07f8ecb6b5cba0b1594f52abf15aea38ca30b47e88fde0a30bfadc2987ed3a85

Resubmissions

01/02/2025, 12:45

250201-pzbxqsvlal 10

01/02/2025, 12:44

250201-pyks9asmey 8

Analysis

max time kernel
22s
max time network
24s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250128-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250128-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
01/02/2025, 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

clear.rar
Size

79KB
MD5

d48f855ab685f45c2c775e504929e547
SHA1

e3ab6da9e65ac042fd226590cfcef2407d7ac90a
SHA256

07f8ecb6b5cba0b1594f52abf15aea38ca30b47e88fde0a30bfadc2987ed3a85
SHA512

fa4f372147bc6458b7b32708665a1b633e0b9ce664a3978ce1b58cde6ee49c819094a968f370554ce2c39cd544049b8093aa119862b3178737d02405beb80457
SSDEEP

1536:qwLUIWRKuqamoNybu883Jf7MP4BfPVdvSQJBLTFGEbafNQg/MEgyts1LOS7xC02S:qwL8KKNUu883x7LBTbuNQuHtq6YC0wq9

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2200	powershell.exe
4456	powershell.exe

Downloads MZ/PE file 2 IoCs

flow	pid	Process
11	2100	Cleaner.exe
16	3888	Cleaner.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000\Control Panel\International\Geo\Nation	clear.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000\Control Panel\International\Geo\Nation	clear.exe

Executes dropped EXE 4 IoCs

pid	Process
2100	Cleaner.exe
2052	clear.exe
3888	Cleaner.exe
4296	clear.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
10	raw.githubusercontent.com
11	raw.githubusercontent.com
16	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	clear.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	clear.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000_Classes\Local Settings	clear.exe
Key created	\REGISTRY\USER\S-1-5-21-3933156042-2316999077-2687276773-1000_Classes\Local Settings	clear.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4456	powershell.exe
4456	powershell.exe
2200	powershell.exe
2200	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1140	7zFM.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeRestorePrivilege	1140	7zFM.exe
Token: 35	1140	7zFM.exe
Token: SeSecurityPrivilege	1140	7zFM.exe
Token: SeDebugPrivilege	4456	powershell.exe
Token: SeIncreaseQuotaPrivilege	4456	powershell.exe
Token: SeSecurityPrivilege	4456	powershell.exe
Token: SeTakeOwnershipPrivilege	4456	powershell.exe
Token: SeLoadDriverPrivilege	4456	powershell.exe
Token: SeSystemProfilePrivilege	4456	powershell.exe
Token: SeSystemtimePrivilege	4456	powershell.exe
Token: SeProfSingleProcessPrivilege	4456	powershell.exe
Token: SeIncBasePriorityPrivilege	4456	powershell.exe
Token: SeCreatePagefilePrivilege	4456	powershell.exe
Token: SeBackupPrivilege	4456	powershell.exe
Token: SeRestorePrivilege	4456	powershell.exe
Token: SeShutdownPrivilege	4456	powershell.exe
Token: SeDebugPrivilege	4456	powershell.exe
Token: SeSystemEnvironmentPrivilege	4456	powershell.exe
Token: SeRemoteShutdownPrivilege	4456	powershell.exe
Token: SeUndockPrivilege	4456	powershell.exe
Token: SeManageVolumePrivilege	4456	powershell.exe
Token: 33	4456	powershell.exe
Token: 34	4456	powershell.exe
Token: 35	4456	powershell.exe
Token: 36	4456	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeIncreaseQuotaPrivilege	2200	powershell.exe
Token: SeSecurityPrivilege	2200	powershell.exe
Token: SeTakeOwnershipPrivilege	2200	powershell.exe
Token: SeLoadDriverPrivilege	2200	powershell.exe
Token: SeSystemProfilePrivilege	2200	powershell.exe
Token: SeSystemtimePrivilege	2200	powershell.exe
Token: SeProfSingleProcessPrivilege	2200	powershell.exe
Token: SeIncBasePriorityPrivilege	2200	powershell.exe
Token: SeCreatePagefilePrivilege	2200	powershell.exe
Token: SeBackupPrivilege	2200	powershell.exe
Token: SeRestorePrivilege	2200	powershell.exe
Token: SeShutdownPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeSystemEnvironmentPrivilege	2200	powershell.exe
Token: SeRemoteShutdownPrivilege	2200	powershell.exe
Token: SeUndockPrivilege	2200	powershell.exe
Token: SeManageVolumePrivilege	2200	powershell.exe
Token: 33	2200	powershell.exe
Token: 34	2200	powershell.exe
Token: 35	2200	powershell.exe
Token: 36	2200	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1140	7zFM.exe
1140	7zFM.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2052	2100	Cleaner.exe	91
PID 2100 wrote to memory of 2052	2100	Cleaner.exe	91
PID 2100 wrote to memory of 2052	2100	Cleaner.exe	91
PID 2100 wrote to memory of 4456	2100	Cleaner.exe	92
PID 2100 wrote to memory of 4456	2100	Cleaner.exe	92
PID 2052 wrote to memory of 2860	2052	clear.exe	95
PID 2052 wrote to memory of 2860	2052	clear.exe	95
PID 2052 wrote to memory of 2860	2052	clear.exe	95
PID 3888 wrote to memory of 4296	3888	Cleaner.exe	98
PID 3888 wrote to memory of 4296	3888	Cleaner.exe	98
PID 3888 wrote to memory of 4296	3888	Cleaner.exe	98
PID 3888 wrote to memory of 2200	3888	Cleaner.exe	99
PID 3888 wrote to memory of 2200	3888	Cleaner.exe	99
PID 4296 wrote to memory of 4260	4296	clear.exe	101
PID 4296 wrote to memory of 4260	4296	clear.exe	101
PID 4296 wrote to memory of 4260	4296	clear.exe	101

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\clear.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1140

C:\Users\Admin\Desktop\Cleaner.exe
"C:\Users\Admin\Desktop\Cleaner.exe"
1⤵
- Downloads MZ/PE file
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Roaming\clear.exe
  "C:\Users\Admin\AppData\Roaming\clear.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\WindowsPowershell\VI0chP82TFTqVrG3Bjsvcsa.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4456

C:\Users\Admin\Desktop\Cleaner.exe
"C:\Users\Admin\Desktop\Cleaner.exe"
1⤵
- Downloads MZ/PE file
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Users\Admin\AppData\Roaming\clear.exe
  "C:\Users\Admin\AppData\Roaming\clear.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4296
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\WindowsPowershell\VI0chP82TFTqVrG3Bjsvcsa.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a807b1c91ac66f33f88a787d64904c1

SHA1
83c554c7de04a8115c9005709e5cd01fca82c5d3

SHA256
155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256

SHA512
29f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cnrdvhj2.nni.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\WindowsPowershell\VI0chP82TFTqVrG3Bjsvcsa.vbe

Filesize
234B

MD5
9afb657dd844fefad285552032ecc886

SHA1
6865b6f32d63313b04201024e90e54051693df45

SHA256
f73aa12c945b0462d806891248c63d6615f91adfb1e3b13a302a7c373e936749

SHA512
30f5f439d6deed17fd97bcaa21591691148bdca3b56c441c7fb50abb74ab2efe1c5ea09e482a923e82b9cd0c1998db7642c222380c70ad763e758fc05a062726

Download Submit
C:\Users\Admin\AppData\Roaming\clear.exe

Filesize
827KB

MD5
9de87e0dc207d2fe931d2ef4739c6199

SHA1
b6ede8f33bdd3dbd48493f73a7aabcd7c5bfb73e

SHA256
a77581597346f5de29d7cbdc58c63915f56613a50a9cab38d54fee515bea7893

SHA512
23034afbc6abf9b215a009641ba8b5e96cb1585d05cbefba90e1c06fba38c94329a02d54adadcde60ab6833e28bb91150a874da655f8ebc388799af493701386

Download Submit
C:\Users\Admin\Desktop\Cleaner.deps.json

Filesize
413B

MD5
65abeb891565d28ac2b949935a1c0a75

SHA1
86322e06677475e0c19db51b97300d032f93c6ce

SHA256
efab1bdb04ee840cf24ee27ad0945d15137d7d5335cf6cfe422723fc1687d570

SHA512
93534ec48e18fe2f25c5d6e57df81e95ce26d1be9135902a1c3cda8512f2f49906c86fda2cd2c7f3c3e34aae546800a506cd2ae97a756e2284c77b7a534e9d78

Download Submit
C:\Users\Admin\Desktop\Cleaner.dll

Filesize
41KB

MD5
80454e38e47945bd36dbcb0594abb03f

SHA1
28e8d14d134545b472807c52ee716f02e3fd7f88

SHA256
a5a1906b41cb519d6f91568c36c39e584c6bd2b19d1b349f7db0932c9192d42b

SHA512
85c653486fd2fcada31e6d24b8e9410bbbb521e77e0c0853ceac0c94d572b1fafbe7ffa1757fc3ad921c4cd04de06981cc879abc428b53ad38aef5906a4ed576

Download Submit
C:\Users\Admin\Desktop\Cleaner.exe

Filesize
135KB

MD5
841b140605c0d2b5ac6e945aeb72d201

SHA1
dfe2431ffae7b8cbd0c8553dc31b8a282e2f421d

SHA256
07ae59d55b840b48328a77c5a8c03e400317a939410337ee73dacbe06dfaeb55

SHA512
f258d2057a85e87d3e520b7b8e986924a647e65b9748e359cee7cc7959acb8fda3e65ceeeeae69c5b5f5160b81e32346ae6c922163a951af9cf02a06fa6fc2c6

Download Submit
C:\Users\Admin\Desktop\Cleaner.runtimeconfig.json

Filesize
340B

MD5
253333997e82f7d44ea8072dfae6db39

SHA1
03b9744e89327431a619505a7c72fd497783d884

SHA256
28329cf08f6505e73806b17558b187c02f0c1c516fe47ebfb7a013d082aaa306

SHA512
56d99039e0fb6305588e9f87361e7e0d5051507bf321ba36619c4d29741f35c27c62f025a52523c9e1c7287aabf1533444330a8cdf840fa5af0fa2241fcb4fc2

Download Submit
memory/2200-60-0x0000025BC93E0000-0x0000025BC942C000-memory.dmp

Filesize
304KB

Download
memory/4456-18-0x0000025779270000-0x0000025779292000-memory.dmp

Filesize
136KB

Download
memory/4456-42-0x00000257792A0000-0x00000257792EC000-memory.dmp

Filesize
304KB

Download