Overview

overview

10

Static

static

1

ClipPlusCo...up.msi

windows7-x64

7

ClipPlusCo...up.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    9s
  • max time network
    10s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    01-02-2024 03:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ClipPlusCommunitySetup.msi

  • Size

    17.1MB

  • MD5

    eb64b1dbb38961bdb4c0f4b724b1ed3d

  • SHA1

    a375bc847388cdddc6cffd57dc7f0c3d6be72cdf

  • SHA256

    cf5d6c68811f37d9ae1a9cc62abc1987fdd8900d271fdaa01d4a84853d7db10d

  • SHA512

    5c56b478f88002e10b3bea6ed2151a8e89e1693270effaa6ded943b1325b0d1e1a4aa9fa66fd8b372f70da86feab6cee781518bb50514dfb341a9767a01d36a7

  • SSDEEP

    393216:QnEbwdw5PBbXDqPiHNTS3ByWhGhz3iQw0FHufQMfh1GD6QGhNgqx9OPNQNI62vho:pbwdwnBtcFhG1w0MVZ1GD6QGhNpwsIne

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 10 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ClipPlusCommunitySetup.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1752
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2252
    • C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe
      "C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe"
      2⤵
      • Executes dropped EXE
      PID:2336
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2300
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003A4" "00000000000005B4"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2452

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\f762f8b.rbs
    Filesize

    12KB

    MD5

    887d72d4d8c100149f9289c1409634d3

    SHA1

    133b55db661cd47e2ac96172208797554e6e795d

    SHA256

    719471bd38fded54efe7f234d8bc7fecf19753ea7e7d56c9d1df8de4802de509

    SHA512

    fc9da272485b9b078b69914bb0d3758073e09aa0a43cb2b73df27260405bb65a6349ea7928c7b2fda0a19e458830ae2e192ff651efb5c4af67595e8f41ca6734

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    762e389f1d67ca38d7c3aafdd25af6aa

    SHA1

    7f9cec8349d6651e8971fdb41f7fa2fa3699d24e

    SHA256

    5524b8c15e07488ed79954acb87559fac8effccfadb095a251de26e71a8328ed

    SHA512

    43dc6aeb09f1941aa0124c078b521eee95456d8d18b25cc551a09b217109e2d59139395c352e7696055d732bda3f719ce83d3e21da8562e6dd1f39fd44dde933

    Download Submit
  • C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bass.dll
    Filesize

    135KB

    MD5

    8e58fcc0672a66c827c6f90fa4b58538

    SHA1

    3e807dfd27259ae7548692a05af4fe54f8dd32ed

    SHA256

    6e1bf8ea63f9923687709f4e2f0dac7ff558b2ab923e8c8aa147384746e05b1d

    SHA512

    0e9faf457a278ad4c5dd171f65c24f6a027696d931a9a2a2edd4e467da8b8a9e4ab3b1fd2d758f5744bf84bece88c046cda5f7e4204bead14d7c36a46702b768

    Download Submit
  • C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bass_vst.dll
    Filesize

    27KB

    MD5

    5efb2702c0b3d8eeac563372a33a6ed0

    SHA1

    c7f969ea2e53b1bd5dbeba7dd56bff0cc4c9ea99

    SHA256

    40545a369fa7b72d23a58050d32dc524b6905e9b0229719022dbda0d2fa8765b

    SHA512

    8119526f8573ea6e5bed16a57d56084260afee511c9aad3d542388a783548e5b32ed8fb568d5b97deed791162bcd5577fcc3c76abf4d147ea13bea5c2a6ea794

    Download Submit
  • C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_opus.dll
    Filesize

    99KB

    MD5

    26f75c4dd4a8a7c98f0d76aa6b2522af

    SHA1

    4e45cd0e91334b56fb0a1e29e2b5922b828b9127

    SHA256

    587492c53f4b61403f39996d5676092feb4cc340b6455fd947484398bed8a02f

    SHA512

    e3e19781ceafa2aeea8bfe9aa8eb5b764557b583cbc9ae38e7639e65c7889c642af356e7e6c26f72f4fe4282858f770d99af04e1aa953e1fcc07379f81b1fac6

    Download Submit
  • C:\Users\Admin\AppData\Local\Programs\Clip Plus Community\dsw.exe
    Filesize

    768KB

    MD5

    490ffe88b9b87b90f50e41c8fa72f68d

    SHA1

    2e9d2f448db6593bf27b4a71cccb156a4758f683

    SHA256

    a783de929d2442aeabce2d6ca55d0a14b7e72200502826080307937b1d218ce4

    SHA512

    1a07103aff0da5fb3e91e93921bcfeaae264be5de859fc0f7a4eabe31c9f49b35b759eb78bd6bdcba3596f849587a15f376301b623f88481ecd19ad86f0dc10e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Cab1335.tmp
    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Tar13E3.tmp
    Filesize

    171KB

    MD5

    9c0c641c06238516f27941aa1166d427

    SHA1

    64cd549fb8cf014fcd9312aa7a5b023847b6c977

    SHA256

    4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

    SHA512

    936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

    Download Submit
  • C:\Windows\Installer\f762f89.msi
    Filesize

    832KB

    MD5

    289098e37d2bd3d1ec3a89eb4967fe49

    SHA1

    99a58b3fad8889582177379e7c657ef1d48965ea

    SHA256

    8fd8406fd678a8bc3c22c10bb6d51a6b599c9a57090c3fcdc071c32a8a60c544

    SHA512

    ede816228a73681903bdf8ef3a1437ac56c80795d559a62336094877748a63027ed797d7c4b9ddf67f4abe433b7ee1de5f93e31dc467f610416449a0d1b48eb5

    Download Submit
  • \Users\Admin\AppData\Local\Programs\Clip Plus Community\SampleDisplay.dll
    Filesize

    64KB

    MD5

    34cce64d0c4656a98af9aa032f435dda

    SHA1

    60ce5f40533e156c715c5ae25c276a81304ee50d

    SHA256

    23fd95fcd2e6c9f4fbbf2a800516d432fb101f2a084dc018486b926dbfef8629

    SHA512

    cbdb3497b5d4dcf3709005c523ec1b7605ed0c835e4faade4e5de34efb849b0b43d2408b47b7000e20ef06982959b69efd0f5d905e4bed2ddfeabf7a1ca15986

    Download Submit
  • \Users\Admin\AppData\Local\Programs\Clip Plus Community\bass.dll
    Filesize

    126KB

    MD5

    861e5ce2570714f160bd7a1c589ce76b

    SHA1

    32abb50bca2afe681ec37a1e11692e6c81c6f8ed

    SHA256

    ce51320f7fd9c31ced6c791800937bb261f1e1995a348dc3120781ddd96c623f

    SHA512

    6edcb4367342377cd56c1ea13cd184fd03795462dd8f1bc050162b58fdc22f04bf1b54985c1a7cd7562ca286ed21c0530a3007ea2d7134b4d98bc67b52d77503

    Download Submit
  • \Users\Admin\AppData\Local\Programs\Clip Plus Community\bass_fx.dll
    Filesize

    67KB

    MD5

    d8ccb4b8235f31a3c73485fde18b0187

    SHA1

    723bd0f39b32aff806a7651ebc0cdbcea494c57e

    SHA256

    7bc733acc1d2b89e5a6546f4ebc321b1c2370e42354ea415bc5fcc6807275eba

    SHA512

    8edafd699f9fbec0db334b9bc96a73a9196895120f3406fff28406fd0565415ac98665c9837a5b1e0c5027162ff26bf3a316ecda6a0b51d92eb5d7002b814713

    Download Submit
  • \Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc.dll
    Filesize

    31KB

    MD5

    a6f27196423a3d1c0caa4a0caf98893a

    SHA1

    58b97697fa349b40071df4272b4efbd1dd295595

    SHA256

    d3b9e4646f7b1cb9123914313cec23ec804bd81c4ff8b09b43c2cde5ee3e4222

    SHA512

    0a84cf847b80b0c2e6df9274a4199db8559757781faec508cd8999bea2c8fb5cd9bed1698144b82b86b2c6938fa8006c482a09c1b46d6bb8d2a2648a2011dea0

    Download Submit
  • \Users\Admin\AppData\Local\Programs\Clip Plus Community\bassenc_opus.dll
    Filesize

    64KB

    MD5

    0bace2cd6cf0710216276a20e6ba3227

    SHA1

    b2174c6deff11dbe833e7d7e0980006fdfadd03d

    SHA256

    fd71c3a4650d2227ce4e07619fb812e4e0213c33284ac081750767ed0a9b644a

    SHA512

    8a6f207326b82bbd1d002e58e485932f0128f6f196e8ae21308296aa65d7c49c85dc4658509747a396677ba1e0c57abead5d326ecd3e74e67e860473970dac56

    Download Submit
  • \Users\Admin\AppData\Local\Programs\Clip Plus Community\basswasapi.dll
    Filesize

    21KB

    MD5

    cdfbe254cc64959fc0fc1200f41f34c0

    SHA1

    4e0919a8a5c4b23441e51965eaaa77f485584c01

    SHA256

    9513129c0bb417698a60c5e4dd232963605d1c84e01b9f883f63d03b453173a9

    SHA512

    63704a7a4d0cd8b53972e29fcbee71f2c3eb86a0411f90fc8375e67cb4b3bddb36c753f3f5b113c3ca333c381f86a19e2168218cc2074f05ad1143bc118cd610

    Download Submit