Overview

overview

10

Static

static

022e3c30a1...66.exe

windows7_x64

10

022e3c30a1...66.exe

windows10_x64

10

043d28836f...9f.exe

windows7_x64

10

043d28836f...9f.exe

windows10_x64

10

096fc162ed...c8.exe

windows7_x64

10

096fc162ed...c8.exe

windows10_x64

10

1ad787b5aa...62.exe

windows7_x64

10

1ad787b5aa...62.exe

windows10_x64

10

258cbb13ac...bd.exe

windows7_x64

10

258cbb13ac...bd.exe

windows10_x64

10

25d79c1a50...7f.exe

windows7_x64

10

25d79c1a50...7f.exe

windows10_x64

10

4d27dca0a1...ef.exe

windows7_x64

10

4d27dca0a1...ef.exe

windows10_x64

10

500e7e5c00...44.exe

windows7_x64

10

500e7e5c00...44.exe

windows10_x64

10

578a3a7a2b...b3.exe

windows7_x64

10

578a3a7a2b...b3.exe

windows10_x64

10

7dc7ca2414...84.exe

windows7_x64

10

7dc7ca2414...84.exe

windows10_x64

10

96c9fde298...34.exe

windows7_x64

10

96c9fde298...34.exe

windows10_x64

10

9c4880a98c...82.exe

windows7_x64

10

9c4880a98c...82.exe

windows10_x64

10

a1dad4a83d...c4.exe

windows7_x64

10

a1dad4a83d...c4.exe

windows10_x64

10

acf1b7d80f...e0.exe

windows7_x64

10

acf1b7d80f...e0.exe

windows10_x64

10

ca14b87b56...83.exe

windows7_x64

10

ca14b87b56...83.exe

windows10_x64

10

cbf31d825a...d2.exe

windows7_x64

8

cbf31d825a...d2.exe

windows10_x64

10

Analysis

  • max time kernel
    177s
  • max time network
    191s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    08-11-2021 10:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe

  • Size

    89KB

  • MD5

    03137e005bdf813088f651d5b2b53e5d

  • SHA1

    0aa1fb7e5fc80bed261c805e15ee4e3709564258

  • SHA256

    258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd

  • SHA512

    23bbb89fe88264538461c0eae1437344e9823e245d00f0527424b95d4ca54054c8b411db3c066664617e0df69d1468ff10385841a5f1869a0e480a92abffdddd

Score
10/10
suricata

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • suricata: ET MALWARE ClipBanker Variant Activity (POST)

    suricata: ET MALWARE ClipBanker Variant Activity (POST)

    suricata
  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 16 IoCs
  • Modifies registry class 18 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
    1⤵
      PID:1124
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s BITS
      1⤵
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2876
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k SystemNetworkService
        2⤵
        • Drops file in System32 directory
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:680
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s WpnService
      1⤵
      • Modifies registry class
      PID:2604
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2592
      • C:\Windows\system32\wbem\WMIADAP.EXE
        wmiadap.exe /F /T /R
        2⤵
          PID:852
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s Browser
        1⤵
          PID:2532
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
          1⤵
            PID:2364
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
            1⤵
              PID:2344
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
              1⤵
                PID:1912
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s SENS
                1⤵
                  PID:1388
                • c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k netsvcs -s UserManager
                  1⤵
                    PID:1332
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s Themes
                    1⤵
                      PID:1216
                    • c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k netsvcs -s Schedule
                      1⤵
                        PID:312
                      • c:\windows\system32\svchost.exe
                        c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
                        1⤵
                          PID:1020
                        • C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe
                          "C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe"
                          1⤵
                          • Suspicious use of WriteProcessMemory
                          PID:424
                          • C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe
                            "C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe" -u
                            2⤵
                              PID:1008
                          • C:\Windows\system32\rundll32.exe
                            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                            1⤵
                            • Process spawned unexpected child process
                            • Suspicious use of WriteProcessMemory
                            PID:3852
                            • C:\Windows\SysWOW64\rundll32.exe
                              rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                              2⤵
                              • Loads dropped DLL
                              • Modifies registry class
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:1772

                          Network

                          MITRE ATT&CK Enterprise v6

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • memory/312-196-0x000001A989B40000-0x000001A989BB2000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/312-184-0x000001A989220000-0x000001A989222000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/312-164-0x000001A989A60000-0x000001A989AD2000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/312-141-0x000001A989220000-0x000001A989222000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/312-140-0x000001A989220000-0x000001A989222000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/680-173-0x0000025C89000000-0x0000025C89105000-memory.dmp

                            Filesize

                            1.0MB

                            Download

                          • memory/680-132-0x0000025C86670000-0x0000025C86672000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/680-172-0x0000025C866B0000-0x0000025C866CB000-memory.dmp

                            Filesize

                            108KB

                            Download

                          • memory/680-130-0x0000025C86670000-0x0000025C86672000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/680-154-0x0000025C86940000-0x0000025C869B2000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/680-170-0x0000025C86670000-0x0000025C86672000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/680-171-0x0000025C86670000-0x0000025C86672000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1020-153-0x0000022C8B2A0000-0x0000022C8B312000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/1020-133-0x0000022C8AA90000-0x0000022C8AA92000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1020-192-0x0000022C8B380000-0x0000022C8B3F2000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/1020-180-0x0000022C8AA90000-0x0000022C8AA92000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1020-131-0x0000022C8AA90000-0x0000022C8AA92000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1124-195-0x0000017C2EF40000-0x0000017C2EFB2000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/1124-139-0x0000017C2E620000-0x0000017C2E622000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1124-138-0x0000017C2E620000-0x0000017C2E622000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1124-162-0x0000017C2EE00000-0x0000017C2EE72000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/1124-183-0x0000017C2E620000-0x0000017C2E622000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1216-149-0x000002B800F10000-0x000002B800F12000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1216-187-0x000002B800F10000-0x000002B800F12000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1216-152-0x000002B801710000-0x000002B801782000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/1216-151-0x000002B800F10000-0x000002B800F12000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1216-199-0x000002B801790000-0x000002B801802000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/1332-156-0x000001D2EFBD0000-0x000001D2EFBD2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1332-159-0x000001D2F0500000-0x000001D2F0572000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/1332-200-0x000001D2F0930000-0x000001D2F09A2000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/1332-155-0x000001D2EFBD0000-0x000001D2EFBD2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1332-188-0x000001D2EFBD0000-0x000001D2EFBD2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1388-143-0x000001E3345D0000-0x000001E3345D2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1388-185-0x000001E3345D0000-0x000001E3345D2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1388-142-0x000001E3345D0000-0x000001E3345D2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1388-197-0x000001E334F70000-0x000001E334FE2000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/1388-166-0x000001E334D20000-0x000001E334D92000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/1772-123-0x0000000002FA9000-0x00000000030AA000-memory.dmp

                            Filesize

                            1.0MB

                            Download

                          • memory/1772-124-0x00000000048C0000-0x000000000491D000-memory.dmp

                            Filesize

                            372KB

                            Download

                          • memory/1912-186-0x0000022718FF0000-0x0000022718FF2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1912-147-0x00000227194B0000-0x0000022719522000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/1912-145-0x0000022718FF0000-0x0000022718FF2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1912-144-0x0000022718FF0000-0x0000022718FF2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1912-198-0x00000227195A0000-0x0000022719612000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/2344-182-0x000001373D3E0000-0x000001373D3E2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/2344-194-0x000001373E140000-0x000001373E1B2000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/2344-136-0x000001373D3E0000-0x000001373D3E2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/2344-137-0x000001373D3E0000-0x000001373D3E2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/2344-158-0x000001373DC50000-0x000001373DCC2000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/2364-181-0x0000029DB6DD0000-0x0000029DB6DD2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/2364-134-0x0000029DB6DD0000-0x0000029DB6DD2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/2364-135-0x0000029DB6DD0000-0x0000029DB6DD2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/2364-193-0x0000029DB74B0000-0x0000029DB7522000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/2364-157-0x0000029DB6DF0000-0x0000029DB6E62000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/2532-179-0x0000015750320000-0x0000015750322000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/2532-150-0x0000015750B40000-0x0000015750BB2000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/2532-128-0x0000015750320000-0x0000015750322000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/2532-129-0x0000015750320000-0x0000015750322000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/2532-191-0x0000015751140000-0x00000157511B2000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/2592-163-0x000001BF48100000-0x000001BF48172000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/2592-160-0x000001BF478C0000-0x000001BF478C2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/2592-201-0x000001BF48E30000-0x000001BF48EA2000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/2592-161-0x000001BF478C0000-0x000001BF478C2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/2592-189-0x000001BF478C0000-0x000001BF478C2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/2604-165-0x0000015E056A0000-0x0000015E056A2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/2604-190-0x0000015E056A0000-0x0000015E056A2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/2604-202-0x0000015E05FE0000-0x0000015E06052000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/2604-167-0x0000015E056A0000-0x0000015E056A2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/2604-168-0x0000015E05F60000-0x0000015E05FD2000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/2876-175-0x000001F9564E0000-0x000001F9564E1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/2876-146-0x000001F958620000-0x000001F95866D000-memory.dmp

                            Filesize

                            308KB

                            Download

                          • memory/2876-176-0x000001F9564E0000-0x000001F9564E4000-memory.dmp

                            Filesize

                            16KB

                            Download

                          • memory/2876-148-0x000001F9589C0000-0x000001F958A32000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/2876-178-0x000001F956450000-0x000001F956454000-memory.dmp

                            Filesize

                            16KB

                            Download

                          • memory/2876-126-0x000001F9564D0000-0x000001F9564D2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/2876-125-0x000001F9564D0000-0x000001F9564D2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/2876-174-0x000001F9564F0000-0x000001F9564F4000-memory.dmp

                            Filesize

                            16KB

                            Download