Analysis
max time kernel: 127s
max time network: 133s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 22-07-2023 07:26
Static task: static1
Behavioral task: behavioral1
  Sample: DriverSuiteforwin.exe
  Resource: win7-20230712-en
Behavioral task: behavioral2
  Sample: DriverSuiteforwin.exe
  Resource: win10v2004-20230703-en
General
Target: DriverSuiteforwin.exe
Size: 248KB
MD5: 5204e5160631e610268e2f9c37e0e0fd
SHA1: 62894f9984688dfa89c107d87468299880a8423e
SHA256: 977576b2524a137c9477d4ecbe5530a63c3b40e143dbf499f58cd1c5dfd5a2b2
SHA512: 895111cdb7014ec3c985f3f4b901d42d68a85a674d4bf08df568f6df7ad34e1bd18024cf0b3652b35ee6f7072999ed043625b3ec36a427e90e5370835770cd92
SSDEEP: 6144:H3ZKOCO0aqqfzF3OPxX/HbAOtuP794/KM:H3lCO0Jbbujn
Malware Config
Extracted
Family: laplas
URL: http://45.159.188.125
api_key: 31cf151bf2fece27ec94ee6dd4ee6cab42d97a97af3e2973a8494cedd21b8ff1
Signatures
Executes dropped EXE (1 IoC)
  pid 2640  process svcservice.exe
Loads dropped DLL (1 IoC)
  pid 2436  process DriverSuiteforwin.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe"
  process: DriverSuiteforwin.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of WriteProcessMemory (4 IoCs)
  description                         pid   process                procid_target
  PID 2436 wrote to memory of 2640    2436  DriverSuiteforwin.exe  28
  PID 2436 wrote to memory of 2640    2436  DriverSuiteforwin.exe  28
  PID 2436 wrote to memory of 2640    2436  DriverSuiteforwin.exe  28
  PID 2436 wrote to memory of 2640    2436  DriverSuiteforwin.exe  28
Processes
C:\Users\Admin\AppData\Local\Temp\DriverSuiteforwin.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\DriverSuiteforwin.exe"
  PID: 2436
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe
    command line: "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
    PID: 2640
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 700.2MB
MD5: 97b1bb0ecde3685d1b8840b46749f190
SHA1: 2c6d7c8a374fe5fd2fc3430046189895081efd7e
SHA256: 09d3a422af8c29981cf96c707b3a9042c3672616b05f6e446a33be9840089f57
SHA512: 2c380aad8027fa8a2a173e0e4c4951f52ee1b15f7c77199547f1ab6000a7dcc613e810c52070231de6cba1beb23b8797444aabc46c5455faa8a066108ad7ddd0