Analysis
- max time kernel: 30s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 19:37
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Variant.Zusy.302928.9710.27107.exe
- Resource: win7v20201028
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Variant.Zusy.302928.9710.27107.exe
- Resource: win10v20201028
- 0 signatures
- 0 seconds
General
- Target: SecuriteInfo.com.Variant.Zusy.302928.9710.27107.exe
- Size: 2.0MB
- MD5: 756575777026dd82004723c1d7bbd975
- SHA1: a9cbad5a0f542451ddfe3c23ddbece40953d5a00
- SHA256: 8b63511ebb39d3086d1350c698bc790ef69348dc2cfa249bdd1866801da39f5a
- SHA512: 9a588cdb42e4295b17ff6593f7f16b9af4278c7b741a6e5b54355c09c9505de2df0edf5258dd22240021046d7cbc0a4ec772507f016a7109823bd9e997ba2b08
- Score: 1/10
Malware Config
Signatures
- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | SecuriteInfo.com.Variant.Zusy.302928.9710.27107.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc | SecuriteInfo.com.Variant.Zusy.302928.9710.27107.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service | SecuriteInfo.com.Variant.Zusy.302928.9710.27107.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | SecuriteInfo.com.Variant.Zusy.302928.9710.27107.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc | SecuriteInfo.com.Variant.Zusy.302928.9710.27107.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service | SecuriteInfo.com.Variant.Zusy.302928.9710.27107.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid | process):
  3372 | SecuriteInfo.com.Variant.Zusy.302928.9710.27107.exe
  3372 | SecuriteInfo.com.Variant.Zusy.302928.9710.27107.exe
  4072 | SecuriteInfo.com.Variant.Zusy.302928.9710.27107.exe
  4072 | SecuriteInfo.com.Variant.Zusy.302928.9710.27107.exe
  4072 | SecuriteInfo.com.Variant.Zusy.302928.9710.27107.exe
  4072 | SecuriteInfo.com.Variant.Zusy.302928.9710.27107.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
  PID 3372 wrote to memory of 4072 | 3372 | SecuriteInfo.com.Variant.Zusy.302928.9710.27107.exe | SecuriteInfo.com.Variant.Zusy.302928.9710.27107.exe
  PID 3372 wrote to memory of 4072 | 3372 | SecuriteInfo.com.Variant.Zusy.302928.9710.27107.exe | SecuriteInfo.com.Variant.Zusy.302928.9710.27107.exe
  PID 3372 wrote to memory of 4072 | 3372 | SecuriteInfo.com.Variant.Zusy.302928.9710.27107.exe | SecuriteInfo.com.Variant.Zusy.302928.9710.27107.exe
  PID 3372 wrote to memory of 760 | 3372 | SecuriteInfo.com.Variant.Zusy.302928.9710.27107.exe | cmd.exe
  PID 3372 wrote to memory of 760 | 3372 | SecuriteInfo.com.Variant.Zusy.302928.9710.27107.exe | cmd.exe
  PID 3372 wrote to memory of 760 | 3372 | SecuriteInfo.com.Variant.Zusy.302928.9710.27107.exe | cmd.exe
  PID 760 wrote to memory of 508 | 760 | cmd.exe | PING.EXE
  PID 760 wrote to memory of 508 | 760 | cmd.exe | PING.EXE
  PID 760 wrote to memory of 508 | 760 | cmd.exe | PING.EXE
Processes (depth 1 is the submitted sample; each indented entry is a child of the entry above it)
- [depth 1] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.302928.9710.27107.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.302928.9710.27107.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.302928.9710.27107.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.302928.9710.27107.exe /C
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
  - [depth 2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Zusy.302928.9710.27107.exe"
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\PING.EXE
      Command line: ping.exe -n 6 127.0.0.1
      - Runs ping.exe