Analysis
- max time kernel: 119s
- max time network: 121s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 20:41
Behavioral task behavioral1
- Sample: cc0e1e02e12cc64f4dceb4df23eeabbb.exe
- Resource: win7v20201028 (windows7_x64)
- 0 signatures
- 0 seconds
Behavioral task behavioral2
- Sample: cc0e1e02e12cc64f4dceb4df23eeabbb.exe
- Resource: win10v20201028 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: cc0e1e02e12cc64f4dceb4df23eeabbb.exe
- Size: 1.1MB
- MD5: cc0e1e02e12cc64f4dceb4df23eeabbb
- SHA1: 8e673cbd98a7d63bf874b4434494d8ca9c642f87
- SHA256: 271af3d935212d2f2efe62775f20ccda94a12ce1a60f5c18a78e90b16e4f9f67
- SHA512: 84acab40770ab6af2e3ac21924a271ffff8bb2390e24639038a49324b5edd77b91ea67cdeef6d93f95fddda6c8767cc1b316c2899173f020315d38697303c8e5
- Score: 1/10
Malware Config
Signatures
- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: cc0e1e02e12cc64f4dceb4df23eeabbb.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc | cc0e1e02e12cc64f4dceb4df23eeabbb.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service | cc0e1e02e12cc64f4dceb4df23eeabbb.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | cc0e1e02e12cc64f4dceb4df23eeabbb.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc | cc0e1e02e12cc64f4dceb4df23eeabbb.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service | cc0e1e02e12cc64f4dceb4df23eeabbb.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | cc0e1e02e12cc64f4dceb4df23eeabbb.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: cc0e1e02e12cc64f4dceb4df23eeabbb.exe, cc0e1e02e12cc64f4dceb4df23eeabbb.exe
  pid | process
  3324 | cc0e1e02e12cc64f4dceb4df23eeabbb.exe
  3324 | cc0e1e02e12cc64f4dceb4df23eeabbb.exe
  1928 | cc0e1e02e12cc64f4dceb4df23eeabbb.exe
  1928 | cc0e1e02e12cc64f4dceb4df23eeabbb.exe
  1928 | cc0e1e02e12cc64f4dceb4df23eeabbb.exe
  1928 | cc0e1e02e12cc64f4dceb4df23eeabbb.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: cc0e1e02e12cc64f4dceb4df23eeabbb.exe, cmd.exe
  description | pid | process | target process
  PID 3324 wrote to memory of 1928 | 3324 | cc0e1e02e12cc64f4dceb4df23eeabbb.exe | cc0e1e02e12cc64f4dceb4df23eeabbb.exe
  PID 3324 wrote to memory of 1928 | 3324 | cc0e1e02e12cc64f4dceb4df23eeabbb.exe | cc0e1e02e12cc64f4dceb4df23eeabbb.exe
  PID 3324 wrote to memory of 1928 | 3324 | cc0e1e02e12cc64f4dceb4df23eeabbb.exe | cc0e1e02e12cc64f4dceb4df23eeabbb.exe
  PID 3324 wrote to memory of 2900 | 3324 | cc0e1e02e12cc64f4dceb4df23eeabbb.exe | cmd.exe
  PID 3324 wrote to memory of 2900 | 3324 | cc0e1e02e12cc64f4dceb4df23eeabbb.exe | cmd.exe
  PID 3324 wrote to memory of 2900 | 3324 | cc0e1e02e12cc64f4dceb4df23eeabbb.exe | cmd.exe
  PID 2900 wrote to memory of 212 | 2900 | cmd.exe | PING.EXE
  PID 2900 wrote to memory of 212 | 2900 | cmd.exe | PING.EXE
  PID 2900 wrote to memory of 212 | 2900 | cmd.exe | PING.EXE
Processes
- Process: C:\Users\Admin\AppData\Local\Temp\cc0e1e02e12cc64f4dceb4df23eeabbb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cc0e1e02e12cc64f4dceb4df23eeabbb.exe"
  Signatures:
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - Process: C:\Users\Admin\AppData\Local\Temp\cc0e1e02e12cc64f4dceb4df23eeabbb.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\cc0e1e02e12cc64f4dceb4df23eeabbb.exe /C
    Signatures:
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
  - Process: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\cc0e1e02e12cc64f4dceb4df23eeabbb.exe"
    Signatures:
    - Suspicious use of WriteProcessMemory
    Child processes:
    - Process: C:\Windows\SysWOW64\PING.EXE
      Command line: ping.exe -n 6 127.0.0.1
      Signatures:
      - Runs ping.exe