c7e08a1387ca0de53b3df7f03494c34eacbdd651ca1056f4abf8fd4c87cadb10

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-03-2024 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

'.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	'.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	'.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5080	'.exe
5080	'.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1532	'.exe
1532	'.exe
1532	'.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1532	'.exe
1532	'.exe
1532	'.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 5080	2440	'.exe	97
PID 2440 wrote to memory of 5080	2440	'.exe	97
PID 2440 wrote to memory of 5080	2440	'.exe	97
PID 2440 wrote to memory of 1532	2440	'.exe	98
PID 2440 wrote to memory of 1532	2440	'.exe	98
PID 2440 wrote to memory of 1532	2440	'.exe	98
PID 2440 wrote to memory of 4740	2440	'.exe	108
PID 2440 wrote to memory of 4740	2440	'.exe	108
PID 2440 wrote to memory of 4740	2440	'.exe	108

C:\Users\Admin\AppData\Local\Temp\'.exe
"C:\Users\Admin\AppData\Local\Temp\'.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Users\Admin\AppData\Local\Temp\'.exe
  "C:\Users\Admin\AppData\Local\Temp\'.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5080
- C:\Users\Admin\AppData\Local\Temp\'.exe
  "C:\Users\Admin\AppData\Local\Temp\'.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1532
- C:\Users\Admin\AppData\Local\Temp\'.exe
  "C:\Users\Admin\AppData\Local\Temp\'.exe" --install "C:\Program Files (x86)\AnyDesk" --start-with-win --create-shortcuts --create-taskbar-icon --create-desktop-icon --install-driver:mirror --install-driver:printer --update-main --svc-conf "C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf" --sys-conf "C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf"
  2⤵
  PID:4740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4332 --field-trial-handle=3084,i,14217130992253490921,11543335378077656547,262144 --variations-seed-version /prefetch:8
1⤵
PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
45b349e584f4b9d0c233a0ef5069498c

SHA1
743128a03309da5f10506fe7a7a41e2686b9fda0

SHA256
7ccb9863664ed9096107041e66f1e55f3e657576d98445bbff058e46c51b5b0c

SHA512
380bf6973e4fae04a21242729dcff21c97e62fd2a16a1784581e175d20859335d450a6b52ab367e35b0c884671546c1bbe5fcdf45d1140428a3dfb719be27d4c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
1f9c6ba6836d93d3ca5da1be983dd436

SHA1
25d70afd5dfc6a2ecc2057e2e78eda481305245f

SHA256
11128a1d2fa44a57f4f78ff600900b18f147846f0e70771ea1ef5b614a8b60e7

SHA512
99e325ea54a27385b776999f816439b017d0233fbf732b558692f78b31ea2dcb2fd6d80468c87b1aeb6d6f64f473ec9b872ab4e0533b3aa678f18a645bbc1f96

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
29KB

MD5
f9b89e70d5570176e766b35ae8f0b8ae

SHA1
ef34965b64d189af2acd3d0ffe628566b74b4dc2

SHA256
57522551ff52b548946ee4acc504dcb7720cf2ea66f15b1da80c07bf71aff7a7

SHA512
f85b6bd227a47ec9fff5a0e0b4ccdce782f8d5d5043f9bb8357b9990b23d4dd807d8233cf60586d9a165a982e7575a13c714b03c972190d84db22646435dc29e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
c6fa24b3165c2c11624e1a4e3012f69a

SHA1
842ea3af89bfa90a02682ff58c61bdc78435fa3a

SHA256
b86a02e6fd7f7988e4c1bc60d555c23c91827c45cb44508de3d97cc5ba85ac98

SHA512
29385539fd0eb09e28dd76d2e534f435cd72d1be227cfb9f54f9194b2ae8b78879bef47a0ffbf5ecabefbd8b257a8dd8f193b9911de0d28e7a0e42f1f3de67ea

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
afb83672ab2fecfdeea6df46a85c2ece

SHA1
2209fd038580572dc7180395854ad09dd45e8598

SHA256
ee92555bee4cf7480977a2972980d53a42d941d5fdfa1366b3b9bd514f5b422a

SHA512
26ba5ce51b42b52947e5c1d1f526b17f8b7bca733aa5c8199c18784a29e1be4fcd4e13ccfdb159911e6ce5059eaf5f15c0495833b3af74a09cd9e1c93035b5a5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
612B

MD5
f80ab4308d488922d9bf8e6f25915c1e

SHA1
33d2f19b8f4e0641944a82c46aef35fd8fdfdbcf

SHA256
37dfaa059120e2e2aa9cc265a096a72d47c5c63977090c6816a65a6ed9e9c527

SHA512
4930f4f019db48b9610559d6330ee61c114693c1fa41bce766aed1423e2d78109c0cfface31837398b4391d6ace04219aa3c3aa5f9ac73184f7845ae68f07b47

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
38e60578f2b2a5e220f788db1843b5b7

SHA1
ad2a8551589de90f11db7f762357ae72a6320676

SHA256
044bf4f298c8f24e476012d501677322daba7d3a93c773ebcf9f14e7dacfaa95

SHA512
47152b19e375092f31d3e3fc0ab364d17e583df180572c7cf1d82f44edb94d21255808dcbc4d1960dfd0743aae416d726d2c814690d4889dd33d19a0bf58b78b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
056425076f5609082f4fa4f98c90bae3

SHA1
08597d77b95b4662da72f9952bfe4336fa7395c8

SHA256
805d906c2df047c882ea4e9712ea43e5b266053753a40ac9b9b11ccd87e0114d

SHA512
290b5a84ec31cf77b1a3bae89eb01825fea90dec82023bfd47a7ec63147dd8494f3d930265036aae4718a99fa885d0550d2860df4601826b6df6b978d7f13e58

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
f3d58a280c68f6f2551d231f04e457ed

SHA1
46aa248320033a7b82162af6d902e3e71329a438

SHA256
f7c058afd493dffbb0232a5c3647dc00749b0628b5c91dde95aa42d65f01c8dd

SHA512
c89505cf890f15e866db08af08a3a00d8875b4a1b8e5fc9f10642fd4a5b4383b26b305a9be3f2984df234d02a4c80e48520cc241d608de2716bca1b963f35723

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
65e0b1c53ca3f5921bcc0a63683ac235

SHA1
c25bb677b7a41d7c4bae489f7dae498607db1d38

SHA256
da7dda0eca5fa81b3d32f68a69311df2d438b1b01b278da92e6bd19410c08430

SHA512
d9470fc3c2fe81f3834ebb17db9d7517990af79de235fa3ca52f463918d678c188ad824afecebe9a2821b96dc19c1a89ecbf797172d9086f1503eafe1df6d377

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
c4b794c2700afdcfca484492c7ed5576

SHA1
30cc8e1f6830d6f53bf695bf59e638161ad36727

SHA256
309b514e3d637a904266e01c950b638c50231f4b40647b494232a1fef693019a

SHA512
1d6e65c80acf10b495c2fb95779d4924f27db2e230592aceae882225315c8e9ab7ac0346909353ebd888d365dfb3ca6a4e488aa36d4b9f0f3ea3422b3129eeb3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
5aa0f107ec8c4a3c87997085878d3db4

SHA1
670587dbb85e588a553e226b285f86b3e65bd1c2

SHA256
a966444ae06a91fb3929bddda2b3161f82a3834ed32c22b5ac1e2ed5f34e9689

SHA512
b2f5e79ef4b4e17201c8e125935e000e698369dfc1cfd833b8b477b469388497ca8586684af375f212a68a4e7bf784c2e36e8c044e6c052bc8a1efe42ac2dde6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
201bda2531a8aba115117d7e18e9ddb8

SHA1
b0cd303431378da4bf80212d2f0e20721efdbc9e

SHA256
7c025dea1449c87849034d24953488d77cfcc7ea131989b79dcf39f2a3e0debc

SHA512
b8597b5192659c285f4f134aa4d5d1169e0baf9d266eae4e6e893acebbeff0696327d1ce18865d140e063b999984a6624db1082f29dd37dbacb58a7144f1feaa

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
743ac866d6e84d4a2ec2d01a9cd820d5

SHA1
3d24c714b23ad0fa534226e7da2979fd06c2b847

SHA256
29544aef88f4cc1cac209e3dcd3f12fd95642c0c68c364ad1cfca02a640c6102

SHA512
e2b06efb90b87f5b85d00ec0963d68ad056c0ff12306c44fefc24df96e6b09df50aae5b0521be7acc5551a34a224bb8f14c7bfb3321fd2352aa418aec16eeba7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
bc703d0231f2fe098effa20c5e6b5e04

SHA1
38e84b4adfa3e5ca53722b476ae6e25be1778ef7

SHA256
b88fdd9623d359c1b6c0377e7009e70a80ad565e1f52bd26bbcd48bc82f635ec

SHA512
fb5bb380954310cabf4c59480a49f91c63517a4bb0f1c0a3c16f4411b0f572cb7d54d94e281c4acee97233c4d15e1be4abf95c9fa66a1d7ce90d1548e16b91cb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
0c9308688a1b85ba960b63664e896149

SHA1
31fd7a071a3c4f4ed878ee73ed2489e2ceaf1766

SHA256
32527d4906187b9a5ab4bd3683c2811fc97307d1bd1be6568f5f98d5ac2449a0

SHA512
d3b9859aa21a2e731f48077ba128ddd5c97e2642cb6fac3c279d3be276a0539b084329279185ae447fee4c50a7bc2d168d6ec70926969343a76d8cf044822c2b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
78fc2900c38067644c90f22959dc6144

SHA1
3e8c8900545fec58d71f48e3d370e3eb9ed037da

SHA256
28cd7700d42fe62a43fbb67fb3a82cbe9760a58080a595fa28f463022a35505d

SHA512
7f8c1484c473e4739930a1451442d7d14bca5064e14c22880fb8d66465d8dc57f94f5468dbd85db0fa14ba2699916da7da25f518f14c666b323422ee4b1e03cf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
225e918755532a3af3137d7abb6ad035

SHA1
b93f3f6410ceed08fa57146b4502205765f0dd58

SHA256
01e83bccab8478bf216f2555237ccdcc2060bc11df3d87f1d153a1dbe5f90f58

SHA512
653962f32a84297a067ac34a3305ae2a0f1cd6ee05095bca676995dd7a0f4b939213115a6cb3ba04959f9d18d845c4ed0516a3bde0e24c3a8d13cb7fa7c1661b

Download Submit
memory/1532-26-0x00000000023C0000-0x00000000023C1000-memory.dmp

Filesize
4KB

Download
memory/1532-12-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download
memory/1532-20-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download
memory/1532-240-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download
memory/2440-22-0x0000000005CB0000-0x0000000005CB1000-memory.dmp

Filesize
4KB

Download
memory/2440-283-0x0000000001F40000-0x0000000001F41000-memory.dmp

Filesize
4KB

Download
memory/2440-83-0x0000000008280000-0x0000000008281000-memory.dmp

Filesize
4KB

Download
memory/2440-1-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download
memory/2440-28-0x0000000005CA0000-0x0000000005CA1000-memory.dmp

Filesize
4KB

Download
memory/2440-0-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download
memory/2440-237-0x0000000007440000-0x0000000007441000-memory.dmp

Filesize
4KB

Download
memory/2440-238-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download
memory/2440-104-0x0000000007430000-0x0000000007431000-memory.dmp

Filesize
4KB

Download
memory/2440-4-0x0000000002060000-0x0000000002061000-memory.dmp

Filesize
4KB

Download
memory/2440-284-0x0000000001F60000-0x0000000001F61000-memory.dmp

Filesize
4KB

Download
memory/4740-290-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download
memory/4740-291-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download
memory/4740-294-0x0000000003B60000-0x0000000003B61000-memory.dmp

Filesize
4KB

Download
memory/5080-11-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download
memory/5080-239-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download
memory/5080-30-0x0000000003CD0000-0x0000000003CD1000-memory.dmp

Filesize
4KB

Download