Overview

overview

10

Static

static

022e3c30a1...66.exe

windows7_x64

10

022e3c30a1...66.exe

windows11_x64

10

022e3c30a1...66.exe

windows10_x64

10

4d27dca0a1...ef.exe

windows7_x64

10

4d27dca0a1...ef.exe

windows11_x64

10

4d27dca0a1...ef.exe

windows10_x64

10

578a3a7a2b...b3.exe

windows7_x64

10

578a3a7a2b...b3.exe

windows11_x64

10

578a3a7a2b...b3.exe

windows10_x64

10

9c4880a98c...82.exe

windows7_x64

10

9c4880a98c...82.exe

windows11_x64

10

9c4880a98c...82.exe

windows10_x64

10

a1dad4a83d...c4.exe

windows7_x64

10

a1dad4a83d...c4.exe

windows11_x64

10

a1dad4a83d...c4.exe

windows10_x64

10

acf1b7d80f...e0.exe

windows7_x64

10

acf1b7d80f...e0.exe

windows11_x64

10

acf1b7d80f...e0.exe

windows10_x64

10

cbf31d825a...d2.exe

windows7_x64

10

cbf31d825a...d2.exe

windows11_x64

10

cbf31d825a...d2.exe

windows10_x64

10

db76a117db...12.exe

windows7_x64

10

db76a117db...12.exe

windows11_x64

10

db76a117db...12.exe

windows10_x64

10

e2ffb8aeeb...f6.exe

windows7_x64

10

e2ffb8aeeb...f6.exe

windows11_x64

10

e2ffb8aeeb...f6.exe

windows10_x64

10

f2196668f4...cb.exe

windows7_x64

10

f2196668f4...cb.exe

windows11_x64

10

f2196668f4...cb.exe

windows10_x64

10

Resubmissions

10/11/2021, 14:50

211110-r7nbvaeddr 10

08/11/2021, 16:12

211108-tnmmbahgaj 10

08/11/2021, 15:26

211108-svdsbaccf6 10

08/11/2021, 14:48

211108-r6lfvshdfn 10

Analysis

  • max time kernel
    150s
  • max time network
    159s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    10/11/2021, 14:50

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe

  • Size

    834KB

  • MD5

    2c25a0926e5228d2205b3b8c8ef4d7f4

  • SHA1

    5f8a9d364dc3d03a5b11fd5be0629d0fb5a8c409

  • SHA256

    e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6

  • SHA512

    cafe8fae74d414015118b838b5e4b30183733d5e833c5db84a56bd2d5cf728cad08d2bbefbeadc86b15b7dbf6dc25fcabdffa8ff4fb346dc0f66376087a28468

Score
10/10
suricata

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • suricata: ET MALWARE ClipBanker Variant Activity (POST)

    suricata: ET MALWARE ClipBanker Variant Activity (POST)

    suricata
  • Loads dropped DLL 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 9 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 16 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:464
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:884
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k SystemNetworkService
        2⤵
        • Drops file in System32 directory
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Modifies registry class
        PID:608
    • C:\Users\Admin\AppData\Local\Temp\e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe
      "C:\Users\Admin\AppData\Local\Temp\e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:376
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\System32\rundll32.exe" sqlite.dll,global
        2⤵
        • Loads dropped DLL
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1164

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/376-55-0x0000000075321000-0x0000000075323000-memory.dmp

      Filesize

      8KB

      Download

    • memory/608-64-0x00000000000E0000-0x000000000012D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/608-70-0x0000000000470000-0x00000000004E2000-memory.dmp

      Filesize

      456KB

      Download

    • memory/608-71-0x0000000001C10000-0x0000000001C2B000-memory.dmp

      Filesize

      108KB

      Download

    • memory/608-72-0x00000000028A0000-0x00000000029A5000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/608-73-0x000007FEFBF81000-0x000007FEFBF83000-memory.dmp

      Filesize

      8KB

      Download

    • memory/884-68-0x0000000000B60000-0x0000000000BAD000-memory.dmp

      Filesize

      308KB

      Download

    • memory/884-69-0x0000000001BC0000-0x0000000001C32000-memory.dmp

      Filesize

      456KB

      Download

    • memory/1164-66-0x00000000008F0000-0x00000000009F1000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1164-67-0x0000000000880000-0x00000000008DD000-memory.dmp

      Filesize

      372KB

      Download