Analysis
- max time kernel: 11s
- max time network: 110s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 19:50
- Static task: static1
- Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Variant.Razy.463744.1299.18235.exe
- Resource: win7v20201028
General
- Target: SecuriteInfo.com.Variant.Razy.463744.1299.18235.exe
- Size: 2.6MB
- MD5: 9f1331b4968f26255e5331cb003ff25d
- SHA1: 457e69a75a56bc9dfd414ea7aa52b732396a463d
- SHA256: fdf5f9635c047cde3c096139490f3462d03434986b1450ca5f01be74e1f5b559
- SHA512: 34a8d5fa280cef867eaef5a1b6f5df4e477476ed046ef105fee42a43e15d395576072aa148ffd31805451849ca3e309316caf145a641745c25bdab2591824267
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    2576 | SmartClock.exe
- Checks BIOS information in registry (2 TTPs, 4 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | SmartClock.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | SecuriteInfo.com.Variant.Razy.463744.1299.18235.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | SecuriteInfo.com.Variant.Razy.463744.1299.18235.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | SmartClock.exe
- Drops startup file (1 IoC)
  Processes (description | ioc | process):
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk | SecuriteInfo.com.Variant.Razy.463744.1299.18235.exe
- Checks whether UAC is enabled
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SecuriteInfo.com.Variant.Razy.463744.1299.18235.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SmartClock.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes (pid | process):
    2868 | SecuriteInfo.com.Variant.Razy.463744.1299.18235.exe
    2576 | SmartClock.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes (pid | process):
    2576 | SmartClock.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | process | target process):
    PID 2868 wrote to memory of 2576 | 2868 | SecuriteInfo.com.Variant.Razy.463744.1299.18235.exe | SmartClock.exe
    PID 2868 wrote to memory of 2576 | 2868 | SecuriteInfo.com.Variant.Razy.463744.1299.18235.exe | SmartClock.exe
    PID 2868 wrote to memory of 2576 | 2868 | SecuriteInfo.com.Variant.Razy.463744.1299.18235.exe | SmartClock.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Razy.463744.1299.18235.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Razy.463744.1299.18235.exe"
   - Checks BIOS information in registry
   - Drops startup file
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: AddClipboardFormatListener
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
  MD5: 9f1331b4968f26255e5331cb003ff25d
  SHA1: 457e69a75a56bc9dfd414ea7aa52b732396a463d
  SHA256: fdf5f9635c047cde3c096139490f3462d03434986b1450ca5f01be74e1f5b559
  SHA512: 34a8d5fa280cef867eaef5a1b6f5df4e477476ed046ef105fee42a43e15d395576072aa148ffd31805451849ca3e309316caf145a641745c25bdab2591824267
- memory/2576-1-0x0000000000000000-mapping.dmp
- memory/2576-4-0x0000000000DC0000-0x0000000001493000-memory.dmp
  Filesize: 6.8MB
- memory/2868-0-0x0000000000D60000-0x0000000001433000-memory.dmp
  Filesize: 6.8MB