Analysis
-
max time kernel
142s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system -
submitted
22-07-2023 07:26
Static task
static1
Behavioral task
behavioral1
Sample
DriverSuiteforwin.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
DriverSuiteforwin.exe
Resource
win10v2004-20230703-en
General
-
Target
DriverSuiteforwin.exe
-
Size
248KB
-
MD5
5204e5160631e610268e2f9c37e0e0fd
-
SHA1
62894f9984688dfa89c107d87468299880a8423e
-
SHA256
977576b2524a137c9477d4ecbe5530a63c3b40e143dbf499f58cd1c5dfd5a2b2
-
SHA512
895111cdb7014ec3c985f3f4b901d42d68a85a674d4bf08df568f6df7ad34e1bd18024cf0b3652b35ee6f7072999ed043625b3ec36a427e90e5370835770cd92
-
SSDEEP
6144:H3ZKOCO0aqqfzF3OPxX/HbAOtuP794/KM:H3lCO0Jbbujn
Malware Config
Extracted
laplas
http://45.159.188.125
-
api_key
31cf151bf2fece27ec94ee6dd4ee6cab42d97a97af3e2973a8494cedd21b8ff1
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation | DriverSuiteforwin.exe
-
Executes dropped EXE 1 IoCs
pid | Process
5080 | svcservice.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe" | DriverSuiteforwin.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 1676 wrote to memory of 5080 | 1676 | DriverSuiteforwin.exe | 88
PID 1676 wrote to memory of 5080 | 1676 | DriverSuiteforwin.exe | 88
PID 1676 wrote to memory of 5080 | 1676 | DriverSuiteforwin.exe | 88
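The three signatures above (the Geo\Nation lookup, the Run-key write into AppData\Roaming, and the dropped EXE executed by the dropper) are the behaviours a detection engineer would want to reproduce as rules rather than read as a table. The following is an added example and is not part of the Triage report or its signature engine: it runs simple rules over constructed event records shaped like the IoCs above. The event field names (`type`, `key`, `value`, `image`, `parent_pid`) are assumptions modelled loosely on Sysmon registry and process-create events, not Triage's export format, and the ATT&CK ids are given only where the mapping is unambiguous.

```python
import re
from dataclasses import dataclass

# Constructed events shaped like the report's IoCs; this is not a sandbox export.
SAMPLE_EVENTS = [
    {"type": "registry_query", "process": "DriverSuiteforwin.exe", "pid": 1676,
     "key": r"\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000"
            r"\Control Panel\International\Geo\Nation"},
    {"type": "registry_set", "process": "DriverSuiteforwin.exe", "pid": 1676,
     "key": r"\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000"
            r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry",
     "value": r"C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"},
    {"type": "process_create", "process": "svcservice.exe", "pid": 5080, "parent_pid": 1676,
     "image": r"C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"},
    # Benign controls (constructed): a Run value under Program Files and a normal process start.
    {"type": "registry_set", "process": "explorer.exe", "pid": 900,
     "key": r"\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000"
            r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"type": "process_create", "process": "notepad.exe", "pid": 4321, "parent_pid": 900,
     "image": r"C:\Windows\System32\notepad.exe"},
]

# Autorun value under HKCU\...\Run or RunOnce (the key path ends in the value name).
RUN_KEY_RE = re.compile(r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
# Country-code lookup used as a geofence check.
GEO_KEY_RE = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)
# Executables living in a user-writable profile directory.
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str  # ATT&CK id where the mapping is unambiguous, else ""
    pid: int
    detail: str


def _norm(path):
    """Strip surrounding quotes and lower-case so registry value and image path compare equal."""
    return path.strip('"').lower()


def triage(events):
    findings = []
    run_values = {}  # normalised autorun target -> pid of the process that wrote it
    for ev in events:
        if ev["type"] == "registry_query" and GEO_KEY_RE.search(ev["key"]):
            findings.append(Finding("geofence_check", "T1614", ev["pid"],
                                    ev["process"] + " queried Geo\\Nation"))
        elif ev["type"] == "registry_set" and RUN_KEY_RE.search(ev["key"]):
            target = _norm(ev["value"])
            run_values[target] = ev["pid"]
            if USER_WRITABLE_RE.match(target):  # autorun pointing into a user-writable dir
                name = ev["key"].rsplit("\\", 1)[-1]
                findings.append(Finding("run_key_persistence", "T1547.001", ev["pid"],
                                        f"{name} -> {ev['value']}"))
        elif ev["type"] == "process_create":
            image = _norm(ev["image"])
            if USER_WRITABLE_RE.match(image):
                findings.append(Finding("exec_from_appdata", "", ev["pid"], ev["image"]))
            if run_values.get(image) == ev.get("parent_pid"):
                # The same process registered the autorun and then launched the payload itself:
                # the dropper -> persisted-payload chain seen in the process tree.
                findings.append(Finding("persisted_payload_launched_by_dropper", "T1547.001",
                                        ev["pid"], f"parent {ev['parent_pid']} -> {ev['image']}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.rule:40} {f.technique:10} pid={f.pid:<6} {f.detail}")
```

The two benign control events are there to show that a Run value pointing at Program Files and a process started from System32 produce no findings; the correlation rule only fires when the process that wrote the autorun is also the parent of the executable it registered, which is exactly what the WriteProcessMemory and process-tree entries in this report show for PID 1676 and PID 5080.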
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\DriverSuiteforwin.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DriverSuiteforwin.exe"
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1676 -
[2] C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe (child of the process above)
    Command line: "C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"
- Executes dropped EXE
PID:5080
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
700.2MB
MD5
97b1bb0ecde3685d1b8840b46749f190
SHA1
2c6d7c8a374fe5fd2fc3430046189895081efd7e
SHA256
09d3a422af8c29981cf96c707b3a9042c3672616b05f6e446a33be9840089f57
SHA512
2c380aad8027fa8a2a173e0e4c4951f52ee1b15f7c77199547f1ab6000a7dcc613e810c52070231de6cba1beb23b8797444aabc46c5455faa8a066108ad7ddd0