Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

e785e87f0e...ab.exe

windows7-x64

10

e785e87f0e...ab.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/12/2024, 03:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e785e87f0e16a7b52ec8a725dcb048e6310532c9c535dfef70b0d969a4dd85ab.exe

  • Size

    6.1MB

  • MD5

    48978e12606c69a14525441154e7bfd5

  • SHA1

    7402deebde1bb439be4c938458f9139ff8ba16ce

  • SHA256

    e785e87f0e16a7b52ec8a725dcb048e6310532c9c535dfef70b0d969a4dd85ab

  • SHA512

    08f7389f19c51b0070c87a129068867cdb1ea24d768ed29001796290182fa1fcb9a3a9a1fc1cd22c49ff251e0366f5dd380ddac7c64e08a2851f8cea287fe9f1

  • SSDEEP

    98304:dSPwB+aOipCWBR6K4OIiGMprhRp8kBdQ9UEUvQxXf1tpqinVruk:vB+aOiDUKzDrhQLZK0f1tQpk

Score
10/10
laplasclipperdiscoverystealervmprotect

Malware Config

Extracted

Family

laplas

C2

clipper.guru

Attributes
  • api_key

    7ee57b1f6d4aff08f9755119b18cf0754b677addcb6a3063066112b10a357a8e

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Laplas family
    laplas
  • Executes dropped EXE 1 IoCs
  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e785e87f0e16a7b52ec8a725dcb048e6310532c9c535dfef70b0d969a4dd85ab.exe
    "C:\Users\Admin\AppData\Local\Temp\e785e87f0e16a7b52ec8a725dcb048e6310532c9c535dfef70b0d969a4dd85ab.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4624
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C schtasks /create /tn yhaPqplDUY /tr C:\Users\Admin\AppData\Roaming\yhaPqplDUY\wWafNGtsey.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3480
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn yhaPqplDUY /tr C:\Users\Admin\AppData\Roaming\yhaPqplDUY\wWafNGtsey.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:4124
  • C:\Users\Admin\AppData\Roaming\yhaPqplDUY\wWafNGtsey.exe
    C:\Users\Admin\AppData\Roaming\yhaPqplDUY\wWafNGtsey.exe
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:2532

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2532-15-0x0000000000880000-0x0000000000881000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2532-26-0x0000000000CE0000-0x0000000001A3E000-memory.dmp

    Filesize

    13.4MB

    Download

  • memory/2532-22-0x0000000000CE0000-0x0000000001A3E000-memory.dmp

    Filesize

    13.4MB

    Download

  • memory/2532-21-0x0000000000CE0000-0x0000000001A3E000-memory.dmp

    Filesize

    13.4MB

    Download

  • memory/2532-20-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2532-19-0x0000000002FA0000-0x0000000002FA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2532-18-0x0000000002F90000-0x0000000002F91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2532-17-0x0000000002F80000-0x0000000002F81000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2532-16-0x0000000000890000-0x0000000000891000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4624-6-0x0000000002010000-0x0000000002011000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4624-12-0x000000000138B000-0x00000000015F8000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/4624-8-0x0000000000EC0000-0x0000000001C1E000-memory.dmp

    Filesize

    13.4MB

    Download

  • memory/4624-4-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4624-5-0x0000000002000000-0x0000000002001000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4624-0-0x000000000138B000-0x00000000015F8000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/4624-3-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4624-1-0x0000000001DA0000-0x0000000001DA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4624-2-0x0000000001DB0000-0x0000000001DB1000-memory.dmp

    Filesize

    4KB

    Download