1bceaf4f262ef3c132b824d2ac4727b33b113b974665015ccd265e347dba02e2

Analysis

max time kernel
70s
max time network
31s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
25-05-2023 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

clp2.exe
Size

7.1MB
MD5

5e1dac9feac98acbe6fd54766f3d1d1e
SHA1

cec1b04e2440a2f90e6d77ad77518dda1e7be404
SHA256

1bceaf4f262ef3c132b824d2ac4727b33b113b974665015ccd265e347dba02e2
SHA512

89b5e7c3604291807a5883cfe85027cef12f92ca429af5f648c0a564cbcfbe03123be6882ab6937d1386431e5ae25123b9866592bc2733654e4500f55796c3f2
SSDEEP

98304:xIZc7bvM1hiOh6lj5PXm6hC59xph1avNQHbsNhILM5WdN3SzK9zu:xI6/Ohhh6lY6I5phIvNQCILM5WLC+9C

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2020	TemplatesMicrosoft-DPX43.5.8.4.exe

Loads dropped DLL 1 IoCs

pid	Process
1148	clp2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run	clp2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Windows\CurrentVersion\Run\TemplatesMicrosoft-DPX43.5.8.4 = "C:\\ProgramData\\TemplatesMicrosoft-DPX43.5.8.4\\TemplatesMicrosoft-DPX43.5.8.4.exe"	clp2.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 2020	1148	clp2.exe	28
PID 1148 wrote to memory of 2020	1148	clp2.exe	28
PID 1148 wrote to memory of 2020	1148	clp2.exe	28

C:\Users\Admin\AppData\Local\Temp\clp2.exe
"C:\Users\Admin\AppData\Local\Temp\clp2.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1148
- C:\ProgramData\TemplatesMicrosoft-DPX43.5.8.4\TemplatesMicrosoft-DPX43.5.8.4.exe
  C:\ProgramData\TemplatesMicrosoft-DPX43.5.8.4\TemplatesMicrosoft-DPX43.5.8.4.exe
  2⤵
  - Executes dropped EXE
  PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TemplatesMicrosoft-DPX43.5.8.4\TemplatesMicrosoft-DPX43.5.8.4.exe

Filesize
757.1MB

MD5
a5b74ec7797837c58a6c7c4832c7f095

SHA1
f47be4d0ac00802c34bbd2e9de63e2d0e38ddb47

SHA256
57a1085e1628454f3c3f2ae8ebda4741ed3ff939a63ba0059582d64e6a43c894

SHA512
9e54bb01d7bb5ba0fb842082105fb827f6aa74c403387a4919f5c00330e67d29aaad996064f37993d5a116d8b4e7a41d58277ea5e38103f8918955ef6b1d9e66

Download Submit
\ProgramData\TemplatesMicrosoft-DPX43.5.8.4\TemplatesMicrosoft-DPX43.5.8.4.exe

Filesize
757.1MB

MD5
a5b74ec7797837c58a6c7c4832c7f095

SHA1
f47be4d0ac00802c34bbd2e9de63e2d0e38ddb47

SHA256
57a1085e1628454f3c3f2ae8ebda4741ed3ff939a63ba0059582d64e6a43c894

SHA512
9e54bb01d7bb5ba0fb842082105fb827f6aa74c403387a4919f5c00330e67d29aaad996064f37993d5a116d8b4e7a41d58277ea5e38103f8918955ef6b1d9e66

Download Submit
memory/1148-54-0x000000013FF40000-0x000000014065E000-memory.dmp

Filesize
7.1MB

Download
memory/2020-59-0x000000013FBF0000-0x000000014030E000-memory.dmp

Filesize
7.1MB

Download