621b28440d4dc9ea07cf3a81589b36edc971232d40a03569cfef5f4e2293d321

Analysis

max time kernel
141s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
19/01/2024, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

qoit.exe
Size

197KB
MD5

4a5f97f2d4ba48afb818f4cf45815c7d
SHA1

eea689be8c284615b6a5e68627963392f93f508a
SHA256

086489a8a319c510fcd611d9d5adf08b5b42f977424f6740e968ad33085bfe68
SHA512

b51d93f3925abc7dbfa36f63b1103c9035f2f0e85e7d5ec6817c9b12702d92dd39d26e0a6ec545c4f8bfe4c7c2465e48d62372a725d96d17130d737dcc8f2c05
SSDEEP

3072:8WzpQ31AGXxU829DwivpY/2mp4YqF05luFVgsI5/DuT61m:8MKfXSv90ivpA2IluFVgsI5/

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	qoit.exe

Executes dropped EXE 1 IoCs

pid	Process
2056	SmartClock.exe

Loads dropped DLL 3 IoCs

pid	Process
2104	qoit.exe
2104	qoit.exe
2104	qoit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2056	SmartClock.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2056	2104	qoit.exe	28
PID 2104 wrote to memory of 2056	2104	qoit.exe	28
PID 2104 wrote to memory of 2056	2104	qoit.exe	28
PID 2104 wrote to memory of 2056	2104	qoit.exe	28

C:\Users\Admin\AppData\Local\Temp\qoit.exe
"C:\Users\Admin\AppData\Local\Temp\qoit.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
  "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

Filesize
90KB

MD5
9ea9367cbfb66fc9aa5af07123710382

SHA1
2e50e421ab5270a07290b276be1a6c4040946e6d

SHA256
86b908153adbcbe1f5e2a7d92c12f806af004d4c7df9f8d72e72c90edb7e74c5

SHA512
b1f1940e86a40245ceba3e97a9adac267726b66014957b0ae4351f86a8acf182ee49769b3ad4e6c75f106f90fea68b3893e569a9dae488fbd938134168f7d60a

Download Submit
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

Filesize
91KB

MD5
9df98c0b97120c4295e09fd6b02e19eb

SHA1
2758faa1abb32b209df33827a1a08f5664c76027

SHA256
c01d683d65468259a4b1d98a0db2b9c5874ea89a80685bcdaffd0dca7551153c

SHA512
1ac70d17a3c6ef57377b0dc86d8882eb75ffd97c55b0a41140551f49d86b9598626d7c0b3406ca38c7cb1a4d2965a2a619c3476389bb9b9d8a43566f0e3f5531

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

Filesize
156KB

MD5
80de6119550d7a015024f429ec806ff0

SHA1
b418a347d682d22eb3f46fa933cb686864ef7900

SHA256
f9707f4465ec8013baa4a79f7043a7e54bf62ae1eb1fd0f232e0bd9d36ab6cd5

SHA512
fc34256d29da80c5fd82651d326cab56b0f131bf856f3ee61d7918f80e0ceaac4c798d03e3e779a8e564e3bdbc064b95f4a4ea7ebc9ebca0a98071510217dfae

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

Filesize
197KB

MD5
4a5f97f2d4ba48afb818f4cf45815c7d

SHA1
eea689be8c284615b6a5e68627963392f93f508a

SHA256
086489a8a319c510fcd611d9d5adf08b5b42f977424f6740e968ad33085bfe68

SHA512
b51d93f3925abc7dbfa36f63b1103c9035f2f0e85e7d5ec6817c9b12702d92dd39d26e0a6ec545c4f8bfe4c7c2465e48d62372a725d96d17130d737dcc8f2c05

Download Submit
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

Filesize
102KB

MD5
acfb3a4fcf673b211cc6f0eeb0f22b36

SHA1
63318511ebb3c5428db48fd371470dcefdc6b6b8

SHA256
e4dbe13b13bd9b321a993b864764740a8e91d803fee4565bc90fa34f8af8ac65

SHA512
8ade63323d9233b45266de9267b28c43ab76443f5a7d152aa2bbabf27eb961d137562d377810f1f4938b81ede11f9159d4c0a87b8f50baf6f4d7b7bfddb7a26b

Download Submit
memory/2056-18-0x00000000002B0000-0x00000000003B0000-memory.dmp

Filesize
1024KB

Download
memory/2056-19-0x0000000000400000-0x0000000002CC1000-memory.dmp

Filesize
40.8MB

Download
memory/2104-3-0x0000000000220000-0x0000000000246000-memory.dmp

Filesize
152KB

Download
memory/2104-2-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/2104-17-0x0000000000400000-0x0000000002CC1000-memory.dmp

Filesize
40.8MB

Download
memory/2104-15-0x0000000000400000-0x0000000002CC1000-memory.dmp

Filesize
40.8MB

Download