e44277fe9e90ba3107391676ad548812f33749da46db34ea877b1d6cdfb48d1b

General

Target

Moist.exe
Size

814KB
MD5

f855dffcbd21d4e4a59eed5a7a392af9
SHA1

178dc356191ebca6bf294525183212ac2e5a0bd8
SHA256

e44277fe9e90ba3107391676ad548812f33749da46db34ea877b1d6cdfb48d1b
SHA512

0a08d1242a13c85f0f88ef54b77400da1a5c20570163635274ab9f63514e4b8b46a912dab28e3cc8a25963e39ade97b6310437587475893ff4935b4819c8ffbc

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Clipper.exeClipper.exe

pid process

1592 Clipper.exe
832 Clipper.exe

pid	process
1592	Clipper.exe
832	Clipper.exe

Drops startup file 2 IoCs

Processes:

Clipper.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe	Clipper.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe	Clipper.exe

Loads dropped DLL 1 IoCs

Processes:

Moist.exe

pid process

900 Moist.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.ipify.org
6 api.ipify.org

flow	ioc
5	api.ipify.org
6	api.ipify.org

Suspicious use of SetThreadContext 2 IoCs

Processes:

Clipper.exeMoist.exe

description	pid	process	target process
PID 1592 set thread context of 832	1592	Clipper.exe	Clipper.exe
PID 900 set thread context of 1304	900	Moist.exe	regasm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1264 1304 WerFault.exe regasm.exe

pid	pid_target	process	target process
1264	1304	WerFault.exe	regasm.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

Moist.exeClipper.exeWerFault.exe

pid	process
900	Moist.exe
900	Moist.exe
1592	Clipper.exe
1592	Clipper.exe
900	Moist.exe
900	Moist.exe
1264	WerFault.exe
1264	WerFault.exe
1264	WerFault.exe
1264	WerFault.exe
1264	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Moist.exeClipper.exeregasm.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	900	Moist.exe
Token: SeDebugPrivilege	1592	Clipper.exe
Token: SeDebugPrivilege	1304	regasm.exe
Token: SeDebugPrivilege	1264	WerFault.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

Moist.exeClipper.exeregasm.exe

description	pid	process	target process
PID 900 wrote to memory of 1532	900	Moist.exe	Moist.exe
PID 900 wrote to memory of 1532	900	Moist.exe	Moist.exe
PID 900 wrote to memory of 1532	900	Moist.exe	Moist.exe
PID 900 wrote to memory of 1532	900	Moist.exe	Moist.exe
PID 900 wrote to memory of 1592	900	Moist.exe	Clipper.exe
PID 900 wrote to memory of 1592	900	Moist.exe	Clipper.exe
PID 900 wrote to memory of 1592	900	Moist.exe	Clipper.exe
PID 900 wrote to memory of 1592	900	Moist.exe	Clipper.exe
PID 1592 wrote to memory of 832	1592	Clipper.exe	Clipper.exe
PID 1592 wrote to memory of 832	1592	Clipper.exe	Clipper.exe
PID 1592 wrote to memory of 832	1592	Clipper.exe	Clipper.exe
PID 1592 wrote to memory of 832	1592	Clipper.exe	Clipper.exe
PID 1592 wrote to memory of 832	1592	Clipper.exe	Clipper.exe
PID 1592 wrote to memory of 832	1592	Clipper.exe	Clipper.exe
PID 1592 wrote to memory of 832	1592	Clipper.exe	Clipper.exe
PID 1592 wrote to memory of 832	1592	Clipper.exe	Clipper.exe
PID 1592 wrote to memory of 832	1592	Clipper.exe	Clipper.exe
PID 1592 wrote to memory of 832	1592	Clipper.exe	Clipper.exe
PID 900 wrote to memory of 1304	900	Moist.exe	regasm.exe
PID 900 wrote to memory of 1304	900	Moist.exe	regasm.exe
PID 900 wrote to memory of 1304	900	Moist.exe	regasm.exe
PID 900 wrote to memory of 1304	900	Moist.exe	regasm.exe
PID 900 wrote to memory of 1304	900	Moist.exe	regasm.exe
PID 900 wrote to memory of 1304	900	Moist.exe	regasm.exe
PID 900 wrote to memory of 1304	900	Moist.exe	regasm.exe
PID 900 wrote to memory of 1304	900	Moist.exe	regasm.exe
PID 900 wrote to memory of 1304	900	Moist.exe	regasm.exe
PID 900 wrote to memory of 1304	900	Moist.exe	regasm.exe
PID 900 wrote to memory of 1304	900	Moist.exe	regasm.exe
PID 900 wrote to memory of 1304	900	Moist.exe	regasm.exe
PID 900 wrote to memory of 1304	900	Moist.exe	regasm.exe
PID 1304 wrote to memory of 1264	1304	regasm.exe	WerFault.exe
PID 1304 wrote to memory of 1264	1304	regasm.exe	WerFault.exe
PID 1304 wrote to memory of 1264	1304	regasm.exe	WerFault.exe
PID 1304 wrote to memory of 1264	1304	regasm.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Moist.exe
"C:\Users\Admin\AppData\Local\Temp\Moist.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:900

C:\Users\Admin\AppData\Local\Temp\Moist.exe
"C:\Users\Admin\AppData\Local\Temp\Moist.exe"
2⤵
PID:1532

C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe
"C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1592

C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe
"C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe"
3⤵
- Executes dropped EXE
- Drops startup file
PID:832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 1836
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1264

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe
MD5
b181bf79686c66a7261326addf3140a8

SHA1
db33d031709b32d9fe431b1784783782e325f98c

SHA256
02e8237b402735edeb274f07c560d5ec45f4d3bb8f987fdced14d55cac63dd51

SHA512
d4513e8c64bd7e504009b45ada8b09fa16ff8492136e94fbd8c83f1a7b662c40bf6cd2bf34e2f409a223e630d0acde7f276d48d77468b14690f84e32eabb34c0

Download Submit
C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe
MD5
b181bf79686c66a7261326addf3140a8

SHA1
db33d031709b32d9fe431b1784783782e325f98c

SHA256
02e8237b402735edeb274f07c560d5ec45f4d3bb8f987fdced14d55cac63dd51

SHA512
d4513e8c64bd7e504009b45ada8b09fa16ff8492136e94fbd8c83f1a7b662c40bf6cd2bf34e2f409a223e630d0acde7f276d48d77468b14690f84e32eabb34c0

Download Submit
C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe
MD5
b181bf79686c66a7261326addf3140a8

SHA1
db33d031709b32d9fe431b1784783782e325f98c

SHA256
02e8237b402735edeb274f07c560d5ec45f4d3bb8f987fdced14d55cac63dd51

SHA512
d4513e8c64bd7e504009b45ada8b09fa16ff8492136e94fbd8c83f1a7b662c40bf6cd2bf34e2f409a223e630d0acde7f276d48d77468b14690f84e32eabb34c0

Download Submit
\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe
MD5
b181bf79686c66a7261326addf3140a8

SHA1
db33d031709b32d9fe431b1784783782e325f98c

SHA256
02e8237b402735edeb274f07c560d5ec45f4d3bb8f987fdced14d55cac63dd51

SHA512
d4513e8c64bd7e504009b45ada8b09fa16ff8492136e94fbd8c83f1a7b662c40bf6cd2bf34e2f409a223e630d0acde7f276d48d77468b14690f84e32eabb34c0

Download Submit
memory/832-16-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/832-21-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/832-20-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/832-17-0x000000000040D54E-mapping.dmp

Download
memory/832-19-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/900-4-0x0000000000890000-0x0000000000895000-memory.dmp

Filesize
20KB

Download
memory/900-3-0x0000000000870000-0x0000000000874000-memory.dmp

Filesize
16KB

Download
memory/900-0-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/900-1-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/1264-47-0x0000000002950000-0x0000000002961000-memory.dmp

Filesize
68KB

Download
memory/1264-33-0x0000000002150000-0x0000000002161000-memory.dmp

Filesize
68KB

Download
memory/1264-32-0x0000000000000000-mapping.dmp

Download
memory/1304-38-0x00000000004A110E-mapping.dmp

Download
memory/1304-35-0x00000000004A110E-mapping.dmp

Download
memory/1304-24-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1304-25-0x00000000004A110E-mapping.dmp

Download
memory/1304-26-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1304-27-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1304-28-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/1304-31-0x00000000053F0000-0x0000000005460000-memory.dmp

Filesize
448KB

Download
memory/1304-46-0x00000000004A110E-mapping.dmp

Download
memory/1304-44-0x00000000004A110E-mapping.dmp

Download
memory/1304-34-0x00000000004A110E-mapping.dmp

Download
memory/1304-45-0x00000000004A110E-mapping.dmp

Download
memory/1304-36-0x00000000004A110E-mapping.dmp

Download
memory/1304-37-0x00000000004A110E-mapping.dmp

Download
memory/1304-43-0x00000000004A110E-mapping.dmp

Download
memory/1304-39-0x00000000004A110E-mapping.dmp

Download
memory/1304-40-0x00000000004A110E-mapping.dmp

Download
memory/1304-42-0x00000000004A110E-mapping.dmp

Download
memory/1304-41-0x00000000004A110E-mapping.dmp

Download
memory/1592-10-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/1592-14-0x0000000000610000-0x0000000000615000-memory.dmp

Filesize
20KB

Download
memory/1592-11-0x0000000001360000-0x0000000001361000-memory.dmp

Filesize
4KB

Download
memory/1592-13-0x0000000000440000-0x0000000000444000-memory.dmp

Filesize
16KB

Download
memory/1592-7-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads