36dcd2ee12fc585d12a83d2687546a3087b4b891bf7ad6deaee184b9eb2d5eb7

General

Target

clipx-1.0.3.8-installer_CYph-n1.exe
Size

1.7MB
MD5

5e490e1188b03b411e941b88be7388e0
SHA1

9767343dcc68a8d2c591a648f452593c2cc1bd0f
SHA256

c484600d6a850d0e45cc5b17bb5cd9ed9b95245aa707f2c0001d107411e248de
SHA512

e29e0aefc31ee1e706301d5ba21772358644888b51643dc69457696beff0ae0da71905610a3a8aebdf1289fc98ecb74fc0d71baa06948a62216e2b434c4af12e
SSDEEP

24576:27FUDowAyrTVE3U5FmzVRKuPaJPfrT90eKc4cgFLNPfs8duMpmsDq:2BuZrEUgRKuwPH9RHgFLRdp/O

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1692	clipx-1.0.3.8-installer_CYph-n1.tmp

Loads dropped DLL 1 IoCs

pid	Process
848	clipx-1.0.3.8-installer_CYph-n1.exe

Modifies system certificate store 2 TTPs 4 IoCs

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	clipx-1.0.3.8-installer_CYph-n1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	clipx-1.0.3.8-installer_CYph-n1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	clipx-1.0.3.8-installer_CYph-n1.tmp
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	clipx-1.0.3.8-installer_CYph-n1.tmp

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1692	clipx-1.0.3.8-installer_CYph-n1.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 1692	848	clipx-1.0.3.8-installer_CYph-n1.exe	28
PID 848 wrote to memory of 1692	848	clipx-1.0.3.8-installer_CYph-n1.exe	28
PID 848 wrote to memory of 1692	848	clipx-1.0.3.8-installer_CYph-n1.exe	28
PID 848 wrote to memory of 1692	848	clipx-1.0.3.8-installer_CYph-n1.exe	28
PID 848 wrote to memory of 1692	848	clipx-1.0.3.8-installer_CYph-n1.exe	28
PID 848 wrote to memory of 1692	848	clipx-1.0.3.8-installer_CYph-n1.exe	28
PID 848 wrote to memory of 1692	848	clipx-1.0.3.8-installer_CYph-n1.exe	28

C:\Users\Admin\AppData\Local\Temp\clipx-1.0.3.8-installer_CYph-n1.exe
"C:\Users\Admin\AppData\Local\Temp\clipx-1.0.3.8-installer_CYph-n1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:848
- C:\Users\Admin\AppData\Local\Temp\is-SSTEH.tmp\clipx-1.0.3.8-installer_CYph-n1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-SSTEH.tmp\clipx-1.0.3.8-installer_CYph-n1.tmp" /SL5="$70122,875199,832512,C:\Users\Admin\AppData\Local\Temp\clipx-1.0.3.8-installer_CYph-n1.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
027679d5ac65d28b5eebac83ff947f37

SHA1
bec05f9653cca84ab42a90ffa5465c39f734d2bf

SHA256
6f7c61348f0285d885be39019ce0f301e2c2090bb7adce806365320d4fea5e2d

SHA512
e131f0ea2b155154b0fc42c2327b95265465e46571070dc90ff98e3d078f9b086785fa10d9a1fcd748bfb404459477b31e7f50735618dadd87a1fec8b0742b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar327E.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SSTEH.tmp\clipx-1.0.3.8-installer_CYph-n1.tmp

Filesize
3.0MB

MD5
e6c28eb71e3839115f44acbe4ab73729

SHA1
31a66495aa276692f5391a282122d60cd1cbeca0

SHA256
fe883c092e139f2a83c19ad272096b5f16b3794da9d7b1e9401216aebf079399

SHA512
aca216c42ee01d38e2df45df49fe9e0e8ba9e3366b3d3111a064db145277e4fded5ffe9ad12a45be5734fa0cf5c7272f6e4955b70f05cd5b2227ecd875ce2663

Download Submit
\Users\Admin\AppData\Local\Temp\is-SSTEH.tmp\clipx-1.0.3.8-installer_CYph-n1.tmp

Filesize
3.0MB

MD5
e6c28eb71e3839115f44acbe4ab73729

SHA1
31a66495aa276692f5391a282122d60cd1cbeca0

SHA256
fe883c092e139f2a83c19ad272096b5f16b3794da9d7b1e9401216aebf079399

SHA512
aca216c42ee01d38e2df45df49fe9e0e8ba9e3366b3d3111a064db145277e4fded5ffe9ad12a45be5734fa0cf5c7272f6e4955b70f05cd5b2227ecd875ce2663

Download Submit
memory/848-54-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/848-186-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1692-61-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1692-187-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/1692-188-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1692-190-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing