Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    08-11-2021 16:51

General

  • Target

    e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe

  • Size

    834KB

  • MD5

    2c25a0926e5228d2205b3b8c8ef4d7f4

  • SHA1

    5f8a9d364dc3d03a5b11fd5be0629d0fb5a8c409

  • SHA256

    e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6

  • SHA512

    cafe8fae74d414015118b838b5e4b30183733d5e833c5db84a56bd2d5cf728cad08d2bbefbeadc86b15b7dbf6dc25fcabdffa8ff4fb346dc0f66376087a28468

Score
10/10

Malware Config

Signatures

  • suricata: ET MALWARE ClipBanker Variant Activity (POST)

  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 6 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 16 IoCs
  • Modifies registry class 18 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s WpnService
    1⤵
    PID:2756
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2728
    • C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      2⤵
      PID:1968
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s BITS
    1⤵
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3916
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k SystemNetworkService
      2⤵
      • Drops file in System32 directory
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2860
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Browser
    1⤵
    PID:2668
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
    1⤵
    PID:2480
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
    1⤵
    PID:2436
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
    1⤵
    PID:1928
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s SENS
    1⤵
    PID:1480
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s UserManager
    1⤵
    PID:1320
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Themes
    1⤵
    PID:1236
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
    1⤵
    PID:1124
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s Schedule
    1⤵
    PID:1032
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
    1⤵
    PID:1020
  • C:\Users\Admin\AppData\Local\Temp\e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe
    "C:\Users\Admin\AppData\Local\Temp\e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1496
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" sqlite.dll,global
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3788

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery
    • System Information Discovery (2)
      T1082
    • Query Registry (1)
      T1012

Downloads

  • C:\Users\Admin\AppData\Local\Temp\sqlite.dat
    MD5
      bbd4ce7a3b397979f6725781367e2671
    SHA1
      1627f36916b4a3e2384a3aa2b0af35ba9e785093
    SHA256
      c13e0dd5f82062a4659f6fa989b00a2d109644156675aa63e7670288723a9fe4
    SHA512
      b0a5708673f3077eaad552ea664f16b569b653be55865221506b537b41c77ec9b5610d3f67b996e7f2da0bd08da274dc01c9e7db2ce1ed706c18812093d76b65
  • C:\Users\Admin\AppData\Local\Temp\sqlite.dll
    MD5
      d2c3e38d64273ea56d503bb3fb2a8b5d
    SHA1
      177da7d99381bbc83ede6b50357f53944240d862
    SHA256
      25ceb44c2ba4fc9e0153a2f605a70a58b0a42dfaa795667adc11c70bb8909b52
    SHA512
      2c21ecf8cbad2efe94c7cb55092e5b9e5e8c0392ee15ad04d1571f787761bf26f2f52f3d75a83a321952aeff362a237024779bbdc9c6fd4972c9d76c6038b117
  • \Users\Admin\AppData\Local\Temp\sqlite.dll
    MD5
      d2c3e38d64273ea56d503bb3fb2a8b5d
    SHA1
      177da7d99381bbc83ede6b50357f53944240d862
    SHA256
      25ceb44c2ba4fc9e0153a2f605a70a58b0a42dfaa795667adc11c70bb8909b52
    SHA512
      2c21ecf8cbad2efe94c7cb55092e5b9e5e8c0392ee15ad04d1571f787761bf26f2f52f3d75a83a321952aeff362a237024779bbdc9c6fd4972c9d76c6038b117
  • memory/1020-188-0x0000027EA6A10000-0x0000027EA6A82000-memory.dmp
    Filesize
      456KB
  • memory/1020-179-0x0000027EA63C0000-0x0000027EA63C2000-memory.dmp
    Filesize
      8KB
  • memory/1020-131-0x0000027EA63C0000-0x0000027EA63C2000-memory.dmp
    Filesize
      8KB
  • memory/1020-157-0x0000027EA6440000-0x0000027EA64B2000-memory.dmp
    Filesize
      456KB
  • memory/1020-132-0x0000027EA63C0000-0x0000027EA63C2000-memory.dmp
    Filesize
      8KB
  • memory/1032-140-0x000002E3E2ED0000-0x000002E3E2ED2000-memory.dmp
    Filesize
      8KB
  • memory/1032-195-0x000002E3E3850000-0x000002E3E38C2000-memory.dmp
    Filesize
      456KB
  • memory/1032-161-0x000002E3E3720000-0x000002E3E3792000-memory.dmp
    Filesize
      456KB
  • memory/1032-183-0x000002E3E2ED0000-0x000002E3E2ED2000-memory.dmp
    Filesize
      8KB
  • memory/1032-139-0x000002E3E2ED0000-0x000002E3E2ED2000-memory.dmp
    Filesize
      8KB
  • memory/1124-138-0x0000023D9B0F0000-0x0000023D9B0F2000-memory.dmp
    Filesize
      8KB
  • memory/1124-137-0x0000023D9B0F0000-0x0000023D9B0F2000-memory.dmp
    Filesize
      8KB
  • memory/1124-193-0x0000023D9B960000-0x0000023D9B9D2000-memory.dmp
    Filesize
      456KB
  • memory/1124-160-0x0000023D9B860000-0x0000023D9B8D2000-memory.dmp
    Filesize
      456KB
  • memory/1124-182-0x0000023D9B0F0000-0x0000023D9B0F2000-memory.dmp
    Filesize
      8KB
  • memory/1236-145-0x00000230B8800000-0x00000230B8802000-memory.dmp
    Filesize
      8KB
  • memory/1236-201-0x00000230B9540000-0x00000230B95B2000-memory.dmp
    Filesize
      456KB
  • memory/1236-164-0x00000230B8F60000-0x00000230B8FD2000-memory.dmp
    Filesize
      456KB
  • memory/1236-186-0x00000230B8800000-0x00000230B8802000-memory.dmp
    Filesize
      8KB
  • memory/1236-146-0x00000230B8800000-0x00000230B8802000-memory.dmp
    Filesize
      8KB
  • memory/1320-191-0x000001F89AB50000-0x000001F89ABC2000-memory.dmp
    Filesize
      456KB
  • memory/1320-165-0x000001F89AA10000-0x000001F89AA82000-memory.dmp
    Filesize
      456KB
  • memory/1320-189-0x000001F89AA90000-0x000001F89AA92000-memory.dmp
    Filesize
      8KB
  • memory/1320-148-0x000001F89AA90000-0x000001F89AA92000-memory.dmp
    Filesize
      8KB
  • memory/1320-147-0x000001F89AA90000-0x000001F89AA92000-memory.dmp
    Filesize
      8KB
  • memory/1480-162-0x000001F20A570000-0x000001F20A5E2000-memory.dmp
    Filesize
      456KB
  • memory/1480-197-0x000001F20AC40000-0x000001F20ACB2000-memory.dmp
    Filesize
      456KB
  • memory/1480-142-0x000001F20A5F0000-0x000001F20A5F2000-memory.dmp
    Filesize
      8KB
  • memory/1480-184-0x000001F20A5F0000-0x000001F20A5F2000-memory.dmp
    Filesize
      8KB
  • memory/1480-141-0x000001F20A5F0000-0x000001F20A5F2000-memory.dmp
    Filesize
      8KB
  • memory/1496-117-0x0000000002E00000-0x0000000002E01000-memory.dmp
    Filesize
      4KB
  • memory/1496-116-0x0000000002E00000-0x0000000002E01000-memory.dmp
    Filesize
      4KB
  • memory/1928-144-0x0000025F5D5B0000-0x0000025F5D5B2000-memory.dmp
    Filesize
      8KB
  • memory/1928-143-0x0000025F5D5B0000-0x0000025F5D5B2000-memory.dmp
    Filesize
      8KB
  • memory/1928-163-0x0000025F5E340000-0x0000025F5E3B2000-memory.dmp
    Filesize
      456KB
  • memory/1928-185-0x0000025F5D5B0000-0x0000025F5D5B2000-memory.dmp
    Filesize
      8KB
  • memory/1928-199-0x0000025F5E3C0000-0x0000025F5E432000-memory.dmp
    Filesize
      456KB
  • memory/1968-172-0x0000000000000000-mapping.dmp
  • memory/2436-159-0x00000230DD950000-0x00000230DD9C2000-memory.dmp
    Filesize
      456KB
  • memory/2436-136-0x00000230DD6F0000-0x00000230DD6F2000-memory.dmp
    Filesize
      8KB
  • memory/2436-192-0x00000230DE3B0000-0x00000230DE422000-memory.dmp
    Filesize
      456KB
  • memory/2436-135-0x00000230DD6F0000-0x00000230DD6F2000-memory.dmp
    Filesize
      8KB
  • memory/2436-181-0x00000230DD6F0000-0x00000230DD6F2000-memory.dmp
    Filesize
      8KB
  • memory/2480-190-0x0000026F5E2B0000-0x0000026F5E322000-memory.dmp
    Filesize
      456KB
  • memory/2480-134-0x0000026F5D440000-0x0000026F5D442000-memory.dmp
    Filesize
      8KB
  • memory/2480-158-0x0000026F5DC50000-0x0000026F5DCC2000-memory.dmp
    Filesize
      456KB
  • memory/2480-133-0x0000026F5D440000-0x0000026F5D442000-memory.dmp
    Filesize
      8KB
  • memory/2480-180-0x0000026F5D440000-0x0000026F5D442000-memory.dmp
    Filesize
      8KB
  • memory/2668-127-0x0000017D90420000-0x0000017D90422000-memory.dmp
    Filesize
      8KB
  • memory/2668-128-0x0000017D90420000-0x0000017D90422000-memory.dmp
    Filesize
      8KB
  • memory/2668-155-0x0000017D90D70000-0x0000017D90DE2000-memory.dmp
    Filesize
      456KB
  • memory/2668-187-0x0000017D91130000-0x0000017D911A2000-memory.dmp
    Filesize
      456KB
  • memory/2668-178-0x0000017D90420000-0x0000017D90422000-memory.dmp
    Filesize
      8KB
  • memory/2728-149-0x000001A6EB480000-0x000001A6EB482000-memory.dmp
    Filesize
      8KB
  • memory/2728-150-0x000001A6EB480000-0x000001A6EB482000-memory.dmp
    Filesize
      8KB
  • memory/2728-166-0x000001A6EB540000-0x000001A6EB5B2000-memory.dmp
    Filesize
      456KB
  • memory/2728-196-0x000001A6EBD70000-0x000001A6EBDE2000-memory.dmp
    Filesize
      456KB
  • memory/2728-194-0x000001A6EB480000-0x000001A6EB482000-memory.dmp
    Filesize
      8KB
  • memory/2756-200-0x000001CB48A30000-0x000001CB48AA2000-memory.dmp
    Filesize
      456KB
  • memory/2756-167-0x000001CB48940000-0x000001CB489B2000-memory.dmp
    Filesize
      456KB
  • memory/2756-198-0x000001CB48100000-0x000001CB48102000-memory.dmp
    Filesize
      8KB
  • memory/2756-152-0x000001CB48100000-0x000001CB48102000-memory.dmp
    Filesize
      8KB
  • memory/2756-151-0x000001CB48100000-0x000001CB48102000-memory.dmp
    Filesize
      8KB
  • memory/2860-169-0x000001D0F4560000-0x000001D0F4562000-memory.dmp
    Filesize
      8KB
  • memory/2860-156-0x000001D0F4700000-0x000001D0F4772000-memory.dmp
    Filesize
      456KB
  • memory/2860-126-0x00007FF6A87E4060-mapping.dmp
  • memory/2860-130-0x000001D0F4560000-0x000001D0F4562000-memory.dmp
    Filesize
      8KB
  • memory/2860-168-0x000001D0F4560000-0x000001D0F4562000-memory.dmp
    Filesize
      8KB
  • memory/2860-129-0x000001D0F4560000-0x000001D0F4562000-memory.dmp
    Filesize
      8KB
  • memory/2860-170-0x000001D0F45B0000-0x000001D0F45CB000-memory.dmp
    Filesize
      108KB
  • memory/2860-171-0x000001D0F6F00000-0x000001D0F7005000-memory.dmp
    Filesize
      1.0MB
  • memory/3788-122-0x0000000000CB0000-0x0000000000D5E000-memory.dmp
    Filesize
      696KB
  • memory/3788-123-0x0000000000C00000-0x0000000000C5D000-memory.dmp
    Filesize
      372KB
  • memory/3788-118-0x0000000000000000-mapping.dmp
  • memory/3916-125-0x00000233F3690000-0x00000233F3692000-memory.dmp
    Filesize
      8KB
  • memory/3916-173-0x00000233F36B0000-0x00000233F36B4000-memory.dmp
    Filesize
      16KB
  • memory/3916-177-0x00000233F35C0000-0x00000233F35C4000-memory.dmp
    Filesize
      16KB
  • memory/3916-124-0x00000233F3690000-0x00000233F3692000-memory.dmp
    Filesize
      8KB
  • memory/3916-153-0x00000233F3640000-0x00000233F368D000-memory.dmp
    Filesize
      308KB
  • memory/3916-154-0x00000233F39D0000-0x00000233F3A42000-memory.dmp
    Filesize
      456KB
  • memory/3916-175-0x00000233F36A0000-0x00000233F36A4000-memory.dmp
    Filesize
      16KB
  • memory/3916-174-0x00000233F36A0000-0x00000233F36A1000-memory.dmp
    Filesize
      4KB