Overview

overview

10

Static

static

022e3c30a1...66.exe

windows7_x64

10

022e3c30a1...66.exe

windows10_x64

10

043d28836f...9f.exe

windows7_x64

10

043d28836f...9f.exe

windows10_x64

10

096fc162ed...c8.exe

windows7_x64

10

096fc162ed...c8.exe

windows10_x64

10

1ad787b5aa...62.exe

windows7_x64

10

1ad787b5aa...62.exe

windows10_x64

10

258cbb13ac...bd.exe

windows7_x64

10

258cbb13ac...bd.exe

windows10_x64

10

25d79c1a50...7f.exe

windows7_x64

10

25d79c1a50...7f.exe

windows10_x64

10

4d27dca0a1...ef.exe

windows7_x64

10

4d27dca0a1...ef.exe

windows10_x64

10

500e7e5c00...44.exe

windows7_x64

10

500e7e5c00...44.exe

windows10_x64

10

578a3a7a2b...b3.exe

windows7_x64

10

578a3a7a2b...b3.exe

windows10_x64

10

7dc7ca2414...84.exe

windows7_x64

10

7dc7ca2414...84.exe

windows10_x64

10

96c9fde298...34.exe

windows7_x64

10

96c9fde298...34.exe

windows10_x64

10

9c4880a98c...82.exe

windows7_x64

10

9c4880a98c...82.exe

windows10_x64

10

a1dad4a83d...c4.exe

windows7_x64

10

a1dad4a83d...c4.exe

windows10_x64

10

acf1b7d80f...e0.exe

windows7_x64

10

acf1b7d80f...e0.exe

windows10_x64

10

ca14b87b56...83.exe

windows7_x64

10

ca14b87b56...83.exe

windows10_x64

10

cbf31d825a...d2.exe

windows7_x64

8

cbf31d825a...d2.exe

windows10_x64

10

Analysis

  • max time kernel
    143s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    08-11-2021 10:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe

  • Size

    89KB

  • MD5

    03137e005bdf813088f651d5b2b53e5d

  • SHA1

    0aa1fb7e5fc80bed261c805e15ee4e3709564258

  • SHA256

    258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd

  • SHA512

    23bbb89fe88264538461c0eae1437344e9823e245d00f0527424b95d4ca54054c8b411db3c066664617e0df69d1468ff10385841a5f1869a0e480a92abffdddd

Score
10/10
suricata

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • suricata: ET MALWARE ClipBanker Variant Activity (POST)

    suricata: ET MALWARE ClipBanker Variant Activity (POST)

    suricata
  • Loads dropped DLL 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 9 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 16 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:464
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:872
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k SystemNetworkService
        2⤵
        • Drops file in System32 directory
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Modifies registry class
        PID:1284
    • C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe
      "C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1200
      • C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe
        "C:\Users\Admin\AppData\Local\Temp\258cbb13ac4c202d338512321ecf7dc3f75ecde54077d2fde9ca1635d6d4c7bd.exe" -u
        2⤵
          PID:1680
      • C:\Windows\system32\rundll32.exe
        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
        1⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:1244
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
          2⤵
          • Loads dropped DLL
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1504

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      2
      T1082

      Query Registry

      1
      T1012

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\sqlite.dat
        MD5

        f11135e034c7f658c2eb26cb0dee5751

        SHA1

        5501048d16e8d5830b0f38d857d2de0f21449b39

        SHA256

        0d5f602551f88a1dee285bf30f8ae9718e5c72df538437c8be180e54d0b32ae9

        SHA512

        42eab3508b52b0476eb7c09f9b90731f2372432ca249e4505d0f210881c9f58e2aae63f15d5e91d0f87d9730b8f5324b3651cbd37ae292f9aa5f420243a42099

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\sqlite.dll
        MD5

        d2c3e38d64273ea56d503bb3fb2a8b5d

        SHA1

        177da7d99381bbc83ede6b50357f53944240d862

        SHA256

        25ceb44c2ba4fc9e0153a2f605a70a58b0a42dfaa795667adc11c70bb8909b52

        SHA512

        2c21ecf8cbad2efe94c7cb55092e5b9e5e8c0392ee15ad04d1571f787761bf26f2f52f3d75a83a321952aeff362a237024779bbdc9c6fd4972c9d76c6038b117

        Download Submit
      • \Users\Admin\AppData\Local\Temp\sqlite.dll
        MD5

        d2c3e38d64273ea56d503bb3fb2a8b5d

        SHA1

        177da7d99381bbc83ede6b50357f53944240d862

        SHA256

        25ceb44c2ba4fc9e0153a2f605a70a58b0a42dfaa795667adc11c70bb8909b52

        SHA512

        2c21ecf8cbad2efe94c7cb55092e5b9e5e8c0392ee15ad04d1571f787761bf26f2f52f3d75a83a321952aeff362a237024779bbdc9c6fd4972c9d76c6038b117

        Download Submit
      • \Users\Admin\AppData\Local\Temp\sqlite.dll
        MD5

        d2c3e38d64273ea56d503bb3fb2a8b5d

        SHA1

        177da7d99381bbc83ede6b50357f53944240d862

        SHA256

        25ceb44c2ba4fc9e0153a2f605a70a58b0a42dfaa795667adc11c70bb8909b52

        SHA512

        2c21ecf8cbad2efe94c7cb55092e5b9e5e8c0392ee15ad04d1571f787761bf26f2f52f3d75a83a321952aeff362a237024779bbdc9c6fd4972c9d76c6038b117

        Download Submit
      • \Users\Admin\AppData\Local\Temp\sqlite.dll
        MD5

        d2c3e38d64273ea56d503bb3fb2a8b5d

        SHA1

        177da7d99381bbc83ede6b50357f53944240d862

        SHA256

        25ceb44c2ba4fc9e0153a2f605a70a58b0a42dfaa795667adc11c70bb8909b52

        SHA512

        2c21ecf8cbad2efe94c7cb55092e5b9e5e8c0392ee15ad04d1571f787761bf26f2f52f3d75a83a321952aeff362a237024779bbdc9c6fd4972c9d76c6038b117

        Download Submit
      • \Users\Admin\AppData\Local\Temp\sqlite.dll
        MD5

        d2c3e38d64273ea56d503bb3fb2a8b5d

        SHA1

        177da7d99381bbc83ede6b50357f53944240d862

        SHA256

        25ceb44c2ba4fc9e0153a2f605a70a58b0a42dfaa795667adc11c70bb8909b52

        SHA512

        2c21ecf8cbad2efe94c7cb55092e5b9e5e8c0392ee15ad04d1571f787761bf26f2f52f3d75a83a321952aeff362a237024779bbdc9c6fd4972c9d76c6038b117

        Download Submit
      • memory/872-71-0x0000000000AC0000-0x0000000000B32000-memory.dmp
        Filesize

        456KB

        Download
      • memory/872-70-0x00000000008B0000-0x00000000008FD000-memory.dmp
        Filesize

        308KB

        Download
      • memory/1200-55-0x0000000075851000-0x0000000075853000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1284-72-0x00000000004A0000-0x0000000000512000-memory.dmp
        Filesize

        456KB

        Download
      • memory/1284-67-0x00000000FF46246C-mapping.dmp
        Download
      • memory/1284-66-0x0000000000110000-0x000000000015D000-memory.dmp
        Filesize

        308KB

        Download
      • memory/1284-73-0x00000000001F0000-0x000000000020B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/1284-74-0x00000000031F0000-0x00000000032F5000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/1284-75-0x000007FEFB7D1000-0x000007FEFB7D3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1504-59-0x0000000000000000-mapping.dmp
        Download
      • memory/1504-69-0x0000000000840000-0x000000000089D000-memory.dmp
        Filesize

        372KB

        Download
      • memory/1504-68-0x00000000008D0000-0x00000000009D1000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/1680-56-0x0000000000000000-mapping.dmp
        Download