Analysis
- max time kernel: 52s
- max time network: 100s
- platform: windows7_x64
- resource: win7
- submitted: 20-09-2020 13:36
- Static task: static1
- Behavioral task: behavioral1
- Sample: Moist.exe
- Resource: win7
General
- Target: Moist.exe
- Size: 814KB
- MD5: f855dffcbd21d4e4a59eed5a7a392af9
- SHA1: 178dc356191ebca6bf294525183212ac2e5a0bd8
- SHA256: e44277fe9e90ba3107391676ad548812f33749da46db34ea877b1d6cdfb48d1b
- SHA512: 0a08d1242a13c85f0f88ef54b77400da1a5c20570163635274ab9f63514e4b8b46a912dab28e3cc8a25963e39ade97b6310437587475893ff4935b4819c8ffbc
Malware Config
Signatures

- Executes dropped EXE (2 IoCs)
  Processes:
    pid    process
    1592   Clipper.exe
    832    Clipper.exe

- Drops startup file (2 IoCs)
  Processes:
    description                    ioc                                                                                             process
    File created                   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe   Clipper.exe
    File opened for modification   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe   Clipper.exe

- Loads dropped DLL (1 IoCs)
  Processes:
    pid    process
    900    Moist.exe

- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow   ioc
    5      api.ipify.org
    6      api.ipify.org

- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
    description                          pid    process       target process
    PID 1592 set thread context of 832   1592   Clipper.exe   Clipper.exe
    PID 900 set thread context of 1304   900    Moist.exe     regasm.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

- Program crash (1 IoCs)
  Processes:
    pid    pid_target   process        target process
    1264   1304         WerFault.exe   regasm.exe

- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  Processes:
    pid    process        entries
    900    Moist.exe      4
    1592   Clipper.exe    2
    1264   WerFault.exe   5

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    description               pid    process
    Token: SeDebugPrivilege   900    Moist.exe
    Token: SeDebugPrivilege   1592   Clipper.exe
    Token: SeDebugPrivilege   1304   regasm.exe
    Token: SeDebugPrivilege   1264   WerFault.exe

- Suspicious use of WriteProcessMemory (35 IoCs)
  Processes:
    description                        pid    process       target process   entries
    PID 900 wrote to memory of 1532    900    Moist.exe     Moist.exe        4
    PID 900 wrote to memory of 1592    900    Moist.exe     Clipper.exe      4
    PID 1592 wrote to memory of 832    1592   Clipper.exe   Clipper.exe      10
    PID 900 wrote to memory of 1304    900    Moist.exe     regasm.exe       13
    PID 1304 wrote to memory of 1264   1304   regasm.exe    WerFault.exe     4
Processes

- C:\Users\Admin\AppData\Local\Temp\Moist.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Moist.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\Moist.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Moist.exe"

  - C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe
    Command line: "C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe
      Command line: "C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe"
      - Executes dropped EXE
      - Drops startup file

  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 1836
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe
  MD5: b181bf79686c66a7261326addf3140a8
  SHA1: db33d031709b32d9fe431b1784783782e325f98c
  SHA256: 02e8237b402735edeb274f07c560d5ec45f4d3bb8f987fdced14d55cac63dd51
  SHA512: d4513e8c64bd7e504009b45ada8b09fa16ff8492136e94fbd8c83f1a7b662c40bf6cd2bf34e2f409a223e630d0acde7f276d48d77468b14690f84e32eabb34c0

- C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe
  MD5: b181bf79686c66a7261326addf3140a8
  SHA1: db33d031709b32d9fe431b1784783782e325f98c
  SHA256: 02e8237b402735edeb274f07c560d5ec45f4d3bb8f987fdced14d55cac63dd51
  SHA512: d4513e8c64bd7e504009b45ada8b09fa16ff8492136e94fbd8c83f1a7b662c40bf6cd2bf34e2f409a223e630d0acde7f276d48d77468b14690f84e32eabb34c0

- C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe
  MD5: b181bf79686c66a7261326addf3140a8
  SHA1: db33d031709b32d9fe431b1784783782e325f98c
  SHA256: 02e8237b402735edeb274f07c560d5ec45f4d3bb8f987fdced14d55cac63dd51
  SHA512: d4513e8c64bd7e504009b45ada8b09fa16ff8492136e94fbd8c83f1a7b662c40bf6cd2bf34e2f409a223e630d0acde7f276d48d77468b14690f84e32eabb34c0

- \Users\Admin\AppData\Roaming\mvabvz\Clipper.exe
  MD5: b181bf79686c66a7261326addf3140a8
  SHA1: db33d031709b32d9fe431b1784783782e325f98c
  SHA256: 02e8237b402735edeb274f07c560d5ec45f4d3bb8f987fdced14d55cac63dd51
  SHA512: d4513e8c64bd7e504009b45ada8b09fa16ff8492136e94fbd8c83f1a7b662c40bf6cd2bf34e2f409a223e630d0acde7f276d48d77468b14690f84e32eabb34c0
- memory/832-16-0x0000000000400000-0x0000000000414000-memory.dmp  Filesize: 80KB
- memory/832-21-0x0000000074300000-0x00000000749EE000-memory.dmp  Filesize: 6.9MB
- memory/832-20-0x0000000000400000-0x0000000000414000-memory.dmp  Filesize: 80KB
- memory/832-17-0x000000000040D54E-mapping.dmp
- memory/832-19-0x0000000000400000-0x0000000000414000-memory.dmp  Filesize: 80KB
- memory/900-4-0x0000000000890000-0x0000000000895000-memory.dmp  Filesize: 20KB
- memory/900-3-0x0000000000870000-0x0000000000874000-memory.dmp  Filesize: 16KB
- memory/900-0-0x0000000074300000-0x00000000749EE000-memory.dmp  Filesize: 6.9MB
- memory/900-1-0x0000000000940000-0x0000000000941000-memory.dmp  Filesize: 4KB
- memory/1264-47-0x0000000002950000-0x0000000002961000-memory.dmp  Filesize: 68KB
- memory/1264-33-0x0000000002150000-0x0000000002161000-memory.dmp  Filesize: 68KB
- memory/1264-32-0x0000000000000000-mapping.dmp
- memory/1304-38-0x00000000004A110E-mapping.dmp
- memory/1304-35-0x00000000004A110E-mapping.dmp
- memory/1304-24-0x0000000000400000-0x00000000004AA000-memory.dmp  Filesize: 680KB
- memory/1304-25-0x00000000004A110E-mapping.dmp
- memory/1304-26-0x0000000000400000-0x00000000004AA000-memory.dmp  Filesize: 680KB
- memory/1304-27-0x0000000000400000-0x00000000004AA000-memory.dmp  Filesize: 680KB
- memory/1304-28-0x0000000074300000-0x00000000749EE000-memory.dmp  Filesize: 6.9MB
- memory/1304-31-0x00000000053F0000-0x0000000005460000-memory.dmp  Filesize: 448KB
- memory/1304-46-0x00000000004A110E-mapping.dmp
- memory/1304-44-0x00000000004A110E-mapping.dmp
- memory/1304-34-0x00000000004A110E-mapping.dmp
- memory/1304-45-0x00000000004A110E-mapping.dmp
- memory/1304-36-0x00000000004A110E-mapping.dmp
- memory/1304-37-0x00000000004A110E-mapping.dmp
- memory/1304-43-0x00000000004A110E-mapping.dmp
- memory/1304-39-0x00000000004A110E-mapping.dmp
- memory/1304-40-0x00000000004A110E-mapping.dmp
- memory/1304-42-0x00000000004A110E-mapping.dmp
- memory/1304-41-0x00000000004A110E-mapping.dmp
- memory/1592-10-0x0000000074300000-0x00000000749EE000-memory.dmp  Filesize: 6.9MB
- memory/1592-14-0x0000000000610000-0x0000000000615000-memory.dmp  Filesize: 20KB
- memory/1592-11-0x0000000001360000-0x0000000001361000-memory.dmp  Filesize: 4KB
- memory/1592-13-0x0000000000440000-0x0000000000444000-memory.dmp  Filesize: 16KB
- memory/1592-7-0x0000000000000000-mapping.dmp