Overview

overview

10

Static

static

022e3c30a1...66.exe

windows7_x64

10

022e3c30a1...66.exe

windows10_x64

10

043d28836f...9f.exe

windows7_x64

10

043d28836f...9f.exe

windows10_x64

10

096fc162ed...c8.exe

windows7_x64

10

096fc162ed...c8.exe

windows10_x64

10

1ad787b5aa...62.exe

windows7_x64

10

1ad787b5aa...62.exe

windows10_x64

10

258cbb13ac...bd.exe

windows7_x64

10

258cbb13ac...bd.exe

windows10_x64

10

25d79c1a50...7f.exe

windows7_x64

10

25d79c1a50...7f.exe

windows10_x64

10

4d27dca0a1...ef.exe

windows7_x64

10

4d27dca0a1...ef.exe

windows10_x64

10

500e7e5c00...44.exe

windows7_x64

10

500e7e5c00...44.exe

windows10_x64

10

578a3a7a2b...b3.exe

windows7_x64

10

578a3a7a2b...b3.exe

windows10_x64

10

7dc7ca2414...84.exe

windows7_x64

10

7dc7ca2414...84.exe

windows10_x64

10

96c9fde298...34.exe

windows7_x64

10

96c9fde298...34.exe

windows10_x64

10

9c4880a98c...82.exe

windows7_x64

10

9c4880a98c...82.exe

windows10_x64

10

a1dad4a83d...c4.exe

windows7_x64

10

a1dad4a83d...c4.exe

windows10_x64

10

acf1b7d80f...e0.exe

windows7_x64

10

acf1b7d80f...e0.exe

windows10_x64

10

ca14b87b56...83.exe

windows7_x64

10

ca14b87b56...83.exe

windows10_x64

10

cbf31d825a...d2.exe

windows7_x64

8

cbf31d825a...d2.exe

windows10_x64

10

Analysis

  • max time kernel
    153s
  • max time network
    175s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    08-11-2021 10:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7dc7ca24149bd2f34bc1bf8942cb3ed8730482e4e90a16b5333092ddb80bd084.exe

  • Size

    96KB

  • MD5

    c202f1103c957930ec4cc01b43dfd472

  • SHA1

    ffed9fc2e035d31f1b2e098471e8ec70334ff9fc

  • SHA256

    7dc7ca24149bd2f34bc1bf8942cb3ed8730482e4e90a16b5333092ddb80bd084

  • SHA512

    569aa632a2677cb9d1b0186f19676161853ceea55cb6ee94cfcc6ad4b558c57a2694ab0d2dc541484e4099530b2aab742b95d08c093150efa6585d98ce6356e4

Score
10/10
suricata

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • suricata: ET MALWARE ClipBanker Variant Activity (POST)

    suricata: ET MALWARE ClipBanker Variant Activity (POST)

    suricata
  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 16 IoCs
  • Modifies registry class 18 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
    1⤵
      PID:356
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s Schedule
      1⤵
        PID:1044
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
        1⤵
          PID:1148
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s Themes
          1⤵
            PID:1184
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s SENS
            1⤵
              PID:1444
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
              1⤵
                PID:1916
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s UserManager
                1⤵
                  PID:1432
                • c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
                  1⤵
                    PID:2344
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
                    1⤵
                      PID:2360
                    • c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k netsvcs -s Browser
                      1⤵
                        PID:2580
                      • c:\windows\system32\svchost.exe
                        c:\windows\system32\svchost.exe -k netsvcs -s WpnService
                        1⤵
                        • Modifies registry class
                        PID:2676
                      • c:\windows\system32\svchost.exe
                        c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
                        1⤵
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of WriteProcessMemory
                        PID:2692
                        • C:\Windows\system32\wbem\WMIADAP.EXE
                          wmiadap.exe /F /T /R
                          2⤵
                            PID:2292
                        • c:\windows\system32\svchost.exe
                          c:\windows\system32\svchost.exe -k netsvcs -s BITS
                          1⤵
                          • Suspicious use of SetThreadContext
                          • Modifies registry class
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:3844
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k SystemNetworkService
                            2⤵
                            • Drops file in System32 directory
                            • Checks processor information in registry
                            • Modifies data under HKEY_USERS
                            • Modifies registry class
                            • Suspicious use of WriteProcessMemory
                            PID:3760
                        • C:\Users\Admin\AppData\Local\Temp\7dc7ca24149bd2f34bc1bf8942cb3ed8730482e4e90a16b5333092ddb80bd084.exe
                          "C:\Users\Admin\AppData\Local\Temp\7dc7ca24149bd2f34bc1bf8942cb3ed8730482e4e90a16b5333092ddb80bd084.exe"
                          1⤵
                            PID:2200
                          • C:\Windows\system32\rundll32.exe
                            rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                            1⤵
                            • Process spawned unexpected child process
                            • Suspicious use of WriteProcessMemory
                            PID:3620
                            • C:\Windows\SysWOW64\rundll32.exe
                              rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
                              2⤵
                              • Loads dropped DLL
                              • Modifies registry class
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:4028

                          Network

                          MITRE ATT&CK Enterprise v6

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Temp\sqlite.dat
                            MD5

                            5de5a43c91fdada5f04eddb6d22fb67d

                            SHA1

                            e23e97e72605cf14a13272a85886a0feffaab93a

                            SHA256

                            035d368cf70cee43220fb3b4987c019a9b28052f140d7a52a57be3238981ec62

                            SHA512

                            203ebb534553d0f9dae4a88cf0946f6a1b3dcfa7be4b1cddafd9fb55f345833fea311dda8c1fb73602c73547c323c4210d8c18785475935b4e74c9f50e8a52ec

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\sqlite.dll
                            MD5

                            d2c3e38d64273ea56d503bb3fb2a8b5d

                            SHA1

                            177da7d99381bbc83ede6b50357f53944240d862

                            SHA256

                            25ceb44c2ba4fc9e0153a2f605a70a58b0a42dfaa795667adc11c70bb8909b52

                            SHA512

                            2c21ecf8cbad2efe94c7cb55092e5b9e5e8c0392ee15ad04d1571f787761bf26f2f52f3d75a83a321952aeff362a237024779bbdc9c6fd4972c9d76c6038b117

                            Download Submit

                          • \Users\Admin\AppData\Local\Temp\sqlite.dll
                            MD5

                            d2c3e38d64273ea56d503bb3fb2a8b5d

                            SHA1

                            177da7d99381bbc83ede6b50357f53944240d862

                            SHA256

                            25ceb44c2ba4fc9e0153a2f605a70a58b0a42dfaa795667adc11c70bb8909b52

                            SHA512

                            2c21ecf8cbad2efe94c7cb55092e5b9e5e8c0392ee15ad04d1571f787761bf26f2f52f3d75a83a321952aeff362a237024779bbdc9c6fd4972c9d76c6038b117

                            Download Submit

                          • memory/356-191-0x000001DC7B070000-0x000001DC7B0E2000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/356-132-0x000001DC7A8A0000-0x000001DC7A8A2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/356-157-0x000001DC7A980000-0x000001DC7A9F2000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/356-179-0x000001DC7A8A0000-0x000001DC7A8A2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/356-130-0x000001DC7A8A0000-0x000001DC7A8A2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1044-139-0x0000019B744F0000-0x0000019B744F2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1044-161-0x0000019B74C40000-0x0000019B74CB2000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/1044-140-0x0000019B744F0000-0x0000019B744F2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1044-195-0x0000019B74E70000-0x0000019B74EE2000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/1044-183-0x0000019B744F0000-0x0000019B744F2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1148-160-0x0000018D99F40000-0x0000018D99FB2000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/1148-194-0x0000018D9A440000-0x0000018D9A4B2000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/1148-182-0x0000018D994D0000-0x0000018D994D2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1148-137-0x0000018D994D0000-0x0000018D994D2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1148-138-0x0000018D994D0000-0x0000018D994D2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1184-186-0x000001F5B6580000-0x000001F5B6582000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1184-145-0x000001F5B6580000-0x000001F5B6582000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1184-146-0x000001F5B6580000-0x000001F5B6582000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1184-198-0x000001F5B7240000-0x000001F5B72B2000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/1184-164-0x000001F5B6D30000-0x000001F5B6DA2000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/1432-187-0x000001753F7F0000-0x000001753F7F2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1432-199-0x0000017540540000-0x00000175405B2000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/1432-165-0x000001753FA70000-0x000001753FAE2000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/1432-148-0x000001753F7F0000-0x000001753F7F2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1432-147-0x000001753F7F0000-0x000001753F7F2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1444-162-0x000002BD0F340000-0x000002BD0F3B2000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/1444-141-0x000002BD0F0E0000-0x000002BD0F0E2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1444-196-0x000002BD0FA00000-0x000002BD0FA72000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/1444-142-0x000002BD0F0E0000-0x000002BD0F0E2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1444-184-0x000002BD0F0E0000-0x000002BD0F0E2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1916-197-0x000001B127C40000-0x000001B127CB2000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/1916-185-0x000001B126EA0000-0x000001B126EA2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1916-143-0x000001B126EA0000-0x000001B126EA2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1916-144-0x000001B126EA0000-0x000001B126EA2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/1916-163-0x000001B127740000-0x000001B1277B2000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/2292-172-0x0000000000000000-mapping.dmp

                            Download

                          • memory/2344-181-0x0000013C898D0000-0x0000013C898D2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/2344-193-0x0000013C8A740000-0x0000013C8A7B2000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/2344-159-0x0000013C8A160000-0x0000013C8A1D2000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/2344-135-0x0000013C898D0000-0x0000013C898D2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/2344-136-0x0000013C898D0000-0x0000013C898D2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/2360-180-0x0000024159E90000-0x0000024159E92000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/2360-134-0x0000024159E90000-0x0000024159E92000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/2360-133-0x0000024159E90000-0x0000024159E92000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/2360-158-0x000002415A650000-0x000002415A6C2000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/2360-192-0x000002415AD40000-0x000002415ADB2000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/2580-155-0x00000158C6B30000-0x00000158C6BA2000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/2580-128-0x00000158C6110000-0x00000158C6112000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/2580-178-0x00000158C6110000-0x00000158C6112000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/2580-127-0x00000158C6110000-0x00000158C6112000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/2580-190-0x00000158C7040000-0x00000158C70B2000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/2676-201-0x000001DD86430000-0x000001DD864A2000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/2676-189-0x000001DD856C0000-0x000001DD856C2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/2676-167-0x000001DD86000000-0x000001DD86072000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/2676-151-0x000001DD856C0000-0x000001DD856C2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/2676-152-0x000001DD856C0000-0x000001DD856C2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/2692-150-0x00000184A79A0000-0x00000184A79A2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/2692-166-0x00000184A8310000-0x00000184A8382000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/2692-149-0x00000184A79A0000-0x00000184A79A2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/2692-200-0x00000184A8B40000-0x00000184A8BB2000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/2692-188-0x00000184A79A0000-0x00000184A79A2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/3760-171-0x00000158C2900000-0x00000158C2A05000-memory.dmp

                            Filesize

                            1.0MB

                            Download

                          • memory/3760-156-0x00000158C0200000-0x00000158C0272000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/3760-169-0x00000158C00E0000-0x00000158C00E2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/3760-168-0x00000158C00E0000-0x00000158C00E2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/3760-129-0x00000158C00E0000-0x00000158C00E2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/3760-126-0x00007FF628A64060-mapping.dmp

                            Download

                          • memory/3760-170-0x00000158C1A30000-0x00000158C1A4B000-memory.dmp

                            Filesize

                            108KB

                            Download

                          • memory/3760-131-0x00000158C00E0000-0x00000158C00E2000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/3844-174-0x00000218081E0000-0x00000218081E1000-memory.dmp

                            Filesize

                            4KB

                            Download

                          • memory/3844-154-0x0000021808580000-0x00000218085F2000-memory.dmp

                            Filesize

                            456KB

                            Download

                          • memory/3844-173-0x00000218081F0000-0x00000218081F4000-memory.dmp

                            Filesize

                            16KB

                            Download

                          • memory/3844-153-0x00000218084C0000-0x000002180850D000-memory.dmp

                            Filesize

                            308KB

                            Download

                          • memory/3844-175-0x00000218081E0000-0x00000218081E4000-memory.dmp

                            Filesize

                            16KB

                            Download

                          • memory/3844-125-0x0000021808190000-0x0000021808192000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/3844-124-0x0000021808190000-0x0000021808192000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/3844-177-0x0000021808120000-0x0000021808124000-memory.dmp

                            Filesize

                            16KB

                            Download

                          • memory/4028-123-0x00000000042C0000-0x000000000431D000-memory.dmp

                            Filesize

                            372KB

                            Download

                          • memory/4028-122-0x0000000000802000-0x0000000000903000-memory.dmp

                            Filesize

                            1.0MB

                            Download

                          • memory/4028-119-0x0000000000000000-mapping.dmp

                            Download