

Download
memory/2608-49-0x0000000003980000-0x0000000003D83000-memory.dmp

Filesize
4.0MB

Download
memory/2608-44-0x0000000002D10000-0x0000000002D50000-memory.dmp

Filesize
256KB

Download
memory/2608-35-0x0000000000400000-0x000000000135B000-memory.dmp

Filesize
15.4MB

Download
memory/2788-31-0x0000000000400000-0x000000000135B000-memory.dmp

Filesize
15.4MB

Download
memory/2788-6-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2788-14-0x0000000003070000-0x00000000030B0000-memory.dmp

Filesize
256KB

Download
memory/2788-30-0x0000000000400000-0x000000000135B000-memory.dmp

Filesize
15.4MB

Download
memory/2788-26-0x0000000003BA0000-0x0000000003FA3000-memory.dmp

Filesize
4.0MB

Download
memory/2788-19-0x0000000003BA0000-0x0000000003FA3000-memory.dmp

Filesize
4.0MB

Download
memory/2788-21-0x0000000003BA0000-0x0000000003FA3000-memory.dmp

Filesize
4.0MB

Download
memory/2788-1-0x0000000000400000-0x000000000135B000-memory.dmp

Filesize
15.4MB

Download
memory/2788-11-0x0000000003BA0000-0x0000000003FA3000-memory.dmp

Filesize
4.0MB

Download
memory/2788-0-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2788-5-0x0000000000400000-0x000000000135B000-memory.dmp

Filesize
15.4MB

Download
memory/2788-12-0x0000000003070000-0x00000000030B0000-memory.dmp

Filesize
256KB

Download
memory/2788-3-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2788-20-0x0000000003BA0000-0x0000000003FA3000-memory.dmp

Filesize
4.0MB

Download
memory/2840-57-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/2840-56-0x000007FEF57E0000-0x000007FEF582C000-memory.dmp

Filesize
304KB

Download
memory/2840-63-0x000007FEF57E0000-0x000007FEF582C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads