b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78

General

Target

BARTBehkaA4180175187623885384.exe
Size

3.0MB
MD5

eb80f7bddb699784baa9fbf2941eaf4a
SHA1

df6abbfd20e731689f3c7d2a55f45ac83fbbc40b
SHA256

b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78
SHA512

3a1162e9fef849cb7143dc1898d4cfcfd87eb80ced0edb321dfa096686b25ae8a9a7f3ae8f37a09724d94f96d64e08940fc23c0b931ddd8a1e70e2792cb3fe47
SSDEEP

98304:6aJXyQTrRGlSMoIuORmKBQielvZlpkiSti:3olMcR9BTY3WS

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	BARTBehkaA4180175187623885384.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	BARTBehkaA4180175187623885384.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1960	BARTBehkaA4180175187623885384.exe
1960	BARTBehkaA4180175187623885384.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1696	BARTBehkaA4180175187623885384.exe
1696	BARTBehkaA4180175187623885384.exe
1696	BARTBehkaA4180175187623885384.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1696	BARTBehkaA4180175187623885384.exe
1696	BARTBehkaA4180175187623885384.exe
1696	BARTBehkaA4180175187623885384.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 1960	4504	BARTBehkaA4180175187623885384.exe	80
PID 4504 wrote to memory of 1960	4504	BARTBehkaA4180175187623885384.exe	80
PID 4504 wrote to memory of 1960	4504	BARTBehkaA4180175187623885384.exe	80
PID 4504 wrote to memory of 1696	4504	BARTBehkaA4180175187623885384.exe	81
PID 4504 wrote to memory of 1696	4504	BARTBehkaA4180175187623885384.exe	81
PID 4504 wrote to memory of 1696	4504	BARTBehkaA4180175187623885384.exe	81

C:\Users\Admin\AppData\Local\Temp\BARTBehkaA4180175187623885384.exe
"C:\Users\Admin\AppData\Local\Temp\BARTBehkaA4180175187623885384.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Users\Admin\AppData\Local\Temp\BARTBehkaA4180175187623885384.exe
  "C:\Users\Admin\AppData\Local\Temp\BARTBehkaA4180175187623885384.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1960
- C:\Users\Admin\AppData\Local\Temp\BARTBehkaA4180175187623885384.exe
  "C:\Users\Admin\AppData\Local\Temp\BARTBehkaA4180175187623885384.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
7f231b27464e7753d84297087fa1dc8e

SHA1
13655d7aa12750974622c91638dcda71b079ac2d

SHA256
3b7ad765a87e398eddc0eb790fbac90abdf2f913bb4ff13dd88b69dc8befff7b

SHA512
ddc95b9cbf10cf2f6a20432a4b03bb66ca57f9f40a780434d2e1bd72ca4c91a5922cad32962ab384b666c1c44d0be16facef3c4f3768f10f13ee8309601dc1c2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
c380493b082642ec38a43437fc3bd41f

SHA1
5b10239a2b86d74b16d3edcfd282659a89c62812

SHA256
bb2e49d13f9ff954d4746cdf41ca0d838f92ab18a9387a31acd6afcc4153f3b9

SHA512
c2db6fac7e3b280a9bd49be1ed3ca3f7cb4dae4cc0480999a3c8b6e1ff41874cf3572584e1863e65e9e738ae6a3a228ffd74fa890243f4f2937546006ad56e6f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
1a0d9f41e5fb7956e2452e4f8fd10060

SHA1
bfcb17ca893c07127bab3829cc027435188d9292

SHA256
13ae1052f782bcadd9068f066f76bd903d3f6e60e49b5bb9dde7693246a250d5

SHA512
4bf37b36346dddef42542b2f7cf99fd3a4be2abb3ffadd62a0a3a826f8920f5c895170b2eb3f7b6c461b0feaa37f4d3ebdd4bc1c1885b0b9759c9e714b8ca6d0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
d2e65f370a51a8cba052ef782447ad4d

SHA1
f9a5c1fbee95a7283667c9ea239e848af311defa

SHA256
351fce7d2caf882f882aae3d6ab0016b110be0e9a91bb859117412b1a1a565e6

SHA512
bf28dccc89d3f4c34214aba717146c4f710213148661e5e3d8f1c1e3a307478388c6ac7d723f2995e0f582c556a96ead696fece4e8a3b9c27e805ec3bbc1d9a3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
113B

MD5
34bf7ae7f3b321508ca014bbf44c5e54

SHA1
d292696dcd2b75ff6ad1260cf37f75d489ca5602

SHA256
38d797286cdaea46258ee987d917cd2c8ea44c27c6ca8e2dff51a142cd3f3196

SHA512
a98abe29a54a4af19827b3f6097ccbe7b39b90961aa739ba6aca248712507af94579ee92c5672ef8896b8c66750da6614443143756af62435c9cd1954f80dc1d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
205B

MD5
59352c2b0c590c5fd96365d3168d723b

SHA1
53ab571639cc3e3a38032c1095985f7f4278d8fc

SHA256
079db0d18cb8ca55e8653f3d67608c5e445d32e368feb874ed3fa1d797c7c286

SHA512
2d21bcd26ef934095ca5b37aa1e66091547870f5e09c2d203dfd75923d2575f93f1a42f31e4fb7b2423b766984464ed65b048f49519837918de246a892c82828

Download Submit
memory/1696-147-0x0000000000030000-0x0000000000C42000-memory.dmp

Filesize
12.1MB

Download
memory/1696-138-0x0000000000030000-0x0000000000C42000-memory.dmp

Filesize
12.1MB

Download
memory/1960-137-0x0000000000030000-0x0000000000C42000-memory.dmp

Filesize
12.1MB

Download
memory/1960-146-0x0000000000030000-0x0000000000C42000-memory.dmp

Filesize
12.1MB

Download
memory/1960-150-0x0000000000030000-0x0000000000C42000-memory.dmp

Filesize
12.1MB

Download
memory/4504-132-0x0000000000030000-0x0000000000C42000-memory.dmp

Filesize
12.1MB

Download
memory/4504-134-0x0000000000030000-0x0000000000C42000-memory.dmp

Filesize
12.1MB

Download
memory/4504-149-0x0000000000030000-0x0000000000C42000-memory.dmp

Filesize
12.1MB

Download

Analysis

Sharing