Overview

overview

10

Static

static

1

svcservice.exe

windows7-x64

10

svcservice.exe

windows10-2004-x64

10

Resubmissions

18-04-2023 13:04

230418-qba6zadc7w 10

18-04-2023 12:53

230418-p4xp1abd95 10

Analysis

  • max time kernel
    45s
  • max time network
    170s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-04-2023 12:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    svcservice.exe

  • Size

    1023.8MB

  • MD5

    9112d21551cffc1149f0e11d44afbec0

  • SHA1

    cd1751ed7525adafdbcf44e6cc1dd0dad1b760c8

  • SHA256

    723710eaf3beac67ea9191491824d50bd3398951341cea790aabef634a412871

  • SHA512

    2983e1a653a81b711d2bfe68897934efdd07ca1d02adfe18a903d7cde18af522a03b17f2db273938ef6cc6872bd40950f498d6e60dfef2f522b01d6195d431d6

  • SSDEEP

    3145728:m33333333333333333333333333333333333333333333333333333333333333y:P

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://nerf-0150-unknown.guru

Attributes
  • api_key

    afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 14 IoCs
  • Suspicious use of SendNotifyMessage 14 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\svcservice.exe
    "C:\Users\Admin\AppData\Local\Temp\svcservice.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:896
    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
      2⤵
      • Executes dropped EXE
      PID:4304
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4640

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    614.3MB

    MD5

    1e9d8af2de65ff767adbdfd10efaa3ad

    SHA1

    d7f5956e8ff6644ad1f6d088fe3a93007604c9e7

    SHA256

    bc45adba6146414fdc01f7fe941ab26f843f70634fa6e8792113c5056462b4e8

    SHA512

    bc68107c64924a6bdb934e8f838d08e5c1e1a978ecd3831799c5c09361a89cd8953309eaeb6a5a7bce826af3610c10a4a04e1e120b8411632a51d01e5372c86a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    607.2MB

    MD5

    447a6cdde2d6bcf762f6c31b6fa004c6

    SHA1

    0d95ac1daa43cefac3fdbd78bcde5cccc5918538

    SHA256

    e679db2282ef966919c8391953e79df74d0251a996e8fc4731ed5e82d212edd0

    SHA512

    d4ee3fe75e655c53f790f29525b7de5017ed7d7fdd8b38c34ea2c62d181189633b991cd772975fbe3e088e4f57555911492e4fd95419196ccf0f92b92d537ce0

    Download Submit

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    592.2MB

    MD5

    f792746e4d2acbedddfdad3144c4a268

    SHA1

    087994b7da363c810b7ede7440d67d28586c22b5

    SHA256

    46697b28850da335c84d7af86fa37076cee4dea50ba1f556c0b434bd37feeac3

    SHA512

    01be351db0e3339fe3ed96d483b2276909cc4707faa2a67b901229ba11cf62b410b1580407dff1cfdfe08e2f0fe927287d917052bcfb76fb41fef7ba991b84c2

    Download Submit

  • memory/896-133-0x0000000000400000-0x0000000000559000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/896-136-0x00000000022D0000-0x0000000002311000-memory.dmp

    Filesize

    260KB

    Download

  • memory/896-141-0x0000000000400000-0x0000000000559000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/896-153-0x0000000000400000-0x0000000000559000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4304-155-0x0000000000400000-0x0000000000559000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4304-178-0x0000000000400000-0x0000000000559000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4304-171-0x00000000006E0000-0x0000000000721000-memory.dmp

    Filesize

    260KB

    Download

  • memory/4640-159-0x00000267A2C00000-0x00000267A2C01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4640-164-0x00000267A2C00000-0x00000267A2C01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4640-165-0x00000267A2C00000-0x00000267A2C01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4640-163-0x00000267A2C00000-0x00000267A2C01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4640-166-0x00000267A2C00000-0x00000267A2C01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4640-167-0x00000267A2C00000-0x00000267A2C01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4640-168-0x00000267A2C00000-0x00000267A2C01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4640-169-0x00000267A2C00000-0x00000267A2C01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4640-158-0x00000267A2C00000-0x00000267A2C01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4640-157-0x00000267A2C00000-0x00000267A2C01000-memory.dmp

    Filesize

    4KB

    Download