clop | e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639

Analysis

max time kernel
55s
max time network
12s
platform
windows7_x64
resource
win7v200722
submitted
14/10/2020, 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
Size

100KB
MD5

9b11640faf4a071f0b814d6e3df13aa9
SHA1

c3f52ea599e0b3e92743981cdb0a0211384e388f
SHA256

e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639
SHA512

74ba6e451a8197652cfe5d65951334b421b8351b9433eb94631bfb9d77c92d226c653bf11877a2a75bea24d1d52d1a14735a8faac58a991e7d915ada85d399c5

Score

10^/10

ransomware clop

Malware Config

Extracted

Path

C:\ClopReadMe.txt

Family

clop

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN – files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. Photorec, RannohDecryptor etc. repair tools are useless and can destroy your files irreversibly. If you want to restore your files write to emails (contacts are at the bottom of the sheet) and attach 2-3 encrypted files (Less than 5 Mb each, non-archived and your files should not contain valuable information (Databases, backups, large excel sheets, etc.)). You will receive decrypted samples and our conditions how to get the decoder. Attention!!! Your warranty - decrypted samples. Do not rename encrypted files. Do not try to decrypt your data using third party software. We don`t need your files and your information. But after 2 weeks all your files and keys will be deleted automatically. Contact emails: [email protected] or [email protected] The final price depends on how fast you write to us. Clop

Emails

[email protected]

Signatures

Clop
Ransomware discovered in early 2019 which has been actively developed since release.
ransomware clop

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\EnableConfirm.tiff	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File created	C:\Users\Admin\Pictures\EnableConfirm.tiff.Clop	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File created	C:\Users\Admin\Pictures\ReadExpand.raw.Clop	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File created	C:\Users\Admin\Pictures\SkipRevoke.raw.Clop	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened for modification	C:\Users\Admin\Pictures\StopDismount.tiff	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File created	C:\Users\Admin\Pictures\StopDismount.tiff.Clop	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe

Drops desktop.ini file(s) 25 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Documents\desktop.ini	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2090973689-680783404-4292415065-1000\desktop.ini	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened for modification	C:\Users\Public\desktop.ini	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened (read-only)	\??\N:	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened (read-only)	\??\P:	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened (read-only)	\??\W:	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened (read-only)	\??\S:	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened (read-only)	\??\U:	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened (read-only)	\??\Y:	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened (read-only)	\??\F:	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened (read-only)	\??\H:	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened (read-only)	\??\L:	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened (read-only)	\??\O:	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened (read-only)	\??\Q:	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened (read-only)	\??\X:	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened (read-only)	\??\E:	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened (read-only)	\??\I:	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened (read-only)	\??\M:	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened (read-only)	\??\R:	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened (read-only)	\??\T:	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened (read-only)	\??\Z:	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened (read-only)	\??\A:	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened (read-only)	\??\G:	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened (read-only)	\??\J:	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened (read-only)	\??\K:	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened (read-only)	\??\V:	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\ClopReadMe.txt	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
File opened for modification	C:\Program Files (x86)\ClopReadMe.txt	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ClopReadMe.txt	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
336	e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe

C:\Users\Admin\AppData\Local\Temp\e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe
"C:\Users\Admin\AppData\Local\Temp\e7f17df3e41c7ac23d3b979a4dd8e92bdf12e08e8dd064bd8614a415322dc639.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads