9e9219c60ca6cd18bc84b9c768d3ac0b9376de8ecba9994a8a51a5aa2b5770a2

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/02/2024, 23:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ad1cabf590cbb8d0e991de3246704499.exe
Size

228KB
MD5

ad1cabf590cbb8d0e991de3246704499
SHA1

35a88115893fba0c64fd564d49203bac08e2619f
SHA256

9e9219c60ca6cd18bc84b9c768d3ac0b9376de8ecba9994a8a51a5aa2b5770a2
SHA512

1a41b151bf5098422f1481c777e6000ce4b766d6e854d3fdb7884a731fe7cb84e937de7a84560d1bc2e3a04be28da2ef8af1a9d20255127680dadbbc36fac0e6
SSDEEP

6144:j5x1dG3SuVUf3wB0Xslof8UAzi3LX2u7yDcN+A:txzTuVgABpUAzKX2UGM

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2176	Clisia.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\W1WIWQ1NPG = "C:\\Windows\\Clisia.exe"	Clisia.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Clisia.exe	ad1cabf590cbb8d0e991de3246704499.exe
File created	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	ad1cabf590cbb8d0e991de3246704499.exe
File opened for modification	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	ad1cabf590cbb8d0e991de3246704499.exe
File created	C:\Windows\Clisia.exe	ad1cabf590cbb8d0e991de3246704499.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	Clisia.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\International	Clisia.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe
2176	Clisia.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1848 wrote to memory of 2176	1848	ad1cabf590cbb8d0e991de3246704499.exe	28
PID 1848 wrote to memory of 2176	1848	ad1cabf590cbb8d0e991de3246704499.exe	28
PID 1848 wrote to memory of 2176	1848	ad1cabf590cbb8d0e991de3246704499.exe	28
PID 1848 wrote to memory of 2176	1848	ad1cabf590cbb8d0e991de3246704499.exe	28

C:\Users\Admin\AppData\Local\Temp\ad1cabf590cbb8d0e991de3246704499.exe
"C:\Users\Admin\AppData\Local\Temp\ad1cabf590cbb8d0e991de3246704499.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1848
- C:\Windows\Clisia.exe
  C:\Windows\Clisia.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Clisia.exe

Filesize
228KB

MD5
ad1cabf590cbb8d0e991de3246704499

SHA1
35a88115893fba0c64fd564d49203bac08e2619f

SHA256
9e9219c60ca6cd18bc84b9c768d3ac0b9376de8ecba9994a8a51a5aa2b5770a2

SHA512
1a41b151bf5098422f1481c777e6000ce4b766d6e854d3fdb7884a731fe7cb84e937de7a84560d1bc2e3a04be28da2ef8af1a9d20255127680dadbbc36fac0e6

Download Submit
C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job

Filesize
344B

MD5
81d959c724964eaa5ce31a07326955ae

SHA1
cdc0f84eab7a157ffb5a160fe9e1e9dee0bbf1eb

SHA256
12773678237cbbfd2b82223ee1bebf7fc303eb7793292c7cf9845bf9009d76b0

SHA512
e2b4a2e705b8a1c4929e124d5b279600e0f3fc5287876363b61289ae7f3d0dae22d5f2d814f86255c8ee20fd95256eecf70d23f02e65b0ea5e79ef2a4f14afae

Download Submit
memory/1848-27030-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1848-1-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1848-2-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1848-47286-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1848-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2176-45547-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2176-10-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2176-9-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2176-47287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2176-47288-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2176-47289-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2176-47290-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2176-47291-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2176-47293-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2176-47298-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download