Analysis
- max time kernel: 130s
- max time network: 135s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 03-04-2023 14:54
- Static task: static1
- Behavioral task: behavioral1 (Sample: file.exe; Resource: win7-20230220-en)
- Behavioral task: behavioral2 (Sample: file.exe; Resource: win10v2004-20230220-en)
General
- Target: file.exe
- Size: 231KB
- MD5: ebb91f36dddcc249a0a99fe6c91b3327
- SHA1: 46823571b6adc8278ae0031ee8843a67cb8eda47
- SHA256: 42a55a367750fc5e5c7583b413d02166bd5fccfc48c124e35d650b1878f25bd9
- SHA512: ee575500efc7cab52802b5936dc92eb5effb157987b24fe3190957c69a544fd2c37016fa3a6e8c3f5cf79e90454290b71872f9453eeb4d1521302175fbe57460
- SSDEEP: 3072:wXUhQztlGtv5H3IboGhDuqaoBHZ9AWoKIJaBnS0sztA4lmS/r+KWVOAg0FujDFkF:MzM54bisZ9ACIQBgz/ldnAOtsv
Malware Config
Extracted
- Family: laplas
- C2: http://45.159.189.105
- api_key: 282dad126e565baaaf231822cab8d693912f9b76b528a6f568b2bac069b49e61
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  - 892 svcservice.exe
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
  - 1704 file.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  - Set value (str) | \REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe" | file.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (description, pid, process, target process):
  - PID 1704 wrote to memory of 892 | 1704 | file.exe | svcservice.exe
  - PID 1704 wrote to memory of 892 | 1704 | file.exe | svcservice.exe
  - PID 1704 wrote to memory of 892 | 1704 | file.exe | svcservice.exe
  - PID 1704 wrote to memory of 892 | 1704 | file.exe | svcservice.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe (child of file.exe)
    Command line: "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  - Filesize: 805.2MB
  - MD5: 94b8a318360f750565ddd61b5f23e95c
  - SHA1: a63b2b029c06f0d4b210ed6245993b94594e8c27
  - SHA256: 95b0a24c48f910802810e7da0b666c640de60fc8389df450278185a563e577a7
  - SHA512: 36e8e71153e4f8aca132d23b68468759dcb5c0a5f1a59f508e9c188e93b23b398c3bedf8682f49801e414f49c1aefef86b130b0ad938ac4fb653a3df85c5484b
- \Users\Admin\AppData\Roaming\telemetry\svcservice.exe
  - Filesize: 805.2MB
  - MD5: 94b8a318360f750565ddd61b5f23e95c
  - SHA1: a63b2b029c06f0d4b210ed6245993b94594e8c27
  - SHA256: 95b0a24c48f910802810e7da0b666c640de60fc8389df450278185a563e577a7
  - SHA512: 36e8e71153e4f8aca132d23b68468759dcb5c0a5f1a59f508e9c188e93b23b398c3bedf8682f49801e414f49c1aefef86b130b0ad938ac4fb653a3df85c5484b