55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
141s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2024 02:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a21768190f3b9feae33aaef660cb7a83.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	a21768190f3b9feae33aaef660cb7a83.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	a21768190f3b9feae33aaef660cb7a83.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5036	a21768190f3b9feae33aaef660cb7a83.exe
5036	a21768190f3b9feae33aaef660cb7a83.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1656	a21768190f3b9feae33aaef660cb7a83.exe
1656	a21768190f3b9feae33aaef660cb7a83.exe
1656	a21768190f3b9feae33aaef660cb7a83.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1656	a21768190f3b9feae33aaef660cb7a83.exe
1656	a21768190f3b9feae33aaef660cb7a83.exe
1656	a21768190f3b9feae33aaef660cb7a83.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3824 wrote to memory of 5036	3824	a21768190f3b9feae33aaef660cb7a83.exe	89
PID 3824 wrote to memory of 5036	3824	a21768190f3b9feae33aaef660cb7a83.exe	89
PID 3824 wrote to memory of 5036	3824	a21768190f3b9feae33aaef660cb7a83.exe	89
PID 3824 wrote to memory of 1656	3824	a21768190f3b9feae33aaef660cb7a83.exe	88
PID 3824 wrote to memory of 1656	3824	a21768190f3b9feae33aaef660cb7a83.exe	88
PID 3824 wrote to memory of 1656	3824	a21768190f3b9feae33aaef660cb7a83.exe	88

C:\Users\Admin\AppData\Local\Temp\a21768190f3b9feae33aaef660cb7a83.exe
"C:\Users\Admin\AppData\Local\Temp\a21768190f3b9feae33aaef660cb7a83.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3824
- C:\Users\Admin\AppData\Local\Temp\a21768190f3b9feae33aaef660cb7a83.exe
  "C:\Users\Admin\AppData\Local\Temp\a21768190f3b9feae33aaef660cb7a83.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1656
- C:\Users\Admin\AppData\Local\Temp\a21768190f3b9feae33aaef660cb7a83.exe
  "C:\Users\Admin\AppData\Local\Temp\a21768190f3b9feae33aaef660cb7a83.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
0465fe0ff890b2f68a71d1ef9e230789

SHA1
ac6f1111ac55e07a81f1e9781ab45c21d7bf9d67

SHA256
830a4db631ab24554aa3904deac370723f64433d639031329514f097c13fc533

SHA512
86ca2ad87e028978214b740d0bfe5671cb4ca767f24331fa1e753d5b638b21d0c1ba7a682f8e596ac16ba64f842117f5f064a90aa11789c1155c1ae72585e6a2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
2eb4df8e40d5d9d2584a0ee95ccbc88d

SHA1
ef0828e1c0b826c3b04633d2002975fcb4ea395d

SHA256
1eeeb33b1813568facfdc92556de6b270bf83d01a3b0d59423dbfbf216eed607

SHA512
f59f7cb1ce382e3e45080c5840cbe8cfd4cd45eb1b3412d568266d5773bf12de5427e8bf9e1d6efae4687eebd7ce732f33655cc7d632d81bc39f73108b70b481

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
67d9b38766ba02ecf7f7f9b48a93ae88

SHA1
8729e159765a27988039eba7021b4422639b247d

SHA256
2e7304582614b3e7bafd48c5eeac58527bf33a01185b110cf3bb350e373064ef

SHA512
d6222220d552f4d8157c2ecf5acde4ce097a530f9821bcbb0e9ca4ee83f00b3a0e243b829696f94b0b45d08c6a24336fdb95ec5a56174f2c0ffea9364930d0df

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
552c3cb13ac6d3e82a1ad74cd76c4485

SHA1
c3852f9de8a4b6696413da2f7199afa7bbaa87b9

SHA256
0369b63238a14eb9370530b928ce0da73503e1f27a4e1ae9b9164f4ce9f6734d

SHA512
75b6d8a1fe3f36b819b30544eab7db3cbcbd3f6139b38de98e631d6e8d099de5bbf6f63e346212ad4d7f1ae3fd6b2e8c39b6163dcc7f88a9720979b017d98675

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
5acb8cd5e21c62349f5d824f63e9d445

SHA1
5eef0fd5ded891515daf7b7719a3a491360d8f8e

SHA256
c70f2fe04907f41d484fdc4ec5df3c527e65e77bc2f578af3fa07b847ba0a817

SHA512
847e903840e1ad56268e60a2de2ca098fe28b71cadc42d47c05e4b23970492b633e1f2cea27bcebbfd3ecccc7be66cb85502ffe27b8e5ee54ab99519245b01f3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
5953b19e3576c89f0c060587e22206ff

SHA1
00037525cd35a3705fda8b8f9b016bf015ae4b4e

SHA256
8e9e8b7fa4a89ee17083caf1db28b875546a4a5b343cb5fd098020983ad7849d

SHA512
46ddf175c2e8298903fe1807f4e06cc78af370dbfa089d303420bb2a566d2a694dda41c0c271ad503d13bc54391f8c4df359145a47c1620a207db8de23191c94

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
4c2dc429ade24c1d4413e54641d8e2af

SHA1
89741ee773c039ba9ab9eecd240f36d5883dbb5e

SHA256
1b6c00a262219ce09126390cfff9d3209017749fe494a3376e333a9b94f8ec28

SHA512
b762ed79663d8b1b325ea0e591d4c685664fc51e610488a604ae7141ca865e21299cf7dfced0cad83f85ab4081c70d33bb69369bd30057838ab779178e1397e7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
7ac869011b8dc2f26daa3060e2eb0c2f

SHA1
ba5fdea564897e020478f56c5d85ea2ca0bce20d

SHA256
f133e02934acce60a0d90ec2d4865bbd52d606b99cb34f3828ef7133daa25793

SHA512
44b5315f0eaf0213633a55a7e5603da574dbc7d5aee22a6c85cbae7a5a784e26623ddd63c817ab3b52c5afb54e6cd7e077851fc4ecadb9e5bf27691578371650

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
901fd29b70acbeefac11fd3ceb12b801

SHA1
cc975abd1051786d0b5cdb16c5ecfeef1f20ec78

SHA256
5c34f093eeb1e58ffb45f1e0d59e86c6f1aeba4a6e6f37ab69cc821a1abf89a9

SHA512
5a0d794a28657e60d312431c8665e7833f4529c729c91b32e9c28013f21a4bc50a08c849d14e67d362ef3b8ce51b192f2ddf7d5f93c1a755e538cc89d4cec1f9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
f4dee2a106ec25b761237219c80d49b8

SHA1
219915ae784788e48e3a6b763e1b6a5c7b4b07a8

SHA256
bba685ea4806928bade099fbe38564ea4cd9392c54c29eeaffd7996c1df97dd9

SHA512
2c0e953a00a2163c8fa4173bf04c85fa1c2018cb88fd2fdd5f6720a07aea257c6f53ffeccf49a3b68dfdb05e149428d363843c4d37990ae36ad9a28af2f86b60

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
759a665588ff9ac568ac2a9ee6c0fc97

SHA1
6ed49ba46972f2525d284cf7bff0adee35e006ae

SHA256
e92a800619e1abf8b6f9050c47fe1fc823fc20198a5f3050db4ad42ec4aeed1f

SHA512
bf55f8694bd4ab75b8acd1465a93f7275dcee8de018bbb0c12f5627aff84e80b933897f47dc3b120875b5c03468e1ff6645cb01ea49e608c719fcaa8e7bb9ff0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
ee253cc9c72b06a0b15f0e94cc74f0e3

SHA1
31cddd18cc328854cad4185ac1a8595bd2d978f5

SHA256
68c162c870cbf7af288e6d3166856de14c6849c041a76e093250106a725658e2

SHA512
7446b9654e45a89c68a8d6159a2f866940d58579d089960242c4586e653df980597120175d451d7cb5527ad72e67530ab19cc45435fb0dd45eaeab6c6f21a5ec

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
5cd1bc7e2aae5b4ec334078c0f306117

SHA1
c9b2543bd44d97f3c4c5d60efdc67bd8782255b7

SHA256
12b4dae970050152a50d055e292f0a5a5756f49fe00f51ca675de5697b057bf9

SHA512
f79d699da51a43a1a7061f70d44452e9a98ab041c7b972157208cb9331b5fe4bfa84ba9bdc512110e981de320dc2fd1fec236e43c8c4c1a8f0767b64621b58f4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
1e0ce580b71f48d3837a3112b10b0b9b

SHA1
ef16ad7c379cb0534c7cb601d5c6c000af59fe2a

SHA256
ca4d4bfe69ca9f4ee1b71451da55a6cfc6188947de04477f4f5206f6ef9aaa42

SHA512
cc5c8ab16fc1d807f60e5e2a5a4758689e0746b32315d677521624dad8342f10e77f6ecc3a6de245bf9e1404c1944cda058212211fff860105bae11332162a0c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5156e5d053f5c8116fc47ec6be4fe0ce

SHA1
1f6a3b86c324f47af9b01814ebcfd5d3e48a1dcf

SHA256
a404e2b9813991d2870eeb3e5c9f5556c74a2e739131eede5324c565d50d869c

SHA512
924d5a070ba5c4b0a0b01bf96cfbcf617ec2496efa38c2b410114e7ca8c62de3aaaeb85b96cffb908f5f5fe300c550f807228afa19acfe7f3d7a20cd8f3601cc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
505759043265da646ae11681017ff1d5

SHA1
22689bb23037a3395dec03ae09115a22c6e3267b

SHA256
9674b78bfa879c893470649a4b42a636eddba724b8971bad83b3244c34314ca3

SHA512
a7e946b22315d76dc588b190a78503f4a308b09b74f5ad63cdbaae77a7b6e215aba1648eb36daf578f15adeb9243afc1aa1d66b178866921a91c8107a11388c9

Download Submit
memory/1656-32-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/1656-12-0x00000000008E0000-0x0000000002017000-memory.dmp

Filesize
23.2MB

Download
memory/1656-263-0x00000000008E0000-0x0000000002017000-memory.dmp

Filesize
23.2MB

Download
memory/3824-31-0x0000000005D00000-0x0000000005D01000-memory.dmp

Filesize
4KB

Download
memory/3824-88-0x0000000007490000-0x0000000007491000-memory.dmp

Filesize
4KB

Download
memory/3824-85-0x00000000082E0000-0x00000000082E1000-memory.dmp

Filesize
4KB

Download
memory/3824-33-0x0000000005D10000-0x0000000005D11000-memory.dmp

Filesize
4KB

Download
memory/3824-1-0x00000000008E0000-0x0000000002017000-memory.dmp

Filesize
23.2MB

Download
memory/3824-4-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/3824-260-0x00000000074A0000-0x00000000074A1000-memory.dmp

Filesize
4KB

Download
memory/3824-261-0x00000000008E0000-0x0000000002017000-memory.dmp

Filesize
23.2MB

Download
memory/3824-0-0x00000000008E0000-0x0000000002017000-memory.dmp

Filesize
23.2MB

Download
memory/5036-30-0x0000000004220000-0x0000000004221000-memory.dmp

Filesize
4KB

Download
memory/5036-13-0x00000000008E0000-0x0000000002017000-memory.dmp

Filesize
23.2MB

Download
memory/5036-262-0x00000000008E0000-0x0000000002017000-memory.dmp

Filesize
23.2MB

Download