27be7d68516c66d8e3554d116bfe0add4a6dac42c3fb2484da025fccbc963601

Analysis

max time kernel
144s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
09/03/2023, 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CLodop_Setup_for_Win32NT.exe
Size

4.6MB
MD5

9a942a2401351f3909fc3f0d94f749fc
SHA1

9ca251da1724008388ee672c232a03027b33dfff
SHA256

27be7d68516c66d8e3554d116bfe0add4a6dac42c3fb2484da025fccbc963601
SHA512

b8f07ffa81bcff1f9684ab1ebe9136517425162c4dd9d12fb7b958629355a49cd75b457972d6858fc23e30f130bf7bfcb515884db496e608dfb01a856d15ffe7
SSDEEP

98304:B1e0+EBg+69MH5UCumgFgyOy5V2N+R0G72Lcl+pYP4N/KpC:/eaUBCXDG6BpUHC

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1040	is-9R23R.tmp

Loads dropped DLL 2 IoCs

pid	Process
1040	is-9R23R.tmp
1040	is-9R23R.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1040	is-9R23R.tmp
1040	is-9R23R.tmp
1040	is-9R23R.tmp
1040	is-9R23R.tmp
1040	is-9R23R.tmp
1040	is-9R23R.tmp
1040	is-9R23R.tmp
1040	is-9R23R.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1040	1708	CLodop_Setup_for_Win32NT.exe	86
PID 1708 wrote to memory of 1040	1708	CLodop_Setup_for_Win32NT.exe	86
PID 1708 wrote to memory of 1040	1708	CLodop_Setup_for_Win32NT.exe	86

C:\Users\Admin\AppData\Local\Temp\CLodop_Setup_for_Win32NT.exe
"C:\Users\Admin\AppData\Local\Temp\CLodop_Setup_for_Win32NT.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\is-1CH9U.tmp\is-9R23R.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-1CH9U.tmp\is-9R23R.tmp" /SL4 $80042 "C:\Users\Admin\AppData\Local\Temp\CLodop_Setup_for_Win32NT.exe" 4509903 51200
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-1CH9U.tmp\is-9R23R.tmp

Filesize
646KB

MD5
79551e7f460ce4a92b6c9c0f0b714108

SHA1
51c8cd3741482a00ee6137822f826c0f55d521c4

SHA256
06ae7abcec424f92569cd67e55e27c7e91f84f6108f91876cd3f135262341bef

SHA512
4e1d7bc491d21064d89414aa335915d306ea3e811d7fe237c9e111b0588189d8d37b238b7ff39159b05125eaee6637956a7f0f8e2ae51a7a5196765af62665a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1CH9U.tmp\is-9R23R.tmp

Filesize
646KB

MD5
79551e7f460ce4a92b6c9c0f0b714108

SHA1
51c8cd3741482a00ee6137822f826c0f55d521c4

SHA256
06ae7abcec424f92569cd67e55e27c7e91f84f6108f91876cd3f135262341bef

SHA512
4e1d7bc491d21064d89414aa335915d306ea3e811d7fe237c9e111b0588189d8d37b238b7ff39159b05125eaee6637956a7f0f8e2ae51a7a5196765af62665a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-R4BGI.tmp\TaskDll.dll

Filesize
130KB

MD5
3a57389802e43a5bc4f13e99742c218e

SHA1
a070a8d60e85850d85ad650b90ff3afb8ebf6803

SHA256
25cd485dd2a9e692637a6860ed3f75f810d8883781d169ee4954170fb800dca6

SHA512
c131caed5786cbb4d1c3c31761314676eea6eda2daf42337edb306ea36ed791fc8ae6dff4a7f47eb5182dd1db0c5f30c66a1ca5dadf98d5337c340e8137bff20

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-R4BGI.tmp\TaskDll.dll

Filesize
130KB

MD5
3a57389802e43a5bc4f13e99742c218e

SHA1
a070a8d60e85850d85ad650b90ff3afb8ebf6803

SHA256
25cd485dd2a9e692637a6860ed3f75f810d8883781d169ee4954170fb800dca6

SHA512
c131caed5786cbb4d1c3c31761314676eea6eda2daf42337edb306ea36ed791fc8ae6dff4a7f47eb5182dd1db0c5f30c66a1ca5dadf98d5337c340e8137bff20

Download Submit
memory/1040-148-0x0000000003A00000-0x0000000003A2C000-memory.dmp

Filesize
176KB

Download
memory/1040-151-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/1040-153-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/1040-154-0x0000000003A00000-0x0000000003A2C000-memory.dmp

Filesize
176KB

Download
memory/1040-155-0x0000000000780000-0x0000000000781000-memory.dmp

Filesize
4KB

Download
memory/1708-133-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1708-152-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download