0a7ec324aeaef589927ae91bdd48990e2bdb48e55c13c24dda46049723fdfccd

General

Target

0a7ec324aeaef589927ae91bdd48990e2bdb48e55c13c24dda46049723fdfccd.exe
Size

404KB
MD5

04cab1dbcee2d16284c7b5537d333f35
SHA1

4294136a11788c415785181c956b15865a758ffe
SHA256

0a7ec324aeaef589927ae91bdd48990e2bdb48e55c13c24dda46049723fdfccd
SHA512

bedbaf561859ede57591a1b8e443833e15f93c48fbe60bafce217189c0d200e682bd1280bb982ab3c8e8fd2891e9ff36487c05aa120c4a6bc632e2899c5bebea

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

SmartClock.exe

pid process

2628 SmartClock.exe

pid	process
2628	SmartClock.exe

Drops startup file 1 IoCs

Processes:

0a7ec324aeaef589927ae91bdd48990e2bdb48e55c13c24dda46049723fdfccd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	0a7ec324aeaef589927ae91bdd48990e2bdb48e55c13c24dda46049723fdfccd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

2628 SmartClock.exe

pid	process
2628	SmartClock.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

0a7ec324aeaef589927ae91bdd48990e2bdb48e55c13c24dda46049723fdfccd.exe

description	pid	process	target process
PID 2648 wrote to memory of 2628	2648	0a7ec324aeaef589927ae91bdd48990e2bdb48e55c13c24dda46049723fdfccd.exe	SmartClock.exe
PID 2648 wrote to memory of 2628	2648	0a7ec324aeaef589927ae91bdd48990e2bdb48e55c13c24dda46049723fdfccd.exe	SmartClock.exe
PID 2648 wrote to memory of 2628	2648	0a7ec324aeaef589927ae91bdd48990e2bdb48e55c13c24dda46049723fdfccd.exe	SmartClock.exe

C:\Users\Admin\AppData\Local\Temp\0a7ec324aeaef589927ae91bdd48990e2bdb48e55c13c24dda46049723fdfccd.exe
"C:\Users\Admin\AppData\Local\Temp\0a7ec324aeaef589927ae91bdd48990e2bdb48e55c13c24dda46049723fdfccd.exe"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:2648

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:2628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
04cab1dbcee2d16284c7b5537d333f35

SHA1
4294136a11788c415785181c956b15865a758ffe

SHA256
0a7ec324aeaef589927ae91bdd48990e2bdb48e55c13c24dda46049723fdfccd

SHA512
bedbaf561859ede57591a1b8e443833e15f93c48fbe60bafce217189c0d200e682bd1280bb982ab3c8e8fd2891e9ff36487c05aa120c4a6bc632e2899c5bebea

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
04cab1dbcee2d16284c7b5537d333f35

SHA1
4294136a11788c415785181c956b15865a758ffe

SHA256
0a7ec324aeaef589927ae91bdd48990e2bdb48e55c13c24dda46049723fdfccd

SHA512
bedbaf561859ede57591a1b8e443833e15f93c48fbe60bafce217189c0d200e682bd1280bb982ab3c8e8fd2891e9ff36487c05aa120c4a6bc632e2899c5bebea

Download Submit
memory/2628-117-0x0000000000000000-mapping.dmp

Download
memory/2628-121-0x0000000001E49000-0x0000000001E75000-memory.dmp

Filesize
176KB

Download
memory/2628-122-0x0000000001C70000-0x0000000001DBA000-memory.dmp

Filesize
1.3MB

Download
memory/2628-123-0x0000000000400000-0x0000000001C1B000-memory.dmp

Filesize
24.1MB

Download
memory/2648-115-0x0000000001E59000-0x0000000001E85000-memory.dmp

Filesize
176KB

Download
memory/2648-116-0x0000000001C80000-0x0000000001DCA000-memory.dmp

Filesize
1.3MB

Download
memory/2648-120-0x0000000000400000-0x0000000001C1B000-memory.dmp

Filesize
24.1MB

Download

Analysis

Sharing