Analysis
- max time kernel: 11s
- max time network: 105s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 24-11-2020 09:42
- Static task: static1
- Behavioral task: behavioral1
- Sample: 99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe
- Resource: win7v20201028 (windows7_x64), 0 signatures, 0 seconds
General
- Target: 99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe
- Size: 1.0MB
- MD5: b4c4124ef49eef7085d34ddab3b4ae9f
- SHA1: 87e3ffc0b6274a3084d1b0f97af29037bcc317bf
- SHA256: 99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39
- SHA512: 20e0c48b4ada8916ef03cb92b92a9c3557327feaacb409bac648b8d50f1c7ae9d2ddc89ad931bfebaf5af8ac16b1a8a2012d2832facb015379748ad8d6946955
Malware Config
(none extracted)

Signatures
- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (all entries belong to 99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe):
  description | ioc
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
  pid | process
  8 | 99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe
  8 | 99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe
  3232 | 99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe
  3232 | 99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe
  3232 | 99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe
  3232 | 99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 8 wrote to memory of 3232 | 8 | 99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe | 99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe
  PID 8 wrote to memory of 3232 | 8 | 99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe | 99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe
  PID 8 wrote to memory of 3232 | 8 | 99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe | 99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe
  PID 8 wrote to memory of 212 | 8 | 99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe | cmd.exe
  PID 8 wrote to memory of 212 | 8 | 99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe | cmd.exe
  PID 8 wrote to memory of 212 | 8 | 99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe | cmd.exe
  PID 212 wrote to memory of 1016 | 212 | cmd.exe | PING.EXE
  PID 212 wrote to memory of 1016 | 212 | cmd.exe | PING.EXE
  PID 212 wrote to memory of 1016 | 212 | cmd.exe | PING.EXE
Processes (process tree; the number is the depth in the tree)
1. C:\Users\Admin\AppData\Local\Temp\99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe /C
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\99dd144822a3644e0e0ffcd2e5c9b03b4ad1be6c6ad4699747ff1b1e124d6f39.exe.bin.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping.exe -n 6 127.0.0.1
         - Runs ping.exe