e44277fe9e90ba3107391676ad548812f33749da46db34ea877b1d6cdfb48d1b

General

Target

Moist.exe
Size

814KB
MD5

f855dffcbd21d4e4a59eed5a7a392af9
SHA1

178dc356191ebca6bf294525183212ac2e5a0bd8
SHA256

e44277fe9e90ba3107391676ad548812f33749da46db34ea877b1d6cdfb48d1b
SHA512

0a08d1242a13c85f0f88ef54b77400da1a5c20570163635274ab9f63514e4b8b46a912dab28e3cc8a25963e39ade97b6310437587475893ff4935b4819c8ffbc

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Clipper.exeClipper.exe

pid process

1908 Clipper.exe
840 Clipper.exe

pid	process
1908	Clipper.exe
840	Clipper.exe

Drops startup file 2 IoCs

Processes:

Clipper.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe	Clipper.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Chrome updater.exe	Clipper.exe

Loads dropped DLL 1 IoCs

Processes:

Moist.exe

pid process

1100 Moist.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org

pid	process
1100	Moist.exe

flow	ioc
4	api.ipify.org
5	api.ipify.org

Suspicious use of SetThreadContext 2 IoCs

Processes:

Moist.exeClipper.exe

description	pid	process	target process
PID 1100 set thread context of 1904	1100	Moist.exe	Moist.exe
PID 1908 set thread context of 840	1908	Clipper.exe	Clipper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

572 1904 WerFault.exe Moist.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

Moist.exeWerFault.exeClipper.exe

pid process

1100 Moist.exe
1100 Moist.exe
572 WerFault.exe
572 WerFault.exe
572 WerFault.exe
572 WerFault.exe
572 WerFault.exe
1908 Clipper.exe
1908 Clipper.exe

pid	pid_target	process	target process
572	1904	WerFault.exe	Moist.exe

pid	process
1100	Moist.exe
1100	Moist.exe
572	WerFault.exe
572	WerFault.exe
572	WerFault.exe
572	WerFault.exe
572	WerFault.exe
1908	Clipper.exe
1908	Clipper.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Moist.exeMoist.exeWerFault.exeClipper.exe

description	pid	process
Token: SeDebugPrivilege	1100	Moist.exe
Token: SeDebugPrivilege	1904	Moist.exe
Token: SeDebugPrivilege	572	WerFault.exe
Token: SeDebugPrivilege	1908	Clipper.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

Moist.exeMoist.exeClipper.exe

description	pid	process	target process
PID 1100 wrote to memory of 1908	1100	Moist.exe	Clipper.exe
PID 1100 wrote to memory of 1908	1100	Moist.exe	Clipper.exe
PID 1100 wrote to memory of 1908	1100	Moist.exe	Clipper.exe
PID 1100 wrote to memory of 1908	1100	Moist.exe	Clipper.exe
PID 1100 wrote to memory of 1904	1100	Moist.exe	Moist.exe
PID 1100 wrote to memory of 1904	1100	Moist.exe	Moist.exe
PID 1100 wrote to memory of 1904	1100	Moist.exe	Moist.exe
PID 1100 wrote to memory of 1904	1100	Moist.exe	Moist.exe
PID 1100 wrote to memory of 1904	1100	Moist.exe	Moist.exe
PID 1100 wrote to memory of 1904	1100	Moist.exe	Moist.exe
PID 1100 wrote to memory of 1904	1100	Moist.exe	Moist.exe
PID 1100 wrote to memory of 1904	1100	Moist.exe	Moist.exe
PID 1100 wrote to memory of 1904	1100	Moist.exe	Moist.exe
PID 1100 wrote to memory of 1904	1100	Moist.exe	Moist.exe
PID 1904 wrote to memory of 572	1904	Moist.exe	WerFault.exe
PID 1904 wrote to memory of 572	1904	Moist.exe	WerFault.exe
PID 1904 wrote to memory of 572	1904	Moist.exe	WerFault.exe
PID 1904 wrote to memory of 572	1904	Moist.exe	WerFault.exe
PID 1908 wrote to memory of 840	1908	Clipper.exe	Clipper.exe
PID 1908 wrote to memory of 840	1908	Clipper.exe	Clipper.exe
PID 1908 wrote to memory of 840	1908	Clipper.exe	Clipper.exe
PID 1908 wrote to memory of 840	1908	Clipper.exe	Clipper.exe
PID 1908 wrote to memory of 840	1908	Clipper.exe	Clipper.exe
PID 1908 wrote to memory of 840	1908	Clipper.exe	Clipper.exe
PID 1908 wrote to memory of 840	1908	Clipper.exe	Clipper.exe
PID 1908 wrote to memory of 840	1908	Clipper.exe	Clipper.exe
PID 1908 wrote to memory of 840	1908	Clipper.exe	Clipper.exe
PID 1908 wrote to memory of 840	1908	Clipper.exe	Clipper.exe

C:\Users\Admin\AppData\Local\Temp\Moist.exe
"C:\Users\Admin\AppData\Local\Temp\Moist.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1100

C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe
"C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908

C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe
"C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe"
3⤵
- Executes dropped EXE
- Drops startup file
PID:840

C:\Users\Admin\AppData\Local\Temp\Moist.exe
"C:\Users\Admin\AppData\Local\Temp\Moist.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 1716
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:572

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe
MD5
b181bf79686c66a7261326addf3140a8

SHA1
db33d031709b32d9fe431b1784783782e325f98c

SHA256
02e8237b402735edeb274f07c560d5ec45f4d3bb8f987fdced14d55cac63dd51

SHA512
d4513e8c64bd7e504009b45ada8b09fa16ff8492136e94fbd8c83f1a7b662c40bf6cd2bf34e2f409a223e630d0acde7f276d48d77468b14690f84e32eabb34c0

Download Submit
C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe
MD5
b181bf79686c66a7261326addf3140a8

SHA1
db33d031709b32d9fe431b1784783782e325f98c

SHA256
02e8237b402735edeb274f07c560d5ec45f4d3bb8f987fdced14d55cac63dd51

SHA512
d4513e8c64bd7e504009b45ada8b09fa16ff8492136e94fbd8c83f1a7b662c40bf6cd2bf34e2f409a223e630d0acde7f276d48d77468b14690f84e32eabb34c0

Download Submit
C:\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe
MD5
b181bf79686c66a7261326addf3140a8

SHA1
db33d031709b32d9fe431b1784783782e325f98c

SHA256
02e8237b402735edeb274f07c560d5ec45f4d3bb8f987fdced14d55cac63dd51

SHA512
d4513e8c64bd7e504009b45ada8b09fa16ff8492136e94fbd8c83f1a7b662c40bf6cd2bf34e2f409a223e630d0acde7f276d48d77468b14690f84e32eabb34c0

Download Submit
\Users\Admin\AppData\Roaming\mvabvz\Clipper.exe
MD5
b181bf79686c66a7261326addf3140a8

SHA1
db33d031709b32d9fe431b1784783782e325f98c

SHA256
02e8237b402735edeb274f07c560d5ec45f4d3bb8f987fdced14d55cac63dd51

SHA512
d4513e8c64bd7e504009b45ada8b09fa16ff8492136e94fbd8c83f1a7b662c40bf6cd2bf34e2f409a223e630d0acde7f276d48d77468b14690f84e32eabb34c0

Download Submit
memory/572-23-0x0000000001DD0000-0x0000000001DE1000-memory.dmp

Filesize
68KB

Download
memory/572-41-0x0000000002820000-0x0000000002831000-memory.dmp

Filesize
68KB

Download
memory/572-22-0x0000000000000000-mapping.dmp

Download
memory/840-48-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/840-49-0x00000000744E0000-0x0000000074BCE000-memory.dmp

Filesize
6.9MB

Download
memory/840-47-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/840-45-0x000000000040D54E-mapping.dmp

Download
memory/840-44-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1100-4-0x00000000005A0000-0x00000000005A5000-memory.dmp

Filesize
20KB

Download
memory/1100-3-0x0000000000540000-0x0000000000544000-memory.dmp

Filesize
16KB

Download
memory/1100-0-0x00000000744E0000-0x0000000074BCE000-memory.dmp

Filesize
6.9MB

Download
memory/1100-1-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/1904-37-0x00000000004A110E-mapping.dmp

Download
memory/1904-36-0x00000000004A110E-mapping.dmp

Download
memory/1904-10-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1904-26-0x00000000004A110E-mapping.dmp

Download
memory/1904-27-0x00000000004A110E-mapping.dmp

Download
memory/1904-28-0x00000000004A110E-mapping.dmp

Download
memory/1904-29-0x00000000004A110E-mapping.dmp

Download
memory/1904-30-0x00000000004A110E-mapping.dmp

Download
memory/1904-31-0x00000000004A110E-mapping.dmp

Download
memory/1904-32-0x00000000004A110E-mapping.dmp

Download
memory/1904-33-0x00000000004A110E-mapping.dmp

Download
memory/1904-34-0x00000000004A110E-mapping.dmp

Download
memory/1904-35-0x00000000004A110E-mapping.dmp

Download
memory/1904-21-0x0000000005160000-0x00000000051D0000-memory.dmp

Filesize
448KB

Download
memory/1904-17-0x00000000744E0000-0x0000000074BCE000-memory.dmp

Filesize
6.9MB

Download
memory/1904-38-0x00000000004A110E-mapping.dmp

Download
memory/1904-39-0x00000000004A110E-mapping.dmp

Download
memory/1904-40-0x00000000004A110E-mapping.dmp

Download
memory/1904-13-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1904-12-0x00000000004A110E-mapping.dmp

Download
memory/1904-15-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1908-14-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/1908-11-0x00000000744E0000-0x0000000074BCE000-memory.dmp

Filesize
6.9MB

Download
memory/1908-42-0x00000000005D0000-0x00000000005D5000-memory.dmp

Filesize
20KB

Download
memory/1908-20-0x0000000000570000-0x0000000000574000-memory.dmp

Filesize
16KB

Download
memory/1908-7-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads