Analysis

  • max time kernel
    183s
  • max time network
    183s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    08-11-2021 10:07

General

  • Target

    25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe

  • Size

    89KB

  • MD5

    ff3fffe53dee30a1c24bf86d419bd4ac

  • SHA1

    303348ffa41a6a54784ff9ba7af6c03c7cad4efd

  • SHA256

    25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f

  • SHA512

    1c11b106f4e65d31f07e54649b5ee6c2b4e29de24b51749249ff5cfdbf641f3c38946d8204ea02998a6412403cc47a68ef2e8161ec54caec853b7d8d3ced22aa

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • suricata: ET MALWARE ClipBanker Variant Activity (POST)

  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 6 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 16 IoCs
  • Modifies registry class 18 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 26 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
    1⤵
      PID:1904
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
      1⤵
        PID:2700
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s BITS
        1⤵
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3436
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k SystemNetworkService
          2⤵
          • Drops file in System32 directory
          • Checks processor information in registry
          • Modifies data under HKEY_USERS
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4060
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s WpnService
        1⤵
          PID:2708
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s Browser
          1⤵
            PID:2604
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
            1⤵
              PID:2388
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
              1⤵
                PID:2356
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s SENS
                1⤵
                  PID:1428
                • c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k netsvcs -s UserManager
                  1⤵
                    PID:1332
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s Themes
                    1⤵
                      PID:1244
                    • c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
                      1⤵
                      • Modifies registry class
                      PID:1116
                    • c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k netsvcs -s Schedule
                      1⤵
                        PID:1060
                      • c:\windows\system32\svchost.exe
                        c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
                        1⤵
                          PID:372
                        • C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe
                          "C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe"
                          1⤵
                          • Suspicious use of WriteProcessMemory
                          PID:516
                          • C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe
                            "C:\Users\Admin\AppData\Local\Temp\25d79c1a508700c16bfa42039870d590bb3281c271ed02db20899c87259c657f.exe" -u
                            2⤵
                              PID:2240
                          • C:\Windows\system32\rundll32.exe
                            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                            1⤵
                            • Process spawned unexpected child process
                            • Suspicious use of WriteProcessMemory
                            PID:1984
                            • C:\Windows\SysWOW64\rundll32.exe
                              rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                              2⤵
                              • Loads dropped DLL
                              • Modifies registry class
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:404

                          Network

                          MITRE ATT&CK Matrix ATT&CK v6

                          Discovery

                          • System Information Discovery (T1082): 2
                          • Query Registry (T1012): 1

                          Downloads

                          • C:\Users\Admin\AppData\Local\Temp\sqlite.dat
                            MD5

                            3f2e52bab572f3ba21f8e0f9a8fafbe4

                            SHA1

                            0e88867d28cfaccb0c08acd7ac278de4f535c6b9

                            SHA256

                            587da47d932c227750ce4ac216b3d876ac03faeb943a07da02bbdc541626668a

                            SHA512

                            e282393cf251a9d904e5ab0ee0f52c47cb61c5c821020791571faaf199b40b82ad743ba951bffac8ee3783b54fadc7968e92a8020c01dadb766d0d29ade3b351

                          • C:\Users\Admin\AppData\Local\Temp\sqlite.dll
                            MD5

                            d2c3e38d64273ea56d503bb3fb2a8b5d

                            SHA1

                            177da7d99381bbc83ede6b50357f53944240d862

                            SHA256

                            25ceb44c2ba4fc9e0153a2f605a70a58b0a42dfaa795667adc11c70bb8909b52

                            SHA512

                            2c21ecf8cbad2efe94c7cb55092e5b9e5e8c0392ee15ad04d1571f787761bf26f2f52f3d75a83a321952aeff362a237024779bbdc9c6fd4972c9d76c6038b117
