Analysis
- max time kernel: 110s
- max time network: 131s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 07-12-2021 12:56
Static task: static1
Behavioral task: behavioral1
Sample: 15bf44d71b89c75e4c9315abbcf0bbdb535a840c772575fccdb3eecb555e387c.exe
Resource: win10-en-20211014
General
- Target: 15bf44d71b89c75e4c9315abbcf0bbdb535a840c772575fccdb3eecb555e387c.exe
- Size: 767KB
- MD5: 98b52264ed1fea478041b0a318fbc3c6
- SHA1: c7085124bee6c4b3c76312384fcc598e2fdfc4a0
- SHA256: 15bf44d71b89c75e4c9315abbcf0bbdb535a840c772575fccdb3eecb555e387c
- SHA512: 6c18339e1dfbbbf91fd3a300127fb1b9bc38acc9c9892d03df187a7024291e544d21ec7f54ef82b1dace5d1fc033b807041cfc5e0bcbadc353ed96453c7869e6
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  Processes: SmartClock.exe
  pid: 1324, process: SmartClock.exe
- Drops startup file (1 IoCs)
  Processes: 15bf44d71b89c75e4c9315abbcf0bbdb535a840c772575fccdb3eecb555e387c.exe
  description: File created, ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk, process: 15bf44d71b89c75e4c9315abbcf0bbdb535a840c772575fccdb3eecb555e387c.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes: SmartClock.exe
  pid: 1324, process: SmartClock.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: 15bf44d71b89c75e4c9315abbcf0bbdb535a840c772575fccdb3eecb555e387c.exe
  description: PID 3468 wrote to memory of 1324, pid: 3468, process: 15bf44d71b89c75e4c9315abbcf0bbdb535a840c772575fccdb3eecb555e387c.exe, target process: SmartClock.exe
  description: PID 3468 wrote to memory of 1324, pid: 3468, process: 15bf44d71b89c75e4c9315abbcf0bbdb535a840c772575fccdb3eecb555e387c.exe, target process: SmartClock.exe
  description: PID 3468 wrote to memory of 1324, pid: 3468, process: 15bf44d71b89c75e4c9315abbcf0bbdb535a840c772575fccdb3eecb555e387c.exe, target process: SmartClock.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\15bf44d71b89c75e4c9315abbcf0bbdb535a840c772575fccdb3eecb555e387c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\15bf44d71b89c75e4c9315abbcf0bbdb535a840c772575fccdb3eecb555e387c.exe"
   - Drops startup file
   - Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
   Command line: "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
   - Executes dropped EXE
   - Suspicious behavior: AddClipboardFormatListener
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
  MD5: 98b52264ed1fea478041b0a318fbc3c6
  SHA1: c7085124bee6c4b3c76312384fcc598e2fdfc4a0
  SHA256: 15bf44d71b89c75e4c9315abbcf0bbdb535a840c772575fccdb3eecb555e387c
  SHA512: 6c18339e1dfbbbf91fd3a300127fb1b9bc38acc9c9892d03df187a7024291e544d21ec7f54ef82b1dace5d1fc033b807041cfc5e0bcbadc353ed96453c7869e6