Overview

overview

10

Static

static

c7e52cc6f1...ed.exe

windows7_x64

10

c7e52cc6f1...ed.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    01-02-2022 16:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c7e52cc6f1f659ec5d30473e89b7136216de5fbe53ec77a62f1a486d8ffe78ed.exe

  • Size

    100KB

  • MD5

    bb0a17a7e856d61bd43c62a822d96b07

  • SHA1

    aca43b3ca96ca6c80219d9e4ed8d498001313c5e

  • SHA256

    c7e52cc6f1f659ec5d30473e89b7136216de5fbe53ec77a62f1a486d8ffe78ed

  • SHA512

    8ee7b45476d3efdfdf3161c474c347b39a954ae04042f8f9b5a0a2db7291982a253c924d0668d942c253fd7c25fda7a3270cfaacd00de2a960d8065bb5c01f77

Score
10/10
clopransomware

Malware Config

Extracted

Path

C:\ClopReadMe.txt

Family

clop

Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN – files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. Photorec, RannohDecryptor etc. repair tools are useless and can destroy your files irreversibly. If you want to restore your files write to emails (contacts are at the bottom of the sheet) and attach 2-3 encrypted files (Less than 5 Mb each, non-archived and your files should not contain valuable information (Databases, backups, large excel sheets, etc.)). You will receive decrypted samples and our conditions how to get the decoder. Attention!!! Your warranty - decrypted samples. Do not rename encrypted files. Do not try to decrypt your data using third party software. We don`t need your files and your information. But after 2 weeks all your files and keys will be deleted automatically. Contact emails: [email protected] or [email protected] The final price depends on how fast you write to us. Clop

Signatures

  • Clop

    Ransomware discovered in early 2019 which has been actively developed since release.

    ransomwareclop
  • Modifies extensions of user files 2 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops desktop.ini file(s) 25 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c7e52cc6f1f659ec5d30473e89b7136216de5fbe53ec77a62f1a486d8ffe78ed.exe
    "C:\Users\Admin\AppData\Local\Temp\c7e52cc6f1f659ec5d30473e89b7136216de5fbe53ec77a62f1a486d8ffe78ed.exe"
    1⤵
    • Modifies extensions of user files
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    PID:1092

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1092-54-0x0000000076121000-0x0000000076123000-memory.dmp

    Filesize

    8KB

    Download