d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234

General

Target

d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe
Size

3.0MB
MD5

c8eeac24eca23bd1df10b02d5430432d
SHA1

39194c57c0488eca2ca7600d03783f6df4957688
SHA256

d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234
SHA512

e67f30c7bdac4b57cdad769b332b586a25c8d95fd0361a90986fad1e5ee2746b4a67c6a74defadf92a2499f6b5fb7b7a26057a5148ad270e45bacd366419f94f

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe

pid	Process
740	d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe

pid	Process
604	d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe
604	d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe
604	d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe

pid	Process
604	d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe
604	d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe
604	d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe

description	pid	Process	procid_target
PID 1660 wrote to memory of 740	1660	d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe	27
PID 1660 wrote to memory of 740	1660	d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe	27
PID 1660 wrote to memory of 740	1660	d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe	27
PID 1660 wrote to memory of 740	1660	d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe	27
PID 1660 wrote to memory of 604	1660	d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe	28
PID 1660 wrote to memory of 604	1660	d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe	28
PID 1660 wrote to memory of 604	1660	d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe	28
PID 1660 wrote to memory of 604	1660	d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe	28

C:\Users\Admin\AppData\Local\Temp\d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe
"C:\Users\Admin\AppData\Local\Temp\d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Users\Admin\AppData\Local\Temp\d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe
  "C:\Users\Admin\AppData\Local\Temp\d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:740
- C:\Users\Admin\AppData\Local\Temp\d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe
  "C:\Users\Admin\AppData\Local\Temp\d3b606e08c524995b585d6649183387068ee1dda60dc7e11c950966a7e73f234.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

MD5
f081b05ec5ea5049c4ee1407b3ccc511

SHA1
baa735bbe2883900500e4035310ec74beaca0a07

SHA256
e005b6187c17806af744da0d09d58f7aeaeaa233a61692163c1efdaf39e31a74

SHA512
f4f024b2a18e014dec038f46dbeee6e5f72152bfb2591f320fd0e358b00603aad6841bf5a4761dd6b8f739d627c65382a109d8cfb6476c983a109f8e0ade6264

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

MD5
0e2e613769607c838a2a9fd044d67c13

SHA1
fae1c03130f33fc009c00a2740b39830239eecf4

SHA256
72d22b9acde26e92661cfa1364c7b9ec48d55ab6d54830cec1fdb6a89d2da8d8

SHA512
b990f7a6c64d840011a89acd8af9918a685a5c4165e5a209f0ffe00193867394771e34b16d14a9bdbc18df89b603dc1ffd3bede355ef12c8adeadbf186d90141

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

MD5
347f1027d1575bec9a6556fa432c4410

SHA1
c4abe557c8d7853d0ffcd3b74d8adea2d62fdd97

SHA256
1243c165972fa51f670e30494b937892bccd17944f8f4c17c1042294bc77cd63

SHA512
1932c84c412b685c8a660bc5541198e36dd51c5333b25c91343189fca2ffd886d1838401035a0d63541aeb21cbbdecc0c7ef292e1830fa5ae7025d87e2ca549e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

MD5
380a0a12101b3b64d819648e5ce39256

SHA1
e1b0f2b800dc48777e1c716ab46c668730176a62

SHA256
b8aa9d1bd86c9e1099148a387ff72c961f948d29ca293e32374d1e3e92f96133

SHA512
6adf77108973aa0bd3ad4f21aea339f61d28cf1db474d6dac60525fae7788be2a125e51b83dfd33eebbcef9f98a58a1cf02e5a01ec9cc7990083b23f382dcc9e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

MD5
f4f88b4a210de21dbdc4ac27ad0c7f22

SHA1
7ccffde4e67c2d7102227e3310e8dd903c59afcb

SHA256
eb2d3a1bb309f566f307dc84650343029d215139b1e9f734f929a8c48ebc66e4

SHA512
50e4331d283ffb6709632e7df755ef7f4b077c7c6603d0cbc48bffc9934286531ea6cef62ab9dc94bbe5e3ea9a2dc5971ee7d19693f00054b769f37e47e421ed

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5
59352c2b0c590c5fd96365d3168d723b

SHA1
53ab571639cc3e3a38032c1095985f7f4278d8fc

SHA256
079db0d18cb8ca55e8653f3d67608c5e445d32e368feb874ed3fa1d797c7c286

SHA512
2d21bcd26ef934095ca5b37aa1e66091547870f5e09c2d203dfd75923d2575f93f1a42f31e4fb7b2423b766984464ed65b048f49519837918de246a892c82828

Download Submit
memory/604-84-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/604-81-0x00000000002B0000-0x0000000000EE5000-memory.dmp

Filesize
12.2MB

Download
memory/604-76-0x00000000002B0000-0x0000000000EE5000-memory.dmp

Filesize
12.2MB

Download
memory/740-74-0x00000000002B0000-0x0000000000EE5000-memory.dmp

Filesize
12.2MB

Download
memory/740-79-0x00000000002B0000-0x0000000000EE5000-memory.dmp

Filesize
12.2MB

Download
memory/1660-61-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/1660-70-0x00000000037E0000-0x00000000037E1000-memory.dmp

Filesize
4KB

Download
memory/1660-67-0x0000000003790000-0x0000000003791000-memory.dmp

Filesize
4KB

Download
memory/1660-66-0x0000000003740000-0x0000000003741000-memory.dmp

Filesize
4KB

Download
memory/1660-65-0x00000000036E0000-0x00000000036E1000-memory.dmp

Filesize
4KB

Download
memory/1660-64-0x00000000036D0000-0x00000000036D1000-memory.dmp

Filesize
4KB

Download
memory/1660-63-0x00000000036C0000-0x00000000036C1000-memory.dmp

Filesize
4KB

Download
memory/1660-72-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

Filesize
4KB

Download
memory/1660-69-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/1660-68-0x00000000037A0000-0x00000000037A1000-memory.dmp

Filesize
4KB

Download
memory/1660-71-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/1660-54-0x00000000754B1000-0x00000000754B3000-memory.dmp

Filesize
8KB

Download
memory/1660-62-0x00000000036A0000-0x00000000036A1000-memory.dmp

Filesize
4KB

Download
memory/1660-59-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/1660-60-0x00000000034C0000-0x00000000034C1000-memory.dmp

Filesize
4KB

Download
memory/1660-58-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1660-57-0x00000000002B0000-0x0000000000EE5000-memory.dmp

Filesize
12.2MB

Download
memory/1660-55-0x00000000002B0000-0x0000000000EE5000-memory.dmp

Filesize
12.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads