d67ec67aea3e158c8a167d39329491e56e6fdeb5f52c941767624287d5cf6128

Analysis

max time kernel
1800s
max time network
1794s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

'.exe
Size

5.1MB
MD5

863fa58aa1fe8a88626625b191d4722e
SHA1

e7fb4bf69be5ac4583c0c02e26a17bd3cdef4c02
SHA256

45126297c07c6ef56b51440cd0dc30acf7b3b938e2e9e656334886fe2f81f220
SHA512

ffd3bf831e8f0dc605706075a9763c68552f6560aa8660d7993e5156f64032fbc4ff6134fd333822e3090fb863cecff9e463316a8d9c3150152b73f8377aa2bd
SSDEEP

98304:m73/fXBy7vaQfw2Tx9ygyzn00+IQFikLo7ANSDkatVVoj9dU5UywL:AHXk7yQpxy0LEAADkahowULL

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	'.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	'.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3748	'.exe
3748	'.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2024	'.exe
2024	'.exe
2024	'.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2024	'.exe
2024	'.exe
2024	'.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4032 wrote to memory of 3748	4032	'.exe	88
PID 4032 wrote to memory of 3748	4032	'.exe	88
PID 4032 wrote to memory of 3748	4032	'.exe	88
PID 4032 wrote to memory of 2024	4032	'.exe	89
PID 4032 wrote to memory of 2024	4032	'.exe	89
PID 4032 wrote to memory of 2024	4032	'.exe	89

C:\Users\Admin\AppData\Local\Temp\'.exe
"C:\Users\Admin\AppData\Local\Temp\'.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4032
- C:\Users\Admin\AppData\Local\Temp\'.exe
  "C:\Users\Admin\AppData\Local\Temp\'.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3748
- C:\Users\Admin\AppData\Local\Temp\'.exe
  "C:\Users\Admin\AppData\Local\Temp\'.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
4KB

MD5
c8f8e89b8870c43c52b4560ceeb35918

SHA1
926c90e0deb28455619510379d86cd3ed9e9a7f4

SHA256
8355a72e4e52cd1c7817b162077a1c1f4bc25cb07a851e39661471a6cb677ee1

SHA512
a89df10f4052dd82b0db948ced4596c188481b4f67ee70b938ed1cfef0a78c67971b84f78efdf2632081214651097d15d37d9ca4b94eb5e1d01d35dcfbe6bd7c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
415816aae208227eb796cc7dbf9791c1

SHA1
199bebb022ae611725509083e45024b378f58ac4

SHA256
32961dc86bac5b48a30767c109d718a6a987ec2d78da306401cab5a3c1defc1d

SHA512
8ba314896f527d0608f39c1f77cb471f118078aeb87fe875c3a33e594d0c1433b4beda88e281f7d54652aafd924531a55b7bb542451883d97150eccb3710be88

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
7f83d2db23a22b719e7b7ed266f8994f

SHA1
784c6c3b269db189fd78f3306f46b7fd73a6da03

SHA256
ff7a5533db3e3c13027c6276b1edf0acfc4f3ca57a539e4c7423b69dcc7bce56

SHA512
970f3012f83e0b03c6503dc19b4f977b65a820a12910b0e68d177ddc583bf7328995982d5f5eb4f259f0734e8e65a9984a0dc6b7aae37fc293693c8b3011919b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
612B

MD5
8c4c58b162b93a342ae19ff78d5d69fd

SHA1
04a88e819b3879a71e2847f4c281041e8702996c

SHA256
4128721500050307a51de0189b558796aa5e5a5eb0252f67883e5529f2102c06

SHA512
6af75668001649a5316b53b1dfa26ee0887a8d1e0896cddfab8f9fba65b1291ccdb3201bf6ef3fe3156fbdaf2518ed084923ffea89b5e1de5fd576f2537e4f2e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
1ff44226dbc66fc746a39500a1cd85ce

SHA1
d25317370c70a6ddcf039612ad6662a24e6343b6

SHA256
e112e50b99b814e8eea9ced511152bbd7bf5f6edfb0f4177bdc84eb5c8f6c6a4

SHA512
3e9233189fb33e7c9f2c381fd4aeaec1cd5b26c7d52ecd988397916606e6f6a69b8bac6e06fd123efc79bb3ef9926d1d3a70c4ce76bb7481fff8f80ffd4477d7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
52da465b2e92b36f3dd222d2a165e6cb

SHA1
7eabedb70f5383e678f8997db39e063cc02eb52d

SHA256
d3aac189168733bb61e351f62373d5fd4e9460c9d60c2e37a2a603c73071b78e

SHA512
428ad28aed94e9fb45d7c848fd08724716a363a7ddd6df929f4b3c626d4d68791f6b395c2680c250c7f78df033c886ec64759fb4f8a04fdc31173c97ecf6fd44

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
cd8e7d0354b84b959d6722ef3ce9f670

SHA1
00f416cd5c51c8a8fb8ee525597095e56eb73e96

SHA256
dc728867ad6a384c4aa0e38d8164fdfd88e450f0adcba2f7a4959f78806ffb61

SHA512
81e73e4cd9bd5f37ef7d05eb1f4e873342d185679ca4520bb0125c26f4b7aebb52bc7cc75df474d3a0211dfef2313f09f1217700c6d31dfe9193d829e8e064eb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
69e885690ad7d03477f0b3165aea7f08

SHA1
2f2c5eef0f566362be5c4fdad610c6d9b2e0f217

SHA256
6ba7e4425c57c91e7b18cefba78e541052669deeffe12e1fdc875c56c0b7fa99

SHA512
5f2a73b86059be5544ad1fd71df8ae4383c1693102108a0fd7cd2130294d231c1d151d446e5443ebd0d63228e388c3c10078de4d405e3e2dc78e69018c788ef4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
8f60a524285ea08162602b299baf262f

SHA1
5973e3301ab3eef02259cd53554b7d7e1f66ca3f

SHA256
97521a83a5dbe14f5975948f8e22e4fa651490bc0f9cf7edbf498f3de1bdd18d

SHA512
c676a35e2393f35e3aab09e231ea815c45fee2ab2fbe7833778046cdf041b958d0ec93e9d452ad920225962d86b9c95f7527b34e1e3bfccfd44355cff3485828

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
b1a57c6bf40f41a5cafba2495fad6f3e

SHA1
099abaaa1f2d0602348493dec0df39d77664484a

SHA256
d0f2cac5b806672308588376786a34a9e172c4a06c60504b2bce389cabf41a0a

SHA512
f74aa5cef339473986b3fb2190011aebfdad034b21c83350f64242a73b10e45ad563fa522e2df0422db186d86da433757c55bad2d415624d79525ff4f22c83d7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
131e0212dc994e51605a1b92bec95e7e

SHA1
ce0f99b6fa23a2d378c2d9707283f25c423e0824

SHA256
13a01e97ab325f338c42b8ec55554b8d27333d72e01fac97646789498354b990

SHA512
a45f0701b12d21ddc1f107d488db38bc6c02d78fc15b40bb801a945e9b776dbe5bd5233d5a7670bd841b8ec80d5debe952cc2c5eab1e78f6f14120212cd0f33b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
ca4e0229f211f51fa8a3e5736690c53f

SHA1
07ad2f8645341fc2fba0d47a26d0dd0708e247d5

SHA256
e21963f69a4f35bc340b48760213c2c433a9b1f2d4679cff50eca07f4bed9a27

SHA512
1d7cc8b6d4526666e9dc72c41d3d8be58b4974f97c6827fa33b081b64819ef49ec0ce7164fd14f6b63c6a966893b057c2df90c13d5ba7549a003785f0164b10e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
93369ad12104c452b24dc3f6217c8edc

SHA1
1f9b697df89cd0ed5a172305a8244211832593eb

SHA256
a224962758546cee5c9f456280e1d8e1da57360cf5a015eca5d38a1255d19bdb

SHA512
10f199c915debf9e361461da1389614f1fbb7868f625545b32f39ea438ea7cf94f848eabf3a6d205f55e6f1e46cdbc5d578cb693e620d5e4cec0c541919f7711

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
565a56f7bf43a293d396b7b6560fde02

SHA1
29b470826286a7885f8407a24938eb1284946ab8

SHA256
e11fb53bb1882641386015f792f8d1c321d13d1f9a4bf001cdef913cf25a387b

SHA512
df32210bca00205b4f3d6769a2be79d218e5018d5f56be323687ce7b58731130d0c33f4e42a958b3c7b45eba6fbd587cd05d9e43ebf8f1fee0cc7ced1006710a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
e04651fbc17cd558151ff4c5af34bfdd

SHA1
8c279619804d26c56ceaf788cfe7c26a81a5277d

SHA256
1c851670bf60b5e236e7fea8ac1b67a3a86987405be639045f67eab2c8f4d727

SHA512
2739885ad8d05ec5644d8a0d30dcceb46b383a2297985e57b24738eae102484aca34d085cf93fa14a79a5f9f50d3bbaadb265bde0642cecc6623f46e38541e20

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
8a59f1d35694853252ab25bd1e9a1b67

SHA1
0344539f850c00764780778adb7999b0141db17d

SHA256
3da2777105d91ccaf388b25c74142e46a9a67203f8577fc5003c522b0ddc93d6

SHA512
8fcd87668d6d3fc978e6c419599b47a41f5e9828c917d319c4175b09a4d2c82f926957e5204ad28d77ffcf1e54f26275ba27c27f0cc143170b8f7c91a2ced47f

Download Submit
memory/2024-280-0x0000000000120000-0x0000000001865000-memory.dmp

Filesize
23.3MB

Download
memory/2024-259-0x0000000000120000-0x0000000001865000-memory.dmp

Filesize
23.3MB

Download
memory/2024-238-0x0000000000120000-0x0000000001865000-memory.dmp

Filesize
23.3MB

Download
memory/2024-25-0x00000000038D0000-0x00000000038D1000-memory.dmp

Filesize
4KB

Download
memory/2024-179-0x0000000000120000-0x0000000001865000-memory.dmp

Filesize
23.3MB

Download
memory/2024-10-0x0000000000120000-0x0000000001865000-memory.dmp

Filesize
23.3MB

Download
memory/3748-178-0x0000000000120000-0x0000000001865000-memory.dmp

Filesize
23.3MB

Download
memory/3748-237-0x0000000000120000-0x0000000001865000-memory.dmp

Filesize
23.3MB

Download
memory/3748-31-0x00000000038F0000-0x00000000038F1000-memory.dmp

Filesize
4KB

Download
memory/3748-279-0x0000000000120000-0x0000000001865000-memory.dmp

Filesize
23.3MB

Download
memory/3748-258-0x0000000000120000-0x0000000001865000-memory.dmp

Filesize
23.3MB

Download
memory/3748-11-0x0000000000120000-0x0000000001865000-memory.dmp

Filesize
23.3MB

Download
memory/4032-236-0x0000000000120000-0x0000000001865000-memory.dmp

Filesize
23.3MB

Download
memory/4032-189-0x0000000007220000-0x0000000007221000-memory.dmp

Filesize
4KB

Download
memory/4032-1-0x0000000000120000-0x0000000001865000-memory.dmp

Filesize
23.3MB

Download
memory/4032-28-0x0000000005970000-0x0000000005971000-memory.dmp

Filesize
4KB

Download
memory/4032-30-0x0000000005960000-0x0000000005961000-memory.dmp

Filesize
4KB

Download
memory/4032-84-0x00000000070F0000-0x00000000070F1000-memory.dmp

Filesize
4KB

Download
memory/4032-190-0x0000000000120000-0x0000000001865000-memory.dmp

Filesize
23.3MB

Download
memory/4032-0-0x0000000000120000-0x0000000001865000-memory.dmp

Filesize
23.3MB

Download
memory/4032-4-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/4032-239-0x0000000007100000-0x0000000007101000-memory.dmp

Filesize
4KB

Download
memory/4032-83-0x0000000008180000-0x0000000008181000-memory.dmp

Filesize
4KB

Download
memory/4032-80-0x0000000005D40000-0x0000000005D41000-memory.dmp

Filesize
4KB

Download
memory/4032-177-0x0000000000120000-0x0000000001865000-memory.dmp

Filesize
23.3MB

Download
memory/4032-176-0x0000000000120000-0x0000000001865000-memory.dmp

Filesize
23.3MB

Download