Analysis
max time kernel: 12s
max time network: 62s
platform: windows10_x64
resource: win10v20201028
submitted: 14-12-2020 23:58
Static task: static1
Behavioral task: behavioral1
Sample: b3869c8c61ce01dc2e8ef889c7f9cf5fa0bc92bf529654aae33d07d5fcc18811.bin.exe
Resource: win7v20201028
Platform: windows7_x64
0 signatures
0 seconds
General
Target: b3869c8c61ce01dc2e8ef889c7f9cf5fa0bc92bf529654aae33d07d5fcc18811.bin.exe
Size: 203KB
MD5: b118d48f93298898291372087e0e7ba2
SHA1: 81e8a390c05feb80c97b081d133f8f541e7b5b5d
SHA256: b3869c8c61ce01dc2e8ef889c7f9cf5fa0bc92bf529654aae33d07d5fcc18811
SHA512: 1dd27aebf1a46fba1ec6809e413a38059f26458417910fa59e27004e7344b224a4bb0dce3d132c6cfe36c09f32294f68f933a2784a6a49bef9cdcd7cc47083e4
Malware Config
Signatures
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 (process: b3869c8c61ce01dc2e8ef889c7f9cf5fa0bc92bf529654aae33d07d5fcc18811.bin.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc (process: b3869c8c61ce01dc2e8ef889c7f9cf5fa0bc92bf529654aae33d07d5fcc18811.bin.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Service (process: b3869c8c61ce01dc2e8ef889c7f9cf5fa0bc92bf529654aae33d07d5fcc18811.bin.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 (process: b3869c8c61ce01dc2e8ef889c7f9cf5fa0bc92bf529654aae33d07d5fcc18811.bin.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc (process: b3869c8c61ce01dc2e8ef889c7f9cf5fa0bc92bf529654aae33d07d5fcc18811.bin.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Service (process: b3869c8c61ce01dc2e8ef889c7f9cf5fa0bc92bf529654aae33d07d5fcc18811.bin.exe)
Runs ping.exe (1 TTPs, 1 IoCs)
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
- pid 828, process b3869c8c61ce01dc2e8ef889c7f9cf5fa0bc92bf529654aae33d07d5fcc18811.bin.exe
- pid 828, process b3869c8c61ce01dc2e8ef889c7f9cf5fa0bc92bf529654aae33d07d5fcc18811.bin.exe
- pid 768, process b3869c8c61ce01dc2e8ef889c7f9cf5fa0bc92bf529654aae33d07d5fcc18811.bin.exe
- pid 768, process b3869c8c61ce01dc2e8ef889c7f9cf5fa0bc92bf529654aae33d07d5fcc18811.bin.exe
- pid 768, process b3869c8c61ce01dc2e8ef889c7f9cf5fa0bc92bf529654aae33d07d5fcc18811.bin.exe
- pid 768, process b3869c8c61ce01dc2e8ef889c7f9cf5fa0bc92bf529654aae33d07d5fcc18811.bin.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
- PID 828 wrote to memory of 768: pid 828, process b3869c8c61ce01dc2e8ef889c7f9cf5fa0bc92bf529654aae33d07d5fcc18811.bin.exe, target process b3869c8c61ce01dc2e8ef889c7f9cf5fa0bc92bf529654aae33d07d5fcc18811.bin.exe
- PID 828 wrote to memory of 768: pid 828, process b3869c8c61ce01dc2e8ef889c7f9cf5fa0bc92bf529654aae33d07d5fcc18811.bin.exe, target process b3869c8c61ce01dc2e8ef889c7f9cf5fa0bc92bf529654aae33d07d5fcc18811.bin.exe
- PID 828 wrote to memory of 768: pid 828, process b3869c8c61ce01dc2e8ef889c7f9cf5fa0bc92bf529654aae33d07d5fcc18811.bin.exe, target process b3869c8c61ce01dc2e8ef889c7f9cf5fa0bc92bf529654aae33d07d5fcc18811.bin.exe
- PID 828 wrote to memory of 3756: pid 828, process b3869c8c61ce01dc2e8ef889c7f9cf5fa0bc92bf529654aae33d07d5fcc18811.bin.exe, target process cmd.exe
- PID 828 wrote to memory of 3756: pid 828, process b3869c8c61ce01dc2e8ef889c7f9cf5fa0bc92bf529654aae33d07d5fcc18811.bin.exe, target process cmd.exe
- PID 828 wrote to memory of 3756: pid 828, process b3869c8c61ce01dc2e8ef889c7f9cf5fa0bc92bf529654aae33d07d5fcc18811.bin.exe, target process cmd.exe
- PID 3756 wrote to memory of 2760: pid 3756, process cmd.exe, target process PING.EXE
- PID 3756 wrote to memory of 2760: pid 3756, process cmd.exe, target process PING.EXE
- PID 3756 wrote to memory of 2760: pid 3756, process cmd.exe, target process PING.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\b3869c8c61ce01dc2e8ef889c7f9cf5fa0bc92bf529654aae33d07d5fcc18811.bin.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b3869c8c61ce01dc2e8ef889c7f9cf5fa0bc92bf529654aae33d07d5fcc18811.bin.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\b3869c8c61ce01dc2e8ef889c7f9cf5fa0bc92bf529654aae33d07d5fcc18811.bin.exe (depth 2)
      Command line: C:\Users\Admin\AppData\Local\Temp\b3869c8c61ce01dc2e8ef889c7f9cf5fa0bc92bf529654aae33d07d5fcc18811.bin.exe /C
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\cmd.exe (depth 2)
      Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\b3869c8c61ce01dc2e8ef889c7f9cf5fa0bc92bf529654aae33d07d5fcc18811.bin.exe"
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\PING.EXE (depth 3)
          Command line: ping.exe -n 6 127.0.0.1
          - Runs ping.exe