Analysis
- max time kernel: 150s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 08-06-2022 23:42
Static task: static1
Behavioral task: behavioral1
Sample: 16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe
Resource: win7-20220414-en
General
- Target: 16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe
- Size: 221KB
- MD5: 93a1498df07b4d368895de25c32be22e
- SHA1: cd4ec1f2efc6cc9474777a37ee9743681ac6a94a
- SHA256: 16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446
- SHA512: b3486e1380aab5d30d5a44fa4d61aa12da8229929fadf9021cf3b89536f9d564bee648c0ad6b8680fb05ad4edb46785d65b8945c4f54311b0930ebafec911ba2
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | 16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes: 16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | 16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc | 16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service | 16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | 16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc | 16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service | 16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: 16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe, 16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe
  pid | process
  4052 | 16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe
  4052 | 16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe
  2500 | 16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe
  2500 | 16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe
  2500 | 16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe
  2500 | 16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: 16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe, cmd.exe
  description | pid | process | target process
  PID 4052 wrote to memory of 2500 | 4052 | 16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe | 16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe
  PID 4052 wrote to memory of 2500 | 4052 | 16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe | 16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe
  PID 4052 wrote to memory of 2500 | 4052 | 16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe | 16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe
  PID 4052 wrote to memory of 4040 | 4052 | 16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe | cmd.exe
  PID 4052 wrote to memory of 4040 | 4052 | 16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe | cmd.exe
  PID 4052 wrote to memory of 4040 | 4052 | 16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe | cmd.exe
  PID 4040 wrote to memory of 3604 | 4040 | cmd.exe | PING.EXE
  PID 4040 wrote to memory of 3604 | 4040 | cmd.exe | PING.EXE
  PID 4040 wrote to memory of 3604 | 4040 | cmd.exe | PING.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe
    command line: C:\Users\Admin\AppData\Local\Temp\16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe /C
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\16a6cc139dbc41cff9f775238f5a111962824745adcd0d746ee68fe1b793f446.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      command line: ping.exe -n 6 127.0.0.1
      - Runs ping.exe