Overview

overview

9

Static

static

1

Clip1.exe

windows7-x64

9

Clip1.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-03-2023 13:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Clip1.exe

  • Size

    3.4MB

  • MD5

    7c3ba41716690f6d5bca3520700e894c

  • SHA1

    d8112039a130dd3d406c8b2386cce5ef8a745ce0

  • SHA256

    4e45051d214af572935596233db47eee57ceb6600841815dc51171dee15840f5

  • SHA512

    a3f6251d657d7abd982d68252c5085fe0393384c3edb37c19a750afbe95adeb926d5586f54be4f3ea1b314b533bd0676de35f7bd22460f1c0cefc464c8cbf23b

  • SSDEEP

    49152:rr1c7Kvf8e9HTgXHXayMSTQ5c1ztH9rDDQvOJRg05T0Oa/rm2ho8IucxzrurVlo9:gKvfd94XayMT5sH9M0aS8o9uWyUhHyk

Score
9/10
discoveryevasiontrojanupx

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
    discovery
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Clip1.exe
    "C:\Users\Admin\AppData\Local\Temp\Clip1.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3588
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:728
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\TemplatesOracle-type0.0.0.0" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:4676
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\TemplatesOracle-type0.0.0.0" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:2632
      • C:\Windows\SysWOW64\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\TemplatesOracle-type0.0.0.0" /inheritance:e /deny "admin:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:2536
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /CREATE /TN "TemplatesOracle-type0.0.0.0\TemplatesOracle-type0.0.0.0" /TR "C:\ProgramData\TemplatesOracle-type0.0.0.0\TemplatesOracle-type0.0.0.0.exe" /SC MINUTE
        3⤵
        • Creates scheduled task(s)
        PID:4828
      • C:\ProgramData\TemplatesOracle-type0.0.0.0\TemplatesOracle-type0.0.0.0.exe
        "C:\ProgramData\TemplatesOracle-type0.0.0.0\TemplatesOracle-type0.0.0.0.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        PID:2212
  • C:\ProgramData\TemplatesOracle-type0.0.0.0\TemplatesOracle-type0.0.0.0.exe
    C:\ProgramData\TemplatesOracle-type0.0.0.0\TemplatesOracle-type0.0.0.0.exe
    1⤵
      PID:4852

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\TemplatesOracle-type0.0.0.0\TemplatesOracle-type0.0.0.0.exe
      Filesize

      512.2MB

      MD5

      ecd270160df0fb019d45742bfc3490ed

      SHA1

      bedadd3158d244f05981711797c7eea42163ff20

      SHA256

      729a98ebcbb1c00bb662fe1329e5e66172c3666d8f82a4c5d358d9eb129a1dfa

      SHA512

      0c0b6c8af002b2faa57926250c88d6bfc97bf7c4b70023ab5c0d850f8197e90e74ead84435eb3465ce3a1a9aba818077581f59a36930e3efe2285ae5dd7ea059

      Download Submit

    • C:\ProgramData\TemplatesOracle-type0.0.0.0\TemplatesOracle-type0.0.0.0.exe
      Filesize

      557.4MB

      MD5

      4109a7f0dd84c4e68f11aa1ad90b359d

      SHA1

      d3c178fa3061a41c3c279238f3d3ea1480671596

      SHA256

      be339a6c3706d4520110736be8c57c19e83c0b0ee097e3ea9b4255c6c6579b26

      SHA512

      465ea8b1849b8cd6abcd2524f9d54472fc62e3f0ef775d17f4e330624bc7f1347cd7c9c7534df7aab8f342681954b57998f7ffc4e0a1c65c56588d7b81b4e782

      Download Submit

    • C:\ProgramData\TemplatesOracle-type0.0.0.0\TemplatesOracle-type0.0.0.0.exe
      Filesize

      537.1MB

      MD5

      8764e6596322457d4611b289e5f36554

      SHA1

      259e6c357ebf44dd776bc05a59e91e2622b3cd1f

      SHA256

      b7b747cd4b9900666086e5dae8460a49a7c8a317676d3e3bec285cf7f5322bf3

      SHA512

      a78826f9a3f3b399d89939622dabd13b34f1e6eaa297565b04f98cfdcc14c793de74535c38a42d012c7a7114acb6d7fab932e5a6eb760a24d511d677ddbcff2b

      Download Submit

    • memory/728-141-0x0000000004EA0000-0x0000000004EAA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/728-138-0x00000000055A0000-0x0000000005B44000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/728-142-0x0000000001100000-0x0000000001110000-memory.dmp

      Filesize

      64KB

      Download

    • memory/728-143-0x0000000001100000-0x0000000001110000-memory.dmp

      Filesize

      64KB

      Download

    • memory/728-144-0x0000000001100000-0x0000000001110000-memory.dmp

      Filesize

      64KB

      Download

    • memory/728-140-0x0000000001100000-0x0000000001110000-memory.dmp

      Filesize

      64KB

      Download

    • memory/728-139-0x0000000004F40000-0x0000000004FD2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/728-133-0x00000000009F0000-0x0000000000D4C000-memory.dmp

      Filesize

      3.4MB

      Download

    • memory/2212-154-0x00007FF795010000-0x00007FF79552F000-memory.dmp

      Filesize

      5.1MB

      Download

    • memory/2212-155-0x00007FF795010000-0x00007FF79552F000-memory.dmp

      Filesize

      5.1MB

      Download

    • memory/2212-156-0x00007FF795010000-0x00007FF79552F000-memory.dmp

      Filesize

      5.1MB

      Download

    • memory/2212-157-0x00007FF795010000-0x00007FF79552F000-memory.dmp

      Filesize

      5.1MB

      Download

    • memory/2212-158-0x00007FF795010000-0x00007FF79552F000-memory.dmp

      Filesize

      5.1MB

      Download

    • memory/2212-159-0x00007FF795010000-0x00007FF79552F000-memory.dmp

      Filesize

      5.1MB

      Download