1bceaf4f262ef3c132b824d2ac4727b33b113b974665015ccd265e347dba02e2

Analysis

max time kernel
16s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2023, 14:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

clp2.exe
Size

7.1MB
MD5

5e1dac9feac98acbe6fd54766f3d1d1e
SHA1

cec1b04e2440a2f90e6d77ad77518dda1e7be404
SHA256

1bceaf4f262ef3c132b824d2ac4727b33b113b974665015ccd265e347dba02e2
SHA512

89b5e7c3604291807a5883cfe85027cef12f92ca429af5f648c0a564cbcfbe03123be6882ab6937d1386431e5ae25123b9866592bc2733654e4500f55796c3f2
SSDEEP

98304:xIZc7bvM1hiOh6lj5PXm6hC59xph1avNQHbsNhILM5WdN3SzK9zu:xI6/Ohhh6lY6I5phIvNQCILM5WLC+9C

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3636	TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-DPX42.8.0.8.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows\CurrentVersion\Run	clp2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-DPX42.8.0.8 = "C:\\ProgramData\\TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-DPX42.8.0.8\\TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-DPX42.8.0.8.exe"	clp2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 3636	1916	clp2.exe	84
PID 1916 wrote to memory of 3636	1916	clp2.exe	84

C:\Users\Admin\AppData\Local\Temp\clp2.exe
"C:\Users\Admin\AppData\Local\Temp\clp2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1916
- C:\ProgramData\TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-DPX42.8.0.8\TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-DPX42.8.0.8.exe
  C:\ProgramData\TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-DPX42.8.0.8\TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-DPX42.8.0.8.exe
  2⤵
  - Executes dropped EXE
  PID:3636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-DPX42.8.0.8\TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-DPX42.8.0.8.exe

Filesize
117.8MB

MD5
42754fe1db3bd8eea748b4aba5a5c097

SHA1
5b41a7f7e8c71e4fab439ab2ef2b307108764c85

SHA256
2775b2e96b22c6660bf56cc8f2783f443520f72436d724223ef1fde8d9f0ebd3

SHA512
108b8a616f14fa2a539eaad5e7177d3b81c66937346e344be8502f0f7988d8c34a7e10117a8f45cd1e03fda1b1552e1dccc5599b8a7e3f80db79b70d0b6c03ab

Download Submit
C:\ProgramData\TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-DPX42.8.0.8\TemplatesMozilla-1de4eec8-1241-4177-a864-e594e8d1fb38-DPX42.8.0.8.exe

Filesize
117.2MB

MD5
dc44b0299dcae5ceadc5a26cdb91507f

SHA1
c23990fcdd46897e0f20d111af53a668af0495e1

SHA256
77287f56743e4307bf570d14291924a1ee8a24436b59f82a212e815b113fd056

SHA512
8381becbbf952819fefb74d5fae879a02415eaca5412797fef6eb9def9e5a6200f2711fdeaa4c4db426f6aa29c62f73927714feda6bde3404626cc188d824d33

Download Submit
memory/1916-133-0x00007FF683030000-0x00007FF68374E000-memory.dmp

Filesize
7.1MB

Download
memory/3636-138-0x00007FF785650000-0x00007FF785D6E000-memory.dmp

Filesize
7.1MB

Download