Overview

overview

8

Static

static

Clip1.exe

windows7-x64

1

Clip1.exe

windows10-2004-x64

8

Resubmissions

18-12-2022 19:20

221218-x171kade37 8

Analysis

  • max time kernel
    289s
  • max time network
    292s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-12-2022 19:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Clip1.exe

  • Size

    3.8MB

  • MD5

    b3bdc2917c3da808b4ad664c7a3f9e73

  • SHA1

    4939ad3241c08b1c1de578ee44465022ecfbe7b5

  • SHA256

    4b69a709a92dbb92ab156d5cc5b84a844ec16a10e04e6be4893f7af75be8e40f

  • SHA512

    53e7579532a920f01a2f8b2b6514a0fbd2ca87e86f71a34d9c5d6b6cc182827a5f686cc6bb81dc65240762def27616f5695a97507640f53d5ea874830a902107

  • SSDEEP

    49152:ARIb8Wraq2Djq78ew2J/4fIxjwbTfkNydrGOGv1hnJh0Jo3ahOYPW6odcnyGdhb8:ATS8ew2J/7B+q0ErklWds4W2

Score
8/10
discovery

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 3 IoCs
    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Clip1.exe
    "C:\Users\Admin\AppData\Local\Temp\Clip1.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4948
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /CREATE /TN "Windows\IntelComputingTooIklt\IntelPaint7.8.9.3." /TR "C:\ProgramData\MslBooster\WindowsPaint-Ver7.8.9.3.exe" /SC MINUTE
      2⤵
      • Creates scheduled task(s)
      PID:5020
    • C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\ProgramData\MslBooster" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
      2⤵
      • Modifies file permissions
      PID:2024
    • C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\ProgramData\MslBooster" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
      2⤵
      • Modifies file permissions
      PID:4344
    • C:\Windows\System32\icacls.exe
      "C:\Windows\System32\icacls.exe" "C:\ProgramData\MslBooster" /inheritance:e /deny "admin:(R,REA,RA,RD)"
      2⤵
      • Modifies file permissions
      PID:1732
  • C:\ProgramData\MslBooster\WindowsPaint-Ver7.8.9.3.exe
    C:\ProgramData\MslBooster\WindowsPaint-Ver7.8.9.3.exe
    1⤵
    • Executes dropped EXE
    PID:5048

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

File Permissions Modification

1
T1222

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\MslBooster\WindowsPaint-Ver7.8.9.3.exe
    Filesize

    1051.0MB

    MD5

    0989bd545f05ee90867811d0b5998dcf

    SHA1

    281aafdf454ee8af493e88c6f6f93a4cb7b9d7f7

    SHA256

    c7e0fc69c420c182ab491385a93510a8f816d792b85bbcc2ef43fc320d14943c

    SHA512

    b84399449eaab96be22b1983293ad93de0f66138aa2c930b8dcf7ab9509058924ab25f15b3cd041982143105f5f7ed78edd10ac5bfc80264af63645e6bfe3b9d

    Download Submit
  • C:\ProgramData\MslBooster\WindowsPaint-Ver7.8.9.3.exe
    Filesize

    1051.0MB

    MD5

    0989bd545f05ee90867811d0b5998dcf

    SHA1

    281aafdf454ee8af493e88c6f6f93a4cb7b9d7f7

    SHA256

    c7e0fc69c420c182ab491385a93510a8f816d792b85bbcc2ef43fc320d14943c

    SHA512

    b84399449eaab96be22b1983293ad93de0f66138aa2c930b8dcf7ab9509058924ab25f15b3cd041982143105f5f7ed78edd10ac5bfc80264af63645e6bfe3b9d

    Download Submit
  • memory/1732-141-0x0000000000000000-mapping.dmp
    Download
  • memory/2024-138-0x0000000000000000-mapping.dmp
    Download
  • memory/4344-139-0x0000000000000000-mapping.dmp
    Download
  • memory/4948-133-0x00007FF6A3FE0000-0x00007FF6A45E2000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/4948-136-0x00007FF6A3FE0000-0x00007FF6A45E2000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/4948-142-0x00007FF6A3FE0000-0x00007FF6A45E2000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/4948-132-0x00007FF6A3FE0000-0x00007FF6A45E2000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/5020-137-0x0000000000000000-mapping.dmp
    Download
  • memory/5048-144-0x00007FF645C10000-0x00007FF646212000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/5048-145-0x00007FF645C10000-0x00007FF646212000-memory.dmp
    Filesize

    6.0MB

    Download
  • memory/5048-148-0x00007FF645C10000-0x00007FF646212000-memory.dmp
    Filesize

    6.0MB

    Download