cd2e9ceda23c8eff5f5e5483fa8817066c46623f3a5b37c168d2a31f28329734

Analysis

max time kernel
140s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09/01/2024, 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

winclearup2.0.6.0612.exe
Size

1.0MB
MD5

11aed657ecc10a863c8da86be8d46ba0
SHA1

dd2a85baf820ace322603d16ecf2267d7a2e6523
SHA256

4dab8e9083aa99e3c2a8032aa21517a2d6f9d198b40e2a288c95d2cf4b4a7d60
SHA512

9b8069045a8f99f247bafba93a379edc247ac83226dded581959f594e75856cb7c2ca7b9dc8bcc3a378d404f7afd8bb4e655adb7ae7583bd617f8c4227cd62fd
SSDEEP

24576:7I39d0E5C8RK/ijLv7tKsfL/vKuGvm9zEwA/LKBJhsR5WhgebVKo0Ld8:76dv0oK/8z7hfzvK4tcKBxVbv4e

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2344	is-M7BO0.tmp

Loads dropped DLL 3 IoCs

pid	Process
2488	winclearup2.0.6.0612.exe
2344	is-M7BO0.tmp
2344	is-M7BO0.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2344	is-M7BO0.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2344	2488	winclearup2.0.6.0612.exe	28
PID 2488 wrote to memory of 2344	2488	winclearup2.0.6.0612.exe	28
PID 2488 wrote to memory of 2344	2488	winclearup2.0.6.0612.exe	28
PID 2488 wrote to memory of 2344	2488	winclearup2.0.6.0612.exe	28
PID 2488 wrote to memory of 2344	2488	winclearup2.0.6.0612.exe	28
PID 2488 wrote to memory of 2344	2488	winclearup2.0.6.0612.exe	28
PID 2488 wrote to memory of 2344	2488	winclearup2.0.6.0612.exe	28

C:\Users\Admin\AppData\Local\Temp\winclearup2.0.6.0612.exe
"C:\Users\Admin\AppData\Local\Temp\winclearup2.0.6.0612.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\is-ST3KL.tmp\is-M7BO0.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-ST3KL.tmp\is-M7BO0.tmp" /SL4 $40016 "C:\Users\Admin\AppData\Local\Temp\winclearup2.0.6.0612.exe" 842181 52224
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-ST3KL.tmp\is-M7BO0.tmp

Filesize
402KB

MD5
c735073c02944aeb749d654bd9264b6a

SHA1
235cde5c388a6e58e2a2c50521cae80031fcedc3

SHA256
8cb69f0ac412b68a4da40cffb3c24892f15efb1f69c4149730cd580c9cb25f05

SHA512
b37c1942bbab3dc24d5955cb8ce4741873e868ab5d2f7a8cdfd6c9495fc8058f2e518d5537060ee3e38b424fd4e956734796737b5b8454d6e805310d5835bceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ST3KL.tmp\is-M7BO0.tmp

Filesize
256KB

MD5
f24f2f5a069731a69763d53cbb8ef24f

SHA1
7ef82b005b6b53b066077a8072fc36cf82d2ba56

SHA256
0340ec4172da313555e891dc25c3e7c2226eddfeaef75bbb28b44e3cfef4f5d3

SHA512
d8a85aac1e2bb403e265a02eb7754aaf40ca67bd7a4d79dfe587d1ffe40562f58cf407aefce7510d9d8b2e1902a9a3be1b57ff0e556e3f6cdfb243eabad1baea

Download Submit
\Users\Admin\AppData\Local\Temp\is-R9JS9.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-ST3KL.tmp\is-M7BO0.tmp

Filesize
647KB

MD5
b683339ce008e97a0243a0f83bca1e09

SHA1
a8a4c078225ec9d94912762bda3a745d83dbe8f4

SHA256
5c6b8a1ab73cd03140040a3093e0d8466c666cd3fe17e8660dbc1a30d0b6f925

SHA512
c39b2501f5887c363633c94b04d58396a0d285ff65963ed513e99ff2dd7f36da323904278c6a64b9f1f637aaeed17e3d9d40540baa9805369cc664a32c62c780

Download Submit
memory/2344-17-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2488-1-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2488-16-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download