83713d3fe3357cfbdc0e6746913fa986c4dfa07fcadf277681b2463371145a95

Analysis

max time kernel
130s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2023, 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Clip1.exe
Size

10.2MB
MD5

f46576d61cf2bf484657ce44311b8e78
SHA1

0c5f38f05b8f872b45d52b820758b2505783effb
SHA256

83713d3fe3357cfbdc0e6746913fa986c4dfa07fcadf277681b2463371145a95
SHA512

31b7d9b51b626fc2f6439d82aea1807f90358fa07fd3e730d0904245d29cb0ba9cb7dff6ce8e8945799948437a65a194d8bd95f2134e5e4751f5b9368876a39b
SSDEEP

196608:fn8VwPdQQ7q5KwF2ZN0Rw5BBP2NHiGLFshH+hOA2dymUEY54JGmtOFGQFoA:OwK7xqa2BPwHiGL+hH+8AUymUHmJNfCH

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3064	MicrosoftDesktop-version2.2.1.7.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Run	Clip1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftDesktop-version2.2.1.7 = "C:\\ProgramData\\MicrosoftDesktop-version2.2.1.7\\MicrosoftDesktop-version2.2.1.7.exe"	Clip1.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
408	Clip1.exe
408	Clip1.exe
3064	MicrosoftDesktop-version2.2.1.7.exe
3064	MicrosoftDesktop-version2.2.1.7.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 408 wrote to memory of 3064	408	Clip1.exe	91
PID 408 wrote to memory of 3064	408	Clip1.exe	91
PID 408 wrote to memory of 3064	408	Clip1.exe	91

C:\Users\Admin\AppData\Local\Temp\Clip1.exe
"C:\Users\Admin\AppData\Local\Temp\Clip1.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:408
- C:\ProgramData\MicrosoftDesktop-version2.2.1.7\MicrosoftDesktop-version2.2.1.7.exe
  C:\ProgramData\MicrosoftDesktop-version2.2.1.7\MicrosoftDesktop-version2.2.1.7.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\MicrosoftDesktop-version2.2.1.7\MicrosoftDesktop-version2.2.1.7.exe

Filesize
968.9MB

MD5
7faaf7c014ede47edc6ea403971a7eaa

SHA1
3e809fc832ebd7a7a03b8c6cb79045ea41c1ee5d

SHA256
6aaf6faa3f01d6d27572efc8757f434a58ece250f68f65cbb7eb6a484abfec66

SHA512
58945deecd74648ef8813ad06c6303856e8830486dcf82c63bd10f0a495bf71ef505440edfe3f88fa5cd99d53a2f39aabc8adb96f28f4a3168d92cc73dd82b16

Download Submit
C:\ProgramData\MicrosoftDesktop-version2.2.1.7\MicrosoftDesktop-version2.2.1.7.exe

Filesize
972.0MB

MD5
e600553f0119a6690d4f7584273f3d1d

SHA1
b87ecce472050174afae4f3535c17135fe13594c

SHA256
738dc9d75f7af0d7270b4d2b4fce8888861914a72352174364950e3d204286c6

SHA512
14d17dbac87a23838dabd151bb87dec49b0a2a639f31d894c0f9847aaff6aa5f9eaedd3883e9abb1b8d981067b40a81ca3be087a4fa43c2922ff1e9aba355adb

Download Submit
memory/408-137-0x0000000001DB0000-0x0000000001DB1000-memory.dmp

Filesize
4KB

Download
memory/408-134-0x0000000001D70000-0x0000000001D71000-memory.dmp

Filesize
4KB

Download
memory/408-133-0x0000000001D60000-0x0000000001D61000-memory.dmp

Filesize
4KB

Download
memory/408-138-0x0000000001DC0000-0x0000000001DC1000-memory.dmp

Filesize
4KB

Download
memory/408-139-0x0000000003970000-0x0000000003971000-memory.dmp

Filesize
4KB

Download
memory/408-140-0x00000000005E0000-0x00000000017C1000-memory.dmp

Filesize
17.9MB

Download
memory/408-135-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/408-136-0x0000000001DA0000-0x0000000001DA1000-memory.dmp

Filesize
4KB

Download
memory/3064-148-0x00000000015A0000-0x00000000015A1000-memory.dmp

Filesize
4KB

Download
memory/3064-149-0x00000000015B0000-0x00000000015B1000-memory.dmp

Filesize
4KB

Download
memory/3064-150-0x00000000015C0000-0x00000000015C1000-memory.dmp

Filesize
4KB

Download
memory/3064-151-0x00000000019D0000-0x00000000019D1000-memory.dmp

Filesize
4KB

Download
memory/3064-152-0x00000000019E0000-0x00000000019E1000-memory.dmp

Filesize
4KB

Download
memory/3064-153-0x00000000019F0000-0x00000000019F1000-memory.dmp

Filesize
4KB

Download
memory/3064-154-0x0000000001A00000-0x0000000001A01000-memory.dmp

Filesize
4KB

Download
memory/3064-155-0x00000000002F0000-0x00000000014D1000-memory.dmp

Filesize
17.9MB

Download