Overview

overview

10

Static

static

1

svcservice.exe

windows7-x64

10

svcservice.exe

windows10-2004-x64

10

Resubmissions

18-04-2023 13:04

230418-qba6zadc7w 10

18-04-2023 12:53

230418-p4xp1abd95 10

Analysis

  • max time kernel
    155s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    18-04-2023 12:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    svcservice.exe

  • Size

    1023.8MB

  • MD5

    9112d21551cffc1149f0e11d44afbec0

  • SHA1

    cd1751ed7525adafdbcf44e6cc1dd0dad1b760c8

  • SHA256

    723710eaf3beac67ea9191491824d50bd3398951341cea790aabef634a412871

  • SHA512

    2983e1a653a81b711d2bfe68897934efdd07ca1d02adfe18a903d7cde18af522a03b17f2db273938ef6cc6872bd40950f498d6e60dfef2f522b01d6195d431d6

  • SSDEEP

    3145728:m33333333333333333333333333333333333333333333333333333333333333y:P

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://nerf-0150-unknown.guru

Attributes
  • api_key

    afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\svcservice.exe
    "C:\Users\Admin\AppData\Local\Temp\svcservice.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:668
    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
      2⤵
      • Executes dropped EXE
      PID:1020
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:684

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    506.9MB

    MD5

    cdd42a5f92d7026cb1aeb36dbfe84c11

    SHA1

    e55c588d721ce594a332aceb59f9f0dd01328b67

    SHA256

    e538e65524ea4dbbbb1023d9badfaaf09c3439afd63d733dfad9694965e34b62

    SHA512

    b8f774ea59c4bc96085c35c9562d0b8032d4d0e8836bbe4a8dd56e856ff5758588d1b20f570289eec2a094fba81628aea60855c03736adfe65aaa8309cb8020d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    478.7MB

    MD5

    28f785e55e10a1c3f5906876a16ea59b

    SHA1

    7cb1299bbb00652b30cca07a10987b553fa5d669

    SHA256

    90e1c89e2a8f181a4df6a349c50387eb1b4eb0b097761a5e34b351a4554f109d

    SHA512

    9da839564580dea4c34c422914c5eed090a21366eb1f7c93971dafac1a801756f039dee03ea1b1fa63374e0869a6b4b355be7b6bf8395d5164f50aa8e845ed3f

    Download Submit

  • \Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    498.2MB

    MD5

    5753973b050d7dd3424c868309d69516

    SHA1

    237f0324a5a043d9ce41f11ef53c7b00a02e16c2

    SHA256

    4dc92e51157bbc5633f4698f607c369056b6f5165eeca6f404082f8447d9b919

    SHA512

    6f011b703dad9351eb2a90dcc77e4b6758dd1d03f160ffb596670b9594400a34e224a246d737220ecc1de4a1991eaedc752b954356347200ec8cce1285cb795f

    Download Submit

  • memory/668-58-0x0000000000240000-0x0000000000281000-memory.dmp

    Filesize

    260KB

    Download

  • memory/668-63-0x0000000000400000-0x0000000000559000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/668-54-0x0000000000400000-0x0000000000559000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/668-75-0x0000000002450000-0x00000000025A9000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/668-74-0x0000000000400000-0x0000000000559000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/684-65-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/684-56-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/684-55-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/1020-76-0x0000000000400000-0x0000000000559000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1020-77-0x0000000000400000-0x0000000000559000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1020-87-0x0000000000230000-0x0000000000271000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1020-92-0x0000000000400000-0x0000000000559000-memory.dmp

    Filesize

    1.3MB

    Download