Analysis

  • max time kernel
    61s
  • max time network
    71s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/03/2025, 12:30

Errors

Reason
Machine shutdown

General

  • Target

    Clutt6.6.6.exe

  • Size

    4.5MB

  • MD5

    ebe2598356ddaa94e3c507a3bf3fbaaf

  • SHA1

    12fbb71303fbad2d1d6b644d67f3d895ed417ea2

  • SHA256

    bce721a6081d418d0e00bce7dfb5a6b957767b0138690f7e5d642181556b8296

  • SHA512

    e541c1e25c081530b7102445d57c70ceaabb3a719ac895b1322305d3b2e0c6d8cd42dbb231285473a48c8221d94cfd3f9aab431a2aaaf551b55b060d83f87552

  • SSDEEP

    98304:jpwhVUMFFWIV5grw46s655grwrI8FFhnhV:Vw0MFsd6s6P3FTn

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Possible privilege escalation attempt 6 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies file permissions 1 TTPs 6 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in Program Files directory 13 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Clutt6.6.6.exe
    "C:\Users\Admin\AppData\Local\Temp\Clutt6.6.6.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Disables RegEdit via registry modification
    • Checks computer location settings
    • Writes to the Master Boot Record (MBR)
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:216
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F" && takeown /f C:\Windows\System32\drivers && icacls C:\Windows\System32\drivers /grant "%username%:F" && takeown /f C:\Windows\System32\Boot && icacls C:\Windows\System32\Boot /grant "%username%:F" && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4596
      • C:\Windows\system32\takeown.exe
        takeown /f C:\Windows\System32
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:3356
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32 /grant "Admin:F"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:2748
      • C:\Windows\system32\takeown.exe
        takeown /f C:\Windows\System32\drivers
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:1124
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32\drivers /grant "Admin:F"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:3360
      • C:\Windows\system32\takeown.exe
        takeown /f C:\Windows\System32\Boot
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        • Suspicious use of AdjustPrivilegeToken
        PID:5924
      • C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32\Boot /grant "Admin:F"
        3⤵
        • Possible privilege escalation attempt
        • Modifies file permissions
        PID:5556
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x3f4 0x4b8
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1164
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3911055 /state1:0x41c64e6d
    1⤵
    PID:5124

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/216-0-0x00007FFA52FD3000-0x00007FFA52FD5000-memory.dmp (Filesize: 8KB)
  • memory/216-1-0x0000000000F70000-0x0000000001400000-memory.dmp (Filesize: 4.6MB)
  • memory/216-2-0x00007FFA52FD0000-0x00007FFA53A91000-memory.dmp (Filesize: 10.8MB)
  • memory/216-3-0x00007FFA52FD0000-0x00007FFA53A91000-memory.dmp (Filesize: 10.8MB)
  • memory/216-17-0x00007FFA52FD3000-0x00007FFA52FD5000-memory.dmp (Filesize: 8KB)
  • memory/216-18-0x00007FFA52FD0000-0x00007FFA53A91000-memory.dmp (Filesize: 10.8MB)
  • memory/216-22-0x000000001CFB0000-0x000000001CFF6000-memory.dmp (Filesize: 280KB)
  • memory/216-27-0x000000001CFB0000-0x000000001CFF6000-memory.dmp (Filesize: 280KB)