55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
328s
max time network
325s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-02-2024 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	7.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3036	7.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2496	7.exe
2496	7.exe
2496	7.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2496	7.exe
2496	7.exe
2496	7.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 3036	2180	7.exe	28
PID 2180 wrote to memory of 3036	2180	7.exe	28
PID 2180 wrote to memory of 3036	2180	7.exe	28
PID 2180 wrote to memory of 3036	2180	7.exe	28
PID 2180 wrote to memory of 2496	2180	7.exe	29
PID 2180 wrote to memory of 2496	2180	7.exe	29
PID 2180 wrote to memory of 2496	2180	7.exe	29
PID 2180 wrote to memory of 2496	2180	7.exe	29

C:\Users\Admin\AppData\Local\Temp\7.exe
"C:\Users\Admin\AppData\Local\Temp\7.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\7.exe
  "C:\Users\Admin\AppData\Local\Temp\7.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3036
- C:\Users\Admin\AppData\Local\Temp\7.exe
  "C:\Users\Admin\AppData\Local\Temp\7.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
4f0d8464c4789cbb72a88e05b1f71f3c

SHA1
e121feb5e93cfc70d8e0c6c126edde9983aebea1

SHA256
5d6be6afe1c619ee267d7bb56e3f062556b2defd5fb3e6094d37c11d6403e550

SHA512
75b406070f504e5c96c088973d12fb61e05e922c1f8728d246f0449ef025c69acab2cdbe3d797cb271152414988aeedb5d04a24c294e71c5bef22613d4925d9c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
51a7d796f71a0065e5891df9e928c6b5

SHA1
e4a3a25ea86b70d789dc5cb70d3b47fcbbe6493c

SHA256
6df0253816b84dbc75578fe4b1c0cd3a44e606ddf0c08d5262b0094b1cdd5794

SHA512
d4aff6abb88b7caf36cc54c29a11f162ea040f2db5fd3ae13c17ca3f5cd95a63175d23dc427939743fdad33178564cea30810c9d3b64e6f93c783b4a02685970

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
96417ef20dcc49a84db3851e80fe8410

SHA1
0fef7e8f9c79eb79d43bdadbd88d4005f2dae389

SHA256
ade764c8e2604e3cb83dfb4f74fe430098e957ca72373323cc337a6d95574d43

SHA512
12ca5e4b3730e9d56cb9ec83622c589a107f6c46cf50e23fdb49e9a9abccc0f70de24232004903f8fa06f1a8f79337a0be7f26200e6f1bbd1286030e92c51016

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
74cd591a45a3a71e4cdbdbd13acc0948

SHA1
46e3749ce2db8644cb964feb8469165d1a6c4c28

SHA256
d88e0cf1379f698e4fa211d92242da59f962f4482b12bfba0fdcd1fd6a41cd7c

SHA512
390980e1497383fc9aa086da748866da6ed0d0d9ffba1113c82b7c7f67e4362af24198bb956eabd179d7c805cb870b75a82c1dd4591a07c2f39fb701abd5e6c7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
1ccfd51b6a5b65f4991a07edcec233be

SHA1
9b2af64d4aa7346dda71eaa04999a5265c0971a7

SHA256
d081b1a3d3ec7d3276daa7c86e561b420a981fd65b48e9f17d67e2464707fc22

SHA512
4bbd2a5bd01855ec6bfef7b4f35157099f1c311c0dabcb02d00882264c8f622cdc752c5840f05a997450f3ffba95bd1f5eed1f03c169660eb4548508bd2454dd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
73997ff7e70ff4ea2256e4fcc33d7fe5

SHA1
25662cdc756268f75523049313a033c5e132183a

SHA256
d6549a0161ad8c0e7d8c56d0a026f7381d770d3c32b5bf31efebfd76b7745487

SHA512
b3ad190c6ce2eae63b9759c15ae4eba174dc3645b5f01116035d2e01359677816bd63d73f0d094c21107f0dbab5e2c4f81c64f0b96e1973a8576ff6923186f7f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
4f3fb7c202b911064a47f898f7fdf37b

SHA1
8e02abcfa8217db3ded4e42bffb2552a72f3af14

SHA256
ac923c6b930a57da4e447a1ddee3c6e25b146c2a2153a20c1899dfbbea0b55c9

SHA512
2a223e73ec22fd68845e6e4ba57e2f695ef1242af6c95c2c5c06a9c038e4559f15155fe82ad03d1bc28e9a3cbd1aa315bf0a78c9dd88566672042f9fc765f0cb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
7583e0c68ed30ec952a2b0544c0326b1

SHA1
45d872e158c1a92dd6f5640df06d1fdc93c5e15d

SHA256
4b24c8a77301538713018bb94eb5a7a64c01164bc3aaa501481f83bd5a861f55

SHA512
bb256a1aacf026c573353becce3798de52d70e2f711cacb8977726445ea5de0c52c79b22c5d1e8aafd0d02b27ee528501fbca24d088220eba00bfed757a1bd76

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0da8f876f887504d1ab89c4a1ef8f7e0

SHA1
76e5044edc1052602291a39d5d1318b9e8eb5e1f

SHA256
ce580b3158eba432588c618dfedc11717e38cf2e20c90410fd55a112fd389269

SHA512
9c127986c1c69a80db3a6fe8ccc46365514afbc534a28d8cb02e01c5bb08ede0ab5f421ca8f1a3d7596535e0f9ff0453c3a04aacc528ae91accc03adbdbcad78

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
28734ee1afbaec3d02eb8756465a7751

SHA1
5b05ad5b79fba0334a44eacfcdc9e40a18e494e1

SHA256
d3e3ab349bd033a2db585071198e53968a5fc56c5b46c370d1ef0aaebb04afbf

SHA512
671be5ac363931932565ea0c9c4bfdc7f781a603796a36e0c4a374d5c74ef2a342b6329eae5081d668e8cbedb0d6864862a733c78d04ade172564fda2226ddf3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
16be27865b2cba11a037ee9b58a902c3

SHA1
50c4fd6e41563aee69f68bc49d3162dd7e5646e6

SHA256
630e55a9386c36680c15a758e15c29e201b69bfe4c0346a7c7a91b5ab586cf92

SHA512
5b93033bcfb1e78c3859c99c812bb1604d0b28405979701a4f3e31fee54704c108de7d83c8b0c1fc0f08082013f45ddf4ae72b90a471a0342d3a87aba3ea2ea0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
72960674866c343738b9c67c0c46e3c6

SHA1
77943fbaffc03a7bee48efdd39a07daa59181a7b

SHA256
0f58ca4982f7dccd24df4d23f87de78c51ae1625a2612bc9cf45d464b0c1fde2

SHA512
81625a9f7e1d1c2f1625ebd4c99e52892809a13ef8b05f0ab2a16b42c1052c0d057a808319696ae11c05c058421857084c36feb4de27983329bf7de755b88dfa

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
3b10491942cc3c3cd72e4136d7ace0fd

SHA1
b4875f4cb8d6e01e0863de80a7393d00299456e0

SHA256
a65213be2dc5b8b5214de1c5367456f8fe28ae4aaf92465895e5e4f7f2661768

SHA512
a0fa70107d2d04a219b6e4d9b6ccad1caaeb7a137c33ef3a9e9efe41eb7c70e87a19c0681e146bb51f5fcef266d50904c083c12459204b788c7a718052246ec1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
59fbb2d8ecf69e70ef76b26d04648d42

SHA1
fa975ec93f00375c95b13b2e237ffefd96d05fd5

SHA256
f044c9a0978a9f4a4f0def1608b91c71c4655625db25839e6cc5cb1bda0a9a26

SHA512
3e1d6407e23a0a2f70b1abd5fb9bfb46cc4a3352ce485a7be7a0286dcd290a0b585bdcc35952f705e90ea74cfa36cdc0e8188499ad0b9a6ead5e32359c411e10

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
1224e28e5b9e8fa640b3b89919c3ac39

SHA1
ec886e762e88dd684e3e0e1785e0a2ee7db019bf

SHA256
85e6b08b3f801a929bbd5340a28edf309b2bc11fd3f4cc64cef283659c8f13d2

SHA512
01f2d3cf33655e0103bc18d51a0975884a56f0cb8710095e4e9f65e81012536b4d34c74d71e7f1688473b852baba079c8e50f3ede278ca60b7c84de047141645

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
31c1aba3fe68810409c3ee0f04ed5d11

SHA1
d88e7565e07a7fec6c0b53ddfc7e6e7cf63a9e56

SHA256
c4422a653fedb76a5395d172359ba9d19394b3ec5e19e657bf32b69008ce7591

SHA512
9e1894185cae27dd654b31f15435af8fec6812b9355900821241a28e67771a1e82f8804c712b98a8e9dd0af061deab286f9f026a5bfa307ca2795e30a8126bbb

Download Submit
memory/2180-147-0x0000000004390000-0x0000000004391000-memory.dmp

Filesize
4KB

Download
memory/2180-23-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/2180-310-0x00000000043E0000-0x00000000043E1000-memory.dmp

Filesize
4KB

Download
memory/2180-145-0x0000000001200000-0x0000000001201000-memory.dmp

Filesize
4KB

Download
memory/2180-300-0x0000000001260000-0x0000000002997000-memory.dmp

Filesize
23.2MB

Download
memory/2180-0-0x0000000001260000-0x0000000002997000-memory.dmp

Filesize
23.2MB

Download
memory/2180-22-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/2180-4-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2180-1-0x0000000001260000-0x0000000002997000-memory.dmp

Filesize
23.2MB

Download
memory/2180-50-0x0000000001260000-0x0000000002997000-memory.dmp

Filesize
23.2MB

Download
memory/2496-52-0x0000000001260000-0x0000000002997000-memory.dmp

Filesize
23.2MB

Download
memory/2496-38-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2496-11-0x0000000001260000-0x0000000002997000-memory.dmp

Filesize
23.2MB

Download
memory/2496-312-0x0000000001260000-0x0000000002997000-memory.dmp

Filesize
23.2MB

Download
memory/3036-51-0x0000000001260000-0x0000000002997000-memory.dmp

Filesize
23.2MB

Download
memory/3036-12-0x0000000001260000-0x0000000002997000-memory.dmp

Filesize
23.2MB

Download
memory/3036-29-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3036-13-0x0000000001260000-0x0000000002997000-memory.dmp

Filesize
23.2MB

Download
memory/3036-311-0x0000000001260000-0x0000000002997000-memory.dmp

Filesize
23.2MB

Download