718d0c897ff489c2ea06346a5e38ebd3bae844a32fb17e4e0179ae4106aa8d7e

Analysis

max time kernel
131s
max time network
223s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

clumsy.zip
Size

3.9MB
MD5

4540076e0aafad3e9be704e805fb05e0
SHA1

bcbbd6a2df76ae3093784a77eb00b79c781abd4d
SHA256

718d0c897ff489c2ea06346a5e38ebd3bae844a32fb17e4e0179ae4106aa8d7e
SHA512

103f1c6a93cfa2d431a8032b5ff4393c0b5fbe44bd795bc1e695f4abc7a0547d3e690a8d991a352bd945ff6c60f9fa076bd9b682a17e2d5a2e0f93c8fe3aa52c
SSDEEP

98304:Z0/vz7NHbeFWErxloaCuc8Ty3pbfbLFP2mq9nm:Z0/bdbe1roaCuc0AnLOm

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2244	clumsy 0.2 v6.exe
1484	binder.exe
4324	clumsy 0.2 v6.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4012	2244	WerFault.exe	105
1672	4324	WerFault.exe	112

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	clumsy 0.2 v6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	clumsy 0.2 v6.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1776	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	4040	7zG.exe
Token: 35	4040	7zG.exe
Token: SeSecurityPrivilege	4040	7zG.exe
Token: SeSecurityPrivilege	4040	7zG.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4040	7zG.exe
1484	binder.exe
1484	binder.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1484	binder.exe
1484	binder.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\clumsy.zip
1⤵
PID:5012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4304,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=4076 /prefetch:8
1⤵
PID:2772

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5040

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\clumsy\" -spe -an -ai#7zMap4265:70:7zEvent23168
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4040

C:\Users\Admin\Desktop\clumsy\clumsy 0.2 v6.exe
"C:\Users\Admin\Desktop\clumsy\clumsy 0.2 v6.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2244
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 884
  2⤵
  - Program crash
  PID:4012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2244 -ip 2244
1⤵
PID:3856

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\clumsy\config.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1776

C:\Users\Admin\Desktop\clumsy\binder.exe
"C:\Users\Admin\Desktop\clumsy\binder.exe"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1484

C:\Users\Admin\Desktop\clumsy\clumsy 0.2 v6.exe
"C:\Users\Admin\Desktop\clumsy\clumsy 0.2 v6.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4324
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 860
  2⤵
  - Program crash
  PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 4324 -ip 4324
1⤵
PID:3268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\clumsy\binder.exe

Filesize
1.2MB

MD5
32b7fdb92f748d373a4578af47e063df

SHA1
347cbb5bc1e16f60230b445ce9ed879f2210a4b7

SHA256
82f9113b1cb88a9c9822c58f96a98332a8eb0f830a4cdbfcd79763f6165df14b

SHA512
302596a9942858b4a885a60744311fccc302e7fe354e464d97704eca8df71ea4c1a9fadbebcce6f4409afe44ae430a365056653e0a56468d7989fe18d99ded97

Download Submit
C:\Users\Admin\Desktop\clumsy\clumsy 0.2 v6.exe

Filesize
665KB

MD5
fa80399205e0cf1dabd46a1dfd5a66dd

SHA1
6721a35af00c70821032f6e5ddb79a8ba55515cc

SHA256
c9417bf78d6d3db7915ec9fcfd5770fd6d3c86a8a86b1ee1d5775e3f72890c1a

SHA512
aba5b45e70bd2fd06f882902ca095733510756989c91e37800722324b4fe93dff2f79b8a8866904ef45b515906dba21b29f5c5abcaf5ec249bba96162fd99b14

Download Submit
C:\Users\Admin\Desktop\clumsy\config.txt

Filesize
1KB

MD5
2aed648eab59b35c6346bd6cbaac21d1

SHA1
8807171464e20584389ec6c4dec807c91b974cf0

SHA256
895b48c92098574bee372187e8d2ac365f6f88cc0434a0e48ed5807a0e568811

SHA512
11a46746f317693606c666939f73cf24206883e7c52d457d85bf98dc4a1c304b13bbcd1c81cce4b7773866d08e94b8ac2c8793e9b26a458448efd9f17f062324

Download Submit
memory/2244-16-0x00000000001A0000-0x000000000024C000-memory.dmp

Filesize
688KB

Download
memory/2244-17-0x0000000004BC0000-0x0000000004BC8000-memory.dmp

Filesize
32KB

Download
memory/2244-18-0x0000000005220000-0x00000000057C4000-memory.dmp

Filesize
5.6MB

Download