d7b9f1141c649c08254a4978f98211a5ab3b10591693fcf271409e36beae2933

Analysis

max time kernel
91s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06/02/2023, 08:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0dbe3504bc5daa73e7b3f75bbb104e42.exe
Size

3.7MB
MD5

0dbe3504bc5daa73e7b3f75bbb104e42
SHA1

9779751121508f17cbd831e9c2780b4cf0e1b96c
SHA256

d7b9f1141c649c08254a4978f98211a5ab3b10591693fcf271409e36beae2933
SHA512

22153d236dcf7d022c25d00abf55a18e2f886f77fec54eb189d30fa124fb9428bf2a9edb6c3109a02887f12bde84bad19d74a38f97413e231b7bfd21f40df3c5
SSDEEP

98304:6DVetNW7yslAQjm+L7yhTd0j3d1VLgianug565Blpc:IcSmzOMmJ1VLRO6fc

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	0dbe3504bc5daa73e7b3f75bbb104e42.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	0dbe3504bc5daa73e7b3f75bbb104e42.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1132	0dbe3504bc5daa73e7b3f75bbb104e42.exe
1132	0dbe3504bc5daa73e7b3f75bbb104e42.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1532	0dbe3504bc5daa73e7b3f75bbb104e42.exe
1532	0dbe3504bc5daa73e7b3f75bbb104e42.exe
1532	0dbe3504bc5daa73e7b3f75bbb104e42.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1532	0dbe3504bc5daa73e7b3f75bbb104e42.exe
1532	0dbe3504bc5daa73e7b3f75bbb104e42.exe
1532	0dbe3504bc5daa73e7b3f75bbb104e42.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3916 wrote to memory of 1132	3916	0dbe3504bc5daa73e7b3f75bbb104e42.exe	79
PID 3916 wrote to memory of 1132	3916	0dbe3504bc5daa73e7b3f75bbb104e42.exe	79
PID 3916 wrote to memory of 1132	3916	0dbe3504bc5daa73e7b3f75bbb104e42.exe	79
PID 3916 wrote to memory of 1532	3916	0dbe3504bc5daa73e7b3f75bbb104e42.exe	80
PID 3916 wrote to memory of 1532	3916	0dbe3504bc5daa73e7b3f75bbb104e42.exe	80
PID 3916 wrote to memory of 1532	3916	0dbe3504bc5daa73e7b3f75bbb104e42.exe	80

C:\Users\Admin\AppData\Local\Temp\0dbe3504bc5daa73e7b3f75bbb104e42.exe
"C:\Users\Admin\AppData\Local\Temp\0dbe3504bc5daa73e7b3f75bbb104e42.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Users\Admin\AppData\Local\Temp\0dbe3504bc5daa73e7b3f75bbb104e42.exe
  "C:\Users\Admin\AppData\Local\Temp\0dbe3504bc5daa73e7b3f75bbb104e42.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1132
- C:\Users\Admin\AppData\Local\Temp\0dbe3504bc5daa73e7b3f75bbb104e42.exe
  "C:\Users\Admin\AppData\Local\Temp\0dbe3504bc5daa73e7b3f75bbb104e42.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1532

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
8da67275ee592bf341732845abd02d24

SHA1
edfe7870a726be5538aefb2536687d80c1e56bd8

SHA256
e5871184aa19740671c75c060da04cc87409d86b74194628dd540b2f5a65dd56

SHA512
b4b82fc9986f1868b778131c84b78260b57dd1b58075ad5a124a855b925411587f2428c139026e79bbe9aa65d057845402e1884a23f2e68f65c0ef6224977c32

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
030aab7a4e27357d6e1cb8b2b6c4bee5

SHA1
f6de86432cdb93692d8e3e05ce18b080f73e5f68

SHA256
683335504182f926a1d0ff0061f6bc0d6752718b5f3e3fc0586b1cffb5baa0e0

SHA512
f96185aa9d0d97b8029052e57d31686d5edd5ec157196ef5ff0361c62e0043091d9e757c3117bcc739abe9f5f4080ec9ccf32e9026c295859af70bc5963fc195

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
3205d6b09784cbb7bfbe7449eaac0a3f

SHA1
4ee955eb90871bfd648d319573f12918d56b7aba

SHA256
9a1b2b52992d588db8cc0e4c6a591bb5b6ae3d9e4ce881cf2bafeec22282103c

SHA512
d0ffe42c6aee5e71dba1298b774997c6f29e0e251de4d7898b51d79f98b5222b6e9e2cc75fe7e75eb9dadf0cfd8b28920d4c9fd0577b08ccf4c32ccb7ee49ba8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
283B

MD5
979412445e04edddb523bbf64f2d9e25

SHA1
c627de03ba6be7c2e52c4ac0c8494b250f8ea4fb

SHA256
c253a9db55efeb183543baa5965f0d279b0e4ecd7e6211e231e8e8f5c8dfe596

SHA512
f548475ee4e83bfe01c39444c90502f86cf5245eb51335d3d13186b967df0f7cacaf9ce5125f3ce104e08a1f27c215af08bf185afe771d74ee5c0872aa7f4c3d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
395B

MD5
f77d4a774ce2051db26662d062126b09

SHA1
999643e055b4389b003f56a85b4fef617de96ed7

SHA256
b66148ffca6b6c019d3a1b1cf55a3206d9cd79ecb71f0082bab7e1347e7ff810

SHA512
beb910384b9dd01cc47eb722bfadf5ddfc9cfc49500d9a0ec7af8cb4e516482d236a39d0e6f9e9c26963e2aa0a9540e5614523f53611f0b06cf278659a330bf0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
395B

MD5
999833d9625e0b4ea1aa0cb5738e5e0e

SHA1
7634a652e5ed86b8f4f1341d19dd1ee749f04990

SHA256
e58888643a214961201ac3db130e2728c7dae67affc76e2ab62e0e5ec42bdcf9

SHA512
8eafa6c8fe5290c9e44c3a6657d2b8d40df6247b8dcc44922cf00e9117d6174d6341960617243c7dd3956ec052dda5240baffbcdc5f748c3131e596e5208f8f4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
395B

MD5
f77d4a774ce2051db26662d062126b09

SHA1
999643e055b4389b003f56a85b4fef617de96ed7

SHA256
b66148ffca6b6c019d3a1b1cf55a3206d9cd79ecb71f0082bab7e1347e7ff810

SHA512
beb910384b9dd01cc47eb722bfadf5ddfc9cfc49500d9a0ec7af8cb4e516482d236a39d0e6f9e9c26963e2aa0a9540e5614523f53611f0b06cf278659a330bf0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
395B

MD5
999833d9625e0b4ea1aa0cb5738e5e0e

SHA1
7634a652e5ed86b8f4f1341d19dd1ee749f04990

SHA256
e58888643a214961201ac3db130e2728c7dae67affc76e2ab62e0e5ec42bdcf9

SHA512
8eafa6c8fe5290c9e44c3a6657d2b8d40df6247b8dcc44922cf00e9117d6174d6341960617243c7dd3956ec052dda5240baffbcdc5f748c3131e596e5208f8f4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
395B

MD5
f77d4a774ce2051db26662d062126b09

SHA1
999643e055b4389b003f56a85b4fef617de96ed7

SHA256
b66148ffca6b6c019d3a1b1cf55a3206d9cd79ecb71f0082bab7e1347e7ff810

SHA512
beb910384b9dd01cc47eb722bfadf5ddfc9cfc49500d9a0ec7af8cb4e516482d236a39d0e6f9e9c26963e2aa0a9540e5614523f53611f0b06cf278659a330bf0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
395B

MD5
999833d9625e0b4ea1aa0cb5738e5e0e

SHA1
7634a652e5ed86b8f4f1341d19dd1ee749f04990

SHA256
e58888643a214961201ac3db130e2728c7dae67affc76e2ab62e0e5ec42bdcf9

SHA512
8eafa6c8fe5290c9e44c3a6657d2b8d40df6247b8dcc44922cf00e9117d6174d6341960617243c7dd3956ec052dda5240baffbcdc5f748c3131e596e5208f8f4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
395B

MD5
f77d4a774ce2051db26662d062126b09

SHA1
999643e055b4389b003f56a85b4fef617de96ed7

SHA256
b66148ffca6b6c019d3a1b1cf55a3206d9cd79ecb71f0082bab7e1347e7ff810

SHA512
beb910384b9dd01cc47eb722bfadf5ddfc9cfc49500d9a0ec7af8cb4e516482d236a39d0e6f9e9c26963e2aa0a9540e5614523f53611f0b06cf278659a330bf0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
395B

MD5
999833d9625e0b4ea1aa0cb5738e5e0e

SHA1
7634a652e5ed86b8f4f1341d19dd1ee749f04990

SHA256
e58888643a214961201ac3db130e2728c7dae67affc76e2ab62e0e5ec42bdcf9

SHA512
8eafa6c8fe5290c9e44c3a6657d2b8d40df6247b8dcc44922cf00e9117d6174d6341960617243c7dd3956ec052dda5240baffbcdc5f748c3131e596e5208f8f4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
8834d99f6c2309f67e79167900c9e23c

SHA1
3581243ffeee91d500e609960d85aea3c57a94ff

SHA256
d2504537ef8e036e808567df13fce11ec3c1ded388522fbe335d733ae3e70ccb

SHA512
b2fff3292115e3db4d85732c615d1ba200004e824ded5fc9a88d9b0db9754e0817461041095647af4e25411886276a17a19c7154b015a48261c1b3a8e73acb92

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
8834d99f6c2309f67e79167900c9e23c

SHA1
3581243ffeee91d500e609960d85aea3c57a94ff

SHA256
d2504537ef8e036e808567df13fce11ec3c1ded388522fbe335d733ae3e70ccb

SHA512
b2fff3292115e3db4d85732c615d1ba200004e824ded5fc9a88d9b0db9754e0817461041095647af4e25411886276a17a19c7154b015a48261c1b3a8e73acb92

Download Submit
memory/1132-144-0x00000000005D0000-0x0000000001561000-memory.dmp

Filesize
15.6MB

Download
memory/1132-151-0x00000000005D0000-0x0000000001561000-memory.dmp

Filesize
15.6MB

Download
memory/1132-137-0x00000000005D0000-0x0000000001561000-memory.dmp

Filesize
15.6MB

Download
memory/1532-152-0x00000000005D0000-0x0000000001561000-memory.dmp

Filesize
15.6MB

Download
memory/1532-146-0x00000000005D0000-0x0000000001561000-memory.dmp

Filesize
15.6MB

Download
memory/1532-138-0x00000000005D0000-0x0000000001561000-memory.dmp

Filesize
15.6MB

Download
memory/3916-150-0x00000000005D0000-0x0000000001561000-memory.dmp

Filesize
15.6MB

Download
memory/3916-133-0x00000000005D0000-0x0000000001561000-memory.dmp

Filesize
15.6MB

Download
memory/3916-132-0x00000000005D0000-0x0000000001561000-memory.dmp

Filesize
15.6MB

Download