a4e9f83090da94f3e24bc1792c953c62c4cc9f6ee0ba68a5b820349738d005a4

Analysis

max time kernel
122s
max time network
305s
platform
windows10_x64
resource
win10-en-20211208
submitted
16-01-2022 11:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

clipe (1).exe
Size

612KB
MD5

2c55be40df541743683b7be0cdcd31bc
SHA1

bcecc9ef412126cbda6798e9dcf95cd107b47c53
SHA256

a4e9f83090da94f3e24bc1792c953c62c4cc9f6ee0ba68a5b820349738d005a4
SHA512

5038292a69b4ef206df0227684b704b044a8add66dbdb3d8eebd0997ec63a4f654fca08abed5bcacaad96b98bcb695d294872d661da6a64a5b8cbde1e2154ef6

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

clipe (1).exe

description	pid	Process	procid_target
PID 2480 set thread context of 488	2480	clipe (1).exe	73

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exe

pid	Process
1440	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid	Process
3972	powershell.exe
3972	powershell.exe
3972	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description	pid	Process
Token: SeDebugPrivilege	3972	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

clipe (1).exe

description	pid	Process	procid_target
PID 2480 wrote to memory of 3972	2480	clipe (1).exe	69
PID 2480 wrote to memory of 3972	2480	clipe (1).exe	69
PID 2480 wrote to memory of 3972	2480	clipe (1).exe	69
PID 2480 wrote to memory of 1440	2480	clipe (1).exe	71
PID 2480 wrote to memory of 1440	2480	clipe (1).exe	71
PID 2480 wrote to memory of 1440	2480	clipe (1).exe	71
PID 2480 wrote to memory of 488	2480	clipe (1).exe	73
PID 2480 wrote to memory of 488	2480	clipe (1).exe	73
PID 2480 wrote to memory of 488	2480	clipe (1).exe	73
PID 2480 wrote to memory of 488	2480	clipe (1).exe	73
PID 2480 wrote to memory of 488	2480	clipe (1).exe	73
PID 2480 wrote to memory of 488	2480	clipe (1).exe	73
PID 2480 wrote to memory of 488	2480	clipe (1).exe	73
PID 2480 wrote to memory of 488	2480	clipe (1).exe	73

C:\Users\Admin\AppData\Local\Temp\clipe (1).exe
"C:\Users\Admin\AppData\Local\Temp\clipe (1).exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\clipe (1).exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3972
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GLefxgzw" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA7B5.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/488-141-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/488-134-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/488-131-0x000000000040416E-mapping.dmp

Download
memory/488-136-0x00000000058C0000-0x0000000005952000-memory.dmp

Filesize
584KB

Download
memory/488-133-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/488-129-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/488-135-0x0000000005D20000-0x000000000621E000-memory.dmp

Filesize
5.0MB

Download
memory/488-138-0x0000000005880000-0x000000000588A000-memory.dmp

Filesize
40KB

Download
memory/1440-127-0x0000000000000000-mapping.dmp

Download
memory/2480-119-0x00000000050E0000-0x00000000055DE000-memory.dmp

Filesize
5.0MB

Download
memory/2480-115-0x0000000000810000-0x00000000008B0000-memory.dmp

Filesize
640KB

Download
memory/2480-123-0x0000000008AF0000-0x0000000008B3A000-memory.dmp

Filesize
296KB

Download
memory/2480-122-0x0000000008A20000-0x0000000008ABC000-memory.dmp

Filesize
624KB

Download
memory/2480-121-0x0000000005300000-0x0000000005318000-memory.dmp

Filesize
96KB

Download
memory/2480-120-0x00000000050E0000-0x00000000050EA000-memory.dmp

Filesize
40KB

Download
memory/2480-118-0x0000000005180000-0x0000000005212000-memory.dmp

Filesize
584KB

Download
memory/2480-117-0x00000000055E0000-0x0000000005ADE000-memory.dmp

Filesize
5.0MB

Download
memory/2480-116-0x0000000000810000-0x00000000008B0000-memory.dmp

Filesize
640KB

Download
memory/3972-139-0x0000000007820000-0x0000000007842000-memory.dmp

Filesize
136KB

Download
memory/3972-155-0x00000000079D0000-0x0000000007FF8000-memory.dmp

Filesize
6.2MB

Download
memory/3972-132-0x0000000004F22000-0x0000000004F23000-memory.dmp

Filesize
4KB

Download
memory/3972-128-0x0000000004ED0000-0x0000000004F06000-memory.dmp

Filesize
216KB

Download
memory/3972-137-0x00000000079D0000-0x0000000007FF8000-memory.dmp

Filesize
6.2MB

Download
memory/3972-125-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/3972-126-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/3972-140-0x0000000008000000-0x0000000008066000-memory.dmp

Filesize
408KB

Download
memory/3972-124-0x0000000000000000-mapping.dmp

Download
memory/3972-142-0x0000000008190000-0x00000000081F6000-memory.dmp

Filesize
408KB

Download
memory/3972-143-0x00000000083E0000-0x0000000008730000-memory.dmp

Filesize
3.3MB

Download
memory/3972-144-0x00000000080D0000-0x00000000080EC000-memory.dmp

Filesize
112KB

Download
memory/3972-145-0x0000000008BD0000-0x0000000008C1B000-memory.dmp

Filesize
300KB

Download
memory/3972-146-0x0000000008990000-0x0000000008A06000-memory.dmp

Filesize
472KB

Download
memory/3972-147-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/3972-130-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download
memory/3972-156-0x000000007E920000-0x000000007E921000-memory.dmp

Filesize
4KB

Download
memory/3972-157-0x0000000009880000-0x00000000098B3000-memory.dmp

Filesize
204KB

Download
memory/3972-158-0x0000000009880000-0x00000000098B3000-memory.dmp

Filesize
204KB

Download
memory/3972-159-0x0000000007820000-0x0000000007842000-memory.dmp

Filesize
136KB

Download
memory/3972-160-0x0000000008000000-0x0000000008066000-memory.dmp

Filesize
408KB

Download
memory/3972-161-0x0000000008190000-0x00000000081F6000-memory.dmp

Filesize
408KB

Download
memory/3972-162-0x0000000008BD0000-0x0000000008C1B000-memory.dmp

Filesize
300KB

Download
memory/3972-163-0x0000000008990000-0x0000000008A06000-memory.dmp

Filesize
472KB

Download
memory/3972-164-0x0000000009860000-0x000000000987E000-memory.dmp

Filesize
120KB

Download
memory/3972-169-0x0000000009BD0000-0x0000000009C75000-memory.dmp

Filesize
660KB

Download
memory/3972-170-0x0000000004F23000-0x0000000004F24000-memory.dmp

Filesize
4KB

Download
memory/3972-171-0x0000000009DC0000-0x0000000009E54000-memory.dmp

Filesize
592KB

Download
memory/3972-364-0x0000000009D50000-0x0000000009D6A000-memory.dmp

Filesize
104KB

Download
memory/3972-369-0x0000000009D50000-0x0000000009D6A000-memory.dmp

Filesize
104KB

Download
memory/3972-370-0x0000000009D40000-0x0000000009D48000-memory.dmp

Filesize
32KB

Download
memory/3972-375-0x0000000009D40000-0x0000000009D48000-memory.dmp

Filesize
32KB

Download