1c55410c9e640a5e0f2f876677a2d1b4f37ce2001036242182869a0f67a39286

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ClearsightAntivirus_5.2.3.exe
Size

23.8MB
MD5

20a3bced47e9621133cac0b2ff4af986
SHA1

9fbd47411a2cbba486975345b5209faa07404227
SHA256

1c55410c9e640a5e0f2f876677a2d1b4f37ce2001036242182869a0f67a39286
SHA512

536088e88e8b9ade96db01a872fb18fc2978ae9a0a330c894a79dfb7429e71585606d57cdf860cf93401eab21bb1e5263dc38eeb4605348bb727018615473191
SSDEEP

393216:/BoNRwcyPsHkeTRwGnprlSIKR3HOjVNzmvGyYl2voYv02l1FgAh1oxQ5xAU+mPQK:+RUkH9TRw+lSIaKVNCvAYMUGWAxmjUYH

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

Processes:

msiexec.exeMsiExec.exe

flow pid process

19 2420 msiexec.exe
21 2420 msiexec.exe
23 2420 msiexec.exe
25 2420 msiexec.exe
33 4296 MsiExec.exe
Loads dropped DLL 4 IoCs

Processes:

ClearsightAntivirus_5.2.3.exeMsiExec.exe

pid process

520 ClearsightAntivirus_5.2.3.exe
4296 MsiExec.exe
4296 MsiExec.exe
4296 MsiExec.exe

flow	pid	process
19	2420	msiexec.exe
21	2420	msiexec.exe
23	2420	msiexec.exe
25	2420	msiexec.exe
33	4296	MsiExec.exe

pid	process
520	ClearsightAntivirus_5.2.3.exe
4296	MsiExec.exe
4296	MsiExec.exe
4296	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000005cb6ed2f2c7878f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000005cb6ed20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff00000000070001000068090005cb6ed2000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000005cb6ed200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000005cb6ed200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2420	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2420	msiexec.exe
Token: SeSecurityPrivilege	4348	msiexec.exe
Token: SeCreateTokenPrivilege	2420	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2420	msiexec.exe
Token: SeLockMemoryPrivilege	2420	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2420	msiexec.exe
Token: SeMachineAccountPrivilege	2420	msiexec.exe
Token: SeTcbPrivilege	2420	msiexec.exe
Token: SeSecurityPrivilege	2420	msiexec.exe
Token: SeTakeOwnershipPrivilege	2420	msiexec.exe
Token: SeLoadDriverPrivilege	2420	msiexec.exe
Token: SeSystemProfilePrivilege	2420	msiexec.exe
Token: SeSystemtimePrivilege	2420	msiexec.exe
Token: SeProfSingleProcessPrivilege	2420	msiexec.exe
Token: SeIncBasePriorityPrivilege	2420	msiexec.exe
Token: SeCreatePagefilePrivilege	2420	msiexec.exe
Token: SeCreatePermanentPrivilege	2420	msiexec.exe
Token: SeBackupPrivilege	2420	msiexec.exe
Token: SeRestorePrivilege	2420	msiexec.exe
Token: SeShutdownPrivilege	2420	msiexec.exe
Token: SeDebugPrivilege	2420	msiexec.exe
Token: SeAuditPrivilege	2420	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2420	msiexec.exe
Token: SeChangeNotifyPrivilege	2420	msiexec.exe
Token: SeRemoteShutdownPrivilege	2420	msiexec.exe
Token: SeUndockPrivilege	2420	msiexec.exe
Token: SeSyncAgentPrivilege	2420	msiexec.exe
Token: SeEnableDelegationPrivilege	2420	msiexec.exe
Token: SeManageVolumePrivilege	2420	msiexec.exe
Token: SeImpersonatePrivilege	2420	msiexec.exe
Token: SeCreateGlobalPrivilege	2420	msiexec.exe
Token: SeCreateTokenPrivilege	2420	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2420	msiexec.exe
Token: SeLockMemoryPrivilege	2420	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2420	msiexec.exe
Token: SeMachineAccountPrivilege	2420	msiexec.exe
Token: SeTcbPrivilege	2420	msiexec.exe
Token: SeSecurityPrivilege	2420	msiexec.exe
Token: SeTakeOwnershipPrivilege	2420	msiexec.exe
Token: SeLoadDriverPrivilege	2420	msiexec.exe
Token: SeSystemProfilePrivilege	2420	msiexec.exe
Token: SeSystemtimePrivilege	2420	msiexec.exe
Token: SeProfSingleProcessPrivilege	2420	msiexec.exe
Token: SeIncBasePriorityPrivilege	2420	msiexec.exe
Token: SeCreatePagefilePrivilege	2420	msiexec.exe
Token: SeCreatePermanentPrivilege	2420	msiexec.exe
Token: SeBackupPrivilege	2420	msiexec.exe
Token: SeRestorePrivilege	2420	msiexec.exe
Token: SeShutdownPrivilege	2420	msiexec.exe
Token: SeDebugPrivilege	2420	msiexec.exe
Token: SeAuditPrivilege	2420	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2420	msiexec.exe
Token: SeChangeNotifyPrivilege	2420	msiexec.exe
Token: SeRemoteShutdownPrivilege	2420	msiexec.exe
Token: SeUndockPrivilege	2420	msiexec.exe
Token: SeSyncAgentPrivilege	2420	msiexec.exe
Token: SeEnableDelegationPrivilege	2420	msiexec.exe
Token: SeManageVolumePrivilege	2420	msiexec.exe
Token: SeImpersonatePrivilege	2420	msiexec.exe
Token: SeCreateGlobalPrivilege	2420	msiexec.exe
Token: SeCreateTokenPrivilege	2420	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2420	msiexec.exe
Token: SeLockMemoryPrivilege	2420	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

ClearsightAntivirus_5.2.3.exemsiexec.exe

pid process

520 ClearsightAntivirus_5.2.3.exe
2420 msiexec.exe

pid	process
520	ClearsightAntivirus_5.2.3.exe
2420	msiexec.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

ClearsightAntivirus_5.2.3.exemsiexec.exe

description	pid	process	target process
PID 520 wrote to memory of 2420	520	ClearsightAntivirus_5.2.3.exe	msiexec.exe
PID 520 wrote to memory of 2420	520	ClearsightAntivirus_5.2.3.exe	msiexec.exe
PID 4348 wrote to memory of 4296	4348	msiexec.exe	MsiExec.exe
PID 4348 wrote to memory of 4296	4348	msiexec.exe	MsiExec.exe
PID 4348 wrote to memory of 4296	4348	msiexec.exe	MsiExec.exe

C:\Users\Admin\AppData\Local\Temp\ClearsightAntivirus_5.2.3.exe
"C:\Users\Admin\AppData\Local\Temp\ClearsightAntivirus_5.2.3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\system32\msiexec.exe
/i "C:\Users\Admin\AppData\Roaming\Clearsight Technologies Ltd\Clearsight Antivirus\install\3396973\ClearsightAntivirus.msi" /L*V C:\Users\Admin\AppData\Local\Temp\csavp_install.log AI_SETUPEXEPATH="C:\Users\Admin\AppData\Local\Temp\ClearsightAntivirus_5.2.3.exe" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp\"
2⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2420

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4348

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 9332B4DFA4117C8396CE61EF8BED12B6 C
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:4296

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSIA388.tmp

Filesize
43KB

MD5
b759a21d153a42060a53a89a26b9931c

SHA1
6260cecd55db44d75121b1f88506a4a9978c1b0f

SHA256
6adcc31d2e3746c81f47041e9c6cc576cfe303fc1ed6dadd002c54f98c20cbcd

SHA512
78bf70af5b91bd4dd3ed75e0f25957f8f7cb540872e7c2ead0c429ec1d493058a603a37c64236270b31602e226ac928983f6143d4df52b4058eed9c9be2259f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA388.tmp

Filesize
43KB

MD5
b759a21d153a42060a53a89a26b9931c

SHA1
6260cecd55db44d75121b1f88506a4a9978c1b0f

SHA256
6adcc31d2e3746c81f47041e9c6cc576cfe303fc1ed6dadd002c54f98c20cbcd

SHA512
78bf70af5b91bd4dd3ed75e0f25957f8f7cb540872e7c2ead0c429ec1d493058a603a37c64236270b31602e226ac928983f6143d4df52b4058eed9c9be2259f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB4BF.tmp

Filesize
43KB

MD5
b759a21d153a42060a53a89a26b9931c

SHA1
6260cecd55db44d75121b1f88506a4a9978c1b0f

SHA256
6adcc31d2e3746c81f47041e9c6cc576cfe303fc1ed6dadd002c54f98c20cbcd

SHA512
78bf70af5b91bd4dd3ed75e0f25957f8f7cb540872e7c2ead0c429ec1d493058a603a37c64236270b31602e226ac928983f6143d4df52b4058eed9c9be2259f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB4BF.tmp

Filesize
43KB

MD5
b759a21d153a42060a53a89a26b9931c

SHA1
6260cecd55db44d75121b1f88506a4a9978c1b0f

SHA256
6adcc31d2e3746c81f47041e9c6cc576cfe303fc1ed6dadd002c54f98c20cbcd

SHA512
78bf70af5b91bd4dd3ed75e0f25957f8f7cb540872e7c2ead0c429ec1d493058a603a37c64236270b31602e226ac928983f6143d4df52b4058eed9c9be2259f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB77F.tmp

Filesize
43KB

MD5
b759a21d153a42060a53a89a26b9931c

SHA1
6260cecd55db44d75121b1f88506a4a9978c1b0f

SHA256
6adcc31d2e3746c81f47041e9c6cc576cfe303fc1ed6dadd002c54f98c20cbcd

SHA512
78bf70af5b91bd4dd3ed75e0f25957f8f7cb540872e7c2ead0c429ec1d493058a603a37c64236270b31602e226ac928983f6143d4df52b4058eed9c9be2259f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB77F.tmp

Filesize
43KB

MD5
b759a21d153a42060a53a89a26b9931c

SHA1
6260cecd55db44d75121b1f88506a4a9978c1b0f

SHA256
6adcc31d2e3746c81f47041e9c6cc576cfe303fc1ed6dadd002c54f98c20cbcd

SHA512
78bf70af5b91bd4dd3ed75e0f25957f8f7cb540872e7c2ead0c429ec1d493058a603a37c64236270b31602e226ac928983f6143d4df52b4058eed9c9be2259f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\csavp_install.log

Filesize
66KB

MD5
5d698b8f7aa985293cce1fa9f6ef1d4a

SHA1
9978f05edb250ebed9c3293e10e5aceb21c8172b

SHA256
79d50900f681f57967bb2710048d6a1a595b42f9f8eb7d5d726b8e81a5971a47

SHA512
aed896c9eae14d00d2f995999a833b741e9bce3ae18ee663f45383a037e878467b024d8a96ebb46d86aee77dbc957262ca398f466724376cabd4ccf9eef53d44

Download Submit
C:\Users\Admin\AppData\Roaming\Clearsight Technologies Ltd\Clearsight Antivirus\install\3396973\ClearsightAntivirus.msi

Filesize
692KB

MD5
9e6f4a6af2798224f9531383d9cd2ff6

SHA1
4c3fcc333ea4756eb51cc1b102d354111cf61519

SHA256
89ff9180f4bd1746b3d5962303eb39c881c20cc372651680403214a00737d720

SHA512
353f440167436d2b099ead30d52f904ef804145c141af97ba13c921825ea61a508a74497539196a39dea7ad6f43908663791b3a92f8bc9d7db17bd4a38902d2b

Download Submit
C:\Users\Admin\AppData\Roaming\Clearsight Technologies Ltd\Clearsight Antivirus\install\decoder.dll

Filesize
105KB

MD5
143da6747fff236a473bdf6007629490

SHA1
aed2e6ecbd53ce1e281cee958b3c867f14c8262d

SHA256
75f59cfba8c75d7646a697609a9baefb3388b1b6e66db37c50924e3fcba68893

SHA512
d52393c33b647ad82adfa1c66f7adb3f8d148d71675fca7df62c974ef9c1d0b25092164fe9603184370f8ecdb5d00d1dd61dd626ec7655b94e03509aaf9fddd1

Download Submit
memory/2420-133-0x0000000000000000-mapping.dmp

Download
memory/4296-135-0x0000000000000000-mapping.dmp

Download