Overview

overview

8

Static

static

Clearsight....3.exe

windows7-x64

8

Clearsight....3.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    151s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 07:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ClearsightAntivirus_5.2.3.exe

  • Size

    23.8MB

  • MD5

    20a3bced47e9621133cac0b2ff4af986

  • SHA1

    9fbd47411a2cbba486975345b5209faa07404227

  • SHA256

    1c55410c9e640a5e0f2f876677a2d1b4f37ce2001036242182869a0f67a39286

  • SHA512

    536088e88e8b9ade96db01a872fb18fc2978ae9a0a330c894a79dfb7429e71585606d57cdf860cf93401eab21bb1e5263dc38eeb4605348bb727018615473191

  • SSDEEP

    393216:/BoNRwcyPsHkeTRwGnprlSIKR3HOjVNzmvGyYl2voYv02l1FgAh1oxQ5xAU+mPQK:+RUkH9TRw+lSIaKVNCvAYMUGWAxmjUYH

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 12 IoCs
  • Loads dropped DLL 4 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ClearsightAntivirus_5.2.3.exe
    "C:\Users\Admin\AppData\Local\Temp\ClearsightAntivirus_5.2.3.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1180
    • C:\Windows\system32\msiexec.exe
      /i "C:\Users\Admin\AppData\Roaming\Clearsight Technologies Ltd\Clearsight Antivirus\install\3396973\ClearsightAntivirus.msi" /L*V C:\Users\Admin\AppData\Local\Temp\csavp_install.log AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\ClearsightAntivirus_5.2.3.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\"
      2⤵
      • Blocklisted process makes network request
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:288
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1756
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 5FA7518676DC57A471C13CF1C5326349 C
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      PID:752
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
      PID:1688
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000005C" "00000000000005A0"
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:1540

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\MSI8A7F.tmp
      Filesize

      43KB

      MD5

      b759a21d153a42060a53a89a26b9931c

      SHA1

      6260cecd55db44d75121b1f88506a4a9978c1b0f

      SHA256

      6adcc31d2e3746c81f47041e9c6cc576cfe303fc1ed6dadd002c54f98c20cbcd

      SHA512

      78bf70af5b91bd4dd3ed75e0f25957f8f7cb540872e7c2ead0c429ec1d493058a603a37c64236270b31602e226ac928983f6143d4df52b4058eed9c9be2259f0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSI8CC1.tmp
      Filesize

      43KB

      MD5

      b759a21d153a42060a53a89a26b9931c

      SHA1

      6260cecd55db44d75121b1f88506a4a9978c1b0f

      SHA256

      6adcc31d2e3746c81f47041e9c6cc576cfe303fc1ed6dadd002c54f98c20cbcd

      SHA512

      78bf70af5b91bd4dd3ed75e0f25957f8f7cb540872e7c2ead0c429ec1d493058a603a37c64236270b31602e226ac928983f6143d4df52b4058eed9c9be2259f0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSI8E87.tmp
      Filesize

      43KB

      MD5

      b759a21d153a42060a53a89a26b9931c

      SHA1

      6260cecd55db44d75121b1f88506a4a9978c1b0f

      SHA256

      6adcc31d2e3746c81f47041e9c6cc576cfe303fc1ed6dadd002c54f98c20cbcd

      SHA512

      78bf70af5b91bd4dd3ed75e0f25957f8f7cb540872e7c2ead0c429ec1d493058a603a37c64236270b31602e226ac928983f6143d4df52b4058eed9c9be2259f0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\csavp_install.log
      Filesize

      65KB

      MD5

      4783adc66061f056ed5829dd07dc9de3

      SHA1

      dcd659a0052e94f8c60f61fb12031bd832c3025e

      SHA256

      ec6e5a175f3c8af491c3608dab40626b0132bce1e0ceaf3e35a2ea97d8064150

      SHA512

      fa4458860bc144b0b270cb53df2b65273a1830a503b4d399d88a419822fea348e819057dc0dcf0a8539a7e95dcced6699acc748e61493ae3e1a9259c6dea44ff

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Clearsight Technologies Ltd\Clearsight Antivirus\install\3396973\ClearsightAntivirus.msi
      Filesize

      692KB

      MD5

      9e6f4a6af2798224f9531383d9cd2ff6

      SHA1

      4c3fcc333ea4756eb51cc1b102d354111cf61519

      SHA256

      89ff9180f4bd1746b3d5962303eb39c881c20cc372651680403214a00737d720

      SHA512

      353f440167436d2b099ead30d52f904ef804145c141af97ba13c921825ea61a508a74497539196a39dea7ad6f43908663791b3a92f8bc9d7db17bd4a38902d2b

      Download Submit

    • \??\PIPE\samr
      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MSI8A7F.tmp
      Filesize

      43KB

      MD5

      b759a21d153a42060a53a89a26b9931c

      SHA1

      6260cecd55db44d75121b1f88506a4a9978c1b0f

      SHA256

      6adcc31d2e3746c81f47041e9c6cc576cfe303fc1ed6dadd002c54f98c20cbcd

      SHA512

      78bf70af5b91bd4dd3ed75e0f25957f8f7cb540872e7c2ead0c429ec1d493058a603a37c64236270b31602e226ac928983f6143d4df52b4058eed9c9be2259f0

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MSI8CC1.tmp
      Filesize

      43KB

      MD5

      b759a21d153a42060a53a89a26b9931c

      SHA1

      6260cecd55db44d75121b1f88506a4a9978c1b0f

      SHA256

      6adcc31d2e3746c81f47041e9c6cc576cfe303fc1ed6dadd002c54f98c20cbcd

      SHA512

      78bf70af5b91bd4dd3ed75e0f25957f8f7cb540872e7c2ead0c429ec1d493058a603a37c64236270b31602e226ac928983f6143d4df52b4058eed9c9be2259f0

      Download Submit

    • \Users\Admin\AppData\Local\Temp\MSI8E87.tmp
      Filesize

      43KB

      MD5

      b759a21d153a42060a53a89a26b9931c

      SHA1

      6260cecd55db44d75121b1f88506a4a9978c1b0f

      SHA256

      6adcc31d2e3746c81f47041e9c6cc576cfe303fc1ed6dadd002c54f98c20cbcd

      SHA512

      78bf70af5b91bd4dd3ed75e0f25957f8f7cb540872e7c2ead0c429ec1d493058a603a37c64236270b31602e226ac928983f6143d4df52b4058eed9c9be2259f0

      Download Submit

    • \Users\Admin\AppData\Roaming\Clearsight Technologies Ltd\Clearsight Antivirus\install\decoder.dll
      Filesize

      105KB

      MD5

      143da6747fff236a473bdf6007629490

      SHA1

      aed2e6ecbd53ce1e281cee958b3c867f14c8262d

      SHA256

      75f59cfba8c75d7646a697609a9baefb3388b1b6e66db37c50924e3fcba68893

      SHA512

      d52393c33b647ad82adfa1c66f7adb3f8d148d71675fca7df62c974ef9c1d0b25092164fe9603184370f8ecdb5d00d1dd61dd626ec7655b94e03509aaf9fddd1

      Download Submit

    • memory/288-57-0x0000000000000000-mapping.dmp

      Download

    • memory/288-58-0x000007FEFBAF1000-0x000007FEFBAF3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/752-61-0x0000000000000000-mapping.dmp

      Download

    • memory/1180-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1180-55-0x0000000074521000-0x0000000074523000-memory.dmp

      Filesize

      8KB

      Download