7ab5e5fc448bae685606379dc8bb15a63d42683fd81ad118bc5cc40248849a9f

Analysis

max time kernel
191s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 16:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e0abb8a339194027c3e5d8f75dd568d.exe
Size

3.8MB
MD5

3e0abb8a339194027c3e5d8f75dd568d
SHA1

f49baeea7d2a1c467a6505f27a0124b45d26f61f
SHA256

7ab5e5fc448bae685606379dc8bb15a63d42683fd81ad118bc5cc40248849a9f
SHA512

f2bce29e4acd6e3027a30d386a74879ebabb328803e84a2df6aff9ec54933ce7c111b8b447325c37ae3f36e236c573fe4a47a67bfebb3f0d3116b6e21a926a61
SSDEEP

49152:SDvwCpukOImpN6XoNU9Ckh3vcAWfSHo6wgXeSdaEo8qgVX6pkmxEqpRMo2Q0X299:S8VBIMeoNLC+gwQPNo8qgECepxdYiW9c

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	3e0abb8a339194027c3e5d8f75dd568d.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	3e0abb8a339194027c3e5d8f75dd568d.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4784	3e0abb8a339194027c3e5d8f75dd568d.exe
4784	3e0abb8a339194027c3e5d8f75dd568d.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4240	3e0abb8a339194027c3e5d8f75dd568d.exe
4240	3e0abb8a339194027c3e5d8f75dd568d.exe
4240	3e0abb8a339194027c3e5d8f75dd568d.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4240	3e0abb8a339194027c3e5d8f75dd568d.exe
4240	3e0abb8a339194027c3e5d8f75dd568d.exe
4240	3e0abb8a339194027c3e5d8f75dd568d.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 4784	620	3e0abb8a339194027c3e5d8f75dd568d.exe	84
PID 620 wrote to memory of 4784	620	3e0abb8a339194027c3e5d8f75dd568d.exe	84
PID 620 wrote to memory of 4784	620	3e0abb8a339194027c3e5d8f75dd568d.exe	84
PID 620 wrote to memory of 4240	620	3e0abb8a339194027c3e5d8f75dd568d.exe	85
PID 620 wrote to memory of 4240	620	3e0abb8a339194027c3e5d8f75dd568d.exe	85
PID 620 wrote to memory of 4240	620	3e0abb8a339194027c3e5d8f75dd568d.exe	85

C:\Users\Admin\AppData\Local\Temp\3e0abb8a339194027c3e5d8f75dd568d.exe
"C:\Users\Admin\AppData\Local\Temp\3e0abb8a339194027c3e5d8f75dd568d.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:620
- C:\Users\Admin\AppData\Local\Temp\3e0abb8a339194027c3e5d8f75dd568d.exe
  "C:\Users\Admin\AppData\Local\Temp\3e0abb8a339194027c3e5d8f75dd568d.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4784
- C:\Users\Admin\AppData\Local\Temp\3e0abb8a339194027c3e5d8f75dd568d.exe
  "C:\Users\Admin\AppData\Local\Temp\3e0abb8a339194027c3e5d8f75dd568d.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
66e923db08a6fca397fe7d526a45ba68

SHA1
4b448128e9c4be0e26c0de6f198dabe3924516dc

SHA256
ec4d28eb6e9960945e91a9bd8421d51cfc9aba1796893c6bed0f21b23c8287c4

SHA512
b4e652473f13300b5e755b2c86f563c5d8010fbedc9bce72f15a9088781036857aae8a2421b2c8b774c913fae072ebd6214c77c9ddc5c8d4c14930c4ba14642b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
66e923db08a6fca397fe7d526a45ba68

SHA1
4b448128e9c4be0e26c0de6f198dabe3924516dc

SHA256
ec4d28eb6e9960945e91a9bd8421d51cfc9aba1796893c6bed0f21b23c8287c4

SHA512
b4e652473f13300b5e755b2c86f563c5d8010fbedc9bce72f15a9088781036857aae8a2421b2c8b774c913fae072ebd6214c77c9ddc5c8d4c14930c4ba14642b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
82b5b9dba78d8c1c23410e93956ddb14

SHA1
e9431e50629f4c7d986ad71b44c3fc848c0eef9a

SHA256
2d2c8edc6e8adba6ffbaabadebfe3b497c2dc7790a70a1d8de8a62ac80505e3f

SHA512
9f12d326c3183f1232dd9d8f77c4cbda260e71cdd3a7f4250a98bf3fe616dbe8a49479987145a798cd6805fa91dc99a7eeb86cec6846e7f8e6e9dce1e0661c53

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
61a885993f4209979506afb8e0a73229

SHA1
4f6371ba0ce2cf09f77a746baf54760a21533e75

SHA256
18e4d42130e2f06b756f557fa2f03764543f29e1a9903476576a344e1b60e1c2

SHA512
e2ec61cc08108bcbe265eb16aad090a7ef91eeac588cbd6f5305cc6c887abd7c54a12764e862776cff80ca1b2e638df6c3458906acda5896fe71e0430891e43b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
61a885993f4209979506afb8e0a73229

SHA1
4f6371ba0ce2cf09f77a746baf54760a21533e75

SHA256
18e4d42130e2f06b756f557fa2f03764543f29e1a9903476576a344e1b60e1c2

SHA512
e2ec61cc08108bcbe265eb16aad090a7ef91eeac588cbd6f5305cc6c887abd7c54a12764e862776cff80ca1b2e638df6c3458906acda5896fe71e0430891e43b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
290c505e9e90ebc8c00168e0ea40dfd8

SHA1
d215c5938ea3b923df9478b506e74ce770841457

SHA256
f6de92f62a204d9cb9d5ee9e7f6e8029c7d994d485622d6619d8479fc837e0f5

SHA512
aeac7f3bcb1a805e704f2fa965b557f772f846037704b69d38db2226f9000ba2a407dde65199d25c139c2c2e1f1bd9455aa397cde99d3d0361762504af1f49f1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
290c505e9e90ebc8c00168e0ea40dfd8

SHA1
d215c5938ea3b923df9478b506e74ce770841457

SHA256
f6de92f62a204d9cb9d5ee9e7f6e8029c7d994d485622d6619d8479fc837e0f5

SHA512
aeac7f3bcb1a805e704f2fa965b557f772f846037704b69d38db2226f9000ba2a407dde65199d25c139c2c2e1f1bd9455aa397cde99d3d0361762504af1f49f1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
61a885993f4209979506afb8e0a73229

SHA1
4f6371ba0ce2cf09f77a746baf54760a21533e75

SHA256
18e4d42130e2f06b756f557fa2f03764543f29e1a9903476576a344e1b60e1c2

SHA512
e2ec61cc08108bcbe265eb16aad090a7ef91eeac588cbd6f5305cc6c887abd7c54a12764e862776cff80ca1b2e638df6c3458906acda5896fe71e0430891e43b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
61a885993f4209979506afb8e0a73229

SHA1
4f6371ba0ce2cf09f77a746baf54760a21533e75

SHA256
18e4d42130e2f06b756f557fa2f03764543f29e1a9903476576a344e1b60e1c2

SHA512
e2ec61cc08108bcbe265eb16aad090a7ef91eeac588cbd6f5305cc6c887abd7c54a12764e862776cff80ca1b2e638df6c3458906acda5896fe71e0430891e43b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
290c505e9e90ebc8c00168e0ea40dfd8

SHA1
d215c5938ea3b923df9478b506e74ce770841457

SHA256
f6de92f62a204d9cb9d5ee9e7f6e8029c7d994d485622d6619d8479fc837e0f5

SHA512
aeac7f3bcb1a805e704f2fa965b557f772f846037704b69d38db2226f9000ba2a407dde65199d25c139c2c2e1f1bd9455aa397cde99d3d0361762504af1f49f1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
61a885993f4209979506afb8e0a73229

SHA1
4f6371ba0ce2cf09f77a746baf54760a21533e75

SHA256
18e4d42130e2f06b756f557fa2f03764543f29e1a9903476576a344e1b60e1c2

SHA512
e2ec61cc08108bcbe265eb16aad090a7ef91eeac588cbd6f5305cc6c887abd7c54a12764e862776cff80ca1b2e638df6c3458906acda5896fe71e0430891e43b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
290c505e9e90ebc8c00168e0ea40dfd8

SHA1
d215c5938ea3b923df9478b506e74ce770841457

SHA256
f6de92f62a204d9cb9d5ee9e7f6e8029c7d994d485622d6619d8479fc837e0f5

SHA512
aeac7f3bcb1a805e704f2fa965b557f772f846037704b69d38db2226f9000ba2a407dde65199d25c139c2c2e1f1bd9455aa397cde99d3d0361762504af1f49f1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
61a885993f4209979506afb8e0a73229

SHA1
4f6371ba0ce2cf09f77a746baf54760a21533e75

SHA256
18e4d42130e2f06b756f557fa2f03764543f29e1a9903476576a344e1b60e1c2

SHA512
e2ec61cc08108bcbe265eb16aad090a7ef91eeac588cbd6f5305cc6c887abd7c54a12764e862776cff80ca1b2e638df6c3458906acda5896fe71e0430891e43b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
290c505e9e90ebc8c00168e0ea40dfd8

SHA1
d215c5938ea3b923df9478b506e74ce770841457

SHA256
f6de92f62a204d9cb9d5ee9e7f6e8029c7d994d485622d6619d8479fc837e0f5

SHA512
aeac7f3bcb1a805e704f2fa965b557f772f846037704b69d38db2226f9000ba2a407dde65199d25c139c2c2e1f1bd9455aa397cde99d3d0361762504af1f49f1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
61a885993f4209979506afb8e0a73229

SHA1
4f6371ba0ce2cf09f77a746baf54760a21533e75

SHA256
18e4d42130e2f06b756f557fa2f03764543f29e1a9903476576a344e1b60e1c2

SHA512
e2ec61cc08108bcbe265eb16aad090a7ef91eeac588cbd6f5305cc6c887abd7c54a12764e862776cff80ca1b2e638df6c3458906acda5896fe71e0430891e43b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
290c505e9e90ebc8c00168e0ea40dfd8

SHA1
d215c5938ea3b923df9478b506e74ce770841457

SHA256
f6de92f62a204d9cb9d5ee9e7f6e8029c7d994d485622d6619d8479fc837e0f5

SHA512
aeac7f3bcb1a805e704f2fa965b557f772f846037704b69d38db2226f9000ba2a407dde65199d25c139c2c2e1f1bd9455aa397cde99d3d0361762504af1f49f1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a7d9fbbebc29d80dfa419b0ab59cd39e

SHA1
2cb2055fac2cc4b3a0b2c4a4c6c30193ac820a7f

SHA256
b0681b60b58208b8b39f2d903acd71210d969090e172e4a0cd18eadba7e7bff9

SHA512
1c14a30e9d262f899e2120909790ee7d1764035dac96952043429e6027c0317883bbe0c00a4cd984f4bebf50f1aa54416e2261a735ab392089ebf2904acd5717

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
7e740d74be088d40fb8bab37b72749e7

SHA1
0fd30a6ea3d2e54d6c3666219cf63d1b526518eb

SHA256
c7847e21b58cbd0d17fbf8b0316e615b10373447c9532f8ccb9d3810d4427964

SHA512
749fd02af3ebacffebe5a7d5c9bf7ff2e72817251cc9c0a700fd1c8c488dcd690ca2d1a0713b8c000f755e920dcc1bcf64ac1a6d24416961efdd7187245f8dc0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
7e740d74be088d40fb8bab37b72749e7

SHA1
0fd30a6ea3d2e54d6c3666219cf63d1b526518eb

SHA256
c7847e21b58cbd0d17fbf8b0316e615b10373447c9532f8ccb9d3810d4427964

SHA512
749fd02af3ebacffebe5a7d5c9bf7ff2e72817251cc9c0a700fd1c8c488dcd690ca2d1a0713b8c000f755e920dcc1bcf64ac1a6d24416961efdd7187245f8dc0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
688d2dc8d19416a5cfe8de4a8fc00298

SHA1
921a5e5af3b4c1bcc9e3b97b3a635f96f4b6997f

SHA256
59e893aee810d2682abaf30de869391e1b4a841501cca63cb4a44e8a19379338

SHA512
5300006e41c63c15afceb799b44815f1ae570fbe4ab1bca433c4291ed40e3e38287d98d9d063f0f3f9e3ca7862be31b1bc704e773e222921c9c4668b63828118

Download Submit
memory/620-156-0x0000000000F90000-0x0000000001FDC000-memory.dmp

Filesize
16.3MB

Download
memory/620-135-0x0000000000F90000-0x0000000001FDC000-memory.dmp

Filesize
16.3MB

Download
memory/620-136-0x0000000000F90000-0x0000000001FDC000-memory.dmp

Filesize
16.3MB

Download
memory/4240-154-0x0000000000F90000-0x0000000001FDC000-memory.dmp

Filesize
16.3MB

Download
memory/4240-163-0x0000000000F90000-0x0000000001FDC000-memory.dmp

Filesize
16.3MB

Download
memory/4240-141-0x0000000000F90000-0x0000000001FDC000-memory.dmp

Filesize
16.3MB

Download
memory/4784-162-0x0000000000F90000-0x0000000001FDC000-memory.dmp

Filesize
16.3MB

Download
memory/4784-147-0x0000000000F90000-0x0000000001FDC000-memory.dmp

Filesize
16.3MB

Download
memory/4784-140-0x0000000000F90000-0x0000000001FDC000-memory.dmp

Filesize
16.3MB

Download