Analysis
- max time kernel: 15s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 24-11-2020 19:10
Behavioral task: behavioral1
- Sample: 978864d9-fedc-4a22-b5d4-35e38becb849.exe
- Resource: win7v20201028 (windows7_x64)
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: 978864d9-fedc-4a22-b5d4-35e38becb849.exe
- Resource: win10v20201028 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: 978864d9-fedc-4a22-b5d4-35e38becb849.exe
- Size: 1.9MB
- MD5: 2cf20a1dd3693b996de4a559f1067850
- SHA1: 6483bb40a7e3817f93a3ae95c6caea01715a4946
- SHA256: f6210da7865e00351c0e79464a1ba14a8ecc59dd79f650f2ff76f1697f6807b1
- SHA512: 4b817b777ce29fa2e633dd42ca6b849d5e708eb4968e65f49aed99ecf57e38c122229bc075dc996cf944e33e4a30b1a59179a3740ccd86177dff211ce4c48099
- Score: 1/10
Malware Config
Signatures
-
- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service | 978864d9-fedc-4a22-b5d4-35e38becb849.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | 978864d9-fedc-4a22-b5d4-35e38becb849.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc | 978864d9-fedc-4a22-b5d4-35e38becb849.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service | 978864d9-fedc-4a22-b5d4-35e38becb849.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | 978864d9-fedc-4a22-b5d4-35e38becb849.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc | 978864d9-fedc-4a22-b5d4-35e38becb849.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
pid | process
3008 | 978864d9-fedc-4a22-b5d4-35e38becb849.exe
3008 | 978864d9-fedc-4a22-b5d4-35e38becb849.exe
2516 | 978864d9-fedc-4a22-b5d4-35e38becb849.exe
2516 | 978864d9-fedc-4a22-b5d4-35e38becb849.exe
2516 | 978864d9-fedc-4a22-b5d4-35e38becb849.exe
2516 | 978864d9-fedc-4a22-b5d4-35e38becb849.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | process | target process
PID 3008 wrote to memory of 2516 | 3008 | 978864d9-fedc-4a22-b5d4-35e38becb849.exe | 978864d9-fedc-4a22-b5d4-35e38becb849.exe
PID 3008 wrote to memory of 2516 | 3008 | 978864d9-fedc-4a22-b5d4-35e38becb849.exe | 978864d9-fedc-4a22-b5d4-35e38becb849.exe
PID 3008 wrote to memory of 2516 | 3008 | 978864d9-fedc-4a22-b5d4-35e38becb849.exe | 978864d9-fedc-4a22-b5d4-35e38becb849.exe
PID 3008 wrote to memory of 2576 | 3008 | 978864d9-fedc-4a22-b5d4-35e38becb849.exe | cmd.exe
PID 3008 wrote to memory of 2576 | 3008 | 978864d9-fedc-4a22-b5d4-35e38becb849.exe | cmd.exe
PID 3008 wrote to memory of 2576 | 3008 | 978864d9-fedc-4a22-b5d4-35e38becb849.exe | cmd.exe
PID 2576 wrote to memory of 204 | 2576 | cmd.exe | PING.EXE
PID 2576 wrote to memory of 204 | 2576 | cmd.exe | PING.EXE
PID 2576 wrote to memory of 204 | 2576 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\978864d9-fedc-4a22-b5d4-35e38becb849.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\978864d9-fedc-4a22-b5d4-35e38becb849.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\978864d9-fedc-4a22-b5d4-35e38becb849.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\978864d9-fedc-4a22-b5d4-35e38becb849.exe /C
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe (depth 2)
    Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\978864d9-fedc-4a22-b5d4-35e38becb849.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (depth 3)
      Command line: ping.exe -n 6 127.0.0.1
      - Runs ping.exe