fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Analysis

max time kernel
162s
max time network
139s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
03-05-2023 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	tmp.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

tmp.exe

pid	Process
668	tmp.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

tmp.exe

pid	Process
1932	tmp.exe
1932	tmp.exe
1932	tmp.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

tmp.exe

pid	Process
1932	tmp.exe
1932	tmp.exe
1932	tmp.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

tmp.exe

description	pid	Process	procid_target
PID 1916 wrote to memory of 668	1916	tmp.exe	27
PID 1916 wrote to memory of 668	1916	tmp.exe	27
PID 1916 wrote to memory of 668	1916	tmp.exe	27
PID 1916 wrote to memory of 668	1916	tmp.exe	27
PID 1916 wrote to memory of 1932	1916	tmp.exe	28
PID 1916 wrote to memory of 1932	1916	tmp.exe	28
PID 1916 wrote to memory of 1932	1916	tmp.exe	28
PID 1916 wrote to memory of 1932	1916	tmp.exe	28

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:668
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
23280d9475423b8ec9805b6a3e4d33c6

SHA1
7b77be96c5dade9c39ecbc10e3248010bc41b8da

SHA256
898594583b40a46b52a3d552619e8a92d8c43680e93e141b7cd357c0027ed54f

SHA512
316011ac102a5ee20767755d73b31a24d0592b553c1019e270497648a7ed56a525b823b873d0d687a667634b301e2111e8c74f94c4138ba0dad78900968797fe

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
bdff08fbd9862daf6a6f31f69a4d6b2a

SHA1
0f624c8126b842f88574f8fb8df0adced4b969c2

SHA256
d6f7d37231e4c9edd3fd79f680f7c6759f5606778b5c08b07db4cc84facb43af

SHA512
6f2f9bb1a424d6859607ed632980c6a582c7a1d4c1ff48695f8f4790165af1bdb27fd404891e4659f5e8cfd3b17a9403058ce4c8e797019127795141f974dc12

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
b8074aab4d908d30c383e1fdf97f2de8

SHA1
fd772d4bbd5edacb963b1faea0b6ca14ded4aa1e

SHA256
4b6663109242d1961a407d33dda3ca8124914cc9252f8e2653b072f175ed2fdc

SHA512
9be1afd392a0f25a81af20b181a9be9f814bc77aa80e39f4e48d0f3d204bef6248dea89dca70b3439d7f251fabea09bb9eea093546b440d84630ca855a3cb6c7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
b8074aab4d908d30c383e1fdf97f2de8

SHA1
fd772d4bbd5edacb963b1faea0b6ca14ded4aa1e

SHA256
4b6663109242d1961a407d33dda3ca8124914cc9252f8e2653b072f175ed2fdc

SHA512
9be1afd392a0f25a81af20b181a9be9f814bc77aa80e39f4e48d0f3d204bef6248dea89dca70b3439d7f251fabea09bb9eea093546b440d84630ca855a3cb6c7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
c7339c969ba59731dccc3a6c14c4ca29

SHA1
2503913f08cb55df6c0d2c05429de90707426777

SHA256
fb133f04512b67d4976ce507a1af453fac8f467fb9ea7ec89782c4f0a5a87813

SHA512
dcdb6afb97d0f4f30e5a1122dff029e3c05d04c874e7b8493bd42977955a62e732a583a03d4af4372c029387cca7b9516aca9e66588777e4bbe02a95cd35876d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
61fbfce0c6d24464034aa3358b711da8

SHA1
8a3d6f1e69739b1c605df4c3b88d499f76828ce4

SHA256
4c60a4d0250f9b0670f69b76c398079d867431b7f6914b0e573c11d38bee53a0

SHA512
9298940e67d95a218ae325eb75072ad165633f6f1fbb895b1c0ad5515c0bb3a626f0d94fe8a4785caaef7888f4af724826d29d50a2c1818f256067995555fbf7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
61fbfce0c6d24464034aa3358b711da8

SHA1
8a3d6f1e69739b1c605df4c3b88d499f76828ce4

SHA256
4c60a4d0250f9b0670f69b76c398079d867431b7f6914b0e573c11d38bee53a0

SHA512
9298940e67d95a218ae325eb75072ad165633f6f1fbb895b1c0ad5515c0bb3a626f0d94fe8a4785caaef7888f4af724826d29d50a2c1818f256067995555fbf7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
c7339c969ba59731dccc3a6c14c4ca29

SHA1
2503913f08cb55df6c0d2c05429de90707426777

SHA256
fb133f04512b67d4976ce507a1af453fac8f467fb9ea7ec89782c4f0a5a87813

SHA512
dcdb6afb97d0f4f30e5a1122dff029e3c05d04c874e7b8493bd42977955a62e732a583a03d4af4372c029387cca7b9516aca9e66588777e4bbe02a95cd35876d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
61fbfce0c6d24464034aa3358b711da8

SHA1
8a3d6f1e69739b1c605df4c3b88d499f76828ce4

SHA256
4c60a4d0250f9b0670f69b76c398079d867431b7f6914b0e573c11d38bee53a0

SHA512
9298940e67d95a218ae325eb75072ad165633f6f1fbb895b1c0ad5515c0bb3a626f0d94fe8a4785caaef7888f4af724826d29d50a2c1818f256067995555fbf7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
c7339c969ba59731dccc3a6c14c4ca29

SHA1
2503913f08cb55df6c0d2c05429de90707426777

SHA256
fb133f04512b67d4976ce507a1af453fac8f467fb9ea7ec89782c4f0a5a87813

SHA512
dcdb6afb97d0f4f30e5a1122dff029e3c05d04c874e7b8493bd42977955a62e732a583a03d4af4372c029387cca7b9516aca9e66588777e4bbe02a95cd35876d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
61fbfce0c6d24464034aa3358b711da8

SHA1
8a3d6f1e69739b1c605df4c3b88d499f76828ce4

SHA256
4c60a4d0250f9b0670f69b76c398079d867431b7f6914b0e573c11d38bee53a0

SHA512
9298940e67d95a218ae325eb75072ad165633f6f1fbb895b1c0ad5515c0bb3a626f0d94fe8a4785caaef7888f4af724826d29d50a2c1818f256067995555fbf7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
c7339c969ba59731dccc3a6c14c4ca29

SHA1
2503913f08cb55df6c0d2c05429de90707426777

SHA256
fb133f04512b67d4976ce507a1af453fac8f467fb9ea7ec89782c4f0a5a87813

SHA512
dcdb6afb97d0f4f30e5a1122dff029e3c05d04c874e7b8493bd42977955a62e732a583a03d4af4372c029387cca7b9516aca9e66588777e4bbe02a95cd35876d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
61fbfce0c6d24464034aa3358b711da8

SHA1
8a3d6f1e69739b1c605df4c3b88d499f76828ce4

SHA256
4c60a4d0250f9b0670f69b76c398079d867431b7f6914b0e573c11d38bee53a0

SHA512
9298940e67d95a218ae325eb75072ad165633f6f1fbb895b1c0ad5515c0bb3a626f0d94fe8a4785caaef7888f4af724826d29d50a2c1818f256067995555fbf7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
61fbfce0c6d24464034aa3358b711da8

SHA1
8a3d6f1e69739b1c605df4c3b88d499f76828ce4

SHA256
4c60a4d0250f9b0670f69b76c398079d867431b7f6914b0e573c11d38bee53a0

SHA512
9298940e67d95a218ae325eb75072ad165633f6f1fbb895b1c0ad5515c0bb3a626f0d94fe8a4785caaef7888f4af724826d29d50a2c1818f256067995555fbf7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
c7339c969ba59731dccc3a6c14c4ca29

SHA1
2503913f08cb55df6c0d2c05429de90707426777

SHA256
fb133f04512b67d4976ce507a1af453fac8f467fb9ea7ec89782c4f0a5a87813

SHA512
dcdb6afb97d0f4f30e5a1122dff029e3c05d04c874e7b8493bd42977955a62e732a583a03d4af4372c029387cca7b9516aca9e66588777e4bbe02a95cd35876d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5e34b862a2873fb8ab613e5c8d1e85b1

SHA1
2eb02b4ac3075c08cc92b9834e709065cd6db3ee

SHA256
d9b5d4cf4e4d9f7b72c24d005885fd6585bff7203818599136757e4dfbdee956

SHA512
aa072a1eecf303f74ecb6c6a513dd4729a63ebcedca5fbb0982908ae1d8db79d3dbb85ed3be1b030ca53ccdba545e79215e1f3f8b3c99bbfbc808c0a50070c7f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
eb9e7b8a87e1a419e64698572c4be8fc

SHA1
248b5c9af5cf6ca237474459ce62fadb532c501c

SHA256
eded7cede2d2ba62fca548ccde4afd9c847beb95b5297f6899fe70153e818ce7

SHA512
fc459f1101c8a7259c19ba323b386d2c22eeeadbd7d842634c850820449817b136c86700257fcb1b020a6b59161f3a342fa4b67b2b3aaede75b8c02ade195016

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
eb9e7b8a87e1a419e64698572c4be8fc

SHA1
248b5c9af5cf6ca237474459ce62fadb532c501c

SHA256
eded7cede2d2ba62fca548ccde4afd9c847beb95b5297f6899fe70153e818ce7

SHA512
fc459f1101c8a7259c19ba323b386d2c22eeeadbd7d842634c850820449817b136c86700257fcb1b020a6b59161f3a342fa4b67b2b3aaede75b8c02ade195016

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ec79ee4199a7fd93087115a0e656e016

SHA1
ceda654ab793bfc2207e22f2c787c463cd9d4a7b

SHA256
c247c2f82caf6671de90db90665203f32499866894449890fca5e9234f7602c4

SHA512
86a12d67b76b111f15be6292f808a51cc9d0d284dc5c3397acca03f67504c9e8414c53b9d2fce8a817096bd38f4998a8f408a33bf89fdf5d29da0b13821e632e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
23cc3a82c5611447dbd16e1669e620b6

SHA1
d3c185e9fd1013d47c2d7bc70fe2c6ce72b7c017

SHA256
02f53f55aa4b48c0018b1e74968283a292c885807e0f661e9551e9e49a326771

SHA512
e70027ec4d38bda3cafe397a6a48a5b72f58957608a826d25b9ec1f391d3eef3f0c12b759a9fcfafc43f8f2a2aa04b516fe8e95101ade5da34e6941c99bc884f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
23cc3a82c5611447dbd16e1669e620b6

SHA1
d3c185e9fd1013d47c2d7bc70fe2c6ce72b7c017

SHA256
02f53f55aa4b48c0018b1e74968283a292c885807e0f661e9551e9e49a326771

SHA512
e70027ec4d38bda3cafe397a6a48a5b72f58957608a826d25b9ec1f391d3eef3f0c12b759a9fcfafc43f8f2a2aa04b516fe8e95101ade5da34e6941c99bc884f

Download Submit
memory/668-328-0x00000000008E0000-0x000000000195E000-memory.dmp

Filesize
16.5MB

Download
memory/668-239-0x00000000008E0000-0x000000000195E000-memory.dmp

Filesize
16.5MB

Download
memory/668-472-0x00000000008E0000-0x000000000195E000-memory.dmp

Filesize
16.5MB

Download
memory/668-62-0x00000000008E0000-0x000000000195E000-memory.dmp

Filesize
16.5MB

Download
memory/668-183-0x00000000008E0000-0x000000000195E000-memory.dmp

Filesize
16.5MB

Download
memory/1916-54-0x00000000008E0000-0x000000000195E000-memory.dmp

Filesize
16.5MB

Download
memory/1916-56-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1916-193-0x00000000008E0000-0x000000000195E000-memory.dmp

Filesize
16.5MB

Download
memory/1916-452-0x00000000008E0000-0x000000000195E000-memory.dmp

Filesize
16.5MB

Download
memory/1916-101-0x00000000008E0000-0x000000000195E000-memory.dmp

Filesize
16.5MB

Download
memory/1916-80-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/1916-79-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/1932-184-0x00000000008E0000-0x000000000195E000-memory.dmp

Filesize
16.5MB

Download
memory/1932-240-0x00000000008E0000-0x000000000195E000-memory.dmp

Filesize
16.5MB

Download
memory/1932-63-0x00000000008E0000-0x000000000195E000-memory.dmp

Filesize
16.5MB

Download
memory/1932-81-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1932-473-0x00000000008E0000-0x000000000195E000-memory.dmp

Filesize
16.5MB

Download