Analysis
- max time kernel: 154s
- max time network: 166s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 16-02-2022 12:02
- Static task: static1
- Behavioral task: behavioral1
  - Sample: d62c1f65b0ad9427fa41e32951526435e372d2f09bb81e6079dabdad915f84b4.exe
  - Resource: win7-en-20211208
General
- Target: d62c1f65b0ad9427fa41e32951526435e372d2f09bb81e6079dabdad915f84b4.exe
- Size: 120KB
- MD5: e5d69699bde3b15ff93d21c5b673bd8a
- SHA1: 7407968eb3d942ebabee4b432df4c4a9ac96c3e3
- SHA256: d62c1f65b0ad9427fa41e32951526435e372d2f09bb81e6079dabdad915f84b4
- SHA512: 46312be3e25e994e56e92869ea93a2452a149d0c04fb9067f13412f5d5f527597ec1c62a2c682d93a6d84f8b9065c21713177056f6853427853bdf9aa4038121
Malware Config
- Extracted family: allcome
- C2 URL: http://dba692117be7b6d3480fe5220fdd58b38bf.xyz/exp.php?usr=Class1c228
- Replacement wallet addresses (the addresses a clipper writes into the clipboard in place of the one the victim copied; the chain labels in parentheses are inferred from address format and are not stated by the sandbox):
  - D92TTxkBTyJfavHWmAJfHpZRLeUY9ReHvf (Dogecoin format)
  - rEtKYAu1Pwa9ydAB9YfXrTgVTtwB7QAghY (XRP format)
  - 0x4aab8F9FFFE07459b1365A10405a4Fe7Aa7F1f81 (Ethereum format; appears twice in the configuration)
  - XeZnNrJyBV3NimCP61bnJK8EYEqe984rn8 (Dash format)
  - t1Vrj6CU9hHRwiuoSWDhgwtRhmPxRu9MqXs (Zcash transparent-address format)
  - GBEARLBYJHWXMY7AFAGF7VGMRMRK2D5HSRADSABSPMRIW6XPDQBRQSMI (Stellar format)
  - 0x43B091611E359447bAC8b2aE1619424A8417De38 (Ethereum format)
  - qqvqg5fjmjjkd6egvwxv5et63jpakdqvuq3ye335x0 (Bitcoin Cash cashaddr format)
  - bc1qrzlvgv39ynr32vzacpg8y4y4yklmr370sxwqj3 (Bitcoin bech32 format)
  - 0x4aab8F9FFFE07459b1365A10405a4Fe7Aa7F1f81 (Ethereum format; duplicate of the entry above)
  - ltc1qef2n5uu37e34nvtrfhnurdj9lc574h90grpa0e (Litecoin bech32 format)
  - 380990138409 (12-digit numeric value; not a cryptocurrency address, and the page does not show what it is used for)
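The address list above is the payload of a clipper: each entry stands in for whatever address of the same kind the victim copies. The Python below is an added example, not code from the report or from the malware. It classifies each extracted address by format alone (no checksum verification) and walks a constructed clipboard timeline to flag the clipper's signature pattern, an address replaced by a different address of the same chain. The chain labels, the regular expressions and the clipboard history are the example's own assumptions; the configured addresses are copied from the list above.

```python
"""Classify the wallet addresses from the extracted 'allcome' configuration
and flag clipboard substitutions of the kind a clipper performs.

Added example, not part of the sandbox report or of the malware. The
addresses are copied from the Malware Config section; chain labels are
inferred from address format, and the clipboard timeline is constructed.
"""
import re

CONFIG_ADDRESSES = [
    "D92TTxkBTyJfavHWmAJfHpZRLeUY9ReHvf",
    "rEtKYAu1Pwa9ydAB9YfXrTgVTtwB7QAghY",
    "0x4aab8F9FFFE07459b1365A10405a4Fe7Aa7F1f81",
    "XeZnNrJyBV3NimCP61bnJK8EYEqe984rn8",
    "t1Vrj6CU9hHRwiuoSWDhgwtRhmPxRu9MqXs",
    "GBEARLBYJHWXMY7AFAGF7VGMRMRK2D5HSRADSABSPMRIW6XPDQBRQSMI",
    "0x43B091611E359447bAC8b2aE1619424A8417De38",
    "qqvqg5fjmjjkd6egvwxv5et63jpakdqvuq3ye335x0",
    "bc1qrzlvgv39ynr32vzacpg8y4y4yklmr370sxwqj3",
    "0x4aab8F9FFFE07459b1365A10405a4Fe7Aa7F1f81",
    "ltc1qef2n5uu37e34nvtrfhnurdj9lc574h90grpa0e",
    "380990138409",
]

B58 = r"[1-9A-HJ-NP-Za-km-z]"   # base58 alphabet: no 0, O, I, l
B32 = r"[02-9ac-hj-np-z]"       # bech32 / cashaddr alphabet: no 1, b, i, o

# Format-only checks (no checksum verification). They are mutually
# exclusive, which is all that pairing a copied address with a
# replacement of the same chain needs.
ADDRESS_PATTERNS = [
    ("bitcoin-bech32", re.compile(r"^bc1" + B32 + r"{6,87}$")),
    ("litecoin-bech32", re.compile(r"^ltc1" + B32 + r"{6,87}$")),
    ("bitcoincash", re.compile(r"^(bitcoincash:)?q" + B32 + r"{41}$")),
    ("ethereum", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("dogecoin", re.compile(r"^D" + B58 + r"{33}$")),
    ("dash", re.compile(r"^X" + B58 + r"{33}$")),
    ("zcash-t", re.compile(r"^t1" + B58 + r"{33}$")),
    ("ripple", re.compile(r"^r" + B58 + r"{24,34}$")),
    ("stellar", re.compile(r"^G[A-Z2-7]{55}$")),
]


def classify(value):
    """Return the chain label for an address-looking string, else None."""
    value = value.strip()
    for label, pattern in ADDRESS_PATTERNS:
        if pattern.match(value):
            return label
    return None


def classify_config(addresses=CONFIG_ADDRESSES):
    """Map each configured replacement address to its inferred chain label."""
    return [(addr, classify(addr)) for addr in addresses]


def detect_swaps(clipboard_history, known_bad=frozenset(CONFIG_ADDRESSES)):
    """Walk consecutive clipboard values and report each place where an
    address was replaced by a different address of the same chain.
    Each hit is (chain, before, after, after_is_in_config)."""
    hits = []
    for before, after in zip(clipboard_history, clipboard_history[1:]):
        chain = classify(before)
        if chain is not None and chain == classify(after) and before != after:
            hits.append((chain, before, after, after in known_bad))
    return hits


# Constructed clipboard timeline: two user copies, each followed by the
# clipboard being rewritten with the matching address from the config.
SAMPLE_CLIPBOARD = [
    "meeting at 3",
    "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4",  # BIP173 example address
    "bc1qrzlvgv39ynr32vzacpg8y4y4yklmr370sxwqj3",  # from the config
    "0x0000000000000000000000000000000000000001",  # made-up destination
    "0x43B091611E359447bAC8b2aE1619424A8417De38",  # from the config
    "thanks",
]

if __name__ == "__main__":
    for addr, label in classify_config():
        print(f"{label or 'unclassified':16} {addr}")
    for hit in detect_swaps(SAMPLE_CLIPBOARD):
        print("swap:", hit)
```

On a live host the same comparison would run on successive clipboard snapshots; the format check is deliberately loose so that a swap is caught even when the attacker's address would fail a checksum, and the `after_is_in_config` flag tells a responder whether the replacement is already a known indicator or a new one worth extracting.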
Signatures
- suricata: ET MALWARE Win32/ClipBanker.OC CnC Activity M1
- Executes dropped EXE (3 IoCs)
  PID 632 subst.exe, PID 1940 subst.exe, PID 928 subst.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour. (This is the sandbox's generic description for the signature; the Suricata ClipBanker alert and the wallet addresses in the extracted configuration point to clipboard hijacking, not file encryption.)
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 928 subst.exe (all 64 events come from this one instance)
- Suspicious use of WriteProcessMemory (16 IoCs)
  PID 1500 d62c1f65b0ad9427fa41e32951526435e372d2f09bb81e6079dabdad915f84b4.exe wrote to PID 1176 schtasks.exe (4 events)
  PID 1072 taskeng.exe wrote to PID 632 subst.exe (4 events)
  PID 1072 taskeng.exe wrote to PID 1940 subst.exe (4 events)
  PID 1072 taskeng.exe wrote to PID 928 subst.exe (4 events)
  Four writes per child, each from the process that launched it, is consistent with ordinary process creation (the parent writes the child's startup data) rather than injection; no other write target appears in the report.
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\d62c1f65b0ad9427fa41e32951526435e372d2f09bb81e6079dabdad915f84b4.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\d62c1f65b0ad9427fa41e32951526435e372d2f09bb81e6079dabdad915f84b4.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\schtasks.exe
    command line: "C:\Windows\System32\schtasks.exe" /Create /tn NvTmRep_CrashReport3_{B2FE1952-0186} /sc MINUTE /tr C:\Users\Admin\AppData\Local\CrashDumps\subst.exe
    - Creates scheduled task(s)
- [1] C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {0AE5574B-234A-40A9-B10C-3942FE3E2578} S-1-5-21-2329389628-4064185017-3901522362-1000:QSKGHMYQ\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\CrashDumps\subst.exe
    command line: C:\Users\Admin\AppData\Local\CrashDumps\subst.exe
    - Executes dropped EXE
  - [2] C:\Users\Admin\AppData\Local\CrashDumps\subst.exe
    command line: C:\Users\Admin\AppData\Local\CrashDumps\subst.exe
    - Executes dropped EXE
  - [2] C:\Users\Admin\AppData\Local\CrashDumps\subst.exe
    command line: C:\Users\Admin\AppData\Local\CrashDumps\subst.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses

Notes on the tree: the sample asks for System32\schtasks.exe but the child image is SysWOW64\schtasks.exe, which is WOW64 file-system redirection acting on a 32-bit parent. /sc MINUTE with no /mo schedules the task every minute, which matches the three subst.exe launches by the Task Scheduler engine (taskeng.exe) within the 154 s run. The task name resembles the NVIDIA telemetry crash-report tasks, and the action path sits in the user's own profile, so no elevation is needed to create it.
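The schtasks.exe command line in the tree is the whole persistence mechanism, and it is the kind of line a detection rule should catch. The following Python is an added example, not part of the report: it tokenises a schtasks command line, pulls out the verb and switches, and flags task creations whose action runs from a user-writable directory or that fire every minute. The first sample line is copied from the process tree above; the two benign control lines and the list of user-writable directories are constructed for the example.

```python
"""Flag schtasks-based persistence like the task created in this report.

Added example, not part of the sandbox output. The first command line is
copied from the process tree; the benign ones are constructed controls.
"""
import re

# Constructed input: one real line from the report plus two benign controls.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /tn NvTmRep_CrashReport3_{B2FE1952-0186} '
    r'/sc MINUTE /tr C:\Users\Admin\AppData\Local\CrashDumps\subst.exe',
    r'"C:\Windows\System32\schtasks.exe" /Create /tn NightlyBackup /sc DAILY /st 02:00 '
    r'/tr "C:\Program Files\Backup\run.exe"',
    r'"C:\Windows\System32\schtasks.exe" /Query /tn NightlyBackup',
]

# Quoted strings stay whole; everything else splits on whitespace.
TOKEN = re.compile(r'"[^"]*"|\S+')

# Directories a standard user can write to (assumed list for the example);
# an autostart action living in one of them is a common persistence tell.
USER_WRITABLE = re.compile(
    r'^[A-Za-z]:\\(Users\\[^\\]+\\AppData\\|Users\\Public\\|ProgramData\\|Windows\\Temp\\)',
    re.IGNORECASE,
)

VERBS = {"create", "delete", "query", "run", "change", "end"}


def parse_schtasks(cmdline):
    """Split a schtasks command line into (image, verb, switches).

    switches maps lower-cased switch names (no slash) to their value, or to
    True for bare flags. Returns None if the image is not schtasks.exe."""
    tokens = [t.strip('"') for t in TOKEN.findall(cmdline)]
    if not tokens or not tokens[0].lower().endswith("schtasks.exe"):
        return None
    verb, switches = None, {}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            name = tok[1:].lower()
            if name in VERBS:
                verb = name
            elif i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                switches[name] = tokens[i + 1]
                i += 1
            else:
                switches[name] = True
        i += 1
    return tokens[0], verb, switches


def assess_schtasks(cmdline):
    """Return the reasons a schtasks command line looks like malware
    persistence; an empty list means nothing was flagged."""
    parsed = parse_schtasks(cmdline)
    if parsed is None or parsed[1] != "create":
        return []
    switches = parsed[2]
    action = switches.get("tr", "")
    if action is True:  # bare /tr with no value
        action = ""
    reasons = []
    if USER_WRITABLE.match(action):
        reasons.append("action runs from a user-writable path: " + action)
    # /sc MINUTE without /mo means every single minute, which is how this
    # sample got three subst.exe launches inside a 154 s run.
    if str(switches.get("sc", "")).upper() == "MINUTE" and "mo" not in switches:
        reasons.append("task fires every minute (/sc MINUTE without /mo)")
    return reasons


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(assess_schtasks(line) or "clean", "<-", line)
```

The same two checks translate directly into an EDR or Sysmon process-creation rule (image ends in schtasks.exe, command line contains /Create, and the /tr argument starts with a user-profile or ProgramData path); the tokeniser here only exists so the argument can be pulled out reliably when it is quoted.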
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\CrashDumps\subst.exe (listed four times in the report, once per subst.exe entry; every entry carries the same hashes)
  MD5: e5d69699bde3b15ff93d21c5b673bd8a
  SHA1: 7407968eb3d942ebabee4b432df4c4a9ac96c3e3
  SHA256: d62c1f65b0ad9427fa41e32951526435e372d2f09bb81e6079dabdad915f84b4
  SHA512: 46312be3e25e994e56e92869ea93a2452a149d0c04fb9067f13412f5d5f527597ec1c62a2c682d93a6d84f8b9065c21713177056f6853427853bdf9aa4038121
  These hashes match the submitted sample exactly, so subst.exe is a byte-for-byte copy of the original executable placed in the user's AppData\Local\CrashDumps directory for the scheduled task to run; a hash or YARA match on the original covers the dropped copy as well.
- memory/1500-55-0x0000000075831000-0x0000000075833000-memory.dmp
  Filesize: 8KB