Analysis
max time kernel: 131s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-02-2023 04:41
Behavioral task: behavioral1
Sample: 27c1ed01c767f504642801a7e7a7de8d87dbc87dee88fbc5f6adb99f069afde4.exe
Resource: win10v2004-20220901-en
General
Target: 27c1ed01c767f504642801a7e7a7de8d87dbc87dee88fbc5f6adb99f069afde4.exe
Size: 2.3MB
MD5: 6cc7d9664c1a89c58549e57b5959bb38
SHA1: 85b665c501b9ab38710050e9a5c1b6d2e96acccc
SHA256: 27c1ed01c767f504642801a7e7a7de8d87dbc87dee88fbc5f6adb99f069afde4
SHA512: 294ee9c688a22df3d8311d040c56ffd66ae49982d7ad7de044b3b521533e380ced9058a43396fde49bb618db96bd6899c4db3926731df460cb66814f1a3965d9
SSDEEP: 49152:kHEP1Ytp7MnOYoH7NzvsfZHXlIZELxmuY88jIvnPojMuHmsMtTQpw:GEPuBSONzvsfZ3eCxmQ8cWmsM
Malware Config
Signatures
Downloads MZ/PE file

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description        ioc                                                                                                    process
  Key value queried  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  27c1ed01c767f504642801a7e7a7de8d87dbc87dee88fbc5f6adb99f069afde4.exe
Executes dropped EXE (1 IoC)
Processes:
  pid   process
  3168  z1ZAp65N7zXocjraEFHXRKXP.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description      ioc                                                                                                                                                                                             process
  Set value (str)  \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LOLPA4DESK = "\"C:\\Program Files (x86)\\ClipManagerP0\\ClipManager_Svc.exe\""  z1ZAp65N7zXocjraEFHXRKXP.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  5     ipinfo.io
  6     ipinfo.io

Drops file in System32 directory (4 IoCs)
Processes:
  description                   ioc                                               process
  File opened for modification  C:\Windows\System32\GroupPolicy                   27c1ed01c767f504642801a7e7a7de8d87dbc87dee88fbc5f6adb99f069afde4.exe
  File opened for modification  C:\Windows\SysWOW64\GroupPolicy\gpt.ini           27c1ed01c767f504642801a7e7a7de8d87dbc87dee88fbc5f6adb99f069afde4.exe
  File created                  C:\Windows\System32\GroupPolicy\Machine\Registry.pol  27c1ed01c767f504642801a7e7a7de8d87dbc87dee88fbc5f6adb99f069afde4.exe
  File opened for modification  C:\Windows\System32\GroupPolicy\GPT.INI           27c1ed01c767f504642801a7e7a7de8d87dbc87dee88fbc5f6adb99f069afde4.exe

Drops file in Program Files directory (2 IoCs)
Processes:
  description                   ioc                                                      process
  File opened for modification  C:\Program Files (x86)\ClipManagerP0\ClipManager_Svc.exe  z1ZAp65N7zXocjraEFHXRKXP.exe
  File created                  C:\Program Files (x86)\ClipManagerP0\ClipManager_Svc.exe  z1ZAp65N7zXocjraEFHXRKXP.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid   process
  3196  schtasks.exe
  2472  schtasks.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  2824  27c1ed01c767f504642801a7e7a7de8d87dbc87dee88fbc5f6adb99f069afde4.exe
  2824  27c1ed01c767f504642801a7e7a7de8d87dbc87dee88fbc5f6adb99f069afde4.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                      pid   process                                                                  target process
  PID 2824 wrote to memory of 3168  2824  27c1ed01c767f504642801a7e7a7de8d87dbc87dee88fbc5f6adb99f069afde4.exe  z1ZAp65N7zXocjraEFHXRKXP.exe
  PID 2824 wrote to memory of 3168  2824  27c1ed01c767f504642801a7e7a7de8d87dbc87dee88fbc5f6adb99f069afde4.exe  z1ZAp65N7zXocjraEFHXRKXP.exe
  PID 2824 wrote to memory of 3168  2824  27c1ed01c767f504642801a7e7a7de8d87dbc87dee88fbc5f6adb99f069afde4.exe  z1ZAp65N7zXocjraEFHXRKXP.exe
  PID 3168 wrote to memory of 3196  3168  z1ZAp65N7zXocjraEFHXRKXP.exe                                             schtasks.exe
  PID 3168 wrote to memory of 3196  3168  z1ZAp65N7zXocjraEFHXRKXP.exe                                             schtasks.exe
  PID 3168 wrote to memory of 3196  3168  z1ZAp65N7zXocjraEFHXRKXP.exe                                             schtasks.exe
  PID 3168 wrote to memory of 2472  3168  z1ZAp65N7zXocjraEFHXRKXP.exe                                             schtasks.exe
  PID 3168 wrote to memory of 2472  3168  z1ZAp65N7zXocjraEFHXRKXP.exe                                             schtasks.exe
  PID 3168 wrote to memory of 2472  3168  z1ZAp65N7zXocjraEFHXRKXP.exe                                             schtasks.exe
Processes (process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\27c1ed01c767f504642801a7e7a7de8d87dbc87dee88fbc5f6adb99f069afde4.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\27c1ed01c767f504642801a7e7a7de8d87dbc87dee88fbc5f6adb99f069afde4.exe"
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\Pictures\Minor Policy\z1ZAp65N7zXocjraEFHXRKXP.exe
      command line: "C:\Users\Admin\Pictures\Minor Policy\z1ZAp65N7zXocjraEFHXRKXP.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe
          command line: schtasks /create /f /RU "Admin" /tr ""C:\Program Files (x86)\ClipManagerP0\ClipManager_Svc.exe"" /tn "LOLPA4DESK HR" /sc HOURLY /rl HIGHEST
          - Creates scheduled task(s)

        C:\Windows\SysWOW64\schtasks.exe
          command line: schtasks /create /f /RU "Admin" /tr ""C:\Program Files (x86)\ClipManagerP0\ClipManager_Svc.exe"" /tn "LOLPA4DESK LG" /sc ONLOGON /rl HIGHEST
          - Creates scheduled task(s)

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\Pictures\Minor Policy\z1ZAp65N7zXocjraEFHXRKXP.exe
  Filesize: 161KB
  MD5: a19ba7f0bf808aefee30b29e8f84fc83
  SHA1: a339f81ccc84ab7c1f93a8f6add6e08fa64a46ef
  SHA256: 041f891934add72852c8fda245c95da959d7f98cc580383d198e42f2de039634
  SHA512: 73fa9a3d628ae63c8b52c1a16f7b5c6e0a958886b57c0b2c7ab523e4ce29f62f3655a576e04487550a05d559370dfc0882bbc4393b278ff1bffb66390d275c71
Memory dumps:
  memory/2472-136-0x0000000000000000-mapping.dmp
  memory/3168-132-0x0000000000000000-mapping.dmp
  memory/3196-135-0x0000000000000000-mapping.dmp