Malware Analysis Report

2025-08-06 00:05

Sample ID 240223-n4kvrsfe2w
Target clearplaytube_eu_1121.exe
SHA256 4e33a786d312df1b6977fef14c66e9780c33c0deadb1e4c771f4380febefb002
Tags
discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

4e33a786d312df1b6977fef14c66e9780c33c0deadb1e4c771f4380febefb002

Threat Level: Shows suspicious behavior

The file clearplaytube_eu_1121.exe was found to show suspicious behavior.

Malicious Activity Summary

discovery

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Drops file in System32 directory

Drops file in Program Files directory

Kills process with taskkill

Script User-Agent

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-23 11:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-23 11:57

Reported

2024-02-23 12:02

Platform

win7-20240221-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\clearplaytube_eu_1121.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-3E6GS.tmp\clearplaytube_eu_1121.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\clearplaytube_eu_1121.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\clearplaytube_eu_1121.exe

"C:\Users\Admin\AppData\Local\Temp\clearplaytube_eu_1121.exe"

C:\Users\Admin\AppData\Local\Temp\is-3E6GS.tmp\clearplaytube_eu_1121.tmp

"C:\Users\Admin\AppData\Local\Temp\is-3E6GS.tmp\clearplaytube_eu_1121.tmp" /SL5="$50152,3757788,1102336,C:\Users\Admin\AppData\Local\Temp\clearplaytube_eu_1121.exe"

Network

N/A

Files

memory/2200-0-0x0000000000400000-0x000000000051A000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-3E6GS.tmp\clearplaytube_eu_1121.tmp

MD5 eecede149990d5e0f606bceb308f8786
SHA1 f443401c4be2cf50f34a5823146c7754a3834a8c
SHA256 99a3a28c9b44afa86f8d7dc8a374f855c6a7d8b932e2512e4f7ebc72da95343a
SHA512 2a8ecaf9f493074d05b90362e57d920f2f06a2f5f86381839adae6ca4fec271c4dcf67fe479ad488d0c82455d34fef157071806cd1c1ab330baa51bf40a28046

memory/2764-7-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2764-10-0x0000000000400000-0x000000000075E000-memory.dmp

memory/2200-12-0x0000000000400000-0x000000000051A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-23 11:57

Reported

2024-02-23 12:03

Platform

win10v2004-20240221-en

Max time kernel

324s

Max time network

330s

Command Line

"C:\Users\Admin\AppData\Local\Temp\clearplaytube_eu_1121.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-TR97L.tmp\clearplaytube_eu_1121.tmp N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\shlwapi_p.dll C:\Users\Admin\AppData\Local\Temp\is-TR97L.tmp\clearplaytube_eu_1121.tmp N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\Application\dlls\dlls.manifest C:\Users\Admin\AppData\Local\Temp\is-TR97L.tmp\clearplaytube_eu_1121.tmp N/A
File created C:\Program Files\Google\Chrome\Application\dlls\Shlwapi.dll C:\Users\Admin\AppData\Local\Temp\is-TR97L.tmp\clearplaytube_eu_1121.tmp N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\Extensions\app.crx C:\Users\Admin\AppData\Local\Temp\is-TR97L.tmp\clearplaytube_eu_1121.tmp N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\Extensions\updates.xml C:\Users\Admin\AppData\Local\Temp\is-TR97L.tmp\clearplaytube_eu_1121.tmp N/A
File created C:\Program Files\Clear Play Tube\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-TR97L.tmp\clearplaytube_eu_1121.tmp N/A
File created C:\Program Files\Clear Play Tube\is-DIOT5.tmp C:\Users\Admin\AppData\Local\Temp\is-TR97L.tmp\clearplaytube_eu_1121.tmp N/A
File opened for modification C:\Program Files\Clear Play Tube\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-TR97L.tmp\clearplaytube_eu_1121.tmp N/A
File created C:\Program Files\Google\Chrome\Application\chrome.exe.manifest C:\Users\Admin\AppData\Local\Temp\is-TR97L.tmp\clearplaytube_eu_1121.tmp N/A
File opened for modification C:\Program Files\Google\Chrome\Application\dlls\dlls.manifest C:\Users\Admin\AppData\Local\Temp\is-TR97L.tmp\clearplaytube_eu_1121.tmp N/A
File created C:\Program Files\Google\Chrome\Application\Extensions\app.crx C:\Users\Admin\AppData\Local\Temp\is-TR97L.tmp\clearplaytube_eu_1121.tmp N/A
File created C:\Program Files\Google\Chrome\Application\Extensions\updates.xml C:\Users\Admin\AppData\Local\Temp\is-TR97L.tmp\clearplaytube_eu_1121.tmp N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-TR97L.tmp\clearplaytube_eu_1121.tmp N/A

Processes

C:\Users\Admin\AppData\Local\Temp\clearplaytube_eu_1121.exe

"C:\Users\Admin\AppData\Local\Temp\clearplaytube_eu_1121.exe"

C:\Users\Admin\AppData\Local\Temp\is-TR97L.tmp\clearplaytube_eu_1121.tmp

"C:\Users\Admin\AppData\Local\Temp\is-TR97L.tmp\clearplaytube_eu_1121.tmp" /SL5="$E004E,3757788,1102336,C:\Users\Admin\AppData\Local\Temp\clearplaytube_eu_1121.exe"

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /f /im "msedge.exe"

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /f /im "chrome.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 browsebooster.com udp
US 167.71.161.167:443 browsebooster.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 167.161.71.167.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 193.78.101.95.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 200.178.17.96.in-addr.arpa udp
US 167.71.161.167:443 browsebooster.com tcp

Files

memory/4940-0-0x0000000000400000-0x000000000051A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-TR97L.tmp\clearplaytube_eu_1121.tmp

MD5 eecede149990d5e0f606bceb308f8786
SHA1 f443401c4be2cf50f34a5823146c7754a3834a8c
SHA256 99a3a28c9b44afa86f8d7dc8a374f855c6a7d8b932e2512e4f7ebc72da95343a
SHA512 2a8ecaf9f493074d05b90362e57d920f2f06a2f5f86381839adae6ca4fec271c4dcf67fe479ad488d0c82455d34fef157071806cd1c1ab330baa51bf40a28046

memory/5076-5-0x0000000000E50000-0x0000000000E51000-memory.dmp

memory/4940-7-0x0000000000400000-0x000000000051A000-memory.dmp

memory/5076-8-0x0000000000400000-0x000000000075E000-memory.dmp

memory/5076-11-0x0000000000E50000-0x0000000000E51000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-IG1N3.tmp\dlls.manifest

MD5 963fb7657217be957d7d4732d892e55c
SHA1 593578a69d1044a896eb8ec2da856e94d359ef6b
SHA256 1d4a8c5e18d7a189036f1074ffae7927b0450864f5c8622a44205e04ef13ce12
SHA512 f875fa56bcda6299681d2ca2852d5ae04504b1df8d8824170215d4c136a568fc2548ada88ea75178ce23b4649f1713a863926c4d02125cb29475251bf5781fdd

memory/5076-66-0x0000000000400000-0x000000000075E000-memory.dmp

memory/5076-74-0x0000000000400000-0x000000000075E000-memory.dmp

memory/4940-75-0x0000000000400000-0x000000000051A000-memory.dmp