55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
593s
max time network
600s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2024, 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

asd.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	asd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	asd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1420	asd.exe
1420	asd.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2848	asd.exe
2848	asd.exe
2848	asd.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2848	asd.exe
2848	asd.exe
2848	asd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 1420	2740	asd.exe	80
PID 2740 wrote to memory of 1420	2740	asd.exe	80
PID 2740 wrote to memory of 1420	2740	asd.exe	80
PID 2740 wrote to memory of 2848	2740	asd.exe	81
PID 2740 wrote to memory of 2848	2740	asd.exe	81
PID 2740 wrote to memory of 2848	2740	asd.exe	81

C:\Users\Admin\AppData\Local\Temp\asd.exe
"C:\Users\Admin\AppData\Local\Temp\asd.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Users\Admin\AppData\Local\Temp\asd.exe
  "C:\Users\Admin\AppData\Local\Temp\asd.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1420
- C:\Users\Admin\AppData\Local\Temp\asd.exe
  "C:\Users\Admin\AppData\Local\Temp\asd.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
730c095d611809e10b2cd7ba299a63e1

SHA1
e8817079e7134709851ca8993ce72d641e9c2b7a

SHA256
fd6673aaec2d5da7d29ea15175fb2d3decea610c47a66aaef58ec2e47199e603

SHA512
2ee0ebcbe90f827c05c19c719cf4c543a28fde9fdb01c73f2df2c4d13d6435f6d39f268f5808f1fee7b7b85144fb5119e9f42e98659b0eb2d18a4462aa8240e1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
716f95797f49925ab36c26a5f5888e25

SHA1
baae4c7ba6afb0bb7d838cd45a4f2043f1d6ad1c

SHA256
7ed72576833104964c7d230a0be71e24f03a0bc20ebb14074a60efc72135fcc9

SHA512
6ce96de5bdf2babdf9cea9b000a5e3b24728ca1e67f28d825e4561d30217b50c3b77bd21647dc1065311f5174f0362cddc60c137e07e5ffbfb7c4b07e28ce47a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
cae87b323b5bb254151b829e6a2ef64b

SHA1
54a336fc4e32a7764b6729c8b9d42ee222e2306c

SHA256
f89d60948998b8dbadcc17858eefe3a166ad3f1e1e1f02157cbcc4375a71f013

SHA512
40e2e5128368689446aecd380f994f7dbb9253dae4956b2f5de1c4ca0dd288a0bc9d1cfbf8cc960c7ac7bdba6b1b8312e24928a5f3f53202a3ed931eb5604ba6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
24d4527a62bf3873273559db1542190a

SHA1
ace80f7ec2f03530963882ca340f1823960f4af5

SHA256
fc4c8e0a015fb253c5df5de9b1b904f00d17a845d397563228c1eb42deb61f05

SHA512
5226a7a59792882227ce33974d34119f9eb579391518e166d493df0b7da4f35fe7732d83f2b18acc8222c084f1cfe7654387a316a5162735a6b402d298dc0435

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
612B

MD5
4453effc640d296f72a5c58829e4046f

SHA1
f004a3011bc8ce2fbe5ed55e26417d100d68f040

SHA256
3fb5af0fd1684ba61a8b0c3706859b5f88438d34b4bb343a3ac762dbc0bf1577

SHA512
7d7daa3b471a603b76a728eefe824aeddff5b9bd1d09c6f367df876638360972c8622559ae0d82a2a207a791100addb2ec2c1f17cff3492ba98034cf029a9b92

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
669B

MD5
ce37184b42210a60887f61c338eb80f7

SHA1
3b6feaed491391da778cef1131ab5904a29918c1

SHA256
2208f81b5d285aa2016df6f3e81a12ef1327fa5482a6449c85218e04cf3f2413

SHA512
6f1a33a9dfe4b61eead8e945029aebabe7790cec9a5eac53f0a76d84a7c72379b761e4138f984ceee43be76fcbd6cc3e0e9618dbf86c306d7b35fefa7446f3ec

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
738B

MD5
a6d7e685340d1d9b7eef00b521c736cb

SHA1
a1f0fa8ae5bc43103a92e77ab22a54cbe4ee4a8c

SHA256
a1c7bf3bacb2b771c7ee565ee2709c58be2314c3a46d499d6f9f80655a0fbd04

SHA512
4686535696f9c21f207524dd6e9bab5e4c2babdfd902ed85c3ccfc4f41950ca3f538e6d6f3ad462955feba0c0c575778720a7ca6963ca39b49ca34ab50cff556

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
1c208b52f84db486717bd51d69d513cb

SHA1
254fb5869ccc5e24b1a2b02902b2d9f462537814

SHA256
69d7be0572a2d095c83a4cccf22b360ffcb79e04cef51ee89a0e2b570274f02f

SHA512
c86ba8c5f423ee07054028f41b2d0323acb6a567bd87a998fbea48a80ba312b7bab342564e061e78b4f9e781db7f69c7169822f16379a4d1667708874ba486b9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
f36f5d12d41c75d5a85362f0025c08fd

SHA1
e2ed2214402097123ea22b15209a142981b07d77

SHA256
10c7c49be0a5c483c37450936502d85c1ad702637048719bbf5b39f265b2e8f1

SHA512
66c00cc2c3d18e8c0766452b707c4e70c46be6ae6ac8cc92a7028d4537cfd9edacaadffb81e52fd7d9fd97bb8cd4946851c80b696fade74bdbd809fa58e6d611

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
0b735b4655e6b7d7399ec1282a8141d6

SHA1
28d849b7e43089f44c1b44c73922f71836a4ece8

SHA256
35355ac7ceb6afe8d9f5122f78648f4b750237e623653c065533a3f42e703444

SHA512
2ff36da1f41df6897e1b29dd8da14868fcacbe4af6aa8a5b02d19f2b7f2edb60f335c7f33e76023fbee59de688c6efca6afb5b8ddc2df66f8f21721f5487132b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
146bd20cb5671d1c1fb77157587cccc2

SHA1
301a74ab1d1215ee8e185ccca81810a6b47346fd

SHA256
7535f572c0a3c5dde8782027b4b1c92c5796472a2ca44c9c8aaf36f780980207

SHA512
975d422e83de79c9cc827535c82e5baa60addfdc8ae5661075940f08dd8a7e5ba9c7034e4c3e6dba014c124c778f0942491f74d6e313403139bcb05025941867

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
8090deafe14a999c5c8db0324a9f040e

SHA1
9085fdd33bd0f517e43c82c74ce40db64a3f6210

SHA256
931bbda8bceac7f663a47846f7122fece93e40ae5aaf5f8b51f62abe1e9d2748

SHA512
02e888d5fd1456c55af52b1e0443d1d4952ec8bddb64b7d672db2dd5b1c29832a6b905087734ec93287e7ff0f360b039958484eac54df1a2d250b7ab5f8eb519

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
e2e9b4527e52fd3c6957007e5aa3c32c

SHA1
291670d0b815be6a5524dcd3c340c358088530a4

SHA256
93c32f9d7cc1191a99e0b022c0d9a2e25dbb0ca83df0c0b28f28f0bfb7352ed5

SHA512
f5fc8728e3c015c645949ff62d91cc700ea7a98065476295c7ccba16e95afb4cc19b79e5d394cc71861546a53b825196d921876f2b035e3979d2f91f3ff03ade

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
1590223af96d033a5abc352e4a6735f2

SHA1
d7f72a3b654d3796f84299f552772ac8b3973e6d

SHA256
7f347a8c34141b1ae4fba5b98e4d351268eb99c47fd153e4f5f132587df11bb0

SHA512
0f65c98e0b34fb70c01ed0e7edd698222a26345dcd14256e12ba34211d06ed4cc8395c267da5f94981b9ce980b3174c9ffc9f6d85b2a37fb422e4f17e8a44f4e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
3fd1dd88ca1887cd3497bfd1507e0a03

SHA1
adaf92a8fee35fdf8d83684a988093f0ebf82480

SHA256
8e0285041112b76feb0711474d61a653729a1758ca3058563e72a46d1ef30363

SHA512
d22a04915fe185d1e81e3553e320ad8fb1485b6d4e1b6035bd2054837923cd66f84279b34cfafae4c81cb164a643f466a623018f8f5537f329e83f7c5c0376a4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
0444791695949908c88dd7b7483b48bb

SHA1
6d4d933388ffe64fc586e08466daed828416ae7d

SHA256
7c8d17f0e709ca9f1ee73ba654d027d742288a6ea0b6498f96216308eb6e59ed

SHA512
2942370ba4159e7ef7c63425739c09cd2a5fa310d2507c2fedb88268685455f596d301429464fe4044bd8132eaf68d949639aed08b9dabc06f612e8355533a5c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
fe2fb369097cb7acfe1d5f9783664046

SHA1
4a50b3ed76116e7a58e7c0e5e0e29e810f86babf

SHA256
06426c298b825359bcc2c70d71b5e214a58ad0b4d6d426a60bed7bb6c6753b6f

SHA512
00ec9ea26aef04ebfd035705dffcf597dc339aa0a9445452f1e1282a769a14ecaf34173aa67e11eaf50d65838574b2e0f323e492a3091742cf100a01d951db45

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
33a51b3b0e5749fe5cfaedff55d5c0c1

SHA1
a3b80fb41557ae7181f20b89e024551b600908e2

SHA256
ccc41c0bc6e969307a5e5af9cf2f7bd4997899318d4ef6bfe070cb91c4def360

SHA512
03dc9fbce84356e0af796cb8b1b66e096a18f83fac7b8926d1a74700929d90b926bb9b06697fe6c7ef637a19807361a5b59d2703152dfb72c7b347d08e1b5aed

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
95377c2b22bd01c002db6debbd7fbd2a

SHA1
a1b3999ad03fd11b5b77c68c11697574d5c0d1f0

SHA256
105b5865699be1569d412306a038c2e6b6a74c92f311d6e1e04a19f032ca0d65

SHA512
6a2875153c0765252ce4783271929a211b54c1a6377a33f07cfe62195331893c01bff8e5f16f8447fd584d655f7e3d9817ded212ece52ab910a23ade4e14e202

Download Submit
memory/1420-11-0x0000000000A00000-0x0000000002137000-memory.dmp

Filesize
23.2MB

Download
memory/1420-227-0x0000000000A00000-0x0000000002137000-memory.dmp

Filesize
23.2MB

Download
memory/2740-8-0x0000000000A00000-0x0000000002137000-memory.dmp

Filesize
23.2MB

Download
memory/2740-2-0x0000000000A04000-0x0000000001C43000-memory.dmp

Filesize
18.2MB

Download
memory/2740-0-0x0000000000A00000-0x0000000002137000-memory.dmp

Filesize
23.2MB

Download
memory/2740-226-0x0000000000A00000-0x0000000002137000-memory.dmp

Filesize
23.2MB

Download
memory/2740-232-0x0000000000A04000-0x0000000001C43000-memory.dmp

Filesize
18.2MB

Download
memory/2848-13-0x0000000000A00000-0x0000000002137000-memory.dmp

Filesize
23.2MB

Download
memory/2848-228-0x0000000000A00000-0x0000000002137000-memory.dmp

Filesize
23.2MB

Download