Overview

overview

10

Static

static

10

7zS850A099...ed.exe

windows7_x64

10

7zS850A099...ed.exe

windows10-2004_x64

10

7zS850A099...1a.exe

windows7_x64

10

7zS850A099...1a.exe

windows10-2004_x64

1

7zS850A099...b7.exe

windows7_x64

10

7zS850A099...b7.exe

windows10-2004_x64

10

7zS850A099...5e.exe

windows7_x64

10

7zS850A099...5e.exe

windows10-2004_x64

10

7zS850A099...a0.exe

windows7_x64

10

7zS850A099...a0.exe

windows10-2004_x64

10

7zS850A099...95.exe

windows7_x64

7

7zS850A099...95.exe

windows10-2004_x64

7

7zS850A099...cb.exe

windows7_x64

10

7zS850A099...cb.exe

windows10-2004_x64

1

7zS850A099...58.exe

windows7_x64

7

7zS850A099...58.exe

windows10-2004_x64

1

7zS850A099...7f.exe

windows7_x64

7

7zS850A099...7f.exe

windows10-2004_x64

1

7zS850A099...32.exe

windows7_x64

7

7zS850A099...32.exe

windows10-2004_x64

7

7zS850A099...c3.exe

windows7_x64

8

7zS850A099...c3.exe

windows10-2004_x64

8

7zS850A099...e9.exe

windows7_x64

6

7zS850A099...e9.exe

windows10-2004_x64

6

7zS850A099...8c.exe

windows7_x64

8

7zS850A099...8c.exe

windows10-2004_x64

1

7zS850A099...8c.exe

windows7_x64

10

7zS850A099...8c.exe

windows10-2004_x64

10

7zS850A099...ll.exe

windows7_x64

10

7zS850A099...ll.exe

windows10-2004_x64

1

Analysis

  • max time kernel
    148s
  • max time network
    166s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    19-01-2022 08:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7zS850A099E/61e74fd2175cb_Tue23956aa60ed.exe

  • Size

    312KB

  • MD5

    e5a07be6c167ccf605ba9e6a0608e141

  • SHA1

    d50547756f224ebaf38efc1b2e5134b6caa272ba

  • SHA256

    449fb91c32af2d722f418ab4ee0747d0b7457ba69496b2d8f894e6045d69e1e4

  • SHA512

    b66a844121bd42707aab3200f5e2a01765bd00ea3b958e09baeca9cd6856005a17474e72a9635184046d92205be3baf6677951fd8eb42ccebe687efb8b30f13b

Score
10/10
suricata

Malware Config

Signatures

  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • suricata: ET MALWARE ClipBanker Variant Activity (POST)

    suricata: ET MALWARE ClipBanker Variant Activity (POST)

    suricata
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Loads dropped DLL 8 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 11 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 19 IoCs
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:460
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:884
        • C:\Windows\system32\wbem\WMIADAP.EXE
          wmiadap.exe /F /T /R
          3⤵
            PID:1584
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k SystemNetworkService
          2⤵
          • Drops file in System32 directory
          • Checks processor information in registry
          • Modifies data under HKEY_USERS
          • Modifies registry class
          • Suspicious behavior: GetForegroundWindowSpam
          PID:1352
      • C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe
        "C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe"
        1⤵
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1776
        • C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe" -a
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:688
        • C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS850A099E\61e74fd2175cb_Tue23956aa60ed.exe" -a
          2⤵
          • Suspicious use of SetWindowsHookEx
          PID:780
      • C:\Windows\system32\rundll32.exe
        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
        1⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:1832
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
          2⤵
          • Blocklisted process makes network request
          • Loads dropped DLL
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1300
      • C:\Windows\system32\rundll32.exe
        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
        1⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:1208
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
          2⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1144
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 228
            3⤵
            • Program crash
            • Suspicious behavior: EnumeratesProcesses
            PID:780

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      2
      T1082

      Query Registry

      1
      T1012

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        MD5

        84914bb9acef9d5ff2149ca0801bd474

        SHA1

        e8becc33a49889e38e8e235f7a1d4f7943fbadde

        SHA256

        1decf443de313aa9eddc79cf49b159e49fabe228198340e85501cf430495e986

        SHA512

        f4acf152acee3ff5ebb23ddfa6431b5d6fd48777362fc84999dd70e0b1ae95986e8ca5d82076cfbcad08502a3da786d30a358201a2d3064b0bace78f2b4b0f49

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\db.dat
        MD5

        4d0511c6b3fced567deda83f81c485fc

        SHA1

        a76a47f933f27e65fa3b6568c37a15b0dbc01b24

        SHA256

        27f01767425e7e0c2b00e364197be6efce57a0a9d14915fed5b18c74b4ed4f4a

        SHA512

        f5c778c316a9df4c42866cacad962682cd7db99b97e003841865003c162570eabcf88d922e16d1e9fdad0d40702c34c87c3a7e940f297711823063126de1e28b

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\db.dat
        MD5

        4d0511c6b3fced567deda83f81c485fc

        SHA1

        a76a47f933f27e65fa3b6568c37a15b0dbc01b24

        SHA256

        27f01767425e7e0c2b00e364197be6efce57a0a9d14915fed5b18c74b4ed4f4a

        SHA512

        f5c778c316a9df4c42866cacad962682cd7db99b97e003841865003c162570eabcf88d922e16d1e9fdad0d40702c34c87c3a7e940f297711823063126de1e28b

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\db.dll
        MD5

        128d6b829a7c440c0f414266ecbf3010

        SHA1

        2bb5205fb52b9fa37efd036386c24386216209d1

        SHA256

        85e51fec549731fc82e66525c85a14088f82eb08505a6282ec2dc848fa3c56c7

        SHA512

        c1e0f0708d9428ce206eaf4abe9c3567d678d7c1da38397f93194bb144d3f7fa2ddfe502e73f9b03a9aaf8d95bab7ba7de4459f5d18a214a63f52cb63afce686

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\db.dll
        MD5

        128d6b829a7c440c0f414266ecbf3010

        SHA1

        2bb5205fb52b9fa37efd036386c24386216209d1

        SHA256

        85e51fec549731fc82e66525c85a14088f82eb08505a6282ec2dc848fa3c56c7

        SHA512

        c1e0f0708d9428ce206eaf4abe9c3567d678d7c1da38397f93194bb144d3f7fa2ddfe502e73f9b03a9aaf8d95bab7ba7de4459f5d18a214a63f52cb63afce686

        Download Submit
      • \Users\Admin\AppData\Local\Temp\db.dll
        MD5

        128d6b829a7c440c0f414266ecbf3010

        SHA1

        2bb5205fb52b9fa37efd036386c24386216209d1

        SHA256

        85e51fec549731fc82e66525c85a14088f82eb08505a6282ec2dc848fa3c56c7

        SHA512

        c1e0f0708d9428ce206eaf4abe9c3567d678d7c1da38397f93194bb144d3f7fa2ddfe502e73f9b03a9aaf8d95bab7ba7de4459f5d18a214a63f52cb63afce686

        Download Submit
      • \Users\Admin\AppData\Local\Temp\db.dll
        MD5

        128d6b829a7c440c0f414266ecbf3010

        SHA1

        2bb5205fb52b9fa37efd036386c24386216209d1

        SHA256

        85e51fec549731fc82e66525c85a14088f82eb08505a6282ec2dc848fa3c56c7

        SHA512

        c1e0f0708d9428ce206eaf4abe9c3567d678d7c1da38397f93194bb144d3f7fa2ddfe502e73f9b03a9aaf8d95bab7ba7de4459f5d18a214a63f52cb63afce686

        Download Submit
      • \Users\Admin\AppData\Local\Temp\db.dll
        MD5

        128d6b829a7c440c0f414266ecbf3010

        SHA1

        2bb5205fb52b9fa37efd036386c24386216209d1

        SHA256

        85e51fec549731fc82e66525c85a14088f82eb08505a6282ec2dc848fa3c56c7

        SHA512

        c1e0f0708d9428ce206eaf4abe9c3567d678d7c1da38397f93194bb144d3f7fa2ddfe502e73f9b03a9aaf8d95bab7ba7de4459f5d18a214a63f52cb63afce686

        Download Submit
      • \Users\Admin\AppData\Local\Temp\db.dll
        MD5

        128d6b829a7c440c0f414266ecbf3010

        SHA1

        2bb5205fb52b9fa37efd036386c24386216209d1

        SHA256

        85e51fec549731fc82e66525c85a14088f82eb08505a6282ec2dc848fa3c56c7

        SHA512

        c1e0f0708d9428ce206eaf4abe9c3567d678d7c1da38397f93194bb144d3f7fa2ddfe502e73f9b03a9aaf8d95bab7ba7de4459f5d18a214a63f52cb63afce686

        Download Submit
      • \Users\Admin\AppData\Local\Temp\db.dll
        MD5

        128d6b829a7c440c0f414266ecbf3010

        SHA1

        2bb5205fb52b9fa37efd036386c24386216209d1

        SHA256

        85e51fec549731fc82e66525c85a14088f82eb08505a6282ec2dc848fa3c56c7

        SHA512

        c1e0f0708d9428ce206eaf4abe9c3567d678d7c1da38397f93194bb144d3f7fa2ddfe502e73f9b03a9aaf8d95bab7ba7de4459f5d18a214a63f52cb63afce686

        Download Submit
      • \Users\Admin\AppData\Local\Temp\db.dll
        MD5

        128d6b829a7c440c0f414266ecbf3010

        SHA1

        2bb5205fb52b9fa37efd036386c24386216209d1

        SHA256

        85e51fec549731fc82e66525c85a14088f82eb08505a6282ec2dc848fa3c56c7

        SHA512

        c1e0f0708d9428ce206eaf4abe9c3567d678d7c1da38397f93194bb144d3f7fa2ddfe502e73f9b03a9aaf8d95bab7ba7de4459f5d18a214a63f52cb63afce686

        Download Submit
      • \Users\Admin\AppData\Local\Temp\db.dll
        MD5

        128d6b829a7c440c0f414266ecbf3010

        SHA1

        2bb5205fb52b9fa37efd036386c24386216209d1

        SHA256

        85e51fec549731fc82e66525c85a14088f82eb08505a6282ec2dc848fa3c56c7

        SHA512

        c1e0f0708d9428ce206eaf4abe9c3567d678d7c1da38397f93194bb144d3f7fa2ddfe502e73f9b03a9aaf8d95bab7ba7de4459f5d18a214a63f52cb63afce686

        Download Submit
      • \Users\Admin\AppData\Local\Temp\db.dll
        MD5

        128d6b829a7c440c0f414266ecbf3010

        SHA1

        2bb5205fb52b9fa37efd036386c24386216209d1

        SHA256

        85e51fec549731fc82e66525c85a14088f82eb08505a6282ec2dc848fa3c56c7

        SHA512

        c1e0f0708d9428ce206eaf4abe9c3567d678d7c1da38397f93194bb144d3f7fa2ddfe502e73f9b03a9aaf8d95bab7ba7de4459f5d18a214a63f52cb63afce686

        Download Submit
      • memory/780-84-0x0000000000420000-0x0000000000421000-memory.dmp
        Filesize

        4KB

        Download
      • memory/884-68-0x0000000000A80000-0x0000000000AF2000-memory.dmp
        Filesize

        456KB

        Download
      • memory/884-66-0x00000000008E0000-0x000000000092D000-memory.dmp
        Filesize

        308KB

        Download
      • memory/1144-83-0x0000000001DA0000-0x0000000001EA1000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/1300-67-0x0000000000860000-0x00000000008BD000-memory.dmp
        Filesize

        372KB

        Download
      • memory/1300-65-0x0000000001D50000-0x0000000001E51000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/1352-72-0x000007FEFC321000-0x000007FEFC323000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1352-73-0x0000000000270000-0x000000000028B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/1352-74-0x0000000000290000-0x00000000002B9000-memory.dmp
        Filesize

        164KB

        Download
      • memory/1352-75-0x00000000030B0000-0x00000000031B5000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/1352-71-0x00000000004C0000-0x0000000000532000-memory.dmp
        Filesize

        456KB

        Download
      • memory/1352-70-0x0000000000060000-0x00000000000AD000-memory.dmp
        Filesize

        308KB

        Download
      • memory/1776-54-0x0000000076C61000-0x0000000076C63000-memory.dmp
        Filesize

        8KB

        Download