15bf44d71b89c75e4c9315abbcf0bbdb535a840c772575fccdb3eecb555e387c

General

Target

15bf44d71b89c75e4c9315abbcf0bbdb535a840c772575fccdb3eecb555e387c.exe
Size

767KB
MD5

98b52264ed1fea478041b0a318fbc3c6
SHA1

c7085124bee6c4b3c76312384fcc598e2fdfc4a0
SHA256

15bf44d71b89c75e4c9315abbcf0bbdb535a840c772575fccdb3eecb555e387c
SHA512

6c18339e1dfbbbf91fd3a300127fb1b9bc38acc9c9892d03df187a7024291e544d21ec7f54ef82b1dace5d1fc033b807041cfc5e0bcbadc353ed96453c7869e6

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

SmartClock.exe

pid process

1324 SmartClock.exe

pid	process
1324	SmartClock.exe

Drops startup file 1 IoCs

Processes:

15bf44d71b89c75e4c9315abbcf0bbdb535a840c772575fccdb3eecb555e387c.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	15bf44d71b89c75e4c9315abbcf0bbdb535a840c772575fccdb3eecb555e387c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

SmartClock.exe

pid process

1324 SmartClock.exe

pid	process
1324	SmartClock.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

15bf44d71b89c75e4c9315abbcf0bbdb535a840c772575fccdb3eecb555e387c.exe

description	pid	process	target process
PID 3468 wrote to memory of 1324	3468	15bf44d71b89c75e4c9315abbcf0bbdb535a840c772575fccdb3eecb555e387c.exe	SmartClock.exe
PID 3468 wrote to memory of 1324	3468	15bf44d71b89c75e4c9315abbcf0bbdb535a840c772575fccdb3eecb555e387c.exe	SmartClock.exe
PID 3468 wrote to memory of 1324	3468	15bf44d71b89c75e4c9315abbcf0bbdb535a840c772575fccdb3eecb555e387c.exe	SmartClock.exe

C:\Users\Admin\AppData\Local\Temp\15bf44d71b89c75e4c9315abbcf0bbdb535a840c772575fccdb3eecb555e387c.exe
"C:\Users\Admin\AppData\Local\Temp\15bf44d71b89c75e4c9315abbcf0bbdb535a840c772575fccdb3eecb555e387c.exe"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:3468

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
PID:1324

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
98b52264ed1fea478041b0a318fbc3c6

SHA1
c7085124bee6c4b3c76312384fcc598e2fdfc4a0

SHA256
15bf44d71b89c75e4c9315abbcf0bbdb535a840c772575fccdb3eecb555e387c

SHA512
6c18339e1dfbbbf91fd3a300127fb1b9bc38acc9c9892d03df187a7024291e544d21ec7f54ef82b1dace5d1fc033b807041cfc5e0bcbadc353ed96453c7869e6

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5
98b52264ed1fea478041b0a318fbc3c6

SHA1
c7085124bee6c4b3c76312384fcc598e2fdfc4a0

SHA256
15bf44d71b89c75e4c9315abbcf0bbdb535a840c772575fccdb3eecb555e387c

SHA512
6c18339e1dfbbbf91fd3a300127fb1b9bc38acc9c9892d03df187a7024291e544d21ec7f54ef82b1dace5d1fc033b807041cfc5e0bcbadc353ed96453c7869e6

Download Submit
memory/1324-118-0x0000000000000000-mapping.dmp

Download
memory/1324-121-0x00000000006F1000-0x0000000000771000-memory.dmp

Filesize
512KB

Download
memory/1324-122-0x0000000000540000-0x000000000068A000-memory.dmp

Filesize
1.3MB

Download
memory/1324-123-0x0000000000400000-0x0000000000540000-memory.dmp

Filesize
1.2MB

Download
memory/3468-115-0x0000000000781000-0x0000000000801000-memory.dmp

Filesize
512KB

Download
memory/3468-116-0x00000000006B0000-0x0000000000741000-memory.dmp

Filesize
580KB

Download
memory/3468-117-0x0000000000400000-0x0000000000540000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing