Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
06-12-2024 03:49
General
-
Target
e785e87f0e16a7b52ec8a725dcb048e6310532c9c535dfef70b0d969a4dd85ab.exe
-
Size
6.1MB
-
MD5
48978e12606c69a14525441154e7bfd5
-
SHA1
7402deebde1bb439be4c938458f9139ff8ba16ce
-
SHA256
e785e87f0e16a7b52ec8a725dcb048e6310532c9c535dfef70b0d969a4dd85ab
-
SHA512
08f7389f19c51b0070c87a129068867cdb1ea24d768ed29001796290182fa1fcb9a3a9a1fc1cd22c49ff251e0366f5dd380ddac7c64e08a2851f8cea287fe9f1
-
SSDEEP
98304:dSPwB+aOipCWBR6K4OIiGMprhRp8kBdQ9UEUvQxXf1tpqinVruk:vB+aOiDUKzDrhQLZK0f1tQpk
Malware Config
Extracted
laplas
clipper.guru
-
api_key
7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e
Signatures
-
Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
-
Laplas family
-
Executes dropped EXE 1 IoCs
-
VMProtect packed file 3 IoCs
Detects executables packed with VMProtect commercial packer.
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e785e87f0e16a7b52ec8a725dcb048e6310532c9c535dfef70b0d969a4dd85ab.exe"C:\Users\Admin\AppData\Local\Temp\e785e87f0e16a7b52ec8a725dcb048e6310532c9c535dfef70b0d969a4dd85ab.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C schtasks /create /tn yhaPqplDUY /tr C:\Users\Admin\AppData\Roaming\yhaPqplDUY\wWafNGtsey.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn yhaPqplDUY /tr C:\Users\Admin\AppData\Roaming\yhaPqplDUY\wWafNGtsey.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {F3CA28C2-BE02-40AB-B2AB-74D5CDED9A5B} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\yhaPqplDUY\wWafNGtsey.exeC:\Users\Admin\AppData\Roaming\yhaPqplDUY\wWafNGtsey.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.4MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
13.4MB
-
Filesize
2.4MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
13.4MB
-
Filesize
13.4MB