d67ec67aea3e158c8a167d39329491e56e6fdeb5f52c941767624287d5cf6128

Analysis

max time kernel
1803s
max time network
1810s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
31-03-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

'.exe
Size

5.1MB
MD5

863fa58aa1fe8a88626625b191d4722e
SHA1

e7fb4bf69be5ac4583c0c02e26a17bd3cdef4c02
SHA256

45126297c07c6ef56b51440cd0dc30acf7b3b938e2e9e656334886fe2f81f220
SHA512

ffd3bf831e8f0dc605706075a9763c68552f6560aa8660d7993e5156f64032fbc4ff6134fd333822e3090fb863cecff9e463316a8d9c3150152b73f8377aa2bd
SSDEEP

98304:m73/fXBy7vaQfw2Tx9ygyzn00+IQFikLo7ANSDkatVVoj9dU5UywL:AHXk7yQpxy0LEAADkahowULL

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	'.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	'.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2548	'.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2064	'.exe
2064	'.exe
2064	'.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2064	'.exe
2064	'.exe
2064	'.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2548	2976	'.exe	28
PID 2976 wrote to memory of 2548	2976	'.exe	28
PID 2976 wrote to memory of 2548	2976	'.exe	28
PID 2976 wrote to memory of 2548	2976	'.exe	28
PID 2976 wrote to memory of 2064	2976	'.exe	29
PID 2976 wrote to memory of 2064	2976	'.exe	29
PID 2976 wrote to memory of 2064	2976	'.exe	29
PID 2976 wrote to memory of 2064	2976	'.exe	29

C:\Users\Admin\AppData\Local\Temp\'.exe
"C:\Users\Admin\AppData\Local\Temp\'.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Users\Admin\AppData\Local\Temp\'.exe
  "C:\Users\Admin\AppData\Local\Temp\'.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2548
- C:\Users\Admin\AppData\Local\Temp\'.exe
  "C:\Users\Admin\AppData\Local\Temp\'.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
6a40d0ea9f0967dbe53103b352cb3f97

SHA1
f2fb18e5109c771018eaa501bcb10972a8072014

SHA256
0fd25b36545947145dcbc18dbd17c1444bb0b5eb7eeb41a8f229839f8f5e7f8b

SHA512
fe43595382e1334432f9e426709e482076f7987b9633c1bbaf7a5223a0ab5c9cf9d245aa777e91802657832383137e6bd2de980aec3d7ba889dc3e6f39d40252

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
e3a2a076e2802c1340932e4e0a49eaa4

SHA1
e8229a1ce5663836b04e399d426d9d30fdbd146f

SHA256
c042e4fd933f5eef8e480f49819d4e44e0b9464abee33701b7f8e22897ab522b

SHA512
80a0399e4f3f4ddffa9eb3d3727706b76267d532f8653d5bf939a77a5efbe9653e6c60a67e0277a86d4579b890101433176a242dffc8a8ad4cf392084278f3f1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
612B

MD5
9efd12ab2b484f841353e981c65a3733

SHA1
55ab1cd0958139c04ce7e8141aa3b19ab46c8aae

SHA256
ae511b5cc4eb361d56ffdbe6bd146a0961d295861c2e2e5f9f794d08f874cd99

SHA512
bbc381affa707df43c21c5aee0c6865f2a2b0c31d443504f1885f4702909532ea349b3712f536987bae24cd01901248ab96a89facb8fe5982949e26375aea01c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
676B

MD5
d72d175387388fcecb0a7d6f2adefa90

SHA1
6de12c0a300ee686296c68380a4a49b100549afa

SHA256
dadd176c77461566a7db23e13ae3e85e63b1df4b098f5d06d3d5b630b4f5ce10

SHA512
50f9300e32af1429fce7b6bfc6fd6eb4af2233d4099ec00c6854aae2267a443bc8ae83081388ba7e83c5bf5621d643dcbf4c2382f160f937308badd9fd99dd8e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
88bb98058e7511b99684eeddac045334

SHA1
852eee8f87115403d96e2794e496f2fb7718fc82

SHA256
79b049f74774de4c7ed6adb070964b04d6ae153f2a6beeadf4fa1cae0e9d24f7

SHA512
98c4091fac83835704925b6268aaf00c67c194ebca102b848f9306efae9069ca4b03cfd7f8c55a0826bce46297948243b0610346b0efc60058c9465f99c9ae69

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
828ed7f01bf5e4b8e2bf66624d4ff051

SHA1
b28916ed624db562c77ee4a8a13d854c37213463

SHA256
015329984423cf5fbbb891357a5ca50acf6f3acf01ae22c2a54179a1aa2c3672

SHA512
0a252c8b9b5ccdb4c7ff557b0efd5ae168886e1fe07a5a242681953a0bd36cc5b6d9f228f50d877767cbcdea93b1b8cde79d706f67d0eb4a9f415e1258d3f31e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
2e6f1610f8b61aa7ab22af51dd2eac07

SHA1
c3a8ff1121d33f3e0e02206e4736f7a76e645843

SHA256
8da4a1b32476a176fb328efe6e6da6877cb5c488c55387187765988f909b279c

SHA512
7573a642739941cb0a5723d7df7cc510c5348e1c7d0e2ecd148873aa8ada62b9db2ff62b76cc6716cca97c5c81bbcd6630b35a93b29c87d59fdd90c9afcb7467

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
5eeea4e330ba1897b9a4a9028cb85371

SHA1
c365f97edf95b65d0d75caf32e1cda780dd79db3

SHA256
3ea078d46002cb6e0b4d239a6f4c9829dc5e2823860ad3e3cf4b029e0f8056d9

SHA512
58cda92035f0361658b20063631a1ede524e9075d35f99828cf2349acfeea978eee703d5dddc9814223777a95e761f303b771fd7bf0e0d059542375fabd536cb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ce025294897f4b0e5b9f7118a18fcc0d

SHA1
777adcaa0bdde3e3eecd35f2e465256eaa9ae8b0

SHA256
b9c015e401f0eef725a84dda1b28d4b1601aa38feef1808d2a26f984d6ddc9f4

SHA512
a0eacb89918e9edbb242a46606507f3826a2e9397908dafc095b6e78c98f8dcd32ff78bcfebc229261e7edc3fb83b1d05b23df311baf9c425efc9ad90cc1fd80

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
b300d129ffce0e6e296d5d2656c3b781

SHA1
b3688b316abba3b5d03e4f8a882ae2b1f26d2352

SHA256
f50610a248c7fc69212b80f6807873c708970b254bbbf70fb831417479a92cf6

SHA512
9e19ba2413c99e7b77e45b43cf3c2c9541589d9d282d4248b2b15dc434f4797abc19a0a43045e1f87975941baee58ca06443fe6b304ac989637c4371a5223f4f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
98dded1987fe147727dbeab3b07bdab9

SHA1
95e1e2af60b9d425975b9806e6ccf95840817f50

SHA256
11162a450bc9ba0ec57e33c5a066bfafc00c91836184d7797a34aa5228d2b5a4

SHA512
e9d4821c4c15f9db5ee87103dc70a3a922d57c41b28ba6aa05c9467babc8e167129dd36c1f1c0292931738836f0d1f399caaf06b4719675668b3e9288d882af1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
bd287172232877af948dbc7e37f900f2

SHA1
055305fd7e8a0718ceecd61fac9e6544fa921a67

SHA256
453122654df4a5c9280ee162bf3242d0bbbb70233390a376b14cb3ab11f4af53

SHA512
bdab869798af3eb3ae2203c5820cdb118523d38a76989268aaef74ae1eac73a1338c8bfe059389e6b14867ec4c5960b2e2ef5391c484aafa9a4b1878a0bcfff2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
7fb9f2d07e8eccc2df7e3245eeef6105

SHA1
e192ba8659c406a027c06f3a8c09f254d858a559

SHA256
9a9f798715141f8b110d59cb075d4d65fc085dcda2b975bb265e2fcd7c702e56

SHA512
3b303b100af7d3583ecc3a7bacfff9818fb0cd53ba9f8249b113f14659f2252c9fd4f0a875a8e1d1b53b75d1f0fb8f3f2b0256c55633278249351401f4d59932

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
bad23a609ecdbdfc77c1433adeedee28

SHA1
3cfb5204948d622f3869b8b40980d0404b215884

SHA256
c88233bf4821943978f54696b1dbc33fa70b3f1efe3f056f9afdf2893208415c

SHA512
d34717936937fdd7f6313b10075a4c00da33c30496106149a21d530e7ed05f75986331a2bed2acb99f5863b097cfdd79f9d50f42b6781a594aa161d877aeb770

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
2e3ebbdf876ae5b157b394bf52d30211

SHA1
ae483c2c4ddf2ccfce0c8e2093512e8ca0c67859

SHA256
95d7b1d75b4f2d5bdb62d44ba9c6b786944f5ad1f21d745dd471736e4b25ce9d

SHA512
cd259ae378c2f6850ad0558f068e08a3f6749dcfb1526201b9db150f2d88ab41a0cac9363dff916d936f62dee73c674d515bee7297dae4833121c277f61bac4b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
7b2172d07156e8b9a60113833774bd9a

SHA1
e041a148b413252dfde183e9ffccb943304adccb

SHA256
5c5ab46647e5d0ea9ada822f43e130cb3e46d0343088a8a06808c2fd2be7ba2a

SHA512
43384f816fb762d07e5a24f2b9cb4c70cba790f444e7112cc3f5911d99f1ac74b0ccfdd9c0efe36ead4515cda6c2dcdca077eef2ba89ec8848419574cab88c9a

Download Submit
memory/2064-244-0x0000000000B70000-0x00000000022B5000-memory.dmp

Filesize
23.3MB

Download
memory/2064-39-0x0000000000B70000-0x00000000022B5000-memory.dmp

Filesize
23.3MB

Download
memory/2064-124-0x0000000000B70000-0x00000000022B5000-memory.dmp

Filesize
23.3MB

Download
memory/2064-320-0x0000000000B70000-0x00000000022B5000-memory.dmp

Filesize
23.3MB

Download
memory/2064-12-0x0000000000B70000-0x00000000022B5000-memory.dmp

Filesize
23.3MB

Download
memory/2064-30-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2064-302-0x0000000000B70000-0x00000000022B5000-memory.dmp

Filesize
23.3MB

Download
memory/2548-47-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2548-243-0x0000000000B70000-0x00000000022B5000-memory.dmp

Filesize
23.3MB

Download
memory/2548-319-0x0000000000B70000-0x00000000022B5000-memory.dmp

Filesize
23.3MB

Download
memory/2548-38-0x0000000000B70000-0x00000000022B5000-memory.dmp

Filesize
23.3MB

Download
memory/2548-301-0x0000000000B70000-0x00000000022B5000-memory.dmp

Filesize
23.3MB

Download
memory/2548-122-0x0000000000B70000-0x00000000022B5000-memory.dmp

Filesize
23.3MB

Download
memory/2548-11-0x0000000000B70000-0x00000000022B5000-memory.dmp

Filesize
23.3MB

Download
memory/2548-240-0x0000000000B70000-0x00000000022B5000-memory.dmp

Filesize
23.3MB

Download
memory/2548-144-0x0000000000B70000-0x00000000022B5000-memory.dmp

Filesize
23.3MB

Download
memory/2976-241-0x0000000000B70000-0x00000000022B5000-memory.dmp

Filesize
23.3MB

Download
memory/2976-0-0x0000000000B70000-0x00000000022B5000-memory.dmp

Filesize
23.3MB

Download
memory/2976-21-0x0000000003800000-0x0000000003801000-memory.dmp

Filesize
4KB

Download
memory/2976-128-0x0000000000B70000-0x00000000022B5000-memory.dmp

Filesize
23.3MB

Download
memory/2976-24-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/2976-4-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2976-1-0x0000000000B70000-0x00000000022B5000-memory.dmp

Filesize
23.3MB

Download
memory/2976-300-0x0000000004380000-0x0000000004381000-memory.dmp

Filesize
4KB

Download
memory/2976-32-0x0000000000B70000-0x00000000022B5000-memory.dmp

Filesize
23.3MB

Download
memory/2976-203-0x0000000004370000-0x0000000004371000-memory.dmp

Filesize
4KB

Download
memory/2976-303-0x0000000000B70000-0x00000000022B5000-memory.dmp

Filesize
23.3MB

Download
memory/2976-114-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/2976-138-0x0000000000B70000-0x00000000022B5000-memory.dmp

Filesize
23.3MB

Download