3de0043103731d2291d226904824c586ad24da293c50ab0ddae3da006b7fdb45

Analysis

max time kernel
150s
max time network
133s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3de0043103731d2291d226904824c586ad24da293c50ab0ddae3da006b7fdb45.exe
Size

9.5MB
MD5

1f08e087b978850e763e8af924462c20
SHA1

b70e86cd645e7de69feec9ab9c7bafd90fcb28dd
SHA256

3de0043103731d2291d226904824c586ad24da293c50ab0ddae3da006b7fdb45
SHA512

b8e50e69db391c4bc57c43f8cf74400674b99e7d402d77ec6cc63b3ad6cd0bd201b59682ad0121e9ad36e99f110ef55df6590a0e3a5226a95910b7b34b5e3bc7
SSDEEP

98304:BiAYMQSlV4A5UC0td7tS4MkKY2rzailsSq9I5TRkiuwzUsEObHFcPEWWOnpMaEJT:BY6UCEqk12rzF7qeSEUHOVWWMpH6UW

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.iiko.ru
Port:
21
Username:
partners
Password:
partners#iiko

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3032	3de0043103731d2291d226904824c586ad24da293c50ab0ddae3da006b7fdb45.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLEARbat	3de0043103731d2291d226904824c586ad24da293c50ab0ddae3da006b7fdb45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLEARbat\ = "URL:clearbat Protocol"	3de0043103731d2291d226904824c586ad24da293c50ab0ddae3da006b7fdb45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLEARbat\URL Protocol	3de0043103731d2291d226904824c586ad24da293c50ab0ddae3da006b7fdb45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLEARbat\shell\open	3de0043103731d2291d226904824c586ad24da293c50ab0ddae3da006b7fdb45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLEARbat\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\CLEAR.bat.exe\" \"%1\""	3de0043103731d2291d226904824c586ad24da293c50ab0ddae3da006b7fdb45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLEARbat\DefaultIcon	3de0043103731d2291d226904824c586ad24da293c50ab0ddae3da006b7fdb45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLEARbat\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\CLEAR.bat.exe,1\""	3de0043103731d2291d226904824c586ad24da293c50ab0ddae3da006b7fdb45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLEARbat\shell\open\command	3de0043103731d2291d226904824c586ad24da293c50ab0ddae3da006b7fdb45.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLEARbat\shell	3de0043103731d2291d226904824c586ad24da293c50ab0ddae3da006b7fdb45.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3032	3de0043103731d2291d226904824c586ad24da293c50ab0ddae3da006b7fdb45.exe

C:\Users\Admin\AppData\Local\Temp\3de0043103731d2291d226904824c586ad24da293c50ab0ddae3da006b7fdb45.exe
"C:\Users\Admin\AppData\Local\Temp\3de0043103731d2291d226904824c586ad24da293c50ab0ddae3da006b7fdb45.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3032

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar379B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\CLEAR_bat\DataBases\Admin\DataBase.db

Filesize
16KB

MD5
5385919f7f0aa6f6c403a34508848488

SHA1
12325e3e7965d324ec6bda18610d2d42ee650d7e

SHA256
b2f521ee64df9d6eb84737f3bfacebdc8b63e7b9e9f4a1533592f208d97c52d2

SHA512
dda04a280e97cc2ed1834f3f3b8a737a3b0af484d1cc50e69302984e234a6de373e0c9bfafaf33afbf876e0107d17e99de2d69fea82402122dd5a356b1a977f1

Download Submit
C:\Users\Admin\AppData\Roaming\CLEAR_bat\Logs\full_030724.log

Filesize
1KB

MD5
cfb30230426d918f3d637436ea0b04a3

SHA1
587e92f0d61af83c50ee93a43f01a6d36c328ad6

SHA256
e226ca4b913ea1b6a85288bceed32b92d78886470f88ed8edc11949a020e64ef

SHA512
1f23eb766c8519cbeabd6006736c32425cfe969a28843457002bfc96e420e69af110aacdf85511efa0f079de4f0cf95f672a8628b75f67881c36a96e36fb17a3

Download Submit
C:\Users\Admin\AppData\Roaming\CLEAR_bat\Logs\full_030724.log

Filesize
2KB

MD5
fb01e4c2213b24b8eb8bfe6dd0927413

SHA1
6619177e1da33a44f04df72fd249f43ceee9571c

SHA256
c24bd1c7710d2318c696c875fc5d9e34ee9277f7ea4e888bf692242a5de4c59d

SHA512
c149a852db40047728a4ee796989279aaa4f5e2f3f390b7c185e990132db8c9c19a23c2248b673816061529b7b79ed29bcd777f382905653e8122f12db156c3f

Download Submit
C:\Users\Admin\AppData\Roaming\CLEAR_bat\Logs\full_030724.log

Filesize
3KB

MD5
2afb1f922004fab69cd501d08766692d

SHA1
d388b9eba4bcb56a3aa6f363e95c3c656a78e41e

SHA256
39ff715f694319d0d7fda6fe32c82d8e5db8428710939b4d5a3391e7de8fa31f

SHA512
e04ec696b955c4e3eeaad349bb957dd892169942746a72606b4ed7a46a509df26da5d1aab63c22b3c69b8828582f4dbb35234cde888350c898e5e892d5eff3f7

Download Submit
C:\Users\Admin\AppData\Roaming\CLEAR_bat\Logs\full_030724.log

Filesize
4KB

MD5
0c6a7009c67be2618cb9f461282efb1b

SHA1
440eb5055e3aa585efde14ae47d14991d0a240b2

SHA256
88673dd0bbec053e593a8a3cc1480e778edb134a36c8ddcf807759da4e4999c8

SHA512
15e48f7ba1ae89c18cf237b127c66bf11ad035bbd77e9b5a7d428ebb938e0e8e489ce15c1c9098c09510c0541737c9e0cffb28b5293edc8ca98dbe1640fa596f

Download Submit
C:\Users\Admin\AppData\Roaming\CLEAR_bat\config\Admin\config.xml

Filesize
1KB

MD5
6a765285461c4b92c32c68c332fad9ea

SHA1
d534c6b2ba023ff3eef21badb926b1850b458e41

SHA256
e6fe1a50fd9a5e894f3e70865bb97a00375edc1312bf348422022962c0c85147

SHA512
4bd7a6c9b262dc535c31f421ec5d6fb15480126773b4c749e824976547a933ba28bd8b841ca25021bbb5130960dc3bf000b9b08296bab90d53f8f8526370e5d0

Download Submit
C:\Users\Admin\AppData\Roaming\CLEAR_bat\config\iiko_versions.dat

Filesize
698B

MD5
a2e3d9d1be01245967c1460e38b183a3

SHA1
9b255ba02df398f5d51b8b189b6f3e2d2ed9cba0

SHA256
46615facd068bfa6ca07f87bcf63bd89b2e88e711196bfd71e631d625ac7b901

SHA512
c855842c427c786214412ed8c3c4e8954b9f5fa117a6e7b8e638ee471cb195863ca74f3b917d7a44c6ad15aa45a5ed8b3bb0ebb5972e120b1f7b4d8caa4575f8

Download Submit
\Users\Admin\AppData\Local\Temp\Costura\FC1F072F8F916A131FB270C09E841BCA\32\sqlite.interop.dll

Filesize
1.3MB

MD5
8be215abf1f36aa3d23555a671e7e3be

SHA1
547d59580b7843f90aaca238012a8a0c886330e6

SHA256
83f332ea9535814f18be4ee768682ecc7720794aedc30659eb165e46257a7cae

SHA512
38cf4aea676dacd2e719833ca504ac8751a5fe700214ff4ac2b77c0542928a6a1aa3780ed7418387affed67ab6be97f1439633249af22d62e075c1cdfdf5449b

Download Submit
memory/3032-6-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/3032-440-0x0000000006520000-0x0000000006528000-memory.dmp

Filesize
32KB

Download
memory/3032-7-0x0000000006080000-0x00000000064B6000-memory.dmp

Filesize
4.2MB

Download
memory/3032-208-0x00000000051F0000-0x0000000005252000-memory.dmp

Filesize
392KB

Download
memory/3032-217-0x0000000006530000-0x000000000658A000-memory.dmp

Filesize
360KB

Download
memory/3032-218-0x0000000004E00000-0x0000000004E1A000-memory.dmp

Filesize
104KB

Download
memory/3032-219-0x0000000007D00000-0x0000000007D5A000-memory.dmp

Filesize
360KB

Download
memory/3032-220-0x0000000005A80000-0x0000000005AB2000-memory.dmp

Filesize
200KB

Download
memory/3032-221-0x0000000008730000-0x00000000088B2000-memory.dmp

Filesize
1.5MB

Download
memory/3032-222-0x0000000005630000-0x000000000563A000-memory.dmp

Filesize
40KB

Download
memory/3032-223-0x00000000057C0000-0x00000000057CA000-memory.dmp

Filesize
40KB

Download
memory/3032-224-0x0000000005AC0000-0x0000000005AE0000-memory.dmp

Filesize
128KB

Download
memory/3032-31-0x00000000077A0000-0x0000000007852000-memory.dmp

Filesize
712KB

Download
memory/3032-10-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/3032-8-0x00000000005B0000-0x00000000005DE000-memory.dmp

Filesize
184KB

Download
memory/3032-355-0x0000000005ED0000-0x0000000005F00000-memory.dmp

Filesize
192KB

Download
memory/3032-9-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/3032-0-0x00000000742AE000-0x00000000742AF000-memory.dmp

Filesize
4KB

Download
memory/3032-439-0x0000000006500000-0x000000000650C000-memory.dmp

Filesize
48KB

Download
memory/3032-1-0x0000000000DD0000-0x0000000001754000-memory.dmp

Filesize
9.5MB

Download
memory/3032-441-0x0000000006590000-0x0000000006598000-memory.dmp

Filesize
32KB

Download
memory/3032-442-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/3032-443-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/3032-446-0x00000000742AE000-0x00000000742AF000-memory.dmp

Filesize
4KB

Download
memory/3032-447-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/3032-448-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/3032-449-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/3032-450-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/3032-451-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads