Analysis
- max time kernel: 16s
- max time network: 104s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 19:51
Behavioral task: behavioral1
- Sample: 6c7657c8b77cc0ddc806f7ed7dfe3fef.exe
- Resource: win7v20201028 (windows7_x64)
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: 6c7657c8b77cc0ddc806f7ed7dfe3fef.exe
- Resource: win10v20201028 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: 6c7657c8b77cc0ddc806f7ed7dfe3fef.exe
- Size: 2.0MB
- MD5: 6c7657c8b77cc0ddc806f7ed7dfe3fef
- SHA1: d929deb7c152b1730022a0aa78be45a147b80cce
- SHA256: be3e75185f64f7c2cb9ced0e7dff0d13f93f3252c8003e1e671d0786af61fcd2
- SHA512: bd5a88c2938a5a896426e0f073dea766f4a7bda002eaa4e4458a1670fef790638102c76671fc4f94c300208db60665d713bf30a3fe8a625e60327f0d3afaeecd
- Score: 1/10
Malware Config
Signatures
- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: 6c7657c8b77cc0ddc806f7ed7dfe3fef.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | 6c7657c8b77cc0ddc806f7ed7dfe3fef.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc | 6c7657c8b77cc0ddc806f7ed7dfe3fef.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service | 6c7657c8b77cc0ddc806f7ed7dfe3fef.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | 6c7657c8b77cc0ddc806f7ed7dfe3fef.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc | 6c7657c8b77cc0ddc806f7ed7dfe3fef.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service | 6c7657c8b77cc0ddc806f7ed7dfe3fef.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: 6c7657c8b77cc0ddc806f7ed7dfe3fef.exe, 6c7657c8b77cc0ddc806f7ed7dfe3fef.exe
  pid | process
  4800 | 6c7657c8b77cc0ddc806f7ed7dfe3fef.exe
  4800 | 6c7657c8b77cc0ddc806f7ed7dfe3fef.exe
  4296 | 6c7657c8b77cc0ddc806f7ed7dfe3fef.exe
  4296 | 6c7657c8b77cc0ddc806f7ed7dfe3fef.exe
  4296 | 6c7657c8b77cc0ddc806f7ed7dfe3fef.exe
  4296 | 6c7657c8b77cc0ddc806f7ed7dfe3fef.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 6c7657c8b77cc0ddc806f7ed7dfe3fef.exe, cmd.exe
  description | pid | process | target process
  PID 4800 wrote to memory of 4296 | 4800 | 6c7657c8b77cc0ddc806f7ed7dfe3fef.exe | 6c7657c8b77cc0ddc806f7ed7dfe3fef.exe
  PID 4800 wrote to memory of 4296 | 4800 | 6c7657c8b77cc0ddc806f7ed7dfe3fef.exe | 6c7657c8b77cc0ddc806f7ed7dfe3fef.exe
  PID 4800 wrote to memory of 4296 | 4800 | 6c7657c8b77cc0ddc806f7ed7dfe3fef.exe | 6c7657c8b77cc0ddc806f7ed7dfe3fef.exe
  PID 4800 wrote to memory of 4444 | 4800 | 6c7657c8b77cc0ddc806f7ed7dfe3fef.exe | cmd.exe
  PID 4800 wrote to memory of 4444 | 4800 | 6c7657c8b77cc0ddc806f7ed7dfe3fef.exe | cmd.exe
  PID 4800 wrote to memory of 4444 | 4800 | 6c7657c8b77cc0ddc806f7ed7dfe3fef.exe | cmd.exe
  PID 4444 wrote to memory of 588 | 4444 | cmd.exe | PING.EXE
  PID 4444 wrote to memory of 588 | 4444 | cmd.exe | PING.EXE
  PID 4444 wrote to memory of 588 | 4444 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\6c7657c8b77cc0ddc806f7ed7dfe3fef.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6c7657c8b77cc0ddc806f7ed7dfe3fef.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4800
  - C:\Users\Admin\AppData\Local\Temp\6c7657c8b77cc0ddc806f7ed7dfe3fef.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\6c7657c8b77cc0ddc806f7ed7dfe3fef.exe /C
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    PID: 4296
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\6c7657c8b77cc0ddc806f7ed7dfe3fef.exe"
    - Suspicious use of WriteProcessMemory
    PID: 4444
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping.exe -n 6 127.0.0.1
      - Runs ping.exe
      PID: 588