afe071d3cbbef49fabc6c06027accd96f0562ea41845cd8b8c78f6248222e674

General

Target

50e8102c4ac460dc5dfa79253cae992a.exe
Size

687KB
MD5

50e8102c4ac460dc5dfa79253cae992a
SHA1

e44f21a1657eceb57f0630af58082f8abedeb086
SHA256

afe071d3cbbef49fabc6c06027accd96f0562ea41845cd8b8c78f6248222e674
SHA512

008b95df9e744ce3b2f3a1ac38d1ae5a9e96ee32276b6ba74a439c44a7a6d181ae3336a485eafb903cd93ee131c1742a761d7197f656dea96f1e6ee44b652ae0

Score

1^/10

Malware Config

Signatures

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

50e8102c4ac460dc5dfa79253cae992a.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	50e8102c4ac460dc5dfa79253cae992a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	50e8102c4ac460dc5dfa79253cae992a.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	50e8102c4ac460dc5dfa79253cae992a.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	50e8102c4ac460dc5dfa79253cae992a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	50e8102c4ac460dc5dfa79253cae992a.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	50e8102c4ac460dc5dfa79253cae992a.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2652 PING.EXE

pid	process
2652	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

50e8102c4ac460dc5dfa79253cae992a.exe50e8102c4ac460dc5dfa79253cae992a.exe

pid	process
984	50e8102c4ac460dc5dfa79253cae992a.exe
984	50e8102c4ac460dc5dfa79253cae992a.exe
2376	50e8102c4ac460dc5dfa79253cae992a.exe
2376	50e8102c4ac460dc5dfa79253cae992a.exe
2376	50e8102c4ac460dc5dfa79253cae992a.exe
2376	50e8102c4ac460dc5dfa79253cae992a.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

50e8102c4ac460dc5dfa79253cae992a.execmd.exe

description	pid	process	target process
PID 984 wrote to memory of 2376	984	50e8102c4ac460dc5dfa79253cae992a.exe	50e8102c4ac460dc5dfa79253cae992a.exe
PID 984 wrote to memory of 2376	984	50e8102c4ac460dc5dfa79253cae992a.exe	50e8102c4ac460dc5dfa79253cae992a.exe
PID 984 wrote to memory of 2376	984	50e8102c4ac460dc5dfa79253cae992a.exe	50e8102c4ac460dc5dfa79253cae992a.exe
PID 984 wrote to memory of 2668	984	50e8102c4ac460dc5dfa79253cae992a.exe	cmd.exe
PID 984 wrote to memory of 2668	984	50e8102c4ac460dc5dfa79253cae992a.exe	cmd.exe
PID 984 wrote to memory of 2668	984	50e8102c4ac460dc5dfa79253cae992a.exe	cmd.exe
PID 2668 wrote to memory of 2652	2668	cmd.exe	PING.EXE
PID 2668 wrote to memory of 2652	2668	cmd.exe	PING.EXE
PID 2668 wrote to memory of 2652	2668	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\50e8102c4ac460dc5dfa79253cae992a.exe
"C:\Users\Admin\AppData\Local\Temp\50e8102c4ac460dc5dfa79253cae992a.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:984

C:\Users\Admin\AppData\Local\Temp\50e8102c4ac460dc5dfa79253cae992a.exe
C:\Users\Admin\AppData\Local\Temp\50e8102c4ac460dc5dfa79253cae992a.exe /C
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:2376

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\50e8102c4ac460dc5dfa79253cae992a.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2668

C:\Windows\SysWOW64\PING.EXE
ping.exe -n 6 127.0.0.1
3⤵
- Runs ping.exe
PID:2652

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2376-0-0x0000000000000000-mapping.dmp

Download
memory/2376-1-0x00000000026F0000-0x00000000026F1000-memory.dmp

Filesize
4KB

Download
memory/2652-3-0x0000000000000000-mapping.dmp

Download
memory/2668-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads