General
-
Target
Clumsy0.zip
-
Size
6.9MB
-
Sample
241015-2cgkxszgqg
-
MD5
7aec3f27d7ec6172ed8ddd5e16b402a9
-
SHA1
6d3f60f6353a25e033a3d83ec4a2701b556f369e
-
SHA256
5170cf7842d1beea31099a684797bc0ee656e2e0d700b840ac6349d15d15b90d
-
SHA512
1d2b9ea38c71960653da599b5fc0cecd585f1e4fd08bca855c68a41ec0a598dae52d257646e54ef9479a6efc3b37d44bc18b15c7407c7b0d5a1439305f27efed
-
SSDEEP
196608:tqFhHeN/FJMIDJf89gsAGK5SEQReuAKe3bUF:gU/Fqyf89gsfNZAKh
Static task
static1
Behavioral task
behavioral1
Sample
Clumsy0.4v3/Clumsy0.4v3.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Clumsy0.4v3/Clumsy0.4v3.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Clumsy0.4v3/WinDivert.dll
Resource
win7-20240729-en
Behavioral task
behavioral4
Sample
Clumsy0.4v3/WinDivert.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
Clumsy0.4v3/WinDivert64.sys
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
Clumsy0.4v3/WinDivert64.sys
Resource
win10v2004-20241007-en
Malware Config
Targets
-
-
Target
Clumsy0.4v3/Clumsy0.4v3.exe
-
Size
6.8MB
-
MD5
9fd3c49b9da98a810d4f0b392f0ab0d9
-
SHA1
98a44a3fba9cc28e49dfb9f632bbdc7b28f56a14
-
SHA256
b3f7f7969e0785bbcd065f3ae393813b3a8b29a4a1f7a16e0c62f9d9d4746d6f
-
SHA512
2129b5fb23a984eb9a81001c1fc928d893c4c13605f10c156b00101891451f7a4b9f899728412ea9f859ae887701ba7ae8c4979b235c747c2c3e6eb23af1eacd
-
SSDEEP
196608:pqFhHeN/FJMIDJf89gsAGK5SEQReuAKe3bUb:cU/Fqyf89gsfNZAKP
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Clipboard Data
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
-
Executes dropped EXE
-
Loads dropped DLL
-
Unsecured Credentials: Credentials In Files
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Obfuscated Files or Information: Command Obfuscation
Adversaries may obfuscate content during command execution to impede detection.
-
Enumerates processes with tasklist
-
-
-
Target
Clumsy0.4v3/WinDivert.dll
-
Size
15KB
-
MD5
1b1284100327d972e017f565dbecf80e
-
SHA1
5b4f0c122a80478973eb6f9cb3bbcaf186295aea
-
SHA256
9444a6e6b66f13f666f9c60d1935824f61c7256e35a8cf0440e29baa7fbe42c7
-
SHA512
4ccb9e233a3573f6eded0efa8fa54ed929818394cdf2153623d902c749d37751da6f489354aa50968e53d42d5ce339f6368dedb7858a4ff43a1927b4338954a4
-
SSDEEP
384:EHGiP0PYf9pHuGvATXlQRNq/EbUKxcneWuDlE:E9MQf90GvQXlQvAEcehD
Score1/10 -
-
-
Target
Clumsy0.4v3/WinDivert64.sys
-
Size
37KB
-
MD5
3bd5ac2e9d96e680f5dbdd183a58c47d
-
SHA1
83b08cb5e61c7b37bd710ea01196a26fc8f38610
-
SHA256
208c092fe77f161c5a313b916d73fa7f6d10dd289bab8bb5dfb3d59aacb27f25
-
SHA512
6cccd7971f423f72f5dbd01a83a2d27bb2bde63c4d1f5e127d77cfa0df85c289a2c3cd95c110ce38b58b9ea9a49aad18ae50f352ac6b21740d0294f771fbcb78
-
SSDEEP
768:R5VorUqgJs3/KtdrbYiZdNSRUYjbMUYOUaCdHUZ9fdCrYc:vVorUn9cRUuILLd07fdCU
Score1/10 -
MITRE ATT&CK Enterprise v15
Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
1Obfuscated Files or Information
1Command Obfuscation
1Subvert Trust Controls
1Install Root Certificate
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
3Credentials In Files
3