Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-12-2024 03:44
Behavioral task: behavioral1
Sample: e785e87f0e16a7b52ec8a725dcb048e6310532c9c535dfef70b0d969a4dd85ab.exe
Resource: win7-20241010-en
General
Target: e785e87f0e16a7b52ec8a725dcb048e6310532c9c535dfef70b0d969a4dd85ab.exe
Size: 6.1MB
MD5: 48978e12606c69a14525441154e7bfd5
SHA1: 7402deebde1bb439be4c938458f9139ff8ba16ce
SHA256: e785e87f0e16a7b52ec8a725dcb048e6310532c9c535dfef70b0d969a4dd85ab
SHA512: 08f7389f19c51b0070c87a129068867cdb1ea24d768ed29001796290182fa1fcb9a3a9a1fc1cd22c49ff251e0366f5dd380ddac7c64e08a2851f8cea287fe9f1
SSDEEP: 98304:dSPwB+aOipCWBR6K4OIiGMprhRp8kBdQ9UEUvQxXf1tpqinVruk:vB+aOiDUKzDrhQLZK0f1tQpk
Malware Config
Extracted
family: laplas
clipper.guru
api_key: 7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e
Signatures

Laplas family

Executes dropped EXE (1 IoC)
  pid   Process
  2612  wWafNGtsey.exe

  resource                                                                    yara_rule
  behavioral2/memory/4864-7-0x0000000000F00000-0x0000000001C5E000-memory.dmp   vmprotect
  behavioral2/memory/2612-22-0x00000000002C0000-0x000000000101E000-memory.dmp  vmprotect
  behavioral2/memory/2612-21-0x00000000002C0000-0x000000000101E000-memory.dmp  vmprotect
  behavioral2/memory/2612-26-0x00000000002C0000-0x000000000101E000-memory.dmp  vmprotect
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   e785e87f0e16a7b52ec8a725dcb048e6310532c9c535dfef70b0d969a4dd85ab.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   schtasks.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   wWafNGtsey.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  5016  schtasks.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  4864  e785e87f0e16a7b52ec8a725dcb048e6310532c9c535dfef70b0d969a4dd85ab.exe
  4864  e785e87f0e16a7b52ec8a725dcb048e6310532c9c535dfef70b0d969a4dd85ab.exe
  2612  wWafNGtsey.exe
  2612  wWafNGtsey.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 4864 wrote to memory of 864   4864  e785e87f0e16a7b52ec8a725dcb048e6310532c9c535dfef70b0d969a4dd85ab.exe   82
  PID 4864 wrote to memory of 864   4864  e785e87f0e16a7b52ec8a725dcb048e6310532c9c535dfef70b0d969a4dd85ab.exe   82
  PID 4864 wrote to memory of 864   4864  e785e87f0e16a7b52ec8a725dcb048e6310532c9c535dfef70b0d969a4dd85ab.exe   82
  PID 864 wrote to memory of 5016   864   cmd.exe                                                                 84
  PID 864 wrote to memory of 5016   864   cmd.exe                                                                 84
  PID 864 wrote to memory of 5016   864   cmd.exe                                                                 84
Processes
- C:\Users\Admin\AppData\Local\Temp\e785e87f0e16a7b52ec8a725dcb048e6310532c9c535dfef70b0d969a4dd85ab.exe (level 1, PID 4864)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e785e87f0e16a7b52ec8a725dcb048e6310532c9c535dfef70b0d969a4dd85ab.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (level 2, PID 864)
    Command line: cmd.exe /C schtasks /create /tn yhaPqplDUY /tr C:\Users\Admin\AppData\Roaming\yhaPqplDUY\wWafNGtsey.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (level 3, PID 5016)
      Command line: schtasks /create /tn yhaPqplDUY /tr C:\Users\Admin\AppData\Roaming\yhaPqplDUY\wWafNGtsey.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task
- C:\Users\Admin\AppData\Roaming\yhaPqplDUY\wWafNGtsey.exe (level 1, PID 2612)
  Command line: C:\Users\Admin\AppData\Roaming\yhaPqplDUY\wWafNGtsey.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses