2873f7c2119b8d916aa916e1c9138835b0ab18937e24f1e94f9f5949a1b64177

Analysis

max time kernel
91s
max time network
93s
platform
windows7_x64
resource
win7v20210410
submitted
26-07-2021 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37ef42e0b21d765a7a2fa3e29a934d4b.exe
Size

1.1MB
MD5

37ef42e0b21d765a7a2fa3e29a934d4b
SHA1

c10d179ded62764b0428e57e3a053097d7d57f2d
SHA256

2873f7c2119b8d916aa916e1c9138835b0ab18937e24f1e94f9f5949a1b64177
SHA512

e006ddc0adaf282688fb3b47c3f58399205702ecb08bd25784e1945cf887e9860807a27bda2724b823a0869c7dad4714ede3a71f1dd44f164b3288f98014490c

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

vpn.exe4.exeSmartClock.exe

pid process

2040 vpn.exe
2044 4.exe
1784 SmartClock.exe
Drops startup file 1 IoCs

Processes:

4.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk 4.exe

pid	process
2040	vpn.exe
2044	4.exe
1784	SmartClock.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4.exe

Loads dropped DLL 13 IoCs

Processes:

37ef42e0b21d765a7a2fa3e29a934d4b.exe4.exeSmartClock.exe

pid	process
1088	37ef42e0b21d765a7a2fa3e29a934d4b.exe
1088	37ef42e0b21d765a7a2fa3e29a934d4b.exe
1088	37ef42e0b21d765a7a2fa3e29a934d4b.exe
1088	37ef42e0b21d765a7a2fa3e29a934d4b.exe
2044	4.exe
2044	4.exe
2044	4.exe
2044	4.exe
2044	4.exe
2044	4.exe
1784	SmartClock.exe
1784	SmartClock.exe
1784	SmartClock.exe

Drops file in Program Files directory 3 IoCs

Processes:

37ef42e0b21d765a7a2fa3e29a934d4b.exe

description	ioc	process
File created	C:\Program Files (x86)\foler\olader\acppage.dll	37ef42e0b21d765a7a2fa3e29a934d4b.exe
File created	C:\Program Files (x86)\foler\olader\adprovider.dll	37ef42e0b21d765a7a2fa3e29a934d4b.exe
File created	C:\Program Files (x86)\foler\olader\acledit.dll	37ef42e0b21d765a7a2fa3e29a934d4b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

1784 SmartClock.exe

pid	process
1784	SmartClock.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

37ef42e0b21d765a7a2fa3e29a934d4b.exe4.exe

description	pid	process	target process
PID 1088 wrote to memory of 2040	1088	37ef42e0b21d765a7a2fa3e29a934d4b.exe	vpn.exe
PID 1088 wrote to memory of 2040	1088	37ef42e0b21d765a7a2fa3e29a934d4b.exe	vpn.exe
PID 1088 wrote to memory of 2040	1088	37ef42e0b21d765a7a2fa3e29a934d4b.exe	vpn.exe
PID 1088 wrote to memory of 2040	1088	37ef42e0b21d765a7a2fa3e29a934d4b.exe	vpn.exe
PID 1088 wrote to memory of 2040	1088	37ef42e0b21d765a7a2fa3e29a934d4b.exe	vpn.exe
PID 1088 wrote to memory of 2040	1088	37ef42e0b21d765a7a2fa3e29a934d4b.exe	vpn.exe
PID 1088 wrote to memory of 2040	1088	37ef42e0b21d765a7a2fa3e29a934d4b.exe	vpn.exe
PID 1088 wrote to memory of 2044	1088	37ef42e0b21d765a7a2fa3e29a934d4b.exe	4.exe
PID 1088 wrote to memory of 2044	1088	37ef42e0b21d765a7a2fa3e29a934d4b.exe	4.exe
PID 1088 wrote to memory of 2044	1088	37ef42e0b21d765a7a2fa3e29a934d4b.exe	4.exe
PID 1088 wrote to memory of 2044	1088	37ef42e0b21d765a7a2fa3e29a934d4b.exe	4.exe
PID 1088 wrote to memory of 2044	1088	37ef42e0b21d765a7a2fa3e29a934d4b.exe	4.exe
PID 1088 wrote to memory of 2044	1088	37ef42e0b21d765a7a2fa3e29a934d4b.exe	4.exe
PID 1088 wrote to memory of 2044	1088	37ef42e0b21d765a7a2fa3e29a934d4b.exe	4.exe
PID 2044 wrote to memory of 1784	2044	4.exe	SmartClock.exe
PID 2044 wrote to memory of 1784	2044	4.exe	SmartClock.exe
PID 2044 wrote to memory of 1784	2044	4.exe	SmartClock.exe
PID 2044 wrote to memory of 1784	2044	4.exe	SmartClock.exe
PID 2044 wrote to memory of 1784	2044	4.exe	SmartClock.exe
PID 2044 wrote to memory of 1784	2044	4.exe	SmartClock.exe
PID 2044 wrote to memory of 1784	2044	4.exe	SmartClock.exe

C:\Users\Admin\AppData\Local\Temp\37ef42e0b21d765a7a2fa3e29a934d4b.exe
"C:\Users\Admin\AppData\Local\Temp\37ef42e0b21d765a7a2fa3e29a934d4b.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1088

C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
2⤵
- Executes dropped EXE
PID:2040

C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
"C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
PID:1784

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
b3d504274b6b8a4be14d05ea2bd60a71

SHA1
772fe30c89748ce4282bf35c20ba7cc0c46c39d6

SHA256
1634be2ee33a2b486483ca00dcc612f9a475147315c9f3cb0421327799b1bc57

SHA512
fe7348f3298f5e45bf8adc7e728e9e7d2421b03f6da51a5d69b5fa011d23cfb599b18a37e039c24ccac419ec4adfb03d1058d1df664864744910039f2c256552

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
b3d504274b6b8a4be14d05ea2bd60a71

SHA1
772fe30c89748ce4282bf35c20ba7cc0c46c39d6

SHA256
1634be2ee33a2b486483ca00dcc612f9a475147315c9f3cb0421327799b1bc57

SHA512
fe7348f3298f5e45bf8adc7e728e9e7d2421b03f6da51a5d69b5fa011d23cfb599b18a37e039c24ccac419ec4adfb03d1058d1df664864744910039f2c256552

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
MD5
51aebb77c703d0ee1f9246828af5105f

SHA1
fe0710ab9e6663f2b76c5fe5ff76c9c9f7e741d2

SHA256
53f273aa3da76fc6b2f4293bf11b2c4695f0afd777ee7467b1f67af65b0b61ff

SHA512
d16449b33c43354bd082f9e37faf566f3a570445836227f104c99518c5ad8788ad5d5aa8db5e9fd0d7f9a2a48df381a6ec85a4fcba2f682a33295abaeff18012

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
b3d504274b6b8a4be14d05ea2bd60a71

SHA1
772fe30c89748ce4282bf35c20ba7cc0c46c39d6

SHA256
1634be2ee33a2b486483ca00dcc612f9a475147315c9f3cb0421327799b1bc57

SHA512
fe7348f3298f5e45bf8adc7e728e9e7d2421b03f6da51a5d69b5fa011d23cfb599b18a37e039c24ccac419ec4adfb03d1058d1df664864744910039f2c256552

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
b3d504274b6b8a4be14d05ea2bd60a71

SHA1
772fe30c89748ce4282bf35c20ba7cc0c46c39d6

SHA256
1634be2ee33a2b486483ca00dcc612f9a475147315c9f3cb0421327799b1bc57

SHA512
fe7348f3298f5e45bf8adc7e728e9e7d2421b03f6da51a5d69b5fa011d23cfb599b18a37e039c24ccac419ec4adfb03d1058d1df664864744910039f2c256552

Download Submit
\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
b3d504274b6b8a4be14d05ea2bd60a71

SHA1
772fe30c89748ce4282bf35c20ba7cc0c46c39d6

SHA256
1634be2ee33a2b486483ca00dcc612f9a475147315c9f3cb0421327799b1bc57

SHA512
fe7348f3298f5e45bf8adc7e728e9e7d2421b03f6da51a5d69b5fa011d23cfb599b18a37e039c24ccac419ec4adfb03d1058d1df664864744910039f2c256552

Download Submit
\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
b3d504274b6b8a4be14d05ea2bd60a71

SHA1
772fe30c89748ce4282bf35c20ba7cc0c46c39d6

SHA256
1634be2ee33a2b486483ca00dcc612f9a475147315c9f3cb0421327799b1bc57

SHA512
fe7348f3298f5e45bf8adc7e728e9e7d2421b03f6da51a5d69b5fa011d23cfb599b18a37e039c24ccac419ec4adfb03d1058d1df664864744910039f2c256552

Download Submit
\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
b3d504274b6b8a4be14d05ea2bd60a71

SHA1
772fe30c89748ce4282bf35c20ba7cc0c46c39d6

SHA256
1634be2ee33a2b486483ca00dcc612f9a475147315c9f3cb0421327799b1bc57

SHA512
fe7348f3298f5e45bf8adc7e728e9e7d2421b03f6da51a5d69b5fa011d23cfb599b18a37e039c24ccac419ec4adfb03d1058d1df664864744910039f2c256552

Download Submit
\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
b3d504274b6b8a4be14d05ea2bd60a71

SHA1
772fe30c89748ce4282bf35c20ba7cc0c46c39d6

SHA256
1634be2ee33a2b486483ca00dcc612f9a475147315c9f3cb0421327799b1bc57

SHA512
fe7348f3298f5e45bf8adc7e728e9e7d2421b03f6da51a5d69b5fa011d23cfb599b18a37e039c24ccac419ec4adfb03d1058d1df664864744910039f2c256552

Download Submit
\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5
b3d504274b6b8a4be14d05ea2bd60a71

SHA1
772fe30c89748ce4282bf35c20ba7cc0c46c39d6

SHA256
1634be2ee33a2b486483ca00dcc612f9a475147315c9f3cb0421327799b1bc57

SHA512
fe7348f3298f5e45bf8adc7e728e9e7d2421b03f6da51a5d69b5fa011d23cfb599b18a37e039c24ccac419ec4adfb03d1058d1df664864744910039f2c256552

Download Submit
\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
MD5
51aebb77c703d0ee1f9246828af5105f

SHA1
fe0710ab9e6663f2b76c5fe5ff76c9c9f7e741d2

SHA256
53f273aa3da76fc6b2f4293bf11b2c4695f0afd777ee7467b1f67af65b0b61ff

SHA512
d16449b33c43354bd082f9e37faf566f3a570445836227f104c99518c5ad8788ad5d5aa8db5e9fd0d7f9a2a48df381a6ec85a4fcba2f682a33295abaeff18012

Download Submit
\Users\Admin\AppData\Local\Temp\nsn34B8.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
b3d504274b6b8a4be14d05ea2bd60a71

SHA1
772fe30c89748ce4282bf35c20ba7cc0c46c39d6

SHA256
1634be2ee33a2b486483ca00dcc612f9a475147315c9f3cb0421327799b1bc57

SHA512
fe7348f3298f5e45bf8adc7e728e9e7d2421b03f6da51a5d69b5fa011d23cfb599b18a37e039c24ccac419ec4adfb03d1058d1df664864744910039f2c256552

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
b3d504274b6b8a4be14d05ea2bd60a71

SHA1
772fe30c89748ce4282bf35c20ba7cc0c46c39d6

SHA256
1634be2ee33a2b486483ca00dcc612f9a475147315c9f3cb0421327799b1bc57

SHA512
fe7348f3298f5e45bf8adc7e728e9e7d2421b03f6da51a5d69b5fa011d23cfb599b18a37e039c24ccac419ec4adfb03d1058d1df664864744910039f2c256552

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
b3d504274b6b8a4be14d05ea2bd60a71

SHA1
772fe30c89748ce4282bf35c20ba7cc0c46c39d6

SHA256
1634be2ee33a2b486483ca00dcc612f9a475147315c9f3cb0421327799b1bc57

SHA512
fe7348f3298f5e45bf8adc7e728e9e7d2421b03f6da51a5d69b5fa011d23cfb599b18a37e039c24ccac419ec4adfb03d1058d1df664864744910039f2c256552

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
b3d504274b6b8a4be14d05ea2bd60a71

SHA1
772fe30c89748ce4282bf35c20ba7cc0c46c39d6

SHA256
1634be2ee33a2b486483ca00dcc612f9a475147315c9f3cb0421327799b1bc57

SHA512
fe7348f3298f5e45bf8adc7e728e9e7d2421b03f6da51a5d69b5fa011d23cfb599b18a37e039c24ccac419ec4adfb03d1058d1df664864744910039f2c256552

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
b3d504274b6b8a4be14d05ea2bd60a71

SHA1
772fe30c89748ce4282bf35c20ba7cc0c46c39d6

SHA256
1634be2ee33a2b486483ca00dcc612f9a475147315c9f3cb0421327799b1bc57

SHA512
fe7348f3298f5e45bf8adc7e728e9e7d2421b03f6da51a5d69b5fa011d23cfb599b18a37e039c24ccac419ec4adfb03d1058d1df664864744910039f2c256552

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
b3d504274b6b8a4be14d05ea2bd60a71

SHA1
772fe30c89748ce4282bf35c20ba7cc0c46c39d6

SHA256
1634be2ee33a2b486483ca00dcc612f9a475147315c9f3cb0421327799b1bc57

SHA512
fe7348f3298f5e45bf8adc7e728e9e7d2421b03f6da51a5d69b5fa011d23cfb599b18a37e039c24ccac419ec4adfb03d1058d1df664864744910039f2c256552

Download Submit
memory/1088-59-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download
memory/1784-77-0x0000000000000000-mapping.dmp

Download
memory/1784-86-0x0000000000240000-0x0000000000266000-memory.dmp

Filesize
152KB

Download
memory/1784-87-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2040-62-0x0000000000000000-mapping.dmp

Download
memory/2044-66-0x0000000000000000-mapping.dmp

Download
memory/2044-84-0x0000000000230000-0x00000000002A1000-memory.dmp

Filesize
452KB

Download
memory/2044-85-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads