Overview
overview
10Static
static
3DriverSuit...in.exe
windows7-x64
10DriverSuit...in.exe
windows10-2004-x64
10SIack_Desk_v3-271.exe
windows7-x64
7SIack_Desk_v3-271.exe
windows10-2004-x64
7rev_3286/A...me.xml
windows7-x64
1rev_3286/A...me.xml
windows10-2004-x64
3rev_3286/A...gs.xml
windows7-x64
1rev_3286/A...gs.xml
windows10-2004-x64
3rev_3286/E...ng.xml
windows7-x64
1rev_3286/E...ng.xml
windows10-2004-x64
3rev_3286/E...ot.xml
windows7-x64
1rev_3286/E...ot.xml
windows10-2004-x64
3rev_3286/FileSys.xml
windows7-x64
1rev_3286/FileSys.xml
windows10-2004-x64
3rev_3286/SkyDrive.xml
windows7-x64
1rev_3286/SkyDrive.xml
windows10-2004-x64
3rev_3286/WinCal.xml
windows7-x64
1rev_3286/WinCal.xml
windows10-2004-x64
3rev_3286/W...in.xml
windows7-x64
1rev_3286/W...in.xml
windows10-2004-x64
3rev_3286/inetres.xml
windows7-x64
1rev_3286/inetres.xml
windows10-2004-x64
3rev_3286/msched.xml
windows7-x64
1rev_3286/msched.xml
windows10-2004-x64
3rev_3286/s...ce.xml
windows7-x64
1rev_3286/s...ce.xml
windows10-2004-x64
3rev_3286/s...ms.xml
windows7-x64
1rev_3286/s...ms.xml
windows10-2004-x64
3rev_3286/s...at.xml
windows7-x64
1rev_3286/s...at.xml
windows10-2004-x64
3rev_3286/s...me.xml
windows7-x64
1rev_3286/s...me.xml
windows10-2004-x64
3Analysis
-
max time kernel
167s -
max time network
212s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system -
submitted
23-07-2023 01:18
Static task
static1
Behavioral task
behavioral1
Sample
DriverSuite_for_win.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
DriverSuite_for_win.exe
Resource
win10v2004-20230703-en
Behavioral task
behavioral3
Sample
SIack_Desk_v3-271.exe
Resource
win7-20230712-en
Behavioral task
behavioral4
Sample
SIack_Desk_v3-271.exe
Resource
win10v2004-20230703-en
Behavioral task
behavioral5
Sample
rev_3286/AppXRuntime.xml
Resource
win7-20230712-en
Behavioral task
behavioral6
Sample
rev_3286/AppXRuntime.xml
Resource
win10v2004-20230703-en
Behavioral task
behavioral7
Sample
rev_3286/AuditSettings.xml
Resource
win7-20230712-en
Behavioral task
behavioral8
Sample
rev_3286/AuditSettings.xml
Resource
win10v2004-20230703-en
Behavioral task
behavioral9
Sample
rev_3286/EventForwarding.xml
Resource
win7-20230712-en
Behavioral task
behavioral10
Sample
rev_3286/EventForwarding.xml
Resource
win10v2004-20230703-en
Behavioral task
behavioral11
Sample
rev_3286/ExternalBoot.xml
Resource
win7-20230712-en
Behavioral task
behavioral12
Sample
rev_3286/ExternalBoot.xml
Resource
win10v2004-20230703-en
Behavioral task
behavioral13
Sample
rev_3286/FileSys.xml
Resource
win7-20230712-en
Behavioral task
behavioral14
Sample
rev_3286/FileSys.xml
Resource
win10v2004-20230703-en
Behavioral task
behavioral15
Sample
rev_3286/SkyDrive.xml
Resource
win7-20230712-en
Behavioral task
behavioral16
Sample
rev_3286/SkyDrive.xml
Resource
win10v2004-20230703-en
Behavioral task
behavioral17
Sample
rev_3286/WinCal.xml
Resource
win7-20230712-en
Behavioral task
behavioral18
Sample
rev_3286/WinCal.xml
Resource
win10v2004-20230703-en
Behavioral task
behavioral19
Sample
rev_3286/WorkplaceJoin.xml
Resource
win7-20230712-en
Behavioral task
behavioral20
Sample
rev_3286/WorkplaceJoin.xml
Resource
win10v2004-20230703-en
Behavioral task
behavioral21
Sample
rev_3286/inetres.xml
Resource
win7-20230712-en
Behavioral task
behavioral22
Sample
rev_3286/inetres.xml
Resource
win10v2004-20230703-en
Behavioral task
behavioral23
Sample
rev_3286/msched.xml
Resource
win7-20230712-en
Behavioral task
behavioral24
Sample
rev_3286/msched.xml
Resource
win10v2004-20230703-en
Behavioral task
behavioral25
Sample
rev_3286/syscond-en-US/ActiveXInstallService.xml
Resource
win7-20230712-en
Behavioral task
behavioral26
Sample
rev_3286/syscond-en-US/ActiveXInstallService.xml
Resource
win10v2004-20230703-en
Behavioral task
behavioral27
Sample
rev_3286/syscond-en-US/AddRemovePrograms.xml
Resource
win7-20230712-en
Behavioral task
behavioral28
Sample
rev_3286/syscond-en-US/AddRemovePrograms.xml
Resource
win10v2004-20230703-en
Behavioral task
behavioral29
Sample
rev_3286/syscond-en-US/AppCompat.xml
Resource
win7-20230712-en
Behavioral task
behavioral30
Sample
rev_3286/syscond-en-US/AppCompat.xml
Resource
win10v2004-20230703-en
Behavioral task
behavioral31
Sample
rev_3286/syscond-en-US/AppXRuntime.xml
Resource
win7-20230712-en
Behavioral task
behavioral32
Sample
rev_3286/syscond-en-US/AppXRuntime.xml
Resource
win10v2004-20230703-en
General
-
Target
DriverSuite_for_win.exe
-
Size
691.4MB
-
MD5
0921de5d31e038e028c90c0896e3795b
-
SHA1
4d387009c73e2109d39c8973f41539e695fd5af3
-
SHA256
53a2b56b6038b74e6b7a14a99bbe2c519beea909ff054a2aa8581f15691a40a3
-
SHA512
735fe3254771d223ba57d69054f33b4deb8657ee6ffd80935ed9e83b20c64d2241c647b9b6cc1de34118fc2d7846627200a91e4cab114ae84c358566343dfed6
-
SSDEEP
6144:H3ZKOCO0aqqfzF3OPxX/HbAOtuP794/KMC:H3lCO0Jbbujnb
Malware Config
Extracted
laplas
http://45.159.188.125
-
api_key
31cf151bf2fece27ec94ee6dd4ee6cab42d97a97af3e2973a8494cedd21b8ff1
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\Control Panel\International\Geo\Nation DriverSuite_for_win.exe -
Executes dropped EXE 1 IoCs
pid Process 2752 svcservice.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telemetry = "C:\\Users\\Admin\\AppData\\Roaming\\telemetry\\svcservice.exe" DriverSuite_for_win.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1280 wrote to memory of 2752 1280 DriverSuite_for_win.exe 95 PID 1280 wrote to memory of 2752 1280 DriverSuite_for_win.exe 95 PID 1280 wrote to memory of 2752 1280 DriverSuite_for_win.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\DriverSuite_for_win.exe"C:\Users\Admin\AppData\Local\Temp\DriverSuite_for_win.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"C:\Users\Admin\AppData\Roaming\telemetry\svcservice.exe"2⤵
- Executes dropped EXE
PID:2752
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
686.3MB
MD5274c9b58e75f204260daf4de19fbe047
SHA1b86e5ab66d994bae4ef8fdfd2eba9b8e61a8559a
SHA256fdb608cf46238d74d38cb7a83b65e0ec62f3af6c2d5510d806248a65227e5250
SHA512cb131e5e56097ce8a9462720299cc767f0e4a120817fad70077b2d506e7c2bfb4658696e29f8c2bec3b1a923e864bbf0dd023bb32755bc42b55d5ce25e7099e6
-
Filesize
464.1MB
MD53461ad14976fe2376fa41928044b8b5d
SHA113208966ced85025d7b82dafbd5763d966bca12e
SHA2561cc7e3e13435f902d25537d166e3088c47237e5ec0792f2b4d7948148679f02e
SHA512733fa7c9f12db7b90d39e4d33319230ba09e9ad2ae5775d752d29a15981f66960b2bc11b6061466ab8c5221df2183238d2bb7dff87f5179eb28f8af38a39d0fa
-
Filesize
401.6MB
MD56f8c0d667dfde50dcc2bbd7d29b62dd8
SHA1adf8d915a1582208f73d5c44c5c9a5387103a35f
SHA256c148ba8c4a139801f0cf16aea8c02f722ae7d8b4a711c6c52b31de1d2c488951
SHA512b394ea570f28c32353bb365aa66e52245ca565dd24b6f97798be2bfb5bcb3b22eb478649e769af3d86c2337846e99549de3f23bb9e3ef947ebaa1b43e0115b12