55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
145s
max time network
156s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22/02/2024, 02:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a21768190f3b9feae33aaef660cb7a83.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	a21768190f3b9feae33aaef660cb7a83.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	a21768190f3b9feae33aaef660cb7a83.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2528	a21768190f3b9feae33aaef660cb7a83.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2532	a21768190f3b9feae33aaef660cb7a83.exe
2532	a21768190f3b9feae33aaef660cb7a83.exe
2532	a21768190f3b9feae33aaef660cb7a83.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2532	a21768190f3b9feae33aaef660cb7a83.exe
2532	a21768190f3b9feae33aaef660cb7a83.exe
2532	a21768190f3b9feae33aaef660cb7a83.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2528	2300	a21768190f3b9feae33aaef660cb7a83.exe	28
PID 2300 wrote to memory of 2528	2300	a21768190f3b9feae33aaef660cb7a83.exe	28
PID 2300 wrote to memory of 2528	2300	a21768190f3b9feae33aaef660cb7a83.exe	28
PID 2300 wrote to memory of 2528	2300	a21768190f3b9feae33aaef660cb7a83.exe	28
PID 2300 wrote to memory of 2532	2300	a21768190f3b9feae33aaef660cb7a83.exe	29
PID 2300 wrote to memory of 2532	2300	a21768190f3b9feae33aaef660cb7a83.exe	29
PID 2300 wrote to memory of 2532	2300	a21768190f3b9feae33aaef660cb7a83.exe	29
PID 2300 wrote to memory of 2532	2300	a21768190f3b9feae33aaef660cb7a83.exe	29

C:\Users\Admin\AppData\Local\Temp\a21768190f3b9feae33aaef660cb7a83.exe
"C:\Users\Admin\AppData\Local\Temp\a21768190f3b9feae33aaef660cb7a83.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Users\Admin\AppData\Local\Temp\a21768190f3b9feae33aaef660cb7a83.exe
  "C:\Users\Admin\AppData\Local\Temp\a21768190f3b9feae33aaef660cb7a83.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2528
- C:\Users\Admin\AppData\Local\Temp\a21768190f3b9feae33aaef660cb7a83.exe
  "C:\Users\Admin\AppData\Local\Temp\a21768190f3b9feae33aaef660cb7a83.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
8bcf4b30a1d1464ece16e9d8300d64ad

SHA1
ae65e08f05e02dd34991f57586aab9d24bfbb3fa

SHA256
3e2cda8bfcbba6bbdbb88a4976bc7f994c60d342257a6663f6fc391c7a2a5a70

SHA512
a4e6cec3fb463fa5caffe570907a155ad4ca4c81f9b13d336a5e91fc271334cfb8481d772eb1532bf87e98fc39d51bfe8f6fa6e2a012011bf4d5435ff65b0b12

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
0323949a0ddb0c1b12269bc8b8c68cdb

SHA1
95aaf20e322cb496fa955e49ebf84c45cda7e14a

SHA256
35a7d590f83e1ac4935845ebb403f61e46e2866325f21e3e010a8bf9058426e2

SHA512
06377c0217b08eedeca499007303c2926fca36cef4a5710fe15067fa127c4c6db4490677675e1d7391f244ceaf6d7777d51bc893dc99827d5441f8f5fc6ea13b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
c41d7e94fa97c7a054e133a6d4ab16ef

SHA1
450fe63ff9b02631710dd786ce13e129e8fd4bfb

SHA256
1f7f9fd973ec7022615a849c393a4a1ed4f8c556ac67e2bf90265b52f1d07c46

SHA512
9d0e6492375ad5d38f7a778d41e5cda701b256c9a1b1379f5672f57008f4f2e1fa0f5b5582a24cc9829de42cff965478656f9c4a7cbfea01608ef68afb799d89

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
733B

MD5
7d988129369e1a12331b30e211898596

SHA1
5b9df5e7bff841656296c88dc6a40a4c5396a443

SHA256
d3d6b052664730355b7875f6318f7e430462aee7b187cfad95d138aee30d7119

SHA512
fc1a75bbb18c8f493eb3385a5c5c49530281e7fc9e5869973e38f7fc58b8fc361a5a6f116e873ca2d5829a5d105775fb9fff1b653a953565f81b18fcc4644124

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
4c96c843a75f4b953fcea1e9fafd82cb

SHA1
cc7dd0088c6ba6b74af9838a9cc967093e06565f

SHA256
f1cc93dd205b5231432828eb4d9852388f0c419a0a6fbbcf4464423b21266705

SHA512
f532b4960076c2250e4c455994a2f7f58335748b87310a580aa2d6814069033e9bde6ab51005989df429463d8893033b2bb005d3f5c245e44bdbd3696adcb07b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
abadfc21eb4d894422ab940c100bbeae

SHA1
bbd31d8669f7a42bdf2a823d8fd57c3493099980

SHA256
8cf98bd383048e0e95e7b3cc98e7a03bdab32b81896d0746e5b8c6c820f4cb07

SHA512
9ac4c7c29b2020b48c3235a94cfbcec09d3ef1fbda866481a01b0427e485033ac919c10f3356bcc4e9a8a0be35522873c1c390346c00180f98bc049b3ed8ba53

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
60684ef68f1246a11e591e4e1e294fb3

SHA1
223533a00ffc3ae91b04d84071a3cfe46a64ca6e

SHA256
0073011a8cc0d2e1ca98658c6894b543b09e8624562a50a24fb322a249f6ba09

SHA512
7cbfa07336204addf957c55d7432cb725955c8180402d93cddae176cdd5a0e1e165e85ff4f5c31fb0b35046e31315a93363266ab47b1872663a7b5487fc139b9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
f883c03a83bbcf227a13ae968b519d03

SHA1
df002a0ae9a9b94c2969a5c5307d2f6457ced16c

SHA256
208d95ec836934b633a47032d81402f1fc5d863e3f06432cd401302130cc990d

SHA512
53e2ac076d5d14f3a0a6b882effe512a0aec44e95c409bc99fa74e0948e777e7ab0856d1f4e5d90b77b8adfe0c274841d131bedf9542e2b4ead27f1410ffe883

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
9ae15fc070c6da9ee77b5c8999f5aaaf

SHA1
276000217c89563a1b522f038cfc348936751049

SHA256
1b218759731d84755f6ac2b1e1796334bdbc5b8165c9bbd28d879b98ff2f1e91

SHA512
b3d8f737e21fcb82dab0dcd93d38216343073dd5ed438735d370d64262fb92197c2184f08481693f08521aaa3b3d1630ffec1f98053e167af1ee85cbf35a1644

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
61937935297ba4cc040471e667d15f88

SHA1
6854a5232e8b33713892bfe396f4f47567e6f02e

SHA256
81b11622190b59bff1940d2adc81333ac73255144eb911b26711f47b26ee0dcd

SHA512
760235e7f76aa40af8405e147ef0a018f4e31dd39ab20d2feb4d416e34827a1d088e29b254f93d38c1e8674a4a0f48b2778df84c4c4ffe19f1d8240ce5f735d8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
56e2665d69bf02156293da9898b7e285

SHA1
396f348052bae036b8f3ed54586d47917936466b

SHA256
064ca48669d07f48b6c1852154fa43722df1c74866c1668e898fd1ba02ea8c1c

SHA512
8dd56fbfbf78a1c5268cccef0e6ffbe42a4f545146fbce820c17ef91962cd23e449029571e3efbc9df0a3e33f3b5b905054a3780a4058128626d8571d0c8d9e7

Download Submit
memory/2300-0-0x0000000000350000-0x0000000001A87000-memory.dmp

Filesize
23.2MB

Download
memory/2300-33-0x0000000000350000-0x0000000001A87000-memory.dmp

Filesize
23.2MB

Download
memory/2300-266-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/2300-267-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/2300-265-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/2300-272-0x0000000000350000-0x0000000001A87000-memory.dmp

Filesize
23.2MB

Download
memory/2300-18-0x0000000003D40000-0x0000000003D41000-memory.dmp

Filesize
4KB

Download
memory/2300-17-0x0000000003850000-0x0000000003851000-memory.dmp

Filesize
4KB

Download
memory/2300-4-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2300-137-0x0000000000350000-0x0000000001A87000-memory.dmp

Filesize
23.2MB

Download
memory/2300-1-0x0000000000350000-0x0000000001A87000-memory.dmp

Filesize
23.2MB

Download
memory/2528-225-0x0000000000350000-0x0000000001A87000-memory.dmp

Filesize
23.2MB

Download
memory/2528-91-0x0000000000350000-0x0000000001A87000-memory.dmp

Filesize
23.2MB

Download
memory/2528-268-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2528-20-0x0000000000350000-0x0000000001A87000-memory.dmp

Filesize
23.2MB

Download
memory/2528-273-0x0000000000350000-0x0000000001A87000-memory.dmp

Filesize
23.2MB

Download
memory/2532-264-0x0000000000350000-0x0000000001A87000-memory.dmp

Filesize
23.2MB

Download
memory/2532-96-0x0000000000350000-0x0000000001A87000-memory.dmp

Filesize
23.2MB

Download
memory/2532-32-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2532-22-0x0000000000350000-0x0000000001A87000-memory.dmp

Filesize
23.2MB

Download