Overview

overview

10

Static

static

1

svcservice.exe

windows10-1703-x64

10

svcservice.exe

windows7-x64

10

svcservice.exe

windows10-2004-x64

10

Resubmissions

18-04-2023 13:04

230418-qba6zadc7w 10

18-04-2023 12:53

230418-p4xp1abd95 10

Analysis

  • max time kernel
    881s
  • max time network
    867s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    18-04-2023 13:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    svcservice.exe

  • Size

    1023.8MB

  • MD5

    9112d21551cffc1149f0e11d44afbec0

  • SHA1

    cd1751ed7525adafdbcf44e6cc1dd0dad1b760c8

  • SHA256

    723710eaf3beac67ea9191491824d50bd3398951341cea790aabef634a412871

  • SHA512

    2983e1a653a81b711d2bfe68897934efdd07ca1d02adfe18a903d7cde18af522a03b17f2db273938ef6cc6872bd40950f498d6e60dfef2f522b01d6195d431d6

  • SSDEEP

    3145728:m33333333333333333333333333333333333333333333333333333333333333y:P

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://nerf-0150-unknown.guru

Attributes
  • api_key

    afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 38 IoCs
  • Suspicious use of SendNotifyMessage 38 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\svcservice.exe
    "C:\Users\Admin\AppData\Local\Temp\svcservice.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2272
    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
      2⤵
      • Executes dropped EXE
      PID:2740
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1456

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BMT3HFX2\online[2].txt
    Filesize

    2B

    MD5

    444bcb3a3fcf8389296c49467f27e1d6

    SHA1

    7a85f4764bbd6daf1c3545efbbf0f279a6dc0beb

    SHA256

    2689367b205c16ce32ed4200942b8b8b1e262dfc70d9bc9fbc77c49699a4f1df

    SHA512

    9fbbbb5a0f329f9782e2356fa41d89cf9b3694327c1a934d6af2a9df2d7f936ce83717fb513196a4ce5548471708cd7134c2ae99b3c357bcabb2eafc7b9b7570

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IV9H23MJ\regex[2].txt
    Filesize

    633B

    MD5

    c5298d2c78be8fdfc264eb6fe3e275f8

    SHA1

    f09de5f443da081efaff0155f422ca0375edd164

    SHA256

    de32b3c0549fde0dc5ac435a89f16a87832a0632b6602e75f552d07074081577

    SHA512

    5aeb5013b00e13cd8a172639bc7c675bd06cc0473ae9844c9c324e5c322987ddeff986bd4a8e620ce0ca9d1098a3ee8bbb4802789d1e89b0ec0cecf2f55a4853

    Download Submit

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    1750.8MB

    MD5

    7d28d50b888df2961e0757e910496929

    SHA1

    50020902374fbd5788158b82745bb2712c86c9c9

    SHA256

    b8d547dee8318e4bef346f80062eaf43dc18a6b6b1829327f9a4446a8eb061ab

    SHA512

    b2a199d600fe1908fd32ee05590f4e3632ea7213aa0dff93e009fc7b489e4afff5ac654108f7419a950e2bba2a4b53c296e044fa3c9ca1fb98b459fe1b1e8af5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    1750.8MB

    MD5

    7d28d50b888df2961e0757e910496929

    SHA1

    50020902374fbd5788158b82745bb2712c86c9c9

    SHA256

    b8d547dee8318e4bef346f80062eaf43dc18a6b6b1829327f9a4446a8eb061ab

    SHA512

    b2a199d600fe1908fd32ee05590f4e3632ea7213aa0dff93e009fc7b489e4afff5ac654108f7419a950e2bba2a4b53c296e044fa3c9ca1fb98b459fe1b1e8af5

    Download Submit

  • memory/2272-121-0x0000000000400000-0x0000000000559000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2272-124-0x00000000006D0000-0x0000000000711000-memory.dmp

    Filesize

    260KB

    Download

  • memory/2272-129-0x0000000000400000-0x0000000000559000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2272-135-0x0000000000400000-0x0000000000559000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2740-137-0x0000000000400000-0x0000000000559000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2740-140-0x00000000021A0000-0x00000000021E1000-memory.dmp

    Filesize

    260KB

    Download

  • memory/2740-152-0x0000000000400000-0x0000000000559000-memory.dmp

    Filesize

    1.3MB

    Download