Analysis

- max time kernel: 14s
- max time network: 114s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 19:54
Behavioral task behavioral1
- Sample: 1a7b03295b16ef16cd1d92bf8887509b.exe
- Resource: win7v20201028
- 0 signatures
- 0 seconds

Behavioral task behavioral2
- Sample: 1a7b03295b16ef16cd1d92bf8887509b.exe
- Resource: win10v20201028
- 0 signatures
- 0 seconds
General

- Target: 1a7b03295b16ef16cd1d92bf8887509b.exe
- Size: 620KB
- MD5: 1a7b03295b16ef16cd1d92bf8887509b
- SHA1: 0e7b91a041cc7796df741d08d0ad3385ea0b57d0
- SHA256: 7ec71cc6ad5841a4db6a15705ba7a68fc2c888426d3a0b56ac96f1c87bbdcdd9
- SHA512: 9d15e8f7ac27d3fa3a45b1f58f3996bf382adc927578f9b8bfec20ddb89204a99ef2a9ba6ce137f5e1a30eaa0753e1a923a3c8b6c29abe5b2a3e48d9a2ce5053
- Score: 1/10
Malware Config
Signatures
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: 1a7b03295b16ef16cd1d92bf8887509b.exe
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc (process: 1a7b03295b16ef16cd1d92bf8887509b.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service (process: 1a7b03295b16ef16cd1d92bf8887509b.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 (process: 1a7b03295b16ef16cd1d92bf8887509b.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc (process: 1a7b03295b16ef16cd1d92bf8887509b.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service (process: 1a7b03295b16ef16cd1d92bf8887509b.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 (process: 1a7b03295b16ef16cd1d92bf8887509b.exe)
Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: 1a7b03295b16ef16cd1d92bf8887509b.exe, 1a7b03295b16ef16cd1d92bf8887509b.exe
- pid 4768: 1a7b03295b16ef16cd1d92bf8887509b.exe
- pid 4768: 1a7b03295b16ef16cd1d92bf8887509b.exe
- pid 3840: 1a7b03295b16ef16cd1d92bf8887509b.exe
- pid 3840: 1a7b03295b16ef16cd1d92bf8887509b.exe
- pid 3840: 1a7b03295b16ef16cd1d92bf8887509b.exe
- pid 3840: 1a7b03295b16ef16cd1d92bf8887509b.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes: 1a7b03295b16ef16cd1d92bf8887509b.exe, cmd.exe
- PID 4768 (1a7b03295b16ef16cd1d92bf8887509b.exe) wrote to memory of PID 3840 (1a7b03295b16ef16cd1d92bf8887509b.exe)
- PID 4768 (1a7b03295b16ef16cd1d92bf8887509b.exe) wrote to memory of PID 3840 (1a7b03295b16ef16cd1d92bf8887509b.exe)
- PID 4768 (1a7b03295b16ef16cd1d92bf8887509b.exe) wrote to memory of PID 3840 (1a7b03295b16ef16cd1d92bf8887509b.exe)
- PID 4768 (1a7b03295b16ef16cd1d92bf8887509b.exe) wrote to memory of PID 2808 (cmd.exe)
- PID 4768 (1a7b03295b16ef16cd1d92bf8887509b.exe) wrote to memory of PID 2808 (cmd.exe)
- PID 4768 (1a7b03295b16ef16cd1d92bf8887509b.exe) wrote to memory of PID 2808 (cmd.exe)
- PID 2808 (cmd.exe) wrote to memory of PID 508 (PING.EXE)
- PID 2808 (cmd.exe) wrote to memory of PID 508 (PING.EXE)
- PID 2808 (cmd.exe) wrote to memory of PID 508 (PING.EXE)
Processes

- C:\Users\Admin\AppData\Local\Temp\1a7b03295b16ef16cd1d92bf8887509b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1a7b03295b16ef16cd1d92bf8887509b.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\1a7b03295b16ef16cd1d92bf8887509b.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\1a7b03295b16ef16cd1d92bf8887509b.exe /C
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\1a7b03295b16ef16cd1d92bf8887509b.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping.exe -n 6 127.0.0.1
      - Runs ping.exe