b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78

General

Target

BARTBehkaA4180175187623885384.exe
Size

3.0MB
MD5

eb80f7bddb699784baa9fbf2941eaf4a
SHA1

df6abbfd20e731689f3c7d2a55f45ac83fbbc40b
SHA256

b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78
SHA512

3a1162e9fef849cb7143dc1898d4cfcfd87eb80ced0edb321dfa096686b25ae8a9a7f3ae8f37a09724d94f96d64e08940fc23c0b931ddd8a1e70e2792cb3fe47
SSDEEP

98304:6aJXyQTrRGlSMoIuORmKBQielvZlpkiSti:3olMcR9BTY3WS

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BARTBehkaA4180175187623885384.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BARTBehkaA4180175187623885384.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1144	BARTBehkaA4180175187623885384.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1504	BARTBehkaA4180175187623885384.exe
1504	BARTBehkaA4180175187623885384.exe
1504	BARTBehkaA4180175187623885384.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1504	BARTBehkaA4180175187623885384.exe
1504	BARTBehkaA4180175187623885384.exe
1504	BARTBehkaA4180175187623885384.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 1144	1992	BARTBehkaA4180175187623885384.exe	28
PID 1992 wrote to memory of 1144	1992	BARTBehkaA4180175187623885384.exe	28
PID 1992 wrote to memory of 1144	1992	BARTBehkaA4180175187623885384.exe	28
PID 1992 wrote to memory of 1144	1992	BARTBehkaA4180175187623885384.exe	28
PID 1992 wrote to memory of 1504	1992	BARTBehkaA4180175187623885384.exe	29
PID 1992 wrote to memory of 1504	1992	BARTBehkaA4180175187623885384.exe	29
PID 1992 wrote to memory of 1504	1992	BARTBehkaA4180175187623885384.exe	29
PID 1992 wrote to memory of 1504	1992	BARTBehkaA4180175187623885384.exe	29

C:\Users\Admin\AppData\Local\Temp\BARTBehkaA4180175187623885384.exe
"C:\Users\Admin\AppData\Local\Temp\BARTBehkaA4180175187623885384.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\BARTBehkaA4180175187623885384.exe
  "C:\Users\Admin\AppData\Local\Temp\BARTBehkaA4180175187623885384.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1144
- C:\Users\Admin\AppData\Local\Temp\BARTBehkaA4180175187623885384.exe
  "C:\Users\Admin\AppData\Local\Temp\BARTBehkaA4180175187623885384.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
1016a39d2e1155c9a3246109c8219e57

SHA1
266b87b8be6c58fcc678343d8e693ac770ae30a1

SHA256
2de5c9676dc90478abac81945a6c4f52e65fc906f02fd5919ec1ec20f82841f3

SHA512
a4495c987053ea32e94a3552136d0cfce38eed04d1b466d7e831c7cca5eccb4aba2e077ff5e19fdaeb301b3d909478d6a574618de01a8549f938ac54dc259368

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
7c5bfc60e21fd33b70e3a7c435c3812c

SHA1
66babfbc904139bbebf7c3421afe7f28c7cfeeeb

SHA256
0cefacdbcd49299df3d24b9c3e4e017184153054f0e2a82947aec611f8792e50

SHA512
2f505e99d29b63d36d133044dbc8e47fa53decfa03ac23bf728da2967661292798b52db90308b845eeb3b5120beb96f4c5ce5b8b056eef369406addac2cb319f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
ac216963bf0fcce3c6c08ae9c81c1064

SHA1
bb250d61af92fbc4f35690d5220cbfce0162f5da

SHA256
ed478966c4bcd2f2811d31d99d3494d2d8bde8de8e40fd57afc032c6698a1a71

SHA512
ff26a7ba2f2bef5db1f80ffb140019243f0d62cc713cd56abba43844dfb84e8f1486d50c0c389b2213c990a5b935ab6dec1ab79447a4d093d6223f306a0d9378

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
113B

MD5
23238a4fa496b9da4f5a1c3e0dd641b7

SHA1
d92452e785d73af1e9de25fb76cdfd37d5bc131b

SHA256
eaa396057881be8616e25a1c4ce78c7156eb6b4717b2282e97d0f19d6d9a14bd

SHA512
e9b10dc706b387446fdc194afbb599a0d72a57e9c20b747fb867bf8a1fbeb26d400dead2970aad6c811b4bae019c6041f7bc3d1fe6ad3bc6c39c1ca46d6bdc31

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
e48b9d17ab9521f2d8d7d53b3c8ab69b

SHA1
b95cdc3a23e8eb46af95903331f0ffae6b5c6edd

SHA256
731f133e915104d75f4cc410fe3b5efe1e1d04c82871283bcc5d4e0a2c67273e

SHA512
acb2232f5c7dd4f7a6b28a6fffefe435b54714b8d0b5cce77a1b7fc8b0a9d3a93664a5186be2542f531edefdfe20b4460d1e4a52775757a30703f58d55e3dc62

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
205B

MD5
59352c2b0c590c5fd96365d3168d723b

SHA1
53ab571639cc3e3a38032c1095985f7f4278d8fc

SHA256
079db0d18cb8ca55e8653f3d67608c5e445d32e368feb874ed3fa1d797c7c286

SHA512
2d21bcd26ef934095ca5b37aa1e66091547870f5e09c2d203dfd75923d2575f93f1a42f31e4fb7b2423b766984464ed65b048f49519837918de246a892c82828

Download Submit
memory/1144-67-0x0000000000E50000-0x0000000001A62000-memory.dmp

Filesize
12.1MB

Download
memory/1144-62-0x0000000000E50000-0x0000000001A62000-memory.dmp

Filesize
12.1MB

Download
memory/1144-165-0x0000000000E50000-0x0000000001A62000-memory.dmp

Filesize
12.1MB

Download
memory/1504-65-0x0000000000E50000-0x0000000001A62000-memory.dmp

Filesize
12.1MB

Download
memory/1504-72-0x0000000000E50000-0x0000000001A62000-memory.dmp

Filesize
12.1MB

Download
memory/1504-166-0x0000000000E50000-0x0000000001A62000-memory.dmp

Filesize
12.1MB

Download
memory/1992-54-0x00000000763A1000-0x00000000763A3000-memory.dmp

Filesize
8KB

Download
memory/1992-58-0x00000000748B1000-0x00000000748B3000-memory.dmp

Filesize
8KB

Download
memory/1992-57-0x0000000000E50000-0x0000000001A62000-memory.dmp

Filesize
12.1MB

Download
memory/1992-55-0x0000000000E50000-0x0000000001A62000-memory.dmp

Filesize
12.1MB

Download
memory/1992-164-0x0000000000E50000-0x0000000001A62000-memory.dmp

Filesize
12.1MB

Download

Analysis

Sharing