Overview

overview

10

Static

static

1

svcservice.exe

windows10-1703-x64

10

svcservice.exe

windows7-x64

10

svcservice.exe

windows10-2004-x64

10

Resubmissions

18-04-2023 13:04

230418-qba6zadc7w 10

18-04-2023 12:53

230418-p4xp1abd95 10

Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    18-04-2023 13:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    svcservice.exe

  • Size

    1023.8MB

  • MD5

    9112d21551cffc1149f0e11d44afbec0

  • SHA1

    cd1751ed7525adafdbcf44e6cc1dd0dad1b760c8

  • SHA256

    723710eaf3beac67ea9191491824d50bd3398951341cea790aabef634a412871

  • SHA512

    2983e1a653a81b711d2bfe68897934efdd07ca1d02adfe18a903d7cde18af522a03b17f2db273938ef6cc6872bd40950f498d6e60dfef2f522b01d6195d431d6

  • SSDEEP

    3145728:m33333333333333333333333333333333333333333333333333333333333333y:P

Score
10/10
laplasclipperpersistencestealer

Malware Config

Extracted

Family

laplas

C2

http://nerf-0150-unknown.guru

Attributes
  • api_key

    afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34

Signatures

  • Laplas Clipper

    Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.

    stealerclipperlaplas
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\svcservice.exe
    "C:\Users\Admin\AppData\Local\Temp\svcservice.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:904
    • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
      "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
      2⤵
      • Executes dropped EXE
      PID:1068

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    632.6MB

    MD5

    a24a7d7a77e981a96194e38df5732342

    SHA1

    4f4b14c6ee56e6ced026602bdfad31be1b3bbd23

    SHA256

    e0bcf822a92be6b488617875ef77917e4cfda5d61e3b0b4654ac41822fa07534

    SHA512

    60060b5993d2df355d36679cf5f533da50c43abc01c6edeec6a5d431bd93bc6ba41a45c60647fc7fa3a999ba611a375104dd335748d1523a72eff18cabe5ef7e

    Download Submit

  • \Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    Filesize

    632.9MB

    MD5

    264423e46e47151dec518b066e5d67d0

    SHA1

    4b02c4de85edd91654cb140ba2e669cdfc28a088

    SHA256

    d1ddf8ce00fa92f9f2ef277d8c5019295d981244ee7d37e91446ff7c0f06c024

    SHA512

    f2e5adc800aa2fd8b52f154abf365592727017d8ff0b0d39b50a518ed6ff7cfaf8cf3657de88a8d6ea1d9c9f9f0f9c7bf7551e351a846219bd1dcdf8784b4e6b

    Download Submit

  • memory/904-54-0x0000000000400000-0x0000000000559000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/904-56-0x0000000000400000-0x0000000000559000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/904-57-0x0000000000240000-0x0000000000281000-memory.dmp

    Filesize

    260KB

    Download

  • memory/904-71-0x0000000000400000-0x0000000000559000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1068-72-0x0000000000400000-0x0000000000559000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1068-75-0x00000000002D0000-0x0000000000311000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1068-80-0x0000000000400000-0x0000000000559000-memory.dmp

    Filesize

    1.3MB

    Download