8ae220cb541961d5e510b58d77473c8549928c508858849ef2c6b9e3025b2a3a

General

Target

سنرقم شرفك.exe
Size

3.8MB
MD5

bd5f12302cb63f6da40f93bc1d3a7a4f
SHA1

f865d61a7f3a4a2aab3291e9b5c39be0741fbf3c
SHA256

8ae220cb541961d5e510b58d77473c8549928c508858849ef2c6b9e3025b2a3a
SHA512

4bc8788de8d4dddf83639cea7a9f91f00f1a474e2c29bd26dbda1580103fa31dcc00536ed7a39bb4c4412fd23ab2b91413924d6cb70a03428adfeffbd665be43
SSDEEP

98304:LNqOTCe/EuoYA/SSsMVn6SjZQ3q2qkaukTj:LEOTCe/EqDaXj6au8

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	سنرقم شرفك.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	سنرقم شرفك.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4380	سنرقم شرفك.exe
4380	سنرقم شرفك.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
5056	سنرقم شرفك.exe
5056	سنرقم شرفك.exe
5056	سنرقم شرفك.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
5056	سنرقم شرفك.exe
5056	سنرقم شرفك.exe
5056	سنرقم شرفك.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2492	سنرقم شرفك.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 4380	2492	سنرقم شرفك.exe	79
PID 2492 wrote to memory of 4380	2492	سنرقم شرفك.exe	79
PID 2492 wrote to memory of 4380	2492	سنرقم شرفك.exe	79
PID 2492 wrote to memory of 5056	2492	سنرقم شرفك.exe	80
PID 2492 wrote to memory of 5056	2492	سنرقم شرفك.exe	80
PID 2492 wrote to memory of 5056	2492	سنرقم شرفك.exe	80

C:\Users\Admin\AppData\Local\Temp\سنرقم شرفك.exe
"C:\Users\Admin\AppData\Local\Temp\سنرقم شرفك.exe"
1⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Users\Admin\AppData\Local\Temp\سنرقم شرفك.exe
  "C:\Users\Admin\AppData\Local\Temp\سنرقم شرفك.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4380
- C:\Users\Admin\AppData\Local\Temp\سنرقم شرفك.exe
  "C:\Users\Admin\AppData\Local\Temp\سنرقم شرفك.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
0d2f1a333e9b0ce4bfeca5b69b0b40bf

SHA1
24feaefeccdaceaf5534c31363132423ab3b2312

SHA256
247c002da842a2a9f8ae5445baea89ebf1aca4cb161cc36b11ced35dca67b815

SHA512
29d05743142fb3c3830f33d78b90b0564143518fbeffa62bb5442630e218a8ae4014c7addd900dbe41730526dce0e166d0f4692b7e7930e0d273448f06773b26

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
0d2f1a333e9b0ce4bfeca5b69b0b40bf

SHA1
24feaefeccdaceaf5534c31363132423ab3b2312

SHA256
247c002da842a2a9f8ae5445baea89ebf1aca4cb161cc36b11ced35dca67b815

SHA512
29d05743142fb3c3830f33d78b90b0564143518fbeffa62bb5442630e218a8ae4014c7addd900dbe41730526dce0e166d0f4692b7e7930e0d273448f06773b26

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
188e4d52b1095b90d58d113261ad1fbf

SHA1
07690d9c65df83a651c22c1280c1388608797219

SHA256
75fae46ae87711780e750fc173d35d0889bf007f59b3900f03fae77888da6675

SHA512
e630b2285ae11bb641c50f1da28d6faa9b90a82f02510089947abf1656b44c0e9843bce7ae8ee3fa12e38fa0c9af6394b08f7b7078cc1caa96b8cdc8186e6ed2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
112B

MD5
65a4237a0fde62f3fd78f1d9c0d34934

SHA1
e2ecd3964881156c8ca9e55b2b2bd4a261f0724f

SHA256
47d646ac98f5f8db383477a6b16ec2fd5381b535f739cb1eb6e218ebe2d7e13f

SHA512
531ab80b6ee599ca4a453b559253006e0779a544220dd4b07e29ea57722dbc28443c7d2d719b7af22104bb84b04d7323d631a4a1251c47ab23d19e9a97cb1c42

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
112B

MD5
f33c4ab1ecb556ab09435cf25267db9e

SHA1
cd046fd685e7db106b7bd6881d3492f9dac66019

SHA256
67079c217ca967b674a47bcc4e65c7b7a431545641f7c6a6f0334529bb021960

SHA512
756bd395f4cffa4cb76f6892a58fc749e4892f74a2f8ba59d1defa3161eecd92eadff8f17ff2d572acb63aa59910a0cd94719765ea8ec608b3a1c7440cb9636c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
112B

MD5
65a4237a0fde62f3fd78f1d9c0d34934

SHA1
e2ecd3964881156c8ca9e55b2b2bd4a261f0724f

SHA256
47d646ac98f5f8db383477a6b16ec2fd5381b535f739cb1eb6e218ebe2d7e13f

SHA512
531ab80b6ee599ca4a453b559253006e0779a544220dd4b07e29ea57722dbc28443c7d2d719b7af22104bb84b04d7323d631a4a1251c47ab23d19e9a97cb1c42

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
205B

MD5
59352c2b0c590c5fd96365d3168d723b

SHA1
53ab571639cc3e3a38032c1095985f7f4278d8fc

SHA256
079db0d18cb8ca55e8653f3d67608c5e445d32e368feb874ed3fa1d797c7c286

SHA512
2d21bcd26ef934095ca5b37aa1e66091547870f5e09c2d203dfd75923d2575f93f1a42f31e4fb7b2423b766984464ed65b048f49519837918de246a892c82828

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
234B

MD5
34d691a41b116f24ab04ac6b2edcb2c0

SHA1
abe30566cb99db97e46b9819db7a27aaf87fe265

SHA256
40c874fc895f96fa3095c48775dde34475154d17cfb9889f9577417f12b81238

SHA512
0e81bf7d2f233648bc41cf8e563fcb057ad6e9b3d2112bae42c24b0777c8443258212d6e31c68a1c0e466fe575b7886c24eac2017456dc093ae41b2703874906

Download Submit
memory/2492-132-0x0000000000AC0000-0x00000000018EB000-memory.dmp

Filesize
14.2MB

Download
memory/2492-135-0x0000000000AC0000-0x00000000018EB000-memory.dmp

Filesize
14.2MB

Download
memory/2492-133-0x0000000000AC0000-0x00000000018EB000-memory.dmp

Filesize
14.2MB

Download
memory/4380-138-0x0000000000AC0000-0x00000000018EB000-memory.dmp

Filesize
14.2MB

Download
memory/4380-145-0x0000000000AC0000-0x00000000018EB000-memory.dmp

Filesize
14.2MB

Download
memory/4380-151-0x0000000000AC0000-0x00000000018EB000-memory.dmp

Filesize
14.2MB

Download
memory/5056-139-0x0000000000AC0000-0x00000000018EB000-memory.dmp

Filesize
14.2MB

Download
memory/5056-146-0x0000000000AC0000-0x00000000018EB000-memory.dmp

Filesize
14.2MB

Download

Analysis

Sharing