55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

General

Target

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2960	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1904	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe
1904	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1904	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe
1904	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2960	2212	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe	28
PID 2212 wrote to memory of 2960	2212	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe	28
PID 2212 wrote to memory of 2960	2212	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe	28
PID 2212 wrote to memory of 2960	2212	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe	28
PID 2212 wrote to memory of 1904	2212	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe	29
PID 2212 wrote to memory of 1904	2212	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe	29
PID 2212 wrote to memory of 1904	2212	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe	29
PID 2212 wrote to memory of 1904	2212	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe	29

C:\Users\Admin\AppData\Local\Temp\55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe
"C:\Users\Admin\AppData\Local\Temp\55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe
  "C:\Users\Admin\AppData\Local\Temp\55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2960
- C:\Users\Admin\AppData\Local\Temp\55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe
  "C:\Users\Admin\AppData\Local\Temp\55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
9d007011891f8ecae8df09f367324507

SHA1
a7701407370d3dcf2ba103a6a7abda8c7058bc9e

SHA256
e1dff2bd65064411c1fb5b279c22ff0a83aebb8780e6990f5a5d104b96492bd5

SHA512
f652ac037683b832c03752981938c7f8a19ac8e695bbe3348b6c68b4e58634ea0925dca0d215a9c540405ec74e0d3314594951967a6df8f20794d758dcbbbf01

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
919d083ebe5a47ee5b53ebd0f12afb4f

SHA1
5d12de72e422e4fc80c43a7b1feb695a85585292

SHA256
61ce8e9caf0fcca94a726714885f2810bee1502d77d4639da888ab417dab9f3e

SHA512
230dffa0140f56af8ef1f85991627ab627d524eb78f86c6792e1725a54d3910f94bf8e8c765876803c6c38ff8c6099f811b4064e01cb4b57ce98eae55462629e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
367B

MD5
19cf46b29f53ccbabdbee76f6e77b24a

SHA1
d60ec8f74c1e3059d4ec2d0a2698a6c5b492831a

SHA256
8a1e247fc060e6e160e9054208aec43f60e3d3d040f43513bf3b37289619ff93

SHA512
a441db980b8ee3e893b025662fd6b7d57d77504dd1e3455cdd8076bdaa1fa3df7dacf50611fac52c3d8f44d31909cc5ebb72ad3fcf663db064d8e895c3911491

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
9ea86f2026fec8a8a3634485fafb57ec

SHA1
68867972919c958d72a34aff55f426ed36d3e139

SHA256
210d5a1c5c222a8820e513ae9ee0f7ddd286724e492ae393adc41f9ba49a9587

SHA512
2ac5f209cc0e1540baf6e9ed5a18134fe27d51d267692e6907b71fc2b7a131c27206cba2d0d893b6236c02b372e23e98bfd19e571998429dd090c33dd4d7d2fb

Download Submit
memory/1904-35-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/1904-12-0x00000000000E0000-0x0000000001817000-memory.dmp

Filesize
23.2MB

Download
memory/1904-52-0x00000000000E0000-0x0000000001817000-memory.dmp

Filesize
23.2MB

Download
memory/2212-1-0x00000000000E0000-0x0000000001817000-memory.dmp

Filesize
23.2MB

Download
memory/2212-4-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2212-0-0x00000000000E0000-0x0000000001817000-memory.dmp

Filesize
23.2MB

Download
memory/2212-23-0x0000000003590000-0x0000000003591000-memory.dmp

Filesize
4KB

Download
memory/2212-50-0x00000000000E0000-0x0000000001817000-memory.dmp

Filesize
23.2MB

Download
memory/2212-22-0x00000000037D0000-0x00000000037D1000-memory.dmp

Filesize
4KB

Download
memory/2960-26-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2960-13-0x00000000000E0000-0x0000000001817000-memory.dmp

Filesize
23.2MB

Download
memory/2960-51-0x00000000000E0000-0x0000000001817000-memory.dmp

Filesize
23.2MB

Download

Analysis

Sharing