Overview

overview

10

Static

static

022e3c30a1...66.exe

windows7_x64

10

022e3c30a1...66.exe

windows10_x64

10

043d28836f...9f.exe

windows7_x64

10

043d28836f...9f.exe

windows10_x64

10

096fc162ed...c8.exe

windows7_x64

10

096fc162ed...c8.exe

windows10_x64

10

1ad787b5aa...62.exe

windows7_x64

10

1ad787b5aa...62.exe

windows10_x64

10

258cbb13ac...bd.exe

windows7_x64

10

258cbb13ac...bd.exe

windows10_x64

10

25d79c1a50...7f.exe

windows7_x64

10

25d79c1a50...7f.exe

windows10_x64

10

4d27dca0a1...ef.exe

windows7_x64

10

4d27dca0a1...ef.exe

windows10_x64

10

500e7e5c00...44.exe

windows7_x64

10

500e7e5c00...44.exe

windows10_x64

10

578a3a7a2b...b3.exe

windows7_x64

10

578a3a7a2b...b3.exe

windows10_x64

10

7dc7ca2414...84.exe

windows7_x64

10

7dc7ca2414...84.exe

windows10_x64

10

96c9fde298...34.exe

windows7_x64

10

96c9fde298...34.exe

windows10_x64

10

9c4880a98c...82.exe

windows7_x64

10

9c4880a98c...82.exe

windows10_x64

10

a1dad4a83d...c4.exe

windows7_x64

10

a1dad4a83d...c4.exe

windows10_x64

10

acf1b7d80f...e0.exe

windows7_x64

10

acf1b7d80f...e0.exe

windows10_x64

10

ca14b87b56...83.exe

windows7_x64

10

ca14b87b56...83.exe

windows10_x64

10

cbf31d825a...d2.exe

windows7_x64

8

cbf31d825a...d2.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    132s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    08-11-2021 10:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe

  • Size

    89KB

  • MD5

    ff3fffe53dee30a1c24bf86d419bd4ac

  • SHA1

    303348ffa41a6a54784ff9ba7af6c03c7cad4efd

  • SHA256

    25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f

  • SHA512

    1c11b106f4e65d31f07e54649b5ee6c2b4e29de24b51749249ff5cfdbf641f3c38946d8204ea02998a6412403cc47a68ef2e8161ec54caec853b7d8d3ced22aa

Score
10/10
suricata

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • suricata: ET MALWARE ClipBanker Variant Activity (POST)

    suricata: ET MALWARE ClipBanker Variant Activity (POST)

    suricata
  • Loads dropped DLL 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 9 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 16 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:464
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:876
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k SystemNetworkService
        2⤵
        • Drops file in System32 directory
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Modifies registry class
        PID:1292
    • C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe
      "C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:664
      • C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe
        "C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe" -u
        2⤵
          PID:832
      • C:\Windows\system32\rundll32.exe
        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
        1⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:1496
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
          2⤵
          • Loads dropped DLL
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:964

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      2
      T1082

      Query Registry

      1
      T1012

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\sqlite.dat
        MD5

        3f2e52bab572f3ba21f8e0f9a8fafbe4

        SHA1

        0e88867d28cfaccb0c08acd7ac278de4f535c6b9

        SHA256

        587da47d932c227750ce4ac216b3d876ac03faeb943a07da02bbdc541626668a

        SHA512

        e282393cf251a9d904e5ab0ee0f52c47cb61c5c821020791571faaf199b40b82ad743ba951bffac8ee3783b54fadc7968e92a8020c01dadb766d0d29ade3b351

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\sqlite.dll
        MD5

        d2c3e38d64273ea56d503bb3fb2a8b5d

        SHA1

        177da7d99381bbc83ede6b50357f53944240d862

        SHA256

        25ceb44c2ba4fc9e0153a2f605a70a58b0a42dfaa795667adc11c70bb8909b52

        SHA512

        2c21ecf8cbad2efe94c7cb55092e5b9e5e8c0392ee15ad04d1571f787761bf26f2f52f3d75a83a321952aeff362a237024779bbdc9c6fd4972c9d76c6038b117

        Download Submit
      • \Users\Admin\AppData\Local\Temp\sqlite.dll
        MD5

        d2c3e38d64273ea56d503bb3fb2a8b5d

        SHA1

        177da7d99381bbc83ede6b50357f53944240d862

        SHA256

        25ceb44c2ba4fc9e0153a2f605a70a58b0a42dfaa795667adc11c70bb8909b52

        SHA512

        2c21ecf8cbad2efe94c7cb55092e5b9e5e8c0392ee15ad04d1571f787761bf26f2f52f3d75a83a321952aeff362a237024779bbdc9c6fd4972c9d76c6038b117

        Download Submit
      • \Users\Admin\AppData\Local\Temp\sqlite.dll
        MD5

        d2c3e38d64273ea56d503bb3fb2a8b5d

        SHA1

        177da7d99381bbc83ede6b50357f53944240d862

        SHA256

        25ceb44c2ba4fc9e0153a2f605a70a58b0a42dfaa795667adc11c70bb8909b52

        SHA512

        2c21ecf8cbad2efe94c7cb55092e5b9e5e8c0392ee15ad04d1571f787761bf26f2f52f3d75a83a321952aeff362a237024779bbdc9c6fd4972c9d76c6038b117

        Download Submit
      • \Users\Admin\AppData\Local\Temp\sqlite.dll
        MD5

        d2c3e38d64273ea56d503bb3fb2a8b5d

        SHA1

        177da7d99381bbc83ede6b50357f53944240d862

        SHA256

        25ceb44c2ba4fc9e0153a2f605a70a58b0a42dfaa795667adc11c70bb8909b52

        SHA512

        2c21ecf8cbad2efe94c7cb55092e5b9e5e8c0392ee15ad04d1571f787761bf26f2f52f3d75a83a321952aeff362a237024779bbdc9c6fd4972c9d76c6038b117

        Download Submit
      • \Users\Admin\AppData\Local\Temp\sqlite.dll
        MD5

        d2c3e38d64273ea56d503bb3fb2a8b5d

        SHA1

        177da7d99381bbc83ede6b50357f53944240d862

        SHA256

        25ceb44c2ba4fc9e0153a2f605a70a58b0a42dfaa795667adc11c70bb8909b52

        SHA512

        2c21ecf8cbad2efe94c7cb55092e5b9e5e8c0392ee15ad04d1571f787761bf26f2f52f3d75a83a321952aeff362a237024779bbdc9c6fd4972c9d76c6038b117

        Download Submit
      • memory/664-55-0x0000000075A61000-0x0000000075A63000-memory.dmp
        Filesize

        8KB

        Download
      • memory/832-56-0x0000000000000000-mapping.dmp
        Download
      • memory/876-71-0x0000000000B90000-0x0000000000C02000-memory.dmp
        Filesize

        456KB

        Download
      • memory/876-70-0x00000000009A0000-0x00000000009ED000-memory.dmp
        Filesize

        308KB

        Download
      • memory/964-69-0x0000000000270000-0x00000000002CD000-memory.dmp
        Filesize

        372KB

        Download
      • memory/964-68-0x0000000001D80000-0x0000000001E81000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/964-59-0x0000000000000000-mapping.dmp
        Download
      • memory/1292-66-0x0000000000060000-0x00000000000AD000-memory.dmp
        Filesize

        308KB

        Download
      • memory/1292-67-0x00000000FFBE246C-mapping.dmp
        Download
      • memory/1292-72-0x0000000000240000-0x00000000002B2000-memory.dmp
        Filesize

        456KB

        Download
      • memory/1292-73-0x000007FEFC061000-0x000007FEFC063000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1292-74-0x0000000000300000-0x000000000031B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/1292-75-0x0000000002FF0000-0x00000000030F5000-memory.dmp
        Filesize

        1.0MB

        Download