1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499.exe

pid	process
1196	1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499.exe
1196	1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499.exe

pid	process
1208	1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499.exe
1208	1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499.exe
1208	1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499.exe

pid	process
1208	1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499.exe
1208	1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499.exe
1208	1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499.exe

description	pid	process	target process
PID 4684 wrote to memory of 1196	4684	1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499.exe	1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499.exe
PID 4684 wrote to memory of 1196	4684	1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499.exe	1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499.exe
PID 4684 wrote to memory of 1196	4684	1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499.exe	1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499.exe
PID 4684 wrote to memory of 1208	4684	1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499.exe	1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499.exe
PID 4684 wrote to memory of 1208	4684	1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499.exe	1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499.exe
PID 4684 wrote to memory of 1208	4684	1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499.exe	1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499.exe

C:\Users\Admin\AppData\Local\Temp\1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499.exe
"C:\Users\Admin\AppData\Local\Temp\1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4684
- C:\Users\Admin\AppData\Local\Temp\1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499.exe
  "C:\Users\Admin\AppData\Local\Temp\1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1196
- C:\Users\Admin\AppData\Local\Temp\1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499.exe
  "C:\Users\Admin\AppData\Local\Temp\1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
880712beca502a12b1f67811ec9f1127

SHA1
06c89ffa7385211b747185e99fa1cc17974e2e13

SHA256
1f4427b3b742c84ade3c81a8cda90786f9fb20af1e5e0053d780a0cbfc9b37d1

SHA512
3c2e309a8cb04a50b3c08d52f5252092bd2044b859ff4ec896395926fc8d21f4636e1bae94beaf7ab10f736af5dc201a0a07765eb31fe3328a8a358288c82503

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
5a8848211c4754ced6bd01c949759c0a

SHA1
d5d18cad4ee556d46560d42ce04f3f25d77bf5a3

SHA256
49e0b570999b17714abb8af071e043e8a0d58bbad3cd064ade1d891a3d741de4

SHA512
aa5b28ba1b90e1052e27cb695e53227540ad9b29d7dc70d782f4732004dde51f5c2a1acc4452f6573a91528e0a3dfb138644f19cb0995b5345c144f54be8868a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
0ab845d0d4cc74402e81091fce050f28

SHA1
d19d67ae7a44f97303869281023e213d0a002c54

SHA256
3fc9ae57fa933454072d366267c0f7ad821e006b7585ea5aebc0429782b94af7

SHA512
75e81ad53a794aa87a036e7c5d7cec7ffa3f95aafbcca585a5f793b50687781b5fbd54f8502ccab475a191b93e7648811d284987564c32587561c34a809e06d8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
2db491ab105a68168aa9160a26fcdb74

SHA1
8bec4a315f91cc658a3c02ea6ca685a1bcfb62d4

SHA256
701f51dfb0c357bac13b275a0a9114d4d009c6c07d999573f548a9a6a6b0b769

SHA512
5ad990e623824f9ec9ae15bc94c3337225a62e239f073960193217c1c2ed344a84b01a41de2f6ab3e5334115a3f317275c69b1636b874b1853c8a37f5da73877

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
701B

MD5
637cf25d416586bc335b071ce7cfbbab

SHA1
732a209c624b13804baf5d55a7a3b46166f3cdef

SHA256
d3161672d2ab9c46630e1ec17dee866f754ad21917a035eb18dbc58ae95c57bf

SHA512
3e16a4c165300ac15ea4c1f04817afd580bfa7399e98d8bc141e6a6cfbd940196c935f2cbbb67f4b07dac90d062dea8df93387f9fcd1d975c108b6616d71d734

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
758B

MD5
64985b0749bae01ceae9c07c4593bbce

SHA1
c0f519c0434553b3a4cdad2926bc8f8e7c5a582f

SHA256
dc7ded62b1849d1f57cb7dc6c2a1ae64da3d508996a98a7bd84c86f735a2f495

SHA512
a79517b7dc79f01c1d99b82b06471596591a2a26500f5767307fe884923e5480b7d490ce2f0336ef51d2c238bf98b58e8f9c58265487f49b0e11984cb2c42a8b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
2e04bdfe090efb23966526ce3ec75448

SHA1
0eb58f835356a5c67fdd4aedcfd29a5ad5650058

SHA256
e00ce82d0de2d71090ecb3727b432e15383967c602b2b7aa0e14f3c80eb2d61a

SHA512
fad73982e67b63e2e6f1599a5f584bce4bdd18fe248a2808aa3d1b0ad965e6e4f785d5e7ef53fa2056196114157e0d45dc53dfb3d5cf3259208295cf3bd1e9d6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
d579348b23e8b3ee4d9c2456e0b864b3

SHA1
34b31fcdfaa43fa1d076ec88da89c7c0c9dec329

SHA256
b35b3f817e22cbfda847817de5285d24017079648e92030c3a60f3d4a5e73330

SHA512
68fbc6ea05ec6050845aa3548128cbdeecb73e95ac1eb66224e648ab92d8101de4ad219984ba00d6e86e5542b11ea7961bea4905ec31232e4005aee0d39b668d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
68c3f7a59d38f4190542a5dadf0d6110

SHA1
8cfa1cfd68749eddd31851e7a11a6b0ad8eb6e38

SHA256
b3d5f6e722887c21cacabb1122b763afff20f8f82be943c8e4736ffb9e2b2da1

SHA512
802d044ff98e86f3a604f940db2a04b853d0ef23bb09b69bc2948146cded0f692eaf9baa609c832b4d01768b7cf151ae316cc29daf15d2ebfb2c8b0da5167c1a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
2ea3dccaf320b6836658a17293404504

SHA1
6ea555b6ddd360efc4ee5f1135dba49acbf8ae86

SHA256
26bae0f3f7da227a65872bd47866d87296a375b6cb37966c0c6db33c73aba903

SHA512
8a86614833d694a780dfc98cb9793dbd47502cb2bfa8e7f3b858f121f6b48002b054f7afa59242b5f523e934feae60c7920813d3f562097084473dc2931dd641

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
1a69c25ab171a0286550143e6df55b20

SHA1
2952f9ca82957fb32b695edf201c226eb9c371dd

SHA256
f8801ea04007e65f931db80b2a586d7ce6ae93a15448bc20480bceb01be3e55d

SHA512
67ec9c7063109e551d47d1fc6d17e831afc6cbc125f28bcb1a2b41a30a468a7e85158d26fadb33aeab909de7ebe4031854c7608fe3c408cc807d4b02b893cd94

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
9530104354848dd6928890645510d55d

SHA1
261839b6304c6071a99c13d0dbd55aef9654c1b2

SHA256
7fa1bd69b39643d55b096cf4e30ecb89a1124d019215184367e8a199393e8be3

SHA512
0623f55abff099d04e4dd9a92c678d0039bbf9c444a495c56cbd94e235b1bf4c6744970b6c21f2cd72b74fd6d1bfb600c80d98871213da5a5d35b1b81835643b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
7773e3d9bd41251a736c62b95db42eaa

SHA1
1ef1a02ca8d059d4e3a26b6dc4a3d7a8b1c1490e

SHA256
6da2bba1dfcc7a01d97068d740763e9bc339b5d84ef077dba5a0c9ddbd449995

SHA512
6220fa53df719bffdfcbe0f0aea22951954ab6684e67d8377683614c116d56b065f1bf1abedc5236f14f847a35e11f02c2ea523acd5f2aa3693d9bafacd6bacf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0bd514533c5d2ab80dbccdd95c9f6d60

SHA1
e43ef656806429546cf7c02a14d5e4146bb617b2

SHA256
046b4e46eed5fadbc10732e017fae692aa1cb36b8de3e4c5a1558e773833fa16

SHA512
ace81024a2b1deff88f790b8bdfd3a0e9bc3dac4805001fd30eb814988e5ce205a8ca45006ce96cfae8332bf4b6ce1e8a0f88788dac113243ecadb5ac09aa75f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5f13d217e3bba02baaa33b8c1f014cd1

SHA1
7da01d9615aec0f6563ee86c584f3a89ea765815

SHA256
1037307229caf12696ec51ff8074ca87d2b6f6d064dc2941eb7fc7fb5c170495

SHA512
03349ac6bca1f0c7daa7dede879fd26273596c3d95de897bb10dce56ddbcdd3dfcbf0607b7c4b3746a99e83a9ebddaa31fda7d147b6e3701695cd7f17a3b7d85

Download Submit
memory/1196-12-0x0000000000F50000-0x0000000002699000-memory.dmp

Filesize
23.3MB

Download
memory/1196-221-0x0000000000F50000-0x0000000002699000-memory.dmp

Filesize
23.3MB

Download
memory/1208-13-0x0000000000F50000-0x0000000002699000-memory.dmp

Filesize
23.3MB

Download
memory/1208-11-0x0000000000F50000-0x0000000002699000-memory.dmp

Filesize
23.3MB

Download
memory/1208-222-0x0000000000F50000-0x0000000002699000-memory.dmp

Filesize
23.3MB

Download
memory/4684-2-0x0000000000F54000-0x000000000218A000-memory.dmp

Filesize
18.2MB

Download
memory/4684-5-0x0000000000F50000-0x0000000002699000-memory.dmp

Filesize
23.3MB

Download
memory/4684-0-0x0000000000F50000-0x0000000002699000-memory.dmp

Filesize
23.3MB

Download
memory/4684-220-0x0000000000F50000-0x0000000002699000-memory.dmp

Filesize
23.3MB

Download
memory/4684-226-0x0000000000F54000-0x000000000218A000-memory.dmp

Filesize
18.2MB

Download