be3e75185f64f7c2cb9ced0e7dff0d13f93f3252c8003e1e671d0786af61fcd2

General

Target

6c7657c8b77cc0ddc806f7ed7dfe3fef.exe
Size

2.0MB
MD5

6c7657c8b77cc0ddc806f7ed7dfe3fef
SHA1

d929deb7c152b1730022a0aa78be45a147b80cce
SHA256

be3e75185f64f7c2cb9ced0e7dff0d13f93f3252c8003e1e671d0786af61fcd2
SHA512

bd5a88c2938a5a896426e0f073dea766f4a7bda002eaa4e4458a1670fef790638102c76671fc4f94c300208db60665d713bf30a3fe8a625e60327f0d3afaeecd

Score

1^/10

Malware Config

Signatures

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

6c7657c8b77cc0ddc806f7ed7dfe3fef.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	6c7657c8b77cc0ddc806f7ed7dfe3fef.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	6c7657c8b77cc0ddc806f7ed7dfe3fef.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service	6c7657c8b77cc0ddc806f7ed7dfe3fef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	6c7657c8b77cc0ddc806f7ed7dfe3fef.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	6c7657c8b77cc0ddc806f7ed7dfe3fef.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service	6c7657c8b77cc0ddc806f7ed7dfe3fef.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

588 PING.EXE

pid	process
588	PING.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

6c7657c8b77cc0ddc806f7ed7dfe3fef.exe6c7657c8b77cc0ddc806f7ed7dfe3fef.exe

pid	process
4800	6c7657c8b77cc0ddc806f7ed7dfe3fef.exe
4800	6c7657c8b77cc0ddc806f7ed7dfe3fef.exe
4296	6c7657c8b77cc0ddc806f7ed7dfe3fef.exe
4296	6c7657c8b77cc0ddc806f7ed7dfe3fef.exe
4296	6c7657c8b77cc0ddc806f7ed7dfe3fef.exe
4296	6c7657c8b77cc0ddc806f7ed7dfe3fef.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

6c7657c8b77cc0ddc806f7ed7dfe3fef.execmd.exe

description	pid	process	target process
PID 4800 wrote to memory of 4296	4800	6c7657c8b77cc0ddc806f7ed7dfe3fef.exe	6c7657c8b77cc0ddc806f7ed7dfe3fef.exe
PID 4800 wrote to memory of 4296	4800	6c7657c8b77cc0ddc806f7ed7dfe3fef.exe	6c7657c8b77cc0ddc806f7ed7dfe3fef.exe
PID 4800 wrote to memory of 4296	4800	6c7657c8b77cc0ddc806f7ed7dfe3fef.exe	6c7657c8b77cc0ddc806f7ed7dfe3fef.exe
PID 4800 wrote to memory of 4444	4800	6c7657c8b77cc0ddc806f7ed7dfe3fef.exe	cmd.exe
PID 4800 wrote to memory of 4444	4800	6c7657c8b77cc0ddc806f7ed7dfe3fef.exe	cmd.exe
PID 4800 wrote to memory of 4444	4800	6c7657c8b77cc0ddc806f7ed7dfe3fef.exe	cmd.exe
PID 4444 wrote to memory of 588	4444	cmd.exe	PING.EXE
PID 4444 wrote to memory of 588	4444	cmd.exe	PING.EXE
PID 4444 wrote to memory of 588	4444	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\6c7657c8b77cc0ddc806f7ed7dfe3fef.exe
"C:\Users\Admin\AppData\Local\Temp\6c7657c8b77cc0ddc806f7ed7dfe3fef.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4800

C:\Users\Admin\AppData\Local\Temp\6c7657c8b77cc0ddc806f7ed7dfe3fef.exe
C:\Users\Admin\AppData\Local\Temp\6c7657c8b77cc0ddc806f7ed7dfe3fef.exe /C
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:4296

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\6c7657c8b77cc0ddc806f7ed7dfe3fef.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4444

C:\Windows\SysWOW64\PING.EXE
ping.exe -n 6 127.0.0.1
3⤵
- Runs ping.exe
PID:588

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/588-3-0x0000000000000000-mapping.dmp

Download
memory/4296-0-0x0000000000000000-mapping.dmp

Download
memory/4296-1-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/4444-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads