Analysis
-
max time kernel
45s -
max time network
202s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
14-07-2022 10:15
Static task
static1
Behavioral task
behavioral1
Sample
3cde734726f325ed80790f88eeef30971a2b92799c710680f034906f807c1b21.exe
Resource
win7-20220414-en
General
-
Target
3cde734726f325ed80790f88eeef30971a2b92799c710680f034906f807c1b21.exe
-
Size
1.6MB
-
MD5
6a8e345d1d03a3f756161d6d8dfefbb3
-
SHA1
e363a41468963a0fe955faf70c3f77e5859020e5
-
SHA256
3cde734726f325ed80790f88eeef30971a2b92799c710680f034906f807c1b21
-
SHA512
d6e37360357e604d3f379f384861e1bad753f1abe4eeb07fb608a8dee4a7f06495886aab9fc5ff6f4666b78a3bc8fb767b6f6ef7860c55f5d432facc44d1df3f
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
clip.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ clip.exe -
Executes dropped EXE 1 IoCs
Processes:
clip.exepid process 952 clip.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
clip.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion clip.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion clip.exe -
Loads dropped DLL 9 IoCs
Processes:
3cde734726f325ed80790f88eeef30971a2b92799c710680f034906f807c1b21.exeWerFault.exepid process 1992 3cde734726f325ed80790f88eeef30971a2b92799c710680f034906f807c1b21.exe 1992 3cde734726f325ed80790f88eeef30971a2b92799c710680f034906f807c1b21.exe 1992 3cde734726f325ed80790f88eeef30971a2b92799c710680f034906f807c1b21.exe 1992 3cde734726f325ed80790f88eeef30971a2b92799c710680f034906f807c1b21.exe 1920 WerFault.exe 1920 WerFault.exe 1920 WerFault.exe 1920 WerFault.exe 1920 WerFault.exe -
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\clip.exe themida \Users\Admin\AppData\Local\Temp\clip.exe themida \Users\Admin\AppData\Local\Temp\clip.exe themida \Users\Admin\AppData\Local\Temp\clip.exe themida C:\Users\Admin\AppData\Local\Temp\clip.exe themida behavioral1/memory/952-62-0x0000000000130000-0x000000000058F000-memory.dmp themida behavioral1/memory/952-63-0x0000000000130000-0x000000000058F000-memory.dmp themida behavioral1/memory/952-64-0x0000000000130000-0x000000000058F000-memory.dmp themida behavioral1/memory/952-65-0x0000000000130000-0x000000000058F000-memory.dmp themida C:\Users\Admin\AppData\Local\Temp\clip.exe themida behavioral1/memory/952-74-0x0000000000130000-0x000000000058F000-memory.dmp themida \Users\Admin\AppData\Local\Temp\clip.exe themida \Users\Admin\AppData\Local\Temp\clip.exe themida \Users\Admin\AppData\Local\Temp\clip.exe themida \Users\Admin\AppData\Local\Temp\clip.exe themida \Users\Admin\AppData\Local\Temp\clip.exe themida -
Processes:
clip.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA clip.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
clip.exepid process 952 clip.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1920 952 WerFault.exe clip.exe -
Processes:
clip.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 clip.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde clip.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
clip.exepid process 952 clip.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
3cde734726f325ed80790f88eeef30971a2b92799c710680f034906f807c1b21.execlip.exedescription pid process target process PID 1992 wrote to memory of 952 1992 3cde734726f325ed80790f88eeef30971a2b92799c710680f034906f807c1b21.exe clip.exe PID 1992 wrote to memory of 952 1992 3cde734726f325ed80790f88eeef30971a2b92799c710680f034906f807c1b21.exe clip.exe PID 1992 wrote to memory of 952 1992 3cde734726f325ed80790f88eeef30971a2b92799c710680f034906f807c1b21.exe clip.exe PID 1992 wrote to memory of 952 1992 3cde734726f325ed80790f88eeef30971a2b92799c710680f034906f807c1b21.exe clip.exe PID 952 wrote to memory of 1920 952 clip.exe WerFault.exe PID 952 wrote to memory of 1920 952 clip.exe WerFault.exe PID 952 wrote to memory of 1920 952 clip.exe WerFault.exe PID 952 wrote to memory of 1920 952 clip.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3cde734726f325ed80790f88eeef30971a2b92799c710680f034906f807c1b21.exe"C:\Users\Admin\AppData\Local\Temp\3cde734726f325ed80790f88eeef30971a2b92799c710680f034906f807c1b21.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Users\Admin\AppData\Local\Temp\clip.exe"C:\Users\Admin\AppData\Local\Temp\clip.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 7923⤵
- Loads dropped DLL
- Program crash
PID:1920
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\clip.exeFilesize
1.5MB
MD5bb4c351464c3b5c3a1206a414f7e3464
SHA19da01f3c740740d735cff9d98bf994b29950714b
SHA256df95aed0e5012b89c906f5ce1643dd00819bcac40bb2e490ea97a00dad71b83d
SHA512f779e3aa1bcd3bde36d56a00ab46af8f6e0477efdacbc3a73f72fa06c3ec9f1e7f3d1dcd1cfbfdc7c181ae1aa71a2f3fc3e26be6cb7006fbac24cad457a27242
-
C:\Users\Admin\AppData\Local\Temp\clip.exeFilesize
1.5MB
MD5bb4c351464c3b5c3a1206a414f7e3464
SHA19da01f3c740740d735cff9d98bf994b29950714b
SHA256df95aed0e5012b89c906f5ce1643dd00819bcac40bb2e490ea97a00dad71b83d
SHA512f779e3aa1bcd3bde36d56a00ab46af8f6e0477efdacbc3a73f72fa06c3ec9f1e7f3d1dcd1cfbfdc7c181ae1aa71a2f3fc3e26be6cb7006fbac24cad457a27242
-
\Users\Admin\AppData\Local\Temp\clip.exeFilesize
1.5MB
MD5bb4c351464c3b5c3a1206a414f7e3464
SHA19da01f3c740740d735cff9d98bf994b29950714b
SHA256df95aed0e5012b89c906f5ce1643dd00819bcac40bb2e490ea97a00dad71b83d
SHA512f779e3aa1bcd3bde36d56a00ab46af8f6e0477efdacbc3a73f72fa06c3ec9f1e7f3d1dcd1cfbfdc7c181ae1aa71a2f3fc3e26be6cb7006fbac24cad457a27242
-
\Users\Admin\AppData\Local\Temp\clip.exeFilesize
1.5MB
MD5bb4c351464c3b5c3a1206a414f7e3464
SHA19da01f3c740740d735cff9d98bf994b29950714b
SHA256df95aed0e5012b89c906f5ce1643dd00819bcac40bb2e490ea97a00dad71b83d
SHA512f779e3aa1bcd3bde36d56a00ab46af8f6e0477efdacbc3a73f72fa06c3ec9f1e7f3d1dcd1cfbfdc7c181ae1aa71a2f3fc3e26be6cb7006fbac24cad457a27242
-
\Users\Admin\AppData\Local\Temp\clip.exeFilesize
1.5MB
MD5bb4c351464c3b5c3a1206a414f7e3464
SHA19da01f3c740740d735cff9d98bf994b29950714b
SHA256df95aed0e5012b89c906f5ce1643dd00819bcac40bb2e490ea97a00dad71b83d
SHA512f779e3aa1bcd3bde36d56a00ab46af8f6e0477efdacbc3a73f72fa06c3ec9f1e7f3d1dcd1cfbfdc7c181ae1aa71a2f3fc3e26be6cb7006fbac24cad457a27242
-
\Users\Admin\AppData\Local\Temp\clip.exeFilesize
1.5MB
MD5bb4c351464c3b5c3a1206a414f7e3464
SHA19da01f3c740740d735cff9d98bf994b29950714b
SHA256df95aed0e5012b89c906f5ce1643dd00819bcac40bb2e490ea97a00dad71b83d
SHA512f779e3aa1bcd3bde36d56a00ab46af8f6e0477efdacbc3a73f72fa06c3ec9f1e7f3d1dcd1cfbfdc7c181ae1aa71a2f3fc3e26be6cb7006fbac24cad457a27242
-
\Users\Admin\AppData\Local\Temp\clip.exeFilesize
1.5MB
MD5bb4c351464c3b5c3a1206a414f7e3464
SHA19da01f3c740740d735cff9d98bf994b29950714b
SHA256df95aed0e5012b89c906f5ce1643dd00819bcac40bb2e490ea97a00dad71b83d
SHA512f779e3aa1bcd3bde36d56a00ab46af8f6e0477efdacbc3a73f72fa06c3ec9f1e7f3d1dcd1cfbfdc7c181ae1aa71a2f3fc3e26be6cb7006fbac24cad457a27242
-
\Users\Admin\AppData\Local\Temp\clip.exeFilesize
1.5MB
MD5bb4c351464c3b5c3a1206a414f7e3464
SHA19da01f3c740740d735cff9d98bf994b29950714b
SHA256df95aed0e5012b89c906f5ce1643dd00819bcac40bb2e490ea97a00dad71b83d
SHA512f779e3aa1bcd3bde36d56a00ab46af8f6e0477efdacbc3a73f72fa06c3ec9f1e7f3d1dcd1cfbfdc7c181ae1aa71a2f3fc3e26be6cb7006fbac24cad457a27242
-
\Users\Admin\AppData\Local\Temp\clip.exeFilesize
1.5MB
MD5bb4c351464c3b5c3a1206a414f7e3464
SHA19da01f3c740740d735cff9d98bf994b29950714b
SHA256df95aed0e5012b89c906f5ce1643dd00819bcac40bb2e490ea97a00dad71b83d
SHA512f779e3aa1bcd3bde36d56a00ab46af8f6e0477efdacbc3a73f72fa06c3ec9f1e7f3d1dcd1cfbfdc7c181ae1aa71a2f3fc3e26be6cb7006fbac24cad457a27242
-
\Users\Admin\AppData\Local\Temp\clip.exeFilesize
1.5MB
MD5bb4c351464c3b5c3a1206a414f7e3464
SHA19da01f3c740740d735cff9d98bf994b29950714b
SHA256df95aed0e5012b89c906f5ce1643dd00819bcac40bb2e490ea97a00dad71b83d
SHA512f779e3aa1bcd3bde36d56a00ab46af8f6e0477efdacbc3a73f72fa06c3ec9f1e7f3d1dcd1cfbfdc7c181ae1aa71a2f3fc3e26be6cb7006fbac24cad457a27242
-
\Users\Admin\AppData\Local\Temp\clip.exeFilesize
1.5MB
MD5bb4c351464c3b5c3a1206a414f7e3464
SHA19da01f3c740740d735cff9d98bf994b29950714b
SHA256df95aed0e5012b89c906f5ce1643dd00819bcac40bb2e490ea97a00dad71b83d
SHA512f779e3aa1bcd3bde36d56a00ab46af8f6e0477efdacbc3a73f72fa06c3ec9f1e7f3d1dcd1cfbfdc7c181ae1aa71a2f3fc3e26be6cb7006fbac24cad457a27242
-
memory/952-65-0x0000000000130000-0x000000000058F000-memory.dmpFilesize
4.4MB
-
memory/952-72-0x0000000077A20000-0x0000000077BA0000-memory.dmpFilesize
1.5MB
-
memory/952-67-0x0000000000131000-0x0000000000197000-memory.dmpFilesize
408KB
-
memory/952-74-0x0000000000130000-0x000000000058F000-memory.dmpFilesize
4.4MB
-
memory/952-64-0x0000000000130000-0x000000000058F000-memory.dmpFilesize
4.4MB
-
memory/952-63-0x0000000000130000-0x000000000058F000-memory.dmpFilesize
4.4MB
-
memory/952-62-0x0000000000130000-0x000000000058F000-memory.dmpFilesize
4.4MB
-
memory/952-88-0x0000000077A20000-0x0000000077BA0000-memory.dmpFilesize
1.5MB
-
memory/952-59-0x0000000000000000-mapping.dmp
-
memory/1920-83-0x0000000000000000-mapping.dmp
-
memory/1992-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmpFilesize
8KB