Analysis

  • max time kernel
    165s
  • max time network
    177s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    08-11-2021 10:07

General

  • Target

    ca14b87b565c6b1c90eb3365bed694bd9e8a8b3d0ab6e3ca0c680baec6422f83.exe

  • Size

    89KB

  • MD5

    a56c80f6cef4b2466024b6af88123183

  • SHA1

    7d8d3a50f5b1239736423dbb0b1226d59bd1988a

  • SHA256

    ca14b87b565c6b1c90eb3365bed694bd9e8a8b3d0ab6e3ca0c680baec6422f83

  • SHA512

    11c26244e282d37c7587a5838624bd2f310a0842add9fde6abb8150138e5d190438cc54e4e2df1d1985fc453600207d9f35effa290748ef05418534131128cd3
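Before working from a report like this one, an analyst should confirm that the file on disk is the file the sandbox ran. The following Python is an added example (not part of the report or the sandbox's tooling) that hashes a byte buffer once with every algorithm listed above and reports which report values disagree; the function names and the single-pass chunking are my own choices.

```python
import hashlib

# Values copied from the report's General section, lowercase hex as the page prints them.
REPORT_HASHES = {
    "md5": "a56c80f6cef4b2466024b6af88123183",
    "sha1": "7d8d3a50f5b1239736423dbb0b1226d59bd1988a",
    "sha256": "ca14b87b565c6b1c90eb3365bed694bd9e8a8b3d0ab6e3ca0c680baec6422f83",
    "sha512": "11c26244e282d37c7587a5838624bd2f310a0842add9fde6abb8150138e5d190"
              "438cc54e4e2df1d1985fc453600207d9f35effa290748ef05418534131128cd3",
}


def digests(data, algos=("md5", "sha1", "sha256", "sha512"), chunk_size=1 << 20):
    """Feed the bytes once through every requested hash object; return lowercase hex digests."""
    hashers = {name: hashlib.new(name) for name in algos}
    view = memoryview(data)
    for start in range(0, len(view), chunk_size):
        block = view[start:start + chunk_size]
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_sample(data, expected):
    """Return the sorted names of digests in `expected` that disagree with `data`.

    An empty list means every listed digest matched, i.e. the sample identity is confirmed.
    """
    got = digests(data, tuple(expected))
    return sorted(name for name, value in expected.items() if got[name] != value.lower())


if __name__ == "__main__":
    import sys

    with open(sys.argv[1], "rb") as f:  # path of the sample to check (hypothetical usage)
        mismatches = verify_sample(f.read(), REPORT_HASHES)
    print("identity confirmed" if not mismatches else f"mismatch in: {', '.join(mismatches)}")
```

Hashing the buffer once for all four algorithms keeps the check cheap on large samples, and returning the mismatching names rather than a bare boolean makes a partially edited report (for example a SHA256 copied from a different submission) visible at a glance.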

Score
10/10

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • suricata: ET MALWARE ClipBanker Variant Activity (POST)

  • Loads dropped DLL 1 IoCs

    The sample loads a DLL that it wrote to disk earlier in the run, rather than one shipped with the system.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 6 IoCs
  • Suspicious use of SetThreadContext 1 IoCs

    Rewriting another thread's register context is a building block of process hollowing and similar code-injection techniques, and is rarely needed by benign software.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox treats this as likely ransomware behaviour, but it is a generic heuristic and should be weighed against the other signatures; here the network signature points at a ClipBanker variant rather than ransomware.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 16 IoCs
  • Modifies registry class 16 IoCs
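The signatures above are behaviour rules evaluated over the events the sandbox recorded. As an added example (not part of this report and not the sandbox's own signature engine), the following Python expresses several of them as rules over a constructed event stream and derives a score in the report's style. The event shape, the list of parents not expected to spawn children, the set of IP-lookup hosts, the severities and all sample events are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Assumed heuristic inputs (illustrative, not the sandbox's real lists):
# processes that normally run without spawning children, and well-known
# "what is my IP" services.
QUIET_PARENTS = {"installutil.exe", "regasm.exe", "regsvcs.exe", "winword.exe", "excel.exe"}
IP_LOOKUP_HOSTS = {"api.ipify.org", "icanhazip.com", "ifconfig.me", "ip-api.com", "checkip.amazonaws.com"}
SYSTEM32 = "c:\\windows\\system32\\"
CPU_KEY = "hkey_local_machine\\hardware\\description\\system\\centralprocessor\\"

# Assumed per-signature severity on a 1..10 scale; the score of a run is taken
# as the highest severity among the signatures that fired.
SEVERITY = {
    "Process spawned unexpected child process": 10,
    "Loads dropped DLL": 7,
    "Looks up external IP address via web service": 7,
    "Drops file in System32 directory": 7,
    "Checks processor information in registry": 3,
    "Modifies data under HKEY_USERS": 3,
}

# Constructed events in an assumed (kind, process, detail) shape; not taken from the report.
SAMPLE_EVENTS = [
    ("process_create", "sample.exe", "conhost.exe 0x4"),                           # benign
    ("process_create", "InstallUtil.exe", "cmd.exe /c whoami"),                     # unexpected child
    ("file_write", "sample.exe", "C:\\Windows\\System32\\Tasks\\Updater"),          # System32 drop
    ("file_write", "sample.exe", "C:\\Users\\Admin\\AppData\\Local\\Temp\\h.dll"),
    ("image_load", "sample.exe", "C:\\Users\\Admin\\AppData\\Local\\Temp\\h.dll"),  # dropped DLL loaded
    ("registry_read", "sample.exe",
     "HKEY_LOCAL_MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString"),
    ("registry_set", "sample.exe",
     "HKEY_USERS\\S-1-5-21-1\\Software\\Classes\\Local Settings\\MuiCache"),
    ("http_request", "sample.exe", "http://api.ipify.org/"),                        # IP lookup service
    ("http_request", "sample.exe", "http://example.com/"),                          # not a lookup service
]


def match_signatures(events):
    """Run each signature over the events; return {signature name: [IoC strings]}."""
    hits = defaultdict(list)
    dropped = set()  # paths the sample wrote, so a later image load can be tied to a drop
    for kind, proc, detail in events:
        d = detail.lower()
        if kind == "process_create" and proc.lower() in QUIET_PARENTS:
            hits["Process spawned unexpected child process"].append(f"{proc} -> {detail}")
        elif kind == "file_write":
            dropped.add(d)
            if d.startswith(SYSTEM32):
                hits["Drops file in System32 directory"].append(detail)
        elif kind == "image_load" and d in dropped:
            hits["Loads dropped DLL"].append(detail)
        elif kind == "registry_read" and d.startswith(CPU_KEY):
            hits["Checks processor information in registry"].append(detail)
        elif kind == "registry_set" and d.startswith("hkey_users\\"):
            hits["Modifies data under HKEY_USERS"].append(detail)
        elif kind == "http_request":
            host = (urlparse(detail).hostname or "").lower()
            if host in IP_LOOKUP_HOSTS:
                hits["Looks up external IP address via web service"].append(detail)
    return dict(hits)


def score(hits):
    """Highest severity among the signatures that fired (0 when nothing fired)."""
    return max((SEVERITY.get(name, 0) for name in hits), default=0)


if __name__ == "__main__":
    found = match_signatures(SAMPLE_EVENTS)
    for name, iocs in found.items():
        print(f"{name} {len(iocs)} IoCs")
        for ioc in iocs:
            print(f"    {ioc}")
    print(f"Score {score(found)}/10")
```

The "Loads dropped DLL" rule is the only stateful one: it remembers every path the sample wrote and fires when a later image load refers to one of them, which is why the file_write event for the DLL must precede the image_load in the stream. The Suricata match and the SetThreadContext signature are not modelled here because they come from network payload inspection and API hooking respectively, not from this kind of event list.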