Analysis
max time kernel: 122s
max time network: 122s
platform: windows10_x64
resource: win10-en-20211104
submitted: 25-11-2021 16:04
Static task
static1
Behavioral task
behavioral1
Sample
177f45d70a766b8e76dd8d45a43df809a61ad63aece44dd407f8513644fc871f.exe
Resource
win10-en-20211104
General
Target: 177f45d70a766b8e76dd8d45a43df809a61ad63aece44dd407f8513644fc871f.exe
Size: 405KB
MD5: f06fa5f511d7ea0b7a73972afa28f055
SHA1: e82484b10f69ae9009080a893fbb5da0dcb55aab
SHA256: 177f45d70a766b8e76dd8d45a43df809a61ad63aece44dd407f8513644fc871f
SHA512: c59daf79e78bddc72b657b21991ac10208c5631224562b86475afdd67f119f20168695a8b5bf756ff091228d8e6b587c21b84386b75fc358372a5e3d43efd0e5
Malware Config
Signatures
Executes dropped EXE 1 IoCs
Processes:
pid: 3308, process: SmartClock.exe
Drops startup file 1 IoCs
Processes:
description: File created, ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk, process: 177f45d70a766b8e76dd8d45a43df809a61ad63aece44dd407f8513644fc871f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid: 3308, process: SmartClock.exe
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description: PID 2672 wrote to memory of 3308, pid: 2672, process: 177f45d70a766b8e76dd8d45a43df809a61ad63aece44dd407f8513644fc871f.exe, target process: SmartClock.exe
description: PID 2672 wrote to memory of 3308, pid: 2672, process: 177f45d70a766b8e76dd8d45a43df809a61ad63aece44dd407f8513644fc871f.exe, target process: SmartClock.exe
description: PID 2672 wrote to memory of 3308, pid: 2672, process: 177f45d70a766b8e76dd8d45a43df809a61ad63aece44dd407f8513644fc871f.exe, target process: SmartClock.exe
Processes
C:\Users\Admin\AppData\Local\Temp\177f45d70a766b8e76dd8d45a43df809a61ad63aece44dd407f8513644fc871f.exe
"C:\Users\Admin\AppData\Local\Temp\177f45d70a766b8e76dd8d45a43df809a61ad63aece44dd407f8513644fc871f.exe"
- Drops startup file
- Suspicious use of WriteProcessMemory
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5: f06fa5f511d7ea0b7a73972afa28f055
SHA1: e82484b10f69ae9009080a893fbb5da0dcb55aab
SHA256: 177f45d70a766b8e76dd8d45a43df809a61ad63aece44dd407f8513644fc871f
SHA512: c59daf79e78bddc72b657b21991ac10208c5631224562b86475afdd67f119f20168695a8b5bf756ff091228d8e6b587c21b84386b75fc358372a5e3d43efd0e5
memory/2672-119-0x0000000003940000-0x000000000397C000-memory.dmp
Filesize: 240KB
memory/2672-123-0x0000000000400000-0x0000000001C1B000-memory.dmp
Filesize: 24.1MB
memory/3308-120-0x0000000000000000-mapping.dmp
memory/3308-125-0x0000000000400000-0x0000000001C1B000-memory.dmp
Filesize: 24.1MB