69c05a508e316c42b4a911a2ef8ccf3abc6a6ffe107b4917385caf83f1dd7a9d

General

Target

69c05a508e316c42b4a911a2ef8ccf3abc6a6ffe107b4917385caf83f1dd7a9d.exe
Size

404KB
MD5

3dd64bad7093671bc8892602189d7ff2
SHA1

9e573c37bd5ccbc4ccdc20d129a7bf30bdd5ce44
SHA256

69c05a508e316c42b4a911a2ef8ccf3abc6a6ffe107b4917385caf83f1dd7a9d
SHA512

dbd02c12ce60e3b46d401d7a03c0d94ac84ed667de84d70d8f4c6e73894f3bbf6dce2f93d6924a079beaf537b56dccf347d4fa0ed294ec870d2f6def31270a67

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

SmartClock.exe

pid process

752 SmartClock.exe

pid	process
752	SmartClock.exe

Drops startup file 1 IoCs

Processes:

69c05a508e316c42b4a911a2ef8ccf3abc6a6ffe107b4917385caf83f1dd7a9d.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	69c05a508e316c42b4a911a2ef8ccf3abc6a6ffe107b4917385caf83f1dd7a9d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

752 SmartClock.exe

pid	process
752	SmartClock.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

69c05a508e316c42b4a911a2ef8ccf3abc6a6ffe107b4917385caf83f1dd7a9d.exe

description	pid	process	target process
PID 2756 wrote to memory of 752	2756	69c05a508e316c42b4a911a2ef8ccf3abc6a6ffe107b4917385caf83f1dd7a9d.exe	SmartClock.exe
PID 2756 wrote to memory of 752	2756	69c05a508e316c42b4a911a2ef8ccf3abc6a6ffe107b4917385caf83f1dd7a9d.exe	SmartClock.exe
PID 2756 wrote to memory of 752	2756	69c05a508e316c42b4a911a2ef8ccf3abc6a6ffe107b4917385caf83f1dd7a9d.exe	SmartClock.exe

C:\Users\Admin\AppData\Local\Temp\69c05a508e316c42b4a911a2ef8ccf3abc6a6ffe107b4917385caf83f1dd7a9d.exe
"C:\Users\Admin\AppData\Local\Temp\69c05a508e316c42b4a911a2ef8ccf3abc6a6ffe107b4917385caf83f1dd7a9d.exe"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2756

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:752

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
3dd64bad7093671bc8892602189d7ff2

SHA1
9e573c37bd5ccbc4ccdc20d129a7bf30bdd5ce44

SHA256
69c05a508e316c42b4a911a2ef8ccf3abc6a6ffe107b4917385caf83f1dd7a9d

SHA512
dbd02c12ce60e3b46d401d7a03c0d94ac84ed667de84d70d8f4c6e73894f3bbf6dce2f93d6924a079beaf537b56dccf347d4fa0ed294ec870d2f6def31270a67

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
3dd64bad7093671bc8892602189d7ff2

SHA1
9e573c37bd5ccbc4ccdc20d129a7bf30bdd5ce44

SHA256
69c05a508e316c42b4a911a2ef8ccf3abc6a6ffe107b4917385caf83f1dd7a9d

SHA512
dbd02c12ce60e3b46d401d7a03c0d94ac84ed667de84d70d8f4c6e73894f3bbf6dce2f93d6924a079beaf537b56dccf347d4fa0ed294ec870d2f6def31270a67

Download Submit
memory/752-118-0x0000000000000000-mapping.dmp

Download
memory/752-121-0x0000000001E68000-0x0000000001E94000-memory.dmp

Filesize
176KB

Download
memory/752-122-0x0000000001C20000-0x0000000001D6A000-memory.dmp

Filesize
1.3MB

Download
memory/752-123-0x0000000000400000-0x0000000001C1B000-memory.dmp

Filesize
24.1MB

Download
memory/2756-115-0x0000000001DF9000-0x0000000001E25000-memory.dmp

Filesize
176KB

Download
memory/2756-116-0x0000000003980000-0x00000000039BC000-memory.dmp

Filesize
240KB

Download
memory/2756-117-0x0000000000400000-0x0000000001C1B000-memory.dmp

Filesize
24.1MB

Download

Analysis

Sharing