Overview

overview

10

Static

static

10

7zS8A52FD1...f3.exe

windows7_x64

8

7zS8A52FD1...f3.exe

windows10-2004_x64

8

7zS8A52FD1...62.exe

windows7_x64

7

7zS8A52FD1...62.exe

windows10-2004_x64

7

7zS8A52FD1...9a.exe

windows7_x64

10

7zS8A52FD1...9a.exe

windows10-2004_x64

10

7zS8A52FD1...8a.exe

windows7_x64

10

7zS8A52FD1...8a.exe

windows10-2004_x64

10

7zS8A52FD1...f5.exe

windows7_x64

1

7zS8A52FD1...f5.exe

windows10-2004_x64

1

7zS8A52FD1...68.exe

windows7_x64

7

7zS8A52FD1...68.exe

windows10-2004_x64

7

7zS8A52FD1...41.exe

windows7_x64

7

7zS8A52FD1...41.exe

windows10-2004_x64

7

7zS8A52FD1...cd.exe

windows7_x64

8

7zS8A52FD1...cd.exe

windows10-2004_x64

8

7zS8A52FD1...71.exe

windows7_x64

5

7zS8A52FD1...71.exe

windows10-2004_x64

5

7zS8A52FD1...9c.exe

windows7_x64

10

7zS8A52FD1...9c.exe

windows10-2004_x64

10

7zS8A52FD1...0d.exe

windows7_x64

1

7zS8A52FD1...0d.exe

windows10-2004_x64

1

7zS8A52FD1...ff.exe

windows7_x64

10

7zS8A52FD1...ff.exe

windows10-2004_x64

10

7zS8A52FD1...68.exe

windows7_x64

10

7zS8A52FD1...68.exe

windows10-2004_x64

10

7zS8A52FD1...-1.dll

windows7_x64

3

7zS8A52FD1...-1.dll

windows10-2004_x64

3

7zS8A52FD1...-6.dll

windows7_x64

3

7zS8A52FD1...-6.dll

windows10-2004_x64

3

7zS8A52FD1...-1.dll

windows7_x64

1

7zS8A52FD1...-1.dll

windows10-2004_x64

1

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    09-06-2022 14:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7zS8A52FD1B/62a1ea23da745_6e68c9a.exe

  • Size

    312KB

  • MD5

    0cad21764fe956f3028096ff3ff37549

  • SHA1

    09ceb67ca8d995e8811e6f0d13f7b01377f7f8c5

  • SHA256

    f65a68dcc63bd141e3a6619ed81b9c0ff3a5492ebd73034f8c794681f1875e3e

  • SHA512

    4733ea55c8aa918cd7dc35bfb97f5b9f59653244bae98caa3b9d4c7c60f8d7d249e8c20b191345923aa0db60137a0a04b8b20f589bef164076e2f8ec89529542

Score
10/10
suricata

Malware Config

Signatures

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • suricata: ET MALWARE ClipBanker Variant Activity (POST)

    suricata: ET MALWARE ClipBanker Variant Activity (POST)

    suricata
  • Loads dropped DLL 4 IoCs
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 11 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 22 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
    evasionspywaretrojan
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:464
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:876
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k SystemNetworkService
        2⤵
        • Drops file in System32 directory
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        PID:1804
    • C:\Users\Admin\AppData\Local\Temp\7zS8A52FD1B\62a1ea23da745_6e68c9a.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS8A52FD1B\62a1ea23da745_6e68c9a.exe"
      1⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1884
      • C:\Users\Admin\AppData\Local\Temp\7zS8A52FD1B\62a1ea23da745_6e68c9a.exe
        "C:\Users\Admin\AppData\Local\Temp\7zS8A52FD1B\62a1ea23da745_6e68c9a.exe" help
        2⤵
        • Modifies system certificate store
        • Suspicious use of SetWindowsHookEx
        PID:868
    • C:\Windows\system32\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
      1⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1696
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
        2⤵
        • Loads dropped DLL
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1432

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Install Root Certificate

    1
    T1130

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    2
    T1082

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\db.dat
      Filesize

      557KB

      MD5

      215e381e9a16deb017b550e8a2480760

      SHA1

      56f4a18a314b001d2d1408e5825ed6bdf89b9f45

      SHA256

      6131812d6cdf3460443e46b4b348cb57e14c295c14fd78d7b994f9b790bfc491

      SHA512

      d1e7299b26928e8ebb08cc9d050bde2577c3f3170cfacf842e9fdabbe23c941e20445451860dbdbdc468a348b068a08447f193f7b2865140bf48920ae461197b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\db.dll
      Filesize

      52KB

      MD5

      7ffef7319bb7963fa71d05c0b3026f02

      SHA1

      e1f2ef0b151923e4312d5e958ff438beb6ba1d5b

      SHA256

      4f17ad05d7ed000195571c44a080d188f2309b92773fab60ca4e569864fa6fa4

      SHA512

      dea9e5627032ed95d34baa6677e64b3b8ffd12e512aee7b2db9ee6509357ec74366eb005379a327cb600a6c597479d7e48102b4c60bc57ba54b612ece30d3ed2

      Download Submit
    • \Users\Admin\AppData\Local\Temp\db.dll
      Filesize

      52KB

      MD5

      7ffef7319bb7963fa71d05c0b3026f02

      SHA1

      e1f2ef0b151923e4312d5e958ff438beb6ba1d5b

      SHA256

      4f17ad05d7ed000195571c44a080d188f2309b92773fab60ca4e569864fa6fa4

      SHA512

      dea9e5627032ed95d34baa6677e64b3b8ffd12e512aee7b2db9ee6509357ec74366eb005379a327cb600a6c597479d7e48102b4c60bc57ba54b612ece30d3ed2

      Download Submit
    • \Users\Admin\AppData\Local\Temp\db.dll
      Filesize

      52KB

      MD5

      7ffef7319bb7963fa71d05c0b3026f02

      SHA1

      e1f2ef0b151923e4312d5e958ff438beb6ba1d5b

      SHA256

      4f17ad05d7ed000195571c44a080d188f2309b92773fab60ca4e569864fa6fa4

      SHA512

      dea9e5627032ed95d34baa6677e64b3b8ffd12e512aee7b2db9ee6509357ec74366eb005379a327cb600a6c597479d7e48102b4c60bc57ba54b612ece30d3ed2

      Download Submit
    • \Users\Admin\AppData\Local\Temp\db.dll
      Filesize

      52KB

      MD5

      7ffef7319bb7963fa71d05c0b3026f02

      SHA1

      e1f2ef0b151923e4312d5e958ff438beb6ba1d5b

      SHA256

      4f17ad05d7ed000195571c44a080d188f2309b92773fab60ca4e569864fa6fa4

      SHA512

      dea9e5627032ed95d34baa6677e64b3b8ffd12e512aee7b2db9ee6509357ec74366eb005379a327cb600a6c597479d7e48102b4c60bc57ba54b612ece30d3ed2

      Download Submit
    • \Users\Admin\AppData\Local\Temp\db.dll
      Filesize

      52KB

      MD5

      7ffef7319bb7963fa71d05c0b3026f02

      SHA1

      e1f2ef0b151923e4312d5e958ff438beb6ba1d5b

      SHA256

      4f17ad05d7ed000195571c44a080d188f2309b92773fab60ca4e569864fa6fa4

      SHA512

      dea9e5627032ed95d34baa6677e64b3b8ffd12e512aee7b2db9ee6509357ec74366eb005379a327cb600a6c597479d7e48102b4c60bc57ba54b612ece30d3ed2

      Download Submit
    • memory/868-55-0x0000000000000000-mapping.dmp
      Download
    • memory/876-71-0x0000000000810000-0x000000000085D000-memory.dmp
      Filesize

      308KB

      Download
    • memory/876-74-0x0000000000810000-0x000000000085D000-memory.dmp
      Filesize

      308KB

      Download
    • memory/876-72-0x0000000000BF0000-0x0000000000C62000-memory.dmp
      Filesize

      456KB

      Download
    • memory/1432-69-0x00000000002A0000-0x00000000002FD000-memory.dmp
      Filesize

      372KB

      Download
    • memory/1432-68-0x0000000001F20000-0x0000000002021000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1432-58-0x0000000000000000-mapping.dmp
      Download
    • memory/1804-67-0x00000000FFC6246C-mapping.dmp
      Download
    • memory/1804-70-0x0000000000060000-0x00000000000AD000-memory.dmp
      Filesize

      308KB

      Download
    • memory/1804-65-0x0000000000060000-0x00000000000AD000-memory.dmp
      Filesize

      308KB

      Download
    • memory/1804-73-0x0000000000520000-0x0000000000592000-memory.dmp
      Filesize

      456KB

      Download
    • memory/1804-75-0x0000000000520000-0x0000000000592000-memory.dmp
      Filesize

      456KB

      Download
    • memory/1804-76-0x000007FEFBCA1000-0x000007FEFBCA3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1804-77-0x0000000000270000-0x000000000028B000-memory.dmp
      Filesize

      108KB

      Download
    • memory/1804-78-0x0000000003290000-0x0000000003395000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1804-79-0x00000000004A0000-0x00000000004C0000-memory.dmp
      Filesize

      128KB

      Download
    • memory/1804-80-0x00000000004C0000-0x00000000004DB000-memory.dmp
      Filesize

      108KB

      Download
    • memory/1804-81-0x0000000003290000-0x0000000003395000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1884-54-0x0000000075191000-0x0000000075193000-memory.dmp
      Filesize

      8KB

      Download