
Analysis Report clop ransomware

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 196971
Start date: 18.12.2019
Start time: 11:15:13
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 25s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: clop ransomware (renamed file extension from none to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.rans.evad.winEXE@3/47@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 40.9% (good quality ratio 35.1%)
  • Quality average: 72.2%
  • Quality standard deviation: 36%
HCA Information:
  • Successful, ratio: 51%
  • Number of executed functions: 27
  • Number of non-executed functions: 40
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exe
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
Because the run stopped on timeout and the behavior log was truncated, the absence of an action from this report is not evidence that the sample does not perform it.

Detection

Strategy: Threshold
Score: 100 (range 0 - 100)
Whitelisted: false
Threat: Clop Ransomware
Detection: malicious

Confidence

Strategy: Threshold
Score: 5 (range 0 - 5)
Further Analysis Required?: false


Analysis Advice

Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Techniques with signature hits, by tactic. The number in parentheses is the hit count exactly as printed in the report; matrix cells without a hit are omitted.

Initial Access: Replication Through Removable Media (1)
Execution: Command-Line Interface (2), Execution through API (1)
Persistence: Hidden Files and Directories (1), Registry Run Keys / Startup Folder (1)
Privilege Escalation: Process Injection (2)
Defense Evasion: Masquerading (1), Hidden Files and Directories (1), Software Packing (21), Virtualization/Sandbox Evasion (2), Process Injection (2), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), DLL Side-Loading (1)
Credential Access: none
Discovery: System Time Discovery (1), Query Registry (1), Virtualization/Sandbox Evasion (2), Process Discovery (3), Peripheral Device Discovery (11), Security Software Discovery (21), File and Directory Discovery (2), System Information Discovery (33)
Lateral Movement: Remote File Copy (1), Replication Through Removable Media (1)
Collection: none
Exfiltration: Data Encrypted (11)
Command and Control: Standard Cryptographic Protocol (2), Remote File Copy (1)
Network Effects: none
Remote Service Effects: none
Impact: Data Encrypted for Impact (1)

The Exfiltration and Command and Control entries are mapped from the sample's CryptoAPI usage, not from observed traffic: the classification label ends in @0/0 and the report records no network contacts.

Signature Overview


AV Detection:

Antivirus detection for sample
Source: clop ransomware.exe | Avira: detection malicious, Label: TR/Zudochka.tztrl
Multi AV Scanner detection for submitted file
Source: clop ransomware.exe | Virustotal: Detection: 86%
Source: clop ransomware.exe | Metadefender: Detection: 66%
Machine Learning detection for sample
Source: clop ransomware.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.0.clop ransomware.exe.400000.0.unpack | Avira: Label: TR/Zudochka.tztrl

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\clop ransomware.exe | Code function 0_2_0040D040: WriteFile, SetErrorMode, lstrlenA, CryptStringToBinaryA, CryptDecodeObjectEx, CryptAcquireContextW, CryptImportPublicKeyInfoEx, CryptEncrypt, GlobalAlloc, CryptEncrypt
Source: C:\Users\user\Desktop\clop ransomware.exe | Code function 0_2_0040D200: VirtualAlloc, SetErrorMode, CryptAcquireContextW, CryptAcquireContextW, CryptAcquireContextW, CryptGenKey, CryptExportKey, CryptExportKey, CryptDestroyKey, CryptReleaseContext
Public key (encryption) found
The same PEM block is referenced from code functions 0_2_0040D450, 0_2_0040D9F0 and 0_2_0040DA20 and is also present as a plain string in clop ransomware.exe. The END marker is truncated exactly as the sandbox printed it:
-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ 1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy DRjJhl79BT65Ggn+uQIDAQAB -----END PUBL

The two call chains are the CryptoAPI pattern for hybrid encryption: 0_2_0040D200 generates a key with CryptGenKey and exports it with CryptExportKey, while 0_2_0040D040 base64-decodes the PEM (CryptStringToBinaryA), decodes the SubjectPublicKeyInfo (CryptDecodeObjectEx), imports it (CryptImportPublicKeyInfoEx) and encrypts with CryptEncrypt. Only the public half is embedded, so whatever is encrypted under it cannot be recovered from the sample alone.
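To turn the PEM block above into something checkable (key size, public exponent, a modulus prefix to pivot on across samples), the following added example, which is not part of the Joe Sandbox report, parses the SubjectPublicKeyInfo with a minimal DER walker from the Python standard library. It takes the key text exactly as the sandbox printed it, truncated END marker included; the function and variable names are the example's own.

```python
"""Parse the RSA public key embedded in the sample (added example, stdlib only)."""
import base64
import re

# Copied verbatim from the report's "Public key (encryption) found" entries;
# the END marker is cut off exactly as the sandbox printed it.
EMBEDDED_PEM = (
    "-----BEGIN PUBLIC KEY----- MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCpEnzYAtPzcmKnw41bLkkkDDmZ "
    "1YB4weOpyx0lY8gVl0gvveTMKhmhYNzjc5uQfXH3fbGmbbdELle/u7YsdXkuNHRQ "
    "ThnFfs+q7SIw1nibfYa4c9KA4ftfr69dZTt4T/RzRzsISVNU1Q6me59k9bBqxgiy "
    "DRjJhl79BT65Ggn+uQIDAQAB -----END PUBL"
)

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def _tlv(buf, pos):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def pem_body_from_blob(blob):
    """Extract and base64-decode the PEM body even when the END marker is
    truncated, as it is in sandbox string dumps."""
    m = re.search(r"-----BEGIN PUBLIC KEY-----(.*?)-----END", blob, re.S)
    if not m:
        raise ValueError("no PEM PUBLIC KEY block found")
    return base64.b64decode(re.sub(r"\s+", "", m.group(1)))


def parse_rsa_public_key(blob):
    """Return (modulus, exponent) from a SubjectPublicKeyInfo, the same structure
    the sample feeds to CryptDecodeObjectEx / CryptImportPublicKeyInfoEx."""
    der = pem_body_from_blob(blob)
    tag, spki, _ = _tlv(der, 0)                 # SEQUENCE { AlgorithmIdentifier, BIT STRING }
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, algid, pos = _tlv(spki, 0)             # AlgorithmIdentifier
    _, oid, _ = _tlv(algid, 0)
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _tlv(spki, pos)            # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsapub, _ = _tlv(bitstr[1:], 0)          # skip the unused-bits octet
    _, n_bytes, pos = _tlv(rsapub, 0)           # INTEGER modulus
    _, e_bytes, _ = _tlv(rsapub, pos)           # INTEGER publicExponent
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def key_summary(blob):
    """Size, exponent and a short modulus prefix usable as a pivot value."""
    n, e = parse_rsa_public_key(blob)
    return {"bits": n.bit_length(), "e": e, "n_hex_prefix": format(n, "x")[:16]}


if __name__ == "__main__":
    print(key_summary(EMBEDDED_PEM))
```

The embedded key is 1024-bit RSA with e = 65537. The modulus prefix is a convenient value to compare against other samples: the surrounding code tends to stay the same between builds while the operator's key may not, so a differing modulus with identical code is worth noting in a report.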

Spreading:

Checks for available system drives (often done to infect USB drives)
Source: C:\Users\user\Desktop\clop ransomware.exe | File opened: z:, x:, v:, t:, r:, p:, n:, l:, j:, h:, f:, b:, y:, w:, u:, s:, q:, o:, m:, k:, i:, g:, e:, a:
Source: C:\Windows\System32\OpenWith.exe | File opened: c:
The sample probes drive roots by letter (c: is attributed to OpenWith.exe and d: does not appear in the list); the "%c:" and "*.*" strings referenced from 0_2_0040D450 are the templates for this loop. Letters with no volume behind them fail to open, which is why the Analysis Advice above suggests the USB Fake Disk cookbook.
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\clop ransomware.exe | Code function 0_2_0040B480: SetErrorMode, lstrcpyW, lstrcpyW, lstrcatW, lstrcatW, lstrcpyW, lstrcatW, FindFirstFileW, StrStrW, lstrcmpW, StrStrW (repeated), lstrcmpW, lstrcmpW, StrStrW (repeated), wsprintfW, lstrcpyA, lstrcpyW, lstrcpyW, CreateThread, WaitForSingleObject, FindNextFileW, lstrcmpW, lstrcmpW, StrStrW (repeated), wsprintfW, lstrcpyA, lstrcpyW, lstrcpyW, CreateThread, WaitForSingleObject, FindNextFileW, FindClose, FindClose, lstrcpyW, lstrcatW, FindFirstFileW, StrStrW (repeated), lstrcmpW, lstrcmpW, lstrcpyW, lstrcatW, lstrcatW, lstrcatW, lstrcatW, FindNextFileW, lstrcmpW, lstrcmpW, lstrcpyW, lstrcatW
Source: C:\Users\user\Desktop\clop ransomware.exe | Code function 0_2_0040BE90: same structure as 0_2_0040B480 (SetErrorMode, path building with lstrcpyW/lstrcatW, FindFirstFileW, repeated StrStrW/lstrcmpW name tests, wsprintfW, lstrcpyA, CreateThread, WaitForSingleObject, FindNextFileW loop, FindClose, FindClose, then a second FindFirstFileW pass); the sandbox listing is cut off after "lstrcatW,F"
Source: C:\Users\user\Desktop\clop ransomware.exe | Code function 0_2_0040D88A: FindFirstFileTransactedA
Source: C:\Users\user\Desktop\clop ransomware.exe | Code function 0_2_004046B5: FindFirstFileExA
The long runs of StrStrW are substring tests applied to each directory entry's name (an include/exclude list); entries that pass are handed to a new thread, and since CreateThread is followed directly by WaitForSingleObject the walk is effectively sequential if that wait is on the thread handle. FindNextFileW then advances to the next entry.

Networking:

Downloads files
Source: C:\Users\user\Desktop\clop ransomware.exe | File created: C:\Documents and Settings\Default\AppData\Local\Application Data\Temporary Internet Files\ClopReadMe.txt
This signature fired because the ransom note was written into a Temporary Internet Files folder during the directory walk, not because anything was downloaded; the classification label ends in @0/0 and no network contacts were recorded.
Urls found in memory or binary data
Source: OpenWith.exe, 00000007.00000002.2185337136.000001FB527A6000.00000002.00000001.sdmp | String found in binary or memory:
  http://fontfabrik.com
  http://www.apache.org/licenses/LICENSE-2.0
  http://www.carterandcone.coml
  http://www.fonts.com
  http://www.founder.com.cn/cn
  http://www.founder.com.cn/cn/bThe
  http://www.founder.com.cn/cn/cThe
  http://www.goodfont.co.kr
  http://www.jiyu-kobo.co.jp/
  http://www.sajatypeworks.com
  http://www.sakkal.com
  http://www.sandoll.co.kr
  http://www.tiro.com
  http://www.typography.netD
  http://www.zhongyicts.com.cn
Source: clop ransomware.exe, 00000000.00000003.1956860464.0000000002BEA000.00000004.00000001.sdmp | String found in binary or memory: https://www.verivox.de/company/datenschutz/
The OpenWith.exe strings are type-foundry and font-license URLs from font data mapped into that process; they are not indicators for this sample. The verivox.de URL was found in the sample's process memory, but with no network activity recorded it is a string, not an observed contact, and should not be listed as an IOC without corroboration.

Spam, unwanted Advertisements and Ransom Demands:

Yara detected Clop Ransomware
Source: Yara match | File source: Process Memory Space: clop ransomware.exe PID: 3824, type: MEMORY
Modifies existing user documents (likely ransomware behavior)
Source: C:\Users\user\Desktop\clop ransomware.exe | File deleted: C:\Users\user\Desktop\HMPPSXQPQV.pdf
Source: C:\Users\user\Desktop\clop ransomware.exe | File deleted: C:\Users\user\Desktop\LIJDSFKJZG.xlsx
Source: C:\Users\user\Desktop\clop ransomware.exe | File deleted: C:\Users\user\Desktop\HMPPSXQPQV.docx
Source: C:\Users\user\Desktop\clop ransomware.exe | File deleted: C:\Users\user\Desktop\LFOPODGVOH.docx
These are the sandbox's decoy documents. The originals are deleted after processing, and the created-file entries elsewhere in this report (for example desktop.ini.Clop) show the .Clop suffix the sample appends to the files it writes.

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000006.00000002.2167138375.0000025640508000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Detects LockerGoga ransomware binaries, Author: Florian Roth
This rule (Ransom_LockerGoga_Mar19_1, listed in full under "Yara signature match" below) hit in the memory of process 6, not in the sample's own process (0). Treat it as an overlapping community signature rather than as evidence of a relationship with LockerGoga; the family attribution in this report rests on the Clop-specific Yara match above and on the indicators below.
Detected potential crypto function
Source: C:\Users\user\Desktop\clop ransomware.exe | Code functions: 0_2_0040A0E5, 0_2_00433045, 0_2_0043215D, 0_2_004332C0, 0_2_00431C32, 0_2_00432CAC, 0_2_004335C5, 0_2_0042CEDC, 0_2_004326A1
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\clop ransomware.exe | String function: 0042B330 appears 32 times
Source: C:\Users\user\Desktop\clop ransomware.exe | String function: 0040D8D0 appears 44 times
(0040D8D0 is the process-enumeration and termination routine listed under "Contains functionality to enum processes or threads" below, not a string decryptor.)
Sample file is different than original file name gathered from version info
Source: clop ransomware.exe, 00000000.00000002.2163380138.0000000000980000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs clop ransomware.exe
Source: clop ransomware.exe, 00000000.00000002.2162402654.0000000000490000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamempr.dll.muij% vs clop ransomware.exe
Source: clop ransomware.exe, 00000000.00000002.2165305205.0000000002A50000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs clop ransomware.exe
These OriginalFilename values come from the resource-only .mui images of crypt32.dll, mpr.dll and kernelbase.dll mapped into the process, not from the sample's own version resource, so the signature is noise here. The useful fact is that mpr.dll (the WNet network-provider router) and crypt32.dll are loaded.
Tries to load missing DLLs
Source: C:\Users\user\Desktop\clop ransomware.exe | Section loaded: drprov.dll, winsta.dll, ntlanman.dll, davclnt.dll, davhlpr.dll, wkscli.dll, cscapi.dll, netutils.dll, browcli.dll, cryptsp.dll, rsaenh.dll, userenv.dll, dpapi.dll
All of these are standard Windows components: drprov.dll, ntlanman.dll, davclnt.dll and davhlpr.dll are the network providers mpr.dll pulls in when a process enumerates or opens network resources, and cryptsp.dll with rsaenh.dll (the Microsoft Enhanced Cryptographic Provider) back the CryptoAPI calls listed under Cryptography. This list therefore points at network-share enumeration rather than at a genuinely absent dependency.
Yara signature match
Source: 00000006.00000002.2167138375.0000025640508000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Ransom_LockerGoga_Mar19_1, date = 2019-03-19, hash3 = bdf36127817413f625d2625d3133760af724d6ad2410bea7297ddc116abc268f, hash2 = 7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26, hash1 = c97d9bbc80b573bdeeda3812f4d00e5183493dd0d5805e2508728f65977dda15, author = Florian Roth, description = Detects LockerGoga ransomware binaries, reference = https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202, license = https://creativecommons.org/licenses/by-nc/4.0/
Classification label
Source: classification engine | Classification label: mal100.rans.evad.winEXE@3/47@0/0
Contains functionality to enum processes or threads
Source: C:\Users\user\Desktop\clop ransomware.exe | Code function 0_2_0040D8D0: GetCurrentThread, Sleep, CreateToolhelp32Snapshot, lstrcpyW, lstrcpyW, lstrlenW, CharUpperBuffW, CloseHandle, Process32FirstW, lstrcpyW, lstrlenW, CharUpperBuffW, lstrcmpW, OpenProcess, TerminateProcess, CloseHandle, lstrcpyW, Process32NextW, CloseHandle
This is a kill routine, not mere enumeration: each process name from the snapshot is upper-cased (CharUpperBuffW) and compared for exact equality (lstrcmpW) with an upper-cased target name, and a match is opened and terminated (OpenProcess, TerminateProcess). The process names listed under "Might use command line arguments" below are the obvious candidates for that target list.
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\clop ransomware.exe | Code function 0_2_0040DAA0: StrStrW, SetErrorMode, wsprintfW, CreateFileW, CloseHandle, lstrcmpW, GetModuleHandleW, FindResourceW, LoadResource, LockResource, SizeofResource, GlobalAlloc, CreateFileW, WriteFile, CloseHandle, GlobalFree
(A resource is located, copied and written to a file whose path is built with wsprintfW; this is consistent with the ransom note being stored as a resource and written into each visited directory.)
Creates files inside the user directory
Source: C:\Users\user\Desktop\clop ransomware.exe | File created: C:\Users\user\Desktop\desktop.ini.Clop
Creates mutexes
Source: C:\Windows\System32\OpenWith.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:14160:120:WilError_01
Source: C:\Users\user\Desktop\clop ransomware.exe | Mutant created: \Sessions\1\BaseNamedObjects\CLOP#666
The CLOP#666 mutant (also present as a string referenced from 0_2_0040D450) is the run-once marker typical of ransomware and the cleanest host indicator in this report. The WilError_01 mutant is a routine Windows component artefact from OpenWith.exe.
Creates temporary files
Source: C:\Users\user\Desktop\clop ransomware.exe | File created: C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Temp\ClopReadMe.txt
Might use command line arguments
Source: C:\Users\user\Desktop\clop ransomware.exe | Strings referenced from code function 0_2_0040D450:
  popup.txt
  //...//
  1234567890
  zoolz.exe, mysqld-nt.exe, syntime.exe, agntsv.exe, mysqld-opt.exe, tbirdonfig.exe, dbeng50.exe, oautoupds.exe, thebat.exe, dbsnmp.exe, oomm.exe, thebat64.exe, ensv.exe, ossd.exe, thunderbird.exe, exel.exe, onenote.exe, visio.exe, orale.exe, winword.exe, infopath.exe, outlook.exe, wordpad.exe, isqlplussv.exe, powerpnt.exe, xfssvon.exe, msaess.exe, tmlisten.exe, msftesql.exe, sqlagent.exe, PNTMon.exe, mspub.exe, sqlbrowser.exe, NTAoSMgr.exe, sqlservr.exe, Ntrtsan.exe, sqlwriter.exe, mbamtray.exe, mysqld.exe, steam.exe
  CLOP#666
  %c:
  *.*
Despite the signature name, these read as a data table rather than as switches parsed from the command line. The .exe names are database, mail, Office, backup and security-agent processes of the kind ransomware stops so that their files are not locked; CLOP#666 is the mutant name; "%c:" and "*.*" are the drive-root and wildcard templates for the file walk. Several entries are common application names with a character dropped (exel.exe, orale.exe, msaess.exe, tbirdonfig.exe, oautoupds.exe); because 0_2_0040D8D0 compares with lstrcmpW after upper-casing, those entries cannot match the real process names, so those applications would keep running.
PE file has an executable .text section and no other executable section
Source: clop ransomware.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\Users\user\Desktop\clop ransomware.exe | File read: C:\$Recycle.Bin\S-1-5-18\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\clop ransomware.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: clop ransomware.exe | Virustotal: Detection: 86%
Source: clop ransomware.exe | Metadefender: Detection: 66%
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\clop ransomware.exe 'C:\Users\user\Desktop\clop ransomware.exe'
Source: unknown | Process created: C:\Windows\System32\notepad.exe 'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ClopReadMe.txt
Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
The notepad.exe command line shows the ransom note placed in the user's Startup folder, where the shell opens it with its default handler at every logon. The Default-profile Start Menu entries under "Boot Survival" below are the same note plus an encrypted desktop.ini written during the directory walk, not an additional persistence mechanism.
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\notepad.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\clop ransomware.exe | Unpacked PE file: 0.2.clop ransomware.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\clop ransomware.exe | Unpacked PE file: 0.2.clop ransomware.exe.400000.0.unpack
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\clop ransomware.exe | Code function 0_2_00401936: push ecx; ret 0_2_00401949
Source: C:\Users\user\Desktop\clop ransomware.exe | Code function 0_2_0042B375: push ecx; ret 0_2_0042B388
Two short "push ecx; ret" sites are weak evidence of obfuscation on their own; the stronger unpacking indicator is that the section table seen in memory (.text, .data, .rsrc) differs from the one in the file (.text, .rdata, .data, .gfids, .rsrc, .reloc) together with the rewritten PE header. Static analysis should be done on the 0.2.clop ransomware.exe.400000.0.unpack dump, which is also the image Avira labelled above.

Persistence and Installation Behavior:

Creates license or readme file
Source: C:\Users\user\Desktop\clop ransomware.exe | File created: ClopReadMe.txt in each of:
  C:\
  C:\$Recycle.Bin\
  C:\$Recycle.Bin\S-1-5-18\
  C:\$Recycle.Bin\S-1-5-21-58933367-3072710494-194312298-1001\
  C:\$Recycle.Bin\S-1-5-21-58933367-3072710494-194312298-1002\
  C:\Documents and Settings\
  C:\Documents and Settings\All Users\
  C:\Documents and Settings\Default\
  C:\Documents and Settings\Default\AppData\
  C:\Documents and Settings\Default\AppData\Local\
  C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\History\
  C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Microsoft\
  C:\Documents and Settings\Default\AppData\Local\Application Data\Application Data\Temp\
  C:\Documents and Settings\Default\AppData\Local\Application Data\Temporary Internet Files\
  C:\Documents and Settings\Default\AppData\Roaming\
  C:\Documents and Settings\Default\AppData\Roaming\Microsoft\
  C:\Documents and Settings\Default\Cookies\
  C:\Documents and Settings\Default\Documents\
  C:\Documents and Settings\Default\Documents\My Music\
  C:\Documents and Settings\Default\Documents\My Pictures\
  C:\Documents and Settings\Default\Documents\My Videos\
  C:\Documents and Settings\Default\Downloads\
  C:\Documents and Settings\Default\Favorites\
  C:\Documents and Settings\Default\Links\
  C:\Documents and Settings\Default\NetHood\
  C:\Documents and Settings\Default\PrintHood\
  C:\Documents and Settings\Default\Recent\
  C:\Documents and Settings\Default\Saved Games\
  C:\Documents and Settings\Default\SendTo\
  C:\Documents and Settings\Default\Start Menu\
  C:\Documents and Settings\Default\Start Menu\Programs\
  C:\Documents and Settings\Default\Start Menu\Programs\Accessibility\
  C:\Documents and Settings\Default\Start Menu\Programs\Accessories\
The C:\Documents and Settings paths are the compatibility junctions Windows keeps for the legacy profile layout; the walk follows them, which is why nested paths such as "Application Data\Application Data" appear. The pattern is one note per visited directory, so on a real host the number of ClopReadMe.txt files is a rough measure of how far the walk got before it was stopped.

Boot Survival:

Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\clop ransomware.exe | File created: C:\Documents and Settings\Default\Start Menu\ClopReadMe.txt
Source: C:\Users\user\Desktop\clop ransomware.exe | File created: C:\Documents and Settings\Default\Start Menu\Programs\desktop.ini.Clop
Source: C:\Users\user\Desktop\clop ransomware.exe | File created: C:\Documents and Settings\Default\Start Menu\Programs\ClopReadMe.txt
Source: C:\Users\user\Desktop\clop ransomware.exe | File created: C:\Documents and Settings\Default\Start Menu\Programs\Accessibility\Desktop.ini.Clop
Source: C:\Users\user\Desktop\clop ransomware.exe | File created: C:\Documents and Settings\Default\Start Menu\Programs\Accessibility\ClopReadMe.txt
Source: C:\Users\user\Desktop\clop ransomware.exe | File created: C:\Documents and Settings\Default\Start Menu\Programs\Accessories\Desktop.ini.Clop
Source: C:\Users\user\Desktop\clop ransomware.exe | File created: C:\Documents and Settings\Default\Start Menu\Programs\Accessories\ClopReadMe.txt

Hooking and other Techniques for Hiding and Protection:

Creates files in the recycle bin to hide itself
Source: C:\Users\user\Desktop\clop ransomware.exe | File created: C:\$Recycle.Bin\ClopReadMe.txt
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\OpenWith.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Disables application error messages (SetErrorMode)
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)
Source: C:\Users\user\Desktop\clop ransomware.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep | graph_0-17287
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\clop ransomware.exe | Thread delayed: delay time: 300000
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\clop ransomware.exe TID: 384 | Thread sleep time: -300000s >= -30000s
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\clop ransomware.exeCode function: 0_2_0040B480 SetErrorMode,lstrcpyW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,FindFirstFileW,StrStrW,lstrcmpW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,lstrcmpW,lstrcmpW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,wsprintfW,lstrcpyA,lstrcpyW,lstrcpyW,CreateThread,WaitForSingleObject,FindNextFileW,lstrcmpW,lstrcmpW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,wsprintfW,lstrcpyA,lstrcpyW,lstrcpyW,CreateThread,WaitForSingleObject,FindNextFileW,FindClose,FindClose,lstrcpyW,lstrcatW,FindFirstFileW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,FindNextFileW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcatW0_2_0040B480
Source: C:\Users\user\Desktop\clop ransomware.exeCode function: 0_2_0040BE90 SetErrorMode,lstrcpyW,lstrcpyW,lstrcatW,lstrcatW,lstrcpyW,lstrcatW,FindFirstFileW,StrStrW,lstrcmpW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,lstrcmpW,lstrcmpW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,wsprintfW,lstrcpyA,lstrcpyW,lstrcpyW,CreateThread,WaitForSingleObject,FindNextFileW,lstrcmpW,lstrcmpW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,wsprintfW,lstrcpyA,lstrcpyW,lstrcpyW,CreateThread,WaitForSingleObject,FindNextFileW,FindClose,FindClose,lstrcpyW,lstrcatW,StrStrW,StrStrW,FindFirstFileW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,StrStrW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,F0_2_0040BE90
Source: C:\Users\user\Desktop\clop ransomware.exe | Code function: 0_2_0040D88A FindFirstFileTransactedA | 0_2_0040D88A
Source: C:\Users\user\Desktop\clop ransomware.exe | Code function: 0_2_004046B5 FindFirstFileExA | 0_2_004046B5
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: clop ransomware.exe, 00000000.00000002.2165305205.0000000002A50000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: clop ransomware.exe, 00000000.00000002.2165305205.0000000002A50000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: clop ransomware.exe, 00000000.00000002.2165305205.0000000002A50000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: clop ransomware.exe, 00000000.00000002.2165305205.0000000002A50000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Program exit points
Source: C:\Users\user\Desktop\clop ransomware.exe | API call chain: ExitProcess graph end node | graph_0-17289
Queries a list of all running processes
Source: C:\Users\user\Desktop\clop ransomware.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\clop ransomware.exe | Code function: 0_2_00404274 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_00404274
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\clop ransomware.exe | Code function: 0_2_0040335D mov eax, dword ptr fs:[00000030h] | 0_2_0040335D
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\clop ransomware.exe | Code function: 0_2_004064AF GetProcessHeap | 0_2_004064AF
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\clop ransomware.exe | Code function: 0_2_00401832 SetUnhandledExceptionFilter | 0_2_00401832
Source: C:\Users\user\Desktop\clop ransomware.exe | Code function: 0_2_00401241 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 0_2_00401241
Source: C:\Users\user\Desktop\clop ransomware.exe | Code function: 0_2_00404274 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_00404274
Source: C:\Users\user\Desktop\clop ransomware.exe | Code function: 0_2_004016E4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_004016E4
Source: C:\Users\user\Desktop\clop ransomware.exe | Code function: 0_2_004256A5 SetUnhandledExceptionFilter | 0_2_004256A5

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: clop ransomware.exe, 00000000.00000002.2163488807.0000000000D60000.00000002.00000001.sdmp, notepad.exe, 00000006.00000002.2167807411.0000025640AF0000.00000002.00000001.sdmp, OpenWith.exe, 00000007.00000002.2181016027.000001FB4E530000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: clop ransomware.exe, 00000000.00000002.2163488807.0000000000D60000.00000002.00000001.sdmp, notepad.exe, 00000006.00000002.2167807411.0000025640AF0000.00000002.00000001.sdmp, OpenWith.exe, 00000007.00000002.2181016027.000001FB4E530000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: clop ransomware.exe, 00000000.00000002.2163488807.0000000000D60000.00000002.00000001.sdmp, notepad.exe, 00000006.00000002.2167807411.0000025640AF0000.00000002.00000001.sdmp, OpenWith.exe, 00000007.00000002.2181016027.000001FB4E530000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: clop ransomware.exe, 00000000.00000002.2163488807.0000000000D60000.00000002.00000001.sdmp, notepad.exe, 00000006.00000002.2167807411.0000025640AF0000.00000002.00000001.sdmp, OpenWith.exe, 00000007.00000002.2181016027.000001FB4E530000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\clop ransomware.exe | Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,___crtGetLocaleInfoA | 0_2_00435378
Source: C:\Users\user\Desktop\clop ransomware.exe | Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,___crtGetLocaleInfoA | 0_2_0043537C
Source: C:\Users\user\Desktop\clop ransomware.exe | Code function: __crtGetLocaleInfoA_stat | 0_2_0043672A
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\clop ransomware.exe | Code function: 0_2_0040194B cpuid | 0_2_0040194B
Queries the volume information (name, serial number etc.) of a device
Source: C:\Windows\System32\notepad.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ClopReadMe.txt VolumeInformation
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\clop ransomware.exe | Code function: 0_2_004015CC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,RtlQueryPerformanceCounter | 0_2_004015CC
Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\clop ransomware.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Malware Configuration

No configs have been found

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Simulations

Behavior and APIs

Time | Type | Description
11:16:53 | API Interceptor | 1x Sleep call for process: clop ransomware.exe modified
11:17:58 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ClopReadMe.txt
11:18:06 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.Clop
11:18:15 | API Interceptor | 1x Sleep call for process: OpenWith.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
clop ransomware.exe | 86% | Virustotal |
clop ransomware.exe | 67% | Metadefender |
clop ransomware.exe | 100% | Avira | TR/Zudochka.tztrl
clop ransomware.exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.0.clop ransomware.exe.400000.0.unpack | 100% | Avira | TR/Zudochka.tztrl
0.2.clop ransomware.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1039569

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | Virustotal |
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | Virustotal |
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | Virustotal |
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | Virustotal |
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | Virustotal |
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.tiro.com | 0% | Virustotal |
http://www.tiro.com | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | Virustotal |
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | Virustotal |
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | Virustotal |
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | Virustotal |
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | Virustotal |
http://www.sajatypeworks.com | 0% | URL Reputation | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author | Strings
00000006.00000002.2167138375.0000025640508000.00000004.00000020.sdmp | Ransom_LockerGoga_Mar19_1 | Detects LockerGoga ransomware binaries | Florian Roth
  • 0x3984:$rn1: This may lead to the impossibility of recovery of the certain files.
Process Memory Space: clop ransomware.exe PID: 3824 | JoeSecurity_Clop | Yara detected Clop Ransomware | Joe Security

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots
