Analysis
- max time kernel: 75s
- max time network: 121s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 25-11-2021 16:27
Static task: static1
Behavioral task: behavioral1
- Sample: 0a7ec324aeaef589927ae91bdd48990e2bdb48e55c13c24dda46049723fdfccd.exe
- Resource: win10-en-20211014
General
- Target: 0a7ec324aeaef589927ae91bdd48990e2bdb48e55c13c24dda46049723fdfccd.exe
- Size: 404KB
- MD5: 04cab1dbcee2d16284c7b5537d333f35
- SHA1: 4294136a11788c415785181c956b15865a758ffe
- SHA256: 0a7ec324aeaef589927ae91bdd48990e2bdb48e55c13c24dda46049723fdfccd
- SHA512: bedbaf561859ede57591a1b8e443833e15f93c48fbe60bafce217189c0d200e682bd1280bb982ab3c8e8fd2891e9ff36487c05aa120c4a6bc632e2899c5bebea
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: pid 2628, process SmartClock.exe
- Drops startup file (1 IoCs)
  Process: 0a7ec324aeaef589927ae91bdd48990e2bdb48e55c13c24dda46049723fdfccd.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes: pid 2628, process SmartClock.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Process: 0a7ec324aeaef589927ae91bdd48990e2bdb48e55c13c24dda46049723fdfccd.exe (pid 2648)
  Target process: SmartClock.exe
  Description: PID 2648 wrote to memory of 2628 (three identical entries)
Processes
- "C:\Users\Admin\AppData\Local\Temp\0a7ec324aeaef589927ae91bdd48990e2bdb48e55c13c24dda46049723fdfccd.exe"
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  - "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
Downloads
- C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
  - MD5: 04cab1dbcee2d16284c7b5537d333f35
  - SHA1: 4294136a11788c415785181c956b15865a758ffe
  - SHA256: 0a7ec324aeaef589927ae91bdd48990e2bdb48e55c13c24dda46049723fdfccd
  - SHA512: bedbaf561859ede57591a1b8e443833e15f93c48fbe60bafce217189c0d200e682bd1280bb982ab3c8e8fd2891e9ff36487c05aa120c4a6bc632e2899c5bebea