Overview

overview

10

Static

static

022e3c30a1...66.exe

windows7_x64

10

022e3c30a1...66.exe

windows11_x64

10

022e3c30a1...66.exe

windows10_x64

10

4d27dca0a1...ef.exe

windows7_x64

10

4d27dca0a1...ef.exe

windows11_x64

10

4d27dca0a1...ef.exe

windows10_x64

10

578a3a7a2b...b3.exe

windows7_x64

10

578a3a7a2b...b3.exe

windows11_x64

10

578a3a7a2b...b3.exe

windows10_x64

10

9c4880a98c...82.exe

windows7_x64

10

9c4880a98c...82.exe

windows11_x64

10

9c4880a98c...82.exe

windows10_x64

10

a1dad4a83d...c4.exe

windows7_x64

10

a1dad4a83d...c4.exe

windows11_x64

10

a1dad4a83d...c4.exe

windows10_x64

10

acf1b7d80f...e0.exe

windows7_x64

10

acf1b7d80f...e0.exe

windows11_x64

10

acf1b7d80f...e0.exe

windows10_x64

10

cbf31d825a...d2.exe

windows7_x64

10

cbf31d825a...d2.exe

windows11_x64

10

cbf31d825a...d2.exe

windows10_x64

10

db76a117db...12.exe

windows7_x64

10

db76a117db...12.exe

windows11_x64

10

db76a117db...12.exe

windows10_x64

10

e2ffb8aeeb...f6.exe

windows7_x64

10

e2ffb8aeeb...f6.exe

windows11_x64

10

e2ffb8aeeb...f6.exe

windows10_x64

10

f2196668f4...cb.exe

windows7_x64

10

f2196668f4...cb.exe

windows11_x64

10

f2196668f4...cb.exe

windows10_x64

10

Resubmissions

10-11-2021 14:50

211110-r7nbvaeddr 10

08-11-2021 16:12

211108-tnmmbahgaj 10

08-11-2021 15:26

211108-svdsbaccf6 10

08-11-2021 14:48

211108-r6lfvshdfn 10

Analysis

  • max time kernel
    155s
  • max time network
    175s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    10-11-2021 14:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe

  • Size

    834KB

  • MD5

    2c25a0926e5228d2205b3b8c8ef4d7f4

  • SHA1

    5f8a9d364dc3d03a5b11fd5be0629d0fb5a8c409

  • SHA256

    e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6

  • SHA512

    cafe8fae74d414015118b838b5e4b30183733d5e833c5db84a56bd2d5cf728cad08d2bbefbeadc86b15b7dbf6dc25fcabdffa8ff4fb346dc0f66376087a28468

Score
10/10
suricata

Malware Config

Signatures

  • suricata: ET MALWARE ClipBanker Variant Activity (POST)

    suricata: ET MALWARE ClipBanker Variant Activity (POST)

    suricata
  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 16 IoCs
  • Modifies registry class 18 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s BITS
    1⤵
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3928
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k SystemNetworkService
      2⤵
      • Drops file in System32 directory
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2796
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s WpnService
    1⤵
      PID:2688
    • c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
      1⤵
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Windows\system32\wbem\WMIADAP.EXE
        wmiadap.exe /F /T /R
        2⤵
          PID:3716
      • c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s Browser
        1⤵
          PID:2560
        • c:\windows\system32\svchost.exe
          c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
          1⤵
            PID:2388
          • c:\windows\system32\svchost.exe
            c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
            1⤵
              PID:2356
            • c:\windows\system32\svchost.exe
              c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
              1⤵
                PID:1820
              • c:\windows\system32\svchost.exe
                c:\windows\system32\svchost.exe -k netsvcs -s SENS
                1⤵
                  PID:1448
                • c:\windows\system32\svchost.exe
                  c:\windows\system32\svchost.exe -k netsvcs -s UserManager
                  1⤵
                    PID:1400
                  • c:\windows\system32\svchost.exe
                    c:\windows\system32\svchost.exe -k netsvcs -s Themes
                    1⤵
                      PID:1224
                    • c:\windows\system32\svchost.exe
                      c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
                      1⤵
                        PID:1116
                      • c:\windows\system32\svchost.exe
                        c:\windows\system32\svchost.exe -k netsvcs -s Schedule
                        1⤵
                          PID:1044
                        • c:\windows\system32\svchost.exe
                          c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
                          1⤵
                            PID:380
                          • C:\Users\Admin\AppData\Local\Temp\e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe
                            "C:\Users\Admin\AppData\Local\Temp\e2ffb8aeeb869fbb3de97b95b0c5c9cf2234d85612ba111115a938c89e4d94f6.exe"
                            1⤵
                            • Suspicious use of WriteProcessMemory
                            PID:1488
                            • C:\Windows\SysWOW64\rundll32.exe
                              "C:\Windows\System32\rundll32.exe" sqlite.dll,global
                              2⤵
                              • Loads dropped DLL
                              • Modifies registry class
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              PID:3808

                          Network

                          MITRE ATT&CK Matrix ATT&CK v6

                          Initial Access

                          Execution

                          Persistence

                          Privilege Escalation

                          Defense Evasion

                          Credential Access

                          Discovery

                          System Information Discovery

                          2
                          T1082

                          Query Registry

                          1
                          T1012

                          Lateral Movement

                          Collection

                          Exfiltration

                          Command and Control

                          Impact

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Temp\sqlite.dat
                            MD5

                            bbd4ce7a3b397979f6725781367e2671

                            SHA1

                            1627f36916b4a3e2384a3aa2b0af35ba9e785093

                            SHA256

                            c13e0dd5f82062a4659f6fa989b00a2d109644156675aa63e7670288723a9fe4

                            SHA512

                            b0a5708673f3077eaad552ea664f16b569b653be55865221506b537b41c77ec9b5610d3f67b996e7f2da0bd08da274dc01c9e7db2ce1ed706c18812093d76b65

                            Download Submit
                          • C:\Users\Admin\AppData\Local\Temp\sqlite.dll
                            MD5

                            d2c3e38d64273ea56d503bb3fb2a8b5d

                            SHA1

                            177da7d99381bbc83ede6b50357f53944240d862

                            SHA256

                            25ceb44c2ba4fc9e0153a2f605a70a58b0a42dfaa795667adc11c70bb8909b52

                            SHA512

                            2c21ecf8cbad2efe94c7cb55092e5b9e5e8c0392ee15ad04d1571f787761bf26f2f52f3d75a83a321952aeff362a237024779bbdc9c6fd4972c9d76c6038b117

                            Download Submit
                          • \Users\Admin\AppData\Local\Temp\sqlite.dll
                            MD5

                            d2c3e38d64273ea56d503bb3fb2a8b5d

                            SHA1

                            177da7d99381bbc83ede6b50357f53944240d862

                            SHA256

                            25ceb44c2ba4fc9e0153a2f605a70a58b0a42dfaa795667adc11c70bb8909b52

                            SHA512

                            2c21ecf8cbad2efe94c7cb55092e5b9e5e8c0392ee15ad04d1571f787761bf26f2f52f3d75a83a321952aeff362a237024779bbdc9c6fd4972c9d76c6038b117

                            Download Submit
                          • memory/380-133-0x00000277294C0000-0x00000277294C2000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/380-131-0x00000277294C0000-0x00000277294C2000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/380-193-0x0000027729E10000-0x0000027729E82000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/380-155-0x0000027729CA0000-0x0000027729D12000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/380-181-0x00000277294C0000-0x00000277294C2000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1044-141-0x000002BE68FF0000-0x000002BE68FF2000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1044-140-0x000002BE68FF0000-0x000002BE68FF2000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1044-198-0x000002BE69A80000-0x000002BE69AF2000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/1044-185-0x000002BE68FF0000-0x000002BE68FF2000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1044-163-0x000002BE69A00000-0x000002BE69A72000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/1116-184-0x000001E78ECD0000-0x000001E78ECD2000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1116-161-0x000001E78F670000-0x000001E78F6E2000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/1116-197-0x000001E78FC40000-0x000001E78FCB2000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/1116-139-0x000001E78ECD0000-0x000001E78ECD2000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1116-138-0x000001E78ECD0000-0x000001E78ECD2000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1224-188-0x00000253DB290000-0x00000253DB292000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1224-153-0x00000253DB290000-0x00000253DB292000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1224-156-0x00000253DB610000-0x00000253DB682000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/1224-154-0x00000253DB290000-0x00000253DB292000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1224-201-0x00000253DB700000-0x00000253DB772000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/1400-159-0x000001E3A0310000-0x000001E3A0312000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1400-202-0x000001E3A1030000-0x000001E3A10A2000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/1400-162-0x000001E3A0C00000-0x000001E3A0C72000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/1400-158-0x000001E3A0310000-0x000001E3A0312000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1400-189-0x000001E3A0310000-0x000001E3A0312000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1448-186-0x00000210C3190000-0x00000210C3192000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1448-199-0x00000210C3B70000-0x00000210C3BE2000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/1448-146-0x00000210C3970000-0x00000210C39E2000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/1448-143-0x00000210C3190000-0x00000210C3192000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1448-142-0x00000210C3190000-0x00000210C3192000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1488-119-0x0000000000400000-0x0000000000401000-memory.dmp
                            Filesize

                            4KB

                            Download
                          • memory/1488-118-0x0000000000400000-0x0000000000401000-memory.dmp
                            Filesize

                            4KB

                            Download
                          • memory/1820-148-0x000002194E380000-0x000002194E382000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1820-187-0x000002194E380000-0x000002194E382000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/1820-151-0x000002194EAD0000-0x000002194EB42000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/1820-200-0x000002194F040000-0x000002194F0B2000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/1820-147-0x000002194E380000-0x000002194E382000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/2356-136-0x000002208DE70000-0x000002208DE72000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/2356-137-0x000002208DE70000-0x000002208DE72000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/2356-160-0x000002208E620000-0x000002208E692000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/2356-196-0x000002208EBB0000-0x000002208EC22000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/2356-183-0x000002208DE70000-0x000002208DE72000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/2388-157-0x0000020123F80000-0x0000020123FF2000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/2388-195-0x0000020124200000-0x0000020124272000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/2388-135-0x0000020123BC0000-0x0000020123BC2000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/2388-182-0x0000020123BC0000-0x0000020123BC2000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/2388-134-0x0000020123BC0000-0x0000020123BC2000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/2560-191-0x0000023804730000-0x00000238047A2000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/2560-150-0x0000023804300000-0x0000023804372000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/2560-129-0x0000023803860000-0x0000023803862000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/2560-128-0x0000023803860000-0x0000023803862000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/2560-180-0x0000023803860000-0x0000023803862000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/2664-190-0x00000216C03A0000-0x00000216C03A2000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/2664-168-0x00000216C0E00000-0x00000216C0E72000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/2664-165-0x00000216C03A0000-0x00000216C03A2000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/2664-164-0x00000216C03A0000-0x00000216C03A2000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/2664-203-0x00000216C1540000-0x00000216C15B2000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/2688-166-0x0000015D57370000-0x0000015D57372000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/2688-192-0x0000015D57370000-0x0000015D57372000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/2688-194-0x0000015D581B0000-0x0000015D58222000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/2688-167-0x0000015D57370000-0x0000015D57372000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/2688-169-0x0000015D57C40000-0x0000015D57CB2000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/2796-173-0x000001226D300000-0x000001226D405000-memory.dmp
                            Filesize

                            1.0MB

                            Download
                          • memory/2796-130-0x000001226AA80000-0x000001226AA82000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/2796-152-0x000001226A9D0000-0x000001226AA42000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/2796-170-0x000001226AA80000-0x000001226AA82000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/2796-132-0x000001226AA80000-0x000001226AA82000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/2796-171-0x000001226AA80000-0x000001226AA82000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/2796-127-0x00007FF680254060-mapping.dmp
                            Download
                          • memory/2796-172-0x000001226AAB0000-0x000001226AACB000-memory.dmp
                            Filesize

                            108KB

                            Download
                          • memory/3716-174-0x0000000000000000-mapping.dmp
                            Download
                          • memory/3808-124-0x0000000000E5F000-0x0000000000F60000-memory.dmp
                            Filesize

                            1.0MB

                            Download
                          • memory/3808-120-0x0000000000000000-mapping.dmp
                            Download
                          • memory/3808-144-0x0000000000DB0000-0x0000000000E0D000-memory.dmp
                            Filesize

                            372KB

                            Download
                          • memory/3928-175-0x000001B1571B0000-0x000001B1571B4000-memory.dmp
                            Filesize

                            16KB

                            Download
                          • memory/3928-125-0x000001B157140000-0x000001B157142000-memory.dmp
                            Filesize

                            8KB

                            Download
                          • memory/3928-176-0x000001B1571A0000-0x000001B1571A1000-memory.dmp
                            Filesize

                            4KB

                            Download
                          • memory/3928-177-0x000001B1571A0000-0x000001B1571A4000-memory.dmp
                            Filesize

                            16KB

                            Download
                          • memory/3928-179-0x000001B154B80000-0x000001B154B84000-memory.dmp
                            Filesize

                            16KB

                            Download
                          • memory/3928-149-0x000001B157650000-0x000001B1576C2000-memory.dmp
                            Filesize

                            456KB

                            Download
                          • memory/3928-145-0x000001B157380000-0x000001B1573CD000-memory.dmp
                            Filesize

                            308KB

                            Download
                          • memory/3928-126-0x000001B157140000-0x000001B157142000-memory.dmp
                            Filesize

                            8KB

                            Download