Overview

overview

10

Static

static

1

WinDivert.dll

windows10-2004-x64

WinDivert64.exe

windows10-2004-x64

clumsy.exe

windows10-2004-x64

6

config.txt

windows10-2004-x64

6

Sharing

Copy URL
Twitter E-mail

General

  • Target

    clumsy-0.2-win64.zip

  • Size

    329KB

  • Sample

    230403-re4hcsfb88

  • MD5

    c5117edad320930d14d18c1cac2a4ccd

  • SHA1

    f24fdb3a44958483040387625ff1356b5721118b

  • SHA256

    19042ae5e28412a8eb2dc67f4bc3b606ef04cb6f46ef72563f25e41b2bc67609

  • SHA512

    62d63f5227acad5164178b281c808248a1f42675d64960ff5b68c5068e9135b7cec90df6860fea03dd3362355571960cd8a4e9ec9dbde1e3f96ce25610c92f74

  • SSDEEP

    6144:u3x4Pm2PrSSfX1RwVluGaTEDTK0i8Lsjoxc9uvCYL565ZO7mTA1cX7H6TghaIoD:AKmcQ4GaTEDFjLsjoxyYdq2KaTPIy

Score
10/10
discoveryevasionexploitpersistencetrojan

Malware Config

Targets

    • Target

      WinDivert.dll

    • Size

      15KB

    • MD5

      1b1284100327d972e017f565dbecf80e

    • SHA1

      5b4f0c122a80478973eb6f9cb3bbcaf186295aea

    • SHA256

      9444a6e6b66f13f666f9c60d1935824f61c7256e35a8cf0440e29baa7fbe42c7

    • SHA512

      4ccb9e233a3573f6eded0efa8fa54ed929818394cdf2153623d902c749d37751da6f489354aa50968e53d42d5ce339f6368dedb7858a4ff43a1927b4338954a4

    • SSDEEP

      384:EHGiP0PYf9pHuGvATXlQRNq/EbUKxcneWuDlE:E9MQf90GvQXlQvAEcehD

    Score
    10/10
    discoveryevasionexploitpersistencetrojan

    • Modifies WinLogon for persistence

      persistence

    • UAC bypass

      evasiontrojan

    • Disables RegEdit via registry modification

      evasion

    • Disables Task Manager via registry modification

      evasion

    • Downloads MZ/PE file

    • Possible privilege escalation attempt

      exploit

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Modifies file permissions

      discovery

    • Modifies system executable filetype association

      persistence

    • Registers COM server for autorun

      persistence

    • Adds Run key to start application

      persistence

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    behavioral1

    • Target

      WinDivert64.sys

    • Size

      37KB

    • MD5

      3bd5ac2e9d96e680f5dbdd183a58c47d

    • SHA1

      83b08cb5e61c7b37bd710ea01196a26fc8f38610

    • SHA256

      208c092fe77f161c5a313b916d73fa7f6d10dd289bab8bb5dfb3d59aacb27f25

    • SHA512

      6cccd7971f423f72f5dbd01a83a2d27bb2bde63c4d1f5e127d77cfa0df85c289a2c3cd95c110ce38b58b9ea9a49aad18ae50f352ac6b21740d0294f771fbcb78

    • SSDEEP

      768:R5VorUqgJs3/KtdrbYiZdNSRUYjbMUYOUaCdHUZ9fdCrYc:vVorUn9cRUuILLd07fdCU

    Score
    1/10
    behavioral2

    • Target

      clumsy.exe

    • Size

      1.2MB

    • MD5

      ab358e35e579eda05f2dc3d0fff00f6e

    • SHA1

      58bc12198d359d41dd085b716f71421ef6f5258e

    • SHA256

      07eac49eeb0a6d8353d9ea0900850b3fa1f9d20bf70cd422a0832dae500c3bf3

    • SHA512

      2802ac635d41daa5b14522ccb2157017260baf85c494084db1ded6c316fe9cd53c7d1f58affbb1249d259d2b30b7c31823a533281d3d13c45f5355b2866f1436

    • SSDEEP

      12288:5IvPeeTHzsAsdNhuoSUEvIDTCbcwCymt2AbtZLemh01UW2:CvmKHzgNUoSFgDTCWymt2AbLemh01UW2

    Score
    6/10
    persistence
    behavioral3

    • Target

      config.txt

    • Size

      1KB

    • MD5

      7479bd50ac7f2d4da31dc9a6fe4f873d

    • SHA1

      a89661fa7dd3a66f2c1d5e6eb37866c312329b09

    • SHA256

      3946d477154a86781dc9adfc10e18d1c0f3a3bfd214c663cde60fa7b0e00d221

    • SHA512

      3d1f4fb63ca443dacf1383f1cc489efb00e016d6ab1a7e577107be5291e7de5a8445ab9b023ef3677dbb99f22b2687199d430994d3725ed553b6f1baa0adc050

    Score
    6/10
    persistence
    behavioral4

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Change Default File Association

1
T1042

Registry Run Keys / Startup Folder

4
T1060

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Modify Registry

8
T1112

Bypass User Account Control

1
T1088

Disabling Security Tools

1
T1089

File Permissions Modification

1
T1222

Credential Access

Discovery

Query Registry

5
T1012

System Information Discovery

5
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks