81a67b024347c05c9c35d357501b59d849b32ae40d1ee412c53363b2b98b26da

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20/03/2023, 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Crocodile_Clips_v3.5.exe
Size

1.3MB
MD5

1738bb884694d2c595d0bd1264796aa6
SHA1

0ae356644b83fc927dc0a822da166996c9cda704
SHA256

81a67b024347c05c9c35d357501b59d849b32ae40d1ee412c53363b2b98b26da
SHA512

c64025a9c17b9964aaa18ef869ce4767c2ece92b42dd394206f2d7ff23c71920a5211094dfe77e0bff1252f145b94e2a5ab62ed57392248cd808915121e11f13
SSDEEP

24576:/AB74/AQpHosQSBUG4uV3szIHNAljLwW+vT37vkfXCz5zxkB:/AajzBUg3tAljqT3rk6tuB

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1000	CROCCLIP.EXE

Loads dropped DLL 3 IoCs

pid	Process
920	Crocodile_Clips_v3.5.exe
920	Crocodile_Clips_v3.5.exe
1000	CROCCLIP.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main	Crocodile_Clips_v3.5.exe

Modifies registry class 45 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CrocodileClipsCircuit\protocol\StdFileEditing	CROCCLIP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	CROCCLIP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	CROCCLIP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80DE9660-5254-101C-8B9B-365ECD4EAB19}\Verb	CROCCLIP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CrocodileClipsCircuit\shell\open\ddeexec	CROCCLIP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CrocodileClipsCircuit\shell\open\ddeexec\ = "[open(\"%1\")]"	CROCCLIP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ckt	CROCCLIP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CrocodileClipsCircuit\Insertable\	CROCCLIP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CrocodileClipsCircuit\protocol\StdFileEditing\server	CROCCLIP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CrocodileClipsCircuit\protocol\StdFileEditing\server\ = "C:\\ARCHIV~1\\CROCOD~1.5\\CROCCLIP.EXE"	CROCCLIP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80DE9660-5254-101C-8B9B-365ECD4EAB19}\ProgID	CROCCLIP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80DE9660-5254-101C-8B9B-365ECD4EAB19}\ = "Crocodile Clips Design"	CROCCLIP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80DE9660-5254-101C-8B9B-365ECD4EAB19}\MiscStatus	CROCCLIP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80DE9660-5254-101C-8B9B-365ECD4EAB19}\DefaultIcon\ = "C:\\ARCHIV~1\\CROCOD~1.5\\CROCCLIP.EXE,1"	CROCCLIP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CrocodileClipsCircuit\shell	CROCCLIP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CrocodileClipsCircuit\shell\open\command\ = "C:\\ARCHIV~1\\CROCOD~1.5\\CROCCLIP.EXE \"%1\""	CROCCLIP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CrocodileClipsCircuit\Insertable	CROCCLIP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CrocodileClipsCircuit\protocol	CROCCLIP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80DE9660-5254-101C-8B9B-365ECD4EAB19}\InprocHandler32	CROCCLIP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80DE9660-5254-101C-8B9B-365ECD4EAB19}\InprocHandler32\ = "ole32.dll"	CROCCLIP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CrocodileClipsCircuit\protocol\StdFileEditing\verb	CROCCLIP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CrocodileClipsCircuit\protocol\StdFileEditing\verb\0\ = "&Edit"	CROCCLIP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80DE9660-5254-101C-8B9B-365ECD4EAB19}\AuxUserType\3	CROCCLIP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CrocodileClipsCircuit\CLSID	CROCCLIP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CrocodileClipsCircuit	CROCCLIP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CrocodileClipsCircuit\shell\open	CROCCLIP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80DE9660-5254-101C-8B9B-365ECD4EAB19}\ProgID\ = "CrocodileClipsCircuit"	CROCCLIP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80DE9660-5254-101C-8B9B-365ECD4EAB19}\LocalServer32\ = "C:\\ARCHIV~1\\CROCOD~1.5\\CROCCLIP.EXE"	CROCCLIP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80DE9660-5254-101C-8B9B-365ECD4EAB19}\DefaultIcon	CROCCLIP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80DE9660-5254-101C-8B9B-365ECD4EAB19}	CROCCLIP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80DE9660-5254-101C-8B9B-365ECD4EAB19}\Verb\0\ = "&Edit,0,2"	CROCCLIP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80DE9660-5254-101C-8B9B-365ECD4EAB19}\MiscStatus\ = "32"	CROCCLIP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80DE9660-5254-101C-8B9B-365ECD4EAB19}\LocalServer32	CROCCLIP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80DE9660-5254-101C-8B9B-365ECD4EAB19}\Insertable	CROCCLIP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80DE9660-5254-101C-8B9B-365ECD4EAB19}\Insertable\	CROCCLIP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CrocodileClipsCircuit\ = "Crocodile Clips Design"	CROCCLIP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CrocodileClipsCircuit\shell\open\command	CROCCLIP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CrocodileClipsCircuit\protocol\StdFileEditing\verb\0	CROCCLIP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80DE9660-5254-101C-8B9B-365ECD4EAB19}\Verb\0	CROCCLIP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80DE9660-5254-101C-8B9B-365ECD4EAB19}\AuxUserType\3\ = "Crocodile Clips"	CROCCLIP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CrocodileClipsCircuit\CLSID\ = "{80DE9660-5254-101C-8B9B-365ECD4EAB19}"	CROCCLIP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ckt\ = "CrocodileClipsCircuit"	CROCCLIP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80DE9660-5254-101C-8B9B-365ECD4EAB19}\AuxUserType\2	CROCCLIP.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80DE9660-5254-101C-8B9B-365ECD4EAB19}\AuxUserType	CROCCLIP.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80DE9660-5254-101C-8B9B-365ECD4EAB19}\AuxUserType\2\ = "Design"	CROCCLIP.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	920	Crocodile_Clips_v3.5.exe
Token: SeBackupPrivilege	920	Crocodile_Clips_v3.5.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
920	Crocodile_Clips_v3.5.exe
920	Crocodile_Clips_v3.5.exe
1000	CROCCLIP.EXE
1000	CROCCLIP.EXE
1000	CROCCLIP.EXE

C:\Users\Admin\AppData\Local\Temp\Crocodile_Clips_v3.5.exe
"C:\Users\Admin\AppData\Local\Temp\Crocodile_Clips_v3.5.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:920

C:\Archivos de programa\Crocodile Clips v3.5\CROCCLIP.EXE
"C:\Archivos de programa\Crocodile Clips v3.5\CROCCLIP.EXE"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1000

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x564
1⤵
PID:1736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ARCHIV~1\CROCOD~1.5\CROCCLIP.EXE

Filesize
2.4MB

MD5
9234901336735ec327aff7e04a1bf9ab

SHA1
329c26e810fd2a78c41ca4babf5231a4d09e1f91

SHA256
020b7ab16dff9fb744ba3ffea93e724c1e2dc3855c29323aaa924d4cbc81c4d2

SHA512
5c9ea797ffb3bef3a79c1461b364983178d101bf8522a62552d92c8f6ae208fcccad8f2dce045d193454da72fce36e5035bc8f617eb948d056c7af98c44f33a0

Download Submit
C:\Archivos de programa\Crocodile Clips v3.5\CROCCLIP.EXE

Filesize
2.4MB

MD5
9234901336735ec327aff7e04a1bf9ab

SHA1
329c26e810fd2a78c41ca4babf5231a4d09e1f91

SHA256
020b7ab16dff9fb744ba3ffea93e724c1e2dc3855c29323aaa924d4cbc81c4d2

SHA512
5c9ea797ffb3bef3a79c1461b364983178d101bf8522a62552d92c8f6ae208fcccad8f2dce045d193454da72fce36e5035bc8f617eb948d056c7af98c44f33a0

Download Submit
C:\Archivos de programa\Crocodile Clips v3.5\CROCCLIP.EXE

Filesize
2.4MB

MD5
9234901336735ec327aff7e04a1bf9ab

SHA1
329c26e810fd2a78c41ca4babf5231a4d09e1f91

SHA256
020b7ab16dff9fb744ba3ffea93e724c1e2dc3855c29323aaa924d4cbc81c4d2

SHA512
5c9ea797ffb3bef3a79c1461b364983178d101bf8522a62552d92c8f6ae208fcccad8f2dce045d193454da72fce36e5035bc8f617eb948d056c7af98c44f33a0

Download Submit
\Archivos de programa\Crocodile Clips v3.5\CROCCLIP.EXE

Filesize
2.4MB

MD5
9234901336735ec327aff7e04a1bf9ab

SHA1
329c26e810fd2a78c41ca4babf5231a4d09e1f91

SHA256
020b7ab16dff9fb744ba3ffea93e724c1e2dc3855c29323aaa924d4cbc81c4d2

SHA512
5c9ea797ffb3bef3a79c1461b364983178d101bf8522a62552d92c8f6ae208fcccad8f2dce045d193454da72fce36e5035bc8f617eb948d056c7af98c44f33a0

Download Submit
\Archivos de programa\Crocodile Clips v3.5\CROCCLIP.EXE

Filesize
2.4MB

MD5
9234901336735ec327aff7e04a1bf9ab

SHA1
329c26e810fd2a78c41ca4babf5231a4d09e1f91

SHA256
020b7ab16dff9fb744ba3ffea93e724c1e2dc3855c29323aaa924d4cbc81c4d2

SHA512
5c9ea797ffb3bef3a79c1461b364983178d101bf8522a62552d92c8f6ae208fcccad8f2dce045d193454da72fce36e5035bc8f617eb948d056c7af98c44f33a0

Download Submit
\Archivos de programa\Crocodile Clips v3.5\CROCCLIP.EXE

Filesize
2.4MB

MD5
9234901336735ec327aff7e04a1bf9ab

SHA1
329c26e810fd2a78c41ca4babf5231a4d09e1f91

SHA256
020b7ab16dff9fb744ba3ffea93e724c1e2dc3855c29323aaa924d4cbc81c4d2

SHA512
5c9ea797ffb3bef3a79c1461b364983178d101bf8522a62552d92c8f6ae208fcccad8f2dce045d193454da72fce36e5035bc8f617eb948d056c7af98c44f33a0

Download Submit
memory/920-425-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download