laplas | ee4289c431dfe5315b3a2decc90aa583aba7bd9fb8049bfe13c0f6aa0d166d06

Resubmissions

18-04-2023 13:04

230418-qba6zadc7w 10

18-04-2023 12:53

230418-p4xp1abd95 10

Analysis

max time kernel
156s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2023 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svcservice.exe
Size

1023.8MB
MD5

9112d21551cffc1149f0e11d44afbec0
SHA1

cd1751ed7525adafdbcf44e6cc1dd0dad1b760c8
SHA256

723710eaf3beac67ea9191491824d50bd3398951341cea790aabef634a412871
SHA512

2983e1a653a81b711d2bfe68897934efdd07ca1d02adfe18a903d7cde18af522a03b17f2db273938ef6cc6872bd40950f498d6e60dfef2f522b01d6195d431d6
SSDEEP

3145728:m33333333333333333333333333333333333333333333333333333333333333y:P

Score

10^/10

laplas clipper persistence stealer

Malware Config

Extracted

Family

laplas

http://nerf-0150-unknown.guru

Attributes

api_key
afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34

Signatures

Laplas Clipper
Laplas is a crypto wallet stealer with three variants written in Golang, C#, and C++.
stealer clipper laplas

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	svcservice.exe

Executes dropped EXE 1 IoCs

pid	Process
3384	svcservice.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"	svcservice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 3384	1484	svcservice.exe	88
PID 1484 wrote to memory of 3384	1484	svcservice.exe	88
PID 1484 wrote to memory of 3384	1484	svcservice.exe	88

C:\Users\Admin\AppData\Local\Temp\svcservice.exe
"C:\Users\Admin\AppData\Local\Temp\svcservice.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
  2⤵
  - Executes dropped EXE
  PID:3384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
301.4MB

MD5
a7bbf826a4cebda56f0435b829cc7b85

SHA1
ee35fa82e59a62c8bed736caf8708ad1406d87ad

SHA256
39066d5a5dff700f5af4ab45a2aeb76fc029ca24d3d99d295f7f0c527b82d6f0

SHA512
0f8ed0311d6b6692efa451b2af63c11b4718b205ccf446099dd50f0b85d4cae090281affacfcc9e90a5b759c13e727b2d749f1902a2bca277093263ef6213a07

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
301.2MB

MD5
6b634d89ab34f7875ea542501d2a3436

SHA1
091f29b133b6445cb58e4d8c3675ddcb5365334d

SHA256
aafdd0ec4ef4b8def59414576f122bdf738bdc8b65605ba59aaa7d38e6271821

SHA512
45363249b76cb0ee3f9656e7afb0bcffc0f633549eca73d5e5e98227ee7200af530859f390a2246ae732cb6c541b3ba9eba381a64a213b146c1273f70f20b018

Download Submit
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe

Filesize
301.1MB

MD5
96469fc050f381780315c58b47b25dfa

SHA1
407df91cdf5226e95d9f806bfe965b794190d574

SHA256
4b01c7fc28242f762ac1731c4859bb0143daa111cfe76bed0d4e75d9c4e54113

SHA512
815beeac18bbbb85e536c9c947abc3f9dbdf5e1ad0a7d05d004f57e81dc441d60045b652a482ff839a80198c34678609fef0f9780365460d7231c04645beed8d

Download Submit
memory/1484-133-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1484-135-0x0000000000740000-0x0000000000781000-memory.dmp

Filesize
260KB

Download
memory/1484-140-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/1484-153-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3384-154-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/3384-157-0x00000000008E0000-0x0000000000921000-memory.dmp

Filesize
260KB

Download
memory/3384-164-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download