ab5fd5b542977645488e296770bbb76137d4893ecb9eddaf3e492bce5f5aa6ce

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2024, 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4.exe
Size

356KB
MD5

63298373ec0b3d06cd3b6e9cffd4ab79
SHA1

2f6482a9d617e7d0bc21e78258cb08677de52e69
SHA256

eebd782f6612da1133b0e130bf751578de50cadfd0268b98ce4a31815edc636c
SHA512

3948a304b82c055e37082948668c11b39cb3c47adc729cb2d7018fde5b78441f84420b101122360906f03c5299eb543082cc55513bfc84513042416faa5276a1
SSDEEP

6144:wcNwDljd8nQCbKRgAs2EPwGTfJ7ahjJFKVV1:qBd8nQ9RgAs2237ahjGV

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk	4.exe

Executes dropped EXE 1 IoCs

pid	Process
2892	SmartClock.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2560	752	WerFault.exe	88

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2892	SmartClock.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 2892	752	4.exe	92
PID 752 wrote to memory of 2892	752	4.exe	92
PID 752 wrote to memory of 2892	752	4.exe	92

C:\Users\Admin\AppData\Local\Temp\4.exe
"C:\Users\Admin\AppData\Local\Temp\4.exe"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:752
- C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
  "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  PID:2892
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 968
  2⤵
  - Program crash
  PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 752 -ip 752
1⤵
PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

Filesize
356KB

MD5
63298373ec0b3d06cd3b6e9cffd4ab79

SHA1
2f6482a9d617e7d0bc21e78258cb08677de52e69

SHA256
eebd782f6612da1133b0e130bf751578de50cadfd0268b98ce4a31815edc636c

SHA512
3948a304b82c055e37082948668c11b39cb3c47adc729cb2d7018fde5b78441f84420b101122360906f03c5299eb543082cc55513bfc84513042416faa5276a1

Download Submit
memory/752-1-0x00000000034A0000-0x00000000035A0000-memory.dmp

Filesize
1024KB

Download
memory/752-2-0x0000000004FA0000-0x0000000004FC6000-memory.dmp

Filesize
152KB

Download
memory/752-10-0x0000000000400000-0x0000000003255000-memory.dmp

Filesize
46.3MB

Download
memory/752-15-0x0000000000400000-0x0000000003255000-memory.dmp

Filesize
46.3MB

Download
memory/2892-12-0x0000000003550000-0x0000000003650000-memory.dmp

Filesize
1024KB

Download
memory/2892-13-0x00000000034C0000-0x00000000034E6000-memory.dmp

Filesize
152KB

Download
memory/2892-14-0x0000000000400000-0x0000000003255000-memory.dmp

Filesize
46.3MB

Download
memory/2892-18-0x0000000003550000-0x0000000003650000-memory.dmp

Filesize
1024KB

Download