Analysis
- max time kernel: 149s
- max time network: 154s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 20:40
Behavioral task: behavioral1
- Sample: a3364d7ee3c44217d737f9bebfebef06.exe
- Resource: win7v20201028 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: a3364d7ee3c44217d737f9bebfebef06.exe
- Resource: win10v20201028 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: a3364d7ee3c44217d737f9bebfebef06.exe
- Size: 1.2MB
- MD5: a3364d7ee3c44217d737f9bebfebef06
- SHA1: 83ed0f17c0fac0508ddd495671da2d7e49b89758
- SHA256: a5e45cc4c8c85b23bb9778543aef8894a3c92b623e7d09384c7afda35a9939fe
- SHA512: b164b757933655f9010ae44b428d2708fded4be395c6a79edffd0b08c5b7d72daf0e3b8a8ac7022422f608ba7522f35e3e7989710b35b07a7bc544d2db7e446b
- Score: 1/10
Malware Config
Signatures
- Checks SCSI registry key(s) 3 TTPs 6 IoCs
  SCSI device information is often read to detect sandbox and virtual-machine environments: on an unhardened VM the hypervisor's vendor and product names appear in the Enum\SCSI key names and in the DeviceDesc values read here.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service | a3364d7ee3c44217d737f9bebfebef06.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | a3364d7ee3c44217d737f9bebfebef06.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc | a3364d7ee3c44217d737f9bebfebef06.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service | a3364d7ee3c44217d737f9bebfebef06.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | a3364d7ee3c44217d737f9bebfebef06.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc | a3364d7ee3c44217d737f9bebfebef06.exe
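What this signature means in practice: the child process opened the Enum\SCSI keys for the sandbox's disk and CD-ROM and read their DeviceDesc and Service values, which is where hypervisor vendor and product strings (VBOX, VMware, QEMU and the like) show up on a VM that has not been hardened. The parser and classifier below are an added example and not part of the sandbox report. They take the six IoC paths of this signature as constructed input, split each into device class, vendor, product and instance, deduplicate them the way the registry does (case-insensitively), and apply the string comparison such a check typically makes. VM_MARKERS is an assumed list; the report does not say which strings this sample compares. enumerate_local_scsi() repeats the enumeration through winreg on a live Windows host and returns nothing elsewhere.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed input: the six SCSI registry accesses listed for this signature
# (the process column, always the sample itself, is omitted).
REPORT_IOCS: List[Tuple[str, str]] = [
    ("Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service"),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000"),
    ("Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc"),
    ("Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service"),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000"),
    ("Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc"),
]

# Subkeys under Enum\SCSI are named <class>&Ven_<vendor>&Prod_<product>, then an
# instance id, then optionally the value name that was read.
DEVICE_RE = re.compile(
    r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^\\]+)"
    r"\\(?P<instance>[^\\]+)(?:\\(?P<value>[^\\]+))?$",
    re.IGNORECASE,
)

# Substrings that VM checks commonly look for in vendor/product/DeviceDesc.
# Assumed list: the report does not say which strings this sample compares.
VM_MARKERS = ("VBOX", "VMWARE", "QEMU", "VIRTIO", "XEN", "VIRTUAL", "HYPER-V")


@dataclass(frozen=True)
class ScsiDevice:
    device_class: str  # DISK, CDROM, ...
    vendor: str        # empty for the HeartDisk entry in the report
    product: str
    instance: str


@dataclass
class ScsiAccess:
    action: str           # "Key opened" or "Key value queried"
    device: ScsiDevice
    value: Optional[str]  # DeviceDesc / Service, or None for a bare key open


def parse_scsi_access(action: str, path: str) -> Optional[ScsiAccess]:
    m = DEVICE_RE.search(path)
    if m is None:
        return None
    # Registry names are case-insensitive: upper-case so DISK&VEN_... and
    # Disk&Ven_... collapse to one device.
    dev = ScsiDevice(m["cls"].upper(), m["vendor"].upper(),
                     m["product"].upper(), m["instance"].upper())
    return ScsiAccess(action, dev, m["value"])


def looks_virtual(dev: ScsiDevice) -> bool:
    """The comparison an anti-sandbox check makes on the strings it just read."""
    haystack = f"{dev.vendor} {dev.product}"
    return any(marker in haystack for marker in VM_MARKERS)


def summarize(iocs: Iterable[Tuple[str, str]]) -> dict:
    accesses = [a for a in (parse_scsi_access(act, p) for act, p in iocs) if a is not None]
    devices = sorted({a.device for a in accesses},
                     key=lambda d: (d.device_class, d.vendor, d.product))
    return {
        "devices": devices,
        "values_read": sorted({a.value for a in accesses if a.value}),
        "virtual_indicators": [d for d in devices if looks_virtual(d)],
    }


def enumerate_local_scsi() -> List[ScsiDevice]:
    """Repeat the enumeration through winreg on a live Windows host ([] elsewhere)."""
    root = r"SYSTEM\CurrentControlSet\Enum\SCSI"
    try:
        import winreg
        scsi = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root)
    except (ImportError, OSError):
        return []
    found = []
    with scsi:
        for i in range(winreg.QueryInfoKey(scsi)[0]):        # [0] = subkey count
            dev_name = winreg.EnumKey(scsi, i)
            with winreg.OpenKey(scsi, dev_name) as dev_key:
                for j in range(winreg.QueryInfoKey(dev_key)[0]):
                    inst = winreg.EnumKey(dev_key, j)
                    path = "\\REGISTRY\\MACHINE\\" + root + "\\" + dev_name + "\\" + inst
                    acc = parse_scsi_access("enumerated", path)
                    if acc is not None:
                        found.append(acc.device)
    return found


if __name__ == "__main__":
    s = summarize(REPORT_IOCS)
    for d in s["devices"]:
        print(f"{d.device_class}: vendor={d.vendor!r} product={d.product!r} virtual={looks_virtual(d)}")
    print("values read:", s["values_read"])
```

For the two devices in this report (a CD-ROM with vendor Sanu, and a disk with an empty vendor and product HeartDisk) the comparison finds nothing, which is consistent with the sample going on to spawn cmd.exe and ping.exe rather than bailing out; whether it actually tested those strings is not something the report shows, only that it opened both keys and read DeviceDesc and Service for each.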
- Runs ping.exe 1 TTPs 1 IoCs
- Suspicious behavior: EnumeratesProcesses 6 IoCs
  Processes:
  pid | process
  3944 | a3364d7ee3c44217d737f9bebfebef06.exe
  3944 | a3364d7ee3c44217d737f9bebfebef06.exe
  2580 | a3364d7ee3c44217d737f9bebfebef06.exe
  2580 | a3364d7ee3c44217d737f9bebfebef06.exe
  2580 | a3364d7ee3c44217d737f9bebfebef06.exe
  2580 | a3364d7ee3c44217d737f9bebfebef06.exe
- Suspicious use of WriteProcessMemory 9 IoCs
  Processes:
  description | pid | process | target process
  PID 3944 wrote to memory of 2580 | 3944 | a3364d7ee3c44217d737f9bebfebef06.exe | a3364d7ee3c44217d737f9bebfebef06.exe
  PID 3944 wrote to memory of 2580 | 3944 | a3364d7ee3c44217d737f9bebfebef06.exe | a3364d7ee3c44217d737f9bebfebef06.exe
  PID 3944 wrote to memory of 2580 | 3944 | a3364d7ee3c44217d737f9bebfebef06.exe | a3364d7ee3c44217d737f9bebfebef06.exe
  PID 3944 wrote to memory of 188 | 3944 | a3364d7ee3c44217d737f9bebfebef06.exe | cmd.exe
  PID 3944 wrote to memory of 188 | 3944 | a3364d7ee3c44217d737f9bebfebef06.exe | cmd.exe
  PID 3944 wrote to memory of 188 | 3944 | a3364d7ee3c44217d737f9bebfebef06.exe | cmd.exe
  PID 188 wrote to memory of 3188 | 188 | cmd.exe | PING.EXE
  PID 188 wrote to memory of 3188 | 188 | cmd.exe | PING.EXE
  PID 188 wrote to memory of 3188 | 188 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\a3364d7ee3c44217d737f9bebfebef06.exe (PID 3944)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a3364d7ee3c44217d737f9bebfebef06.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\a3364d7ee3c44217d737f9bebfebef06.exe (PID 2580)
    Command line: C:\Users\Admin\AppData\Local\Temp\a3364d7ee3c44217d737f9bebfebef06.exe /C
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe (PID 188)
    Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\a3364d7ee3c44217d737f9bebfebef06.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 3188)
      Command line: ping.exe -n 6 127.0.0.1
      - Runs ping.exe
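The chained cmd.exe command in this tree is the classic delayed self-tamper: ping.exe -n 6 127.0.0.1 stalls for roughly five seconds (ping waits about a second between echo requests) so that the parent has exited, then type ... > overwrites the sample's own file with a copy of calc.exe, leaving a benign binary at the path that launched the infection. The wait is needed because the image of a running process cannot be opened for writing. Note also that cmd.exe resolves to C:\Windows\SysWOW64\cmd.exe although the command line names System32: the sample is a 32-bit process, and WoW64 file-system redirection maps System32 to SysWOW64 for it. The detection logic below is an added example and not part of this report. It runs over constructed Sysmon-style process-creation events: the first three mirror the tree above (paths, PIDs and command lines taken from the report); the remaining PIDs, the dropper.exe path and the del/erase and timeout.exe variants are made up to show the general pattern, plus one benign control that only pings.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a3364d7ee3c44217d737f9bebfebef06.exe"


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str          # executable on disk
    parent_image: str   # executable of the creating process
    command_line: str


@dataclass
class Finding:
    pid: int
    parent_image: str
    action: str         # what the chained command does to the parent's image
    delay_seconds: int  # approximate wait before that command runs
    command_line: str


# Constructed Sysmon-style process-creation events. The first three mirror the
# tree in this report (PIDs, paths and command lines as reported); the rest are
# made-up variants of the same trick, plus one benign control at the end.
EVENTS = [
    ProcEvent(2580, 3944, SAMPLE, SAMPLE, SAMPLE + " /C"),
    ProcEvent(188, 3944, r"C:\Windows\SysWOW64\cmd.exe", SAMPLE,
              r'"C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "'
              + SAMPLE + '"'),
    ProcEvent(3188, 188, r"C:\Windows\SysWOW64\PING.EXE", r"C:\Windows\SysWOW64\cmd.exe",
              "ping.exe -n 6 127.0.0.1"),
    ProcEvent(4100, 4000, r"C:\Windows\System32\cmd.exe", r"C:\Users\Admin\Downloads\dropper.exe",
              r'cmd.exe /c ping -n 3 localhost > nul & del /f /q "C:\Users\Admin\Downloads\dropper.exe"'),
    ProcEvent(4200, 4000, r"C:\Windows\System32\cmd.exe", r"C:\Users\Admin\Downloads\dropper.exe",
              r'cmd.exe /c timeout /t 5 && erase "C:\Users\Admin\Downloads\dropper.exe"'),
    ProcEvent(4300, 4250, r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
              "cmd.exe /c ping -n 4 127.0.0.1"),
]

# Delay surrogates: cmd.exe has no sleep, so malware pings loopback or calls
# timeout.exe. The count is captured to estimate the wait.
DELAY_RE = re.compile(
    r"\bping(?:\.exe)?\s+(?:-n\s+(?P<pings>\d+)\s+)?(?P<host>127\.0\.0\.1|localhost|::1)\b"
    r"|\btimeout(?:\.exe)?\s+(?:/t\s+)?(?P<secs>\d+)\b",
    re.IGNORECASE,
)
SEP_RE = re.compile(r"&&|\|\||&|\|")   # cmd.exe command separators, longest first


def delay_seconds(m: "re.Match[str]") -> int:
    if m["secs"]:
        return int(m["secs"])
    pings = int(m["pings"]) if m["pings"] else 4   # Windows ping defaults to 4 requests
    return max(pings - 1, 0)                        # about one second between requests


def classify_action(before_target: str) -> str:
    """Classify the command text that precedes the parent's path."""
    if ">" in before_target:
        return "overwrite"   # redirect, as in this report: type calc.exe > sample.exe
    if re.search(r"\b(del|erase)\b", before_target, re.IGNORECASE):
        return "delete"
    if re.search(r"\b(copy|move|ren|rename)\b", before_target, re.IGNORECASE):
        return "replace"
    return "other"


def detect_delayed_self_tamper(ev: ProcEvent) -> Optional[Finding]:
    if ntpath.basename(ev.image).lower() != "cmd.exe":
        return None
    m = DELAY_RE.search(ev.command_line)
    if m is None:
        return None
    target = ev.parent_image.lower()
    # Only commands chained after the delay matter; element 0 is the delay's own tail.
    for cmd in SEP_RE.split(ev.command_line[m.end():])[1:]:
        idx = cmd.lower().find(target)
        if idx >= 0:
            return Finding(ev.pid, ev.parent_image, classify_action(cmd[:idx]),
                           delay_seconds(m), ev.command_line)
    return None


def scan(events: List[ProcEvent]) -> List[Finding]:
    return [f for f in map(detect_delayed_self_tamper, events) if f is not None]


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f"pid {f.pid}: {f.action} of {f.parent_image} after ~{f.delay_seconds}s")
```

The rule keys on the parent's image path appearing in a command chained after the delay, so a plain ping, or a ping followed by work on some other file, does not fire; the action label tells the responder whether to expect the original file to be gone (delete) or to have been replaced by something that will look clean to a hash lookup (overwrite, replace), which is what the calc.exe redirect in this report produces.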