Overview

overview

10

Static

static

10

svcupdater.exe

windows7-x64

10

svcupdater.exe

windows10-2004-x64

10

Resubmissions

24-11-2022 16:38

221124-t5ggmaah3y 10

18-11-2022 10:14

221118-l9yygada6s 10

05-11-2022 01:50

221105-b88feacgc8 8

Analysis

  • max time kernel
    181s
  • max time network
    201s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2022 16:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    svcupdater.exe

  • Size

    4.8MB

  • MD5

    cd4ac234ee1c9fca552d11ff31b9c5cc

  • SHA1

    e3448c185bdf0e0a0859f2b28d1b5f28c38a0064

  • SHA256

    fc8db07536652808292ddca99645f2e64431baf7f72ba1a8d358229e16fafbd8

  • SHA512

    d07048d1359350c9913d2727cb40969383eaca0593b7395d2c51435e0defaa91f4c95f038bb1877847d520efa0150359860036f6e6e1c3e2ece24bc4ff8c6b9f

  • SSDEEP

    49152:tAM3CiGxBRJHy51FmJgBaShRgd5MYh43VvATtg0IEqYjla27VdS5g+A:aMLGxBk1FmJgX2l4lv3EdZv+A

Score
10/10
laplasstealer

Malware Config

Extracted

Family

laplas

C2

clipper.guru

Attributes
  • api_key

    79af1e5a26dc8ad71542cfa94bd6c11764fd9f9531b1e509278be5b87528ae46

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with two variants written in Golang and C#.

    stealerlaplas
  • Executes dropped EXE 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\svcupdater.exe
    "C:\Users\Admin\AppData\Local\Temp\svcupdater.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Windows\system32\cmd.exe
      cmd.exe "/C schtasks /create /tn \ipNnOYSRDI /tr \"C:\Users\Admin\AppData\Roaming\ipNnOYSRDI\svcupdater.exe\" /st 00:00 /du 9999:59 /sc once /ri 1 /f"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1884
      • C:\Windows\system32\schtasks.exe
        schtasks /create /tn \ipNnOYSRDI /tr \"C:\Users\Admin\AppData\Roaming\ipNnOYSRDI\svcupdater.exe\" /st 00:00 /du 9999:59 /sc once /ri 1 /f"
        3⤵
        • Creates scheduled task(s)
        PID:1976
  • C:\Users\Admin\AppData\Roaming\ipNnOYSRDI\svcupdater.exe
    C:\Users\Admin\AppData\Roaming\ipNnOYSRDI\svcupdater.exe
    1⤵
    • Executes dropped EXE
    PID:3632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\ipNnOYSRDI\svcupdater.exe
    Filesize

    4.8MB

    MD5

    cd4ac234ee1c9fca552d11ff31b9c5cc

    SHA1

    e3448c185bdf0e0a0859f2b28d1b5f28c38a0064

    SHA256

    fc8db07536652808292ddca99645f2e64431baf7f72ba1a8d358229e16fafbd8

    SHA512

    d07048d1359350c9913d2727cb40969383eaca0593b7395d2c51435e0defaa91f4c95f038bb1877847d520efa0150359860036f6e6e1c3e2ece24bc4ff8c6b9f

    Download Submit
  • C:\Users\Admin\AppData\Roaming\ipNnOYSRDI\svcupdater.exe
    Filesize

    4.8MB

    MD5

    cd4ac234ee1c9fca552d11ff31b9c5cc

    SHA1

    e3448c185bdf0e0a0859f2b28d1b5f28c38a0064

    SHA256

    fc8db07536652808292ddca99645f2e64431baf7f72ba1a8d358229e16fafbd8

    SHA512

    d07048d1359350c9913d2727cb40969383eaca0593b7395d2c51435e0defaa91f4c95f038bb1877847d520efa0150359860036f6e6e1c3e2ece24bc4ff8c6b9f

    Download Submit
  • memory/1884-132-0x0000000000000000-mapping.dmp
    Download
  • memory/1976-133-0x0000000000000000-mapping.dmp
    Download