Overview

overview

5

Static

static

clipe.exe

windows7_x64

5

clipe.exe

windows10_x64

5

clipe.exe

windows10-2004_x64

1

clipe.exe

windows11_x64

Analysis

  • max time kernel
    353s
  • max time network
    1567s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    21-01-2022 22:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    clipe.exe

  • Size

    612KB

  • MD5

    2c55be40df541743683b7be0cdcd31bc

  • SHA1

    bcecc9ef412126cbda6798e9dcf95cd107b47c53

  • SHA256

    a4e9f83090da94f3e24bc1792c953c62c4cc9f6ee0ba68a5b820349738d005a4

  • SHA512

    5038292a69b4ef206df0227684b704b044a8add66dbdb3d8eebd0997ec63a4f654fca08abed5bcacaad96b98bcb695d294872d661da6a64a5b8cbde1e2154ef6

Score
5/10

Malware Config

Signatures

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\clipe.exe
    "C:\Users\Admin\AppData\Local\Temp\clipe.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2776
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\clipe.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1236
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GLefxgzw" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE7CC.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1212
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
        PID:2172
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        2⤵
          PID:3564
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          2⤵
            PID:2696

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1236-146-0x0000000009740000-0x0000000009773000-memory.dmp

          Filesize

          204KB

          Download

        • memory/1236-147-0x0000000009700000-0x000000000971E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/1236-131-0x00000000074D0000-0x00000000074F2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/1236-353-0x0000000008900000-0x0000000008908000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1236-132-0x0000000007CE0000-0x0000000007D46000-memory.dmp

          Filesize

          408KB

          Download

        • memory/1236-348-0x0000000008910000-0x000000000892A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/1236-155-0x0000000004C73000-0x0000000004C74000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1236-154-0x0000000009A30000-0x0000000009AC4000-memory.dmp

          Filesize

          592KB

          Download

        • memory/1236-125-0x0000000004B60000-0x0000000004B96000-memory.dmp

          Filesize

          216KB

          Download

        • memory/1236-153-0x000000007EBA0000-0x000000007EBA1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1236-127-0x00000000076B0000-0x0000000007CD8000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/1236-133-0x0000000007D50000-0x0000000007DB6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/1236-129-0x0000000004C72000-0x0000000004C73000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1236-152-0x0000000009870000-0x0000000009915000-memory.dmp

          Filesize

          660KB

          Download

        • memory/1236-137-0x00000000086B0000-0x0000000008726000-memory.dmp

          Filesize

          472KB

          Download

        • memory/1236-136-0x0000000008370000-0x00000000083BB000-memory.dmp

          Filesize

          300KB

          Download

        • memory/1236-128-0x0000000004C70000-0x0000000004C71000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1236-134-0x0000000007FA0000-0x00000000082F0000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/1236-135-0x0000000007E80000-0x0000000007E9C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/2696-130-0x0000000005690000-0x0000000005691000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2696-126-0x0000000000400000-0x000000000040A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2776-119-0x00000000051D0000-0x00000000051DA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2776-117-0x0000000005220000-0x00000000052B2000-memory.dmp

          Filesize

          584KB

          Download

        • memory/2776-115-0x0000000000900000-0x00000000009A0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/2776-116-0x0000000005720000-0x0000000005C1E000-memory.dmp

          Filesize

          5.0MB

          Download

        • memory/2776-122-0x0000000008BC0000-0x0000000008C0A000-memory.dmp

          Filesize

          296KB

          Download

        • memory/2776-121-0x0000000008AA0000-0x0000000008B3C000-memory.dmp

          Filesize

          624KB

          Download

        • memory/2776-120-0x0000000008760000-0x0000000008778000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2776-118-0x0000000005220000-0x000000000571E000-memory.dmp

          Filesize

          5.0MB

          Download