55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4572	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe
4572	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4036	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe
4036	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe
4036	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4036	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe
4036	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe
4036	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3956 wrote to memory of 4572	3956	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe	85
PID 3956 wrote to memory of 4572	3956	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe	85
PID 3956 wrote to memory of 4572	3956	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe	85
PID 3956 wrote to memory of 4036	3956	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe	86
PID 3956 wrote to memory of 4036	3956	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe	86
PID 3956 wrote to memory of 4036	3956	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe	86

C:\Users\Admin\AppData\Local\Temp\55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe
"C:\Users\Admin\AppData\Local\Temp\55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3956
- C:\Users\Admin\AppData\Local\Temp\55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe
  "C:\Users\Admin\AppData\Local\Temp\55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4572
- C:\Users\Admin\AppData\Local\Temp\55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe
  "C:\Users\Admin\AppData\Local\Temp\55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
e30e47be9ecacc5e354e0d0965149d3e

SHA1
4631d6c5933fce5ed5bc829f7177d8d8bd284fb6

SHA256
9f34520c21d22393d69e011af943ec623d557bcc73cc6edceffab559eb8d14f8

SHA512
3b85c820046a1a5fbf3193f3091a2701aa94195df37abeb352a35568cd40a0e408ca3a4b33e907d4cae188421475feaf0f8e25d68885f7b4abb962d9d20f3e08

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
0cbd1b499c62f1609a38608a1ab9b26a

SHA1
11d09840448b02a86c88721638ba0942f8d04371

SHA256
f30e28dc63ec6cbad312d5c5a73a81298710a01c9682147bef90ff604aa95a36

SHA512
507a636e8e0a8108999e6cecc24c39de5f940d25077c76f77521dbb9374fe8bfa7478ea4590a51b3b7c664886615e2a2540fc71935977a000fbdd2276e0f7c8a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
64e111e30079f46ab39e19e614b6f1cb

SHA1
268688962dbcdbb85e873c39f5d39a48a5f61023

SHA256
b184e475dee41d1d3e861ef92ca47d8ca730a93bebb3e68180db400cf8eda5ed

SHA512
bccc4f11f86db7ca649f3af7c071df76d11ddcbb2fa98dfa7eebdf042db978b70010d53848596aabafa0ec0701dacae4778821029524942ebc05c4fb1ba8fcf0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
680B

MD5
00069e19c9f67871421ac34eb5a8550e

SHA1
7090dcdac83969a3f792e1c9b0000d67f15c0787

SHA256
cf516127cd6f870fc0f140ac1730fa367dd9cee1c0b1ecdd8d27492a5f34d239

SHA512
a1fa8b5fdd249efd90fe34f66dcb16438b465fb1aa2334d1b30f1555b9dd5cbfa0a28a67db8f9bde0e9d85ea1b86e6d6f856604bfa8a641a979ef37614f71c87

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
737B

MD5
f346cc8ca7c8bc642b10a05bd0edeb61

SHA1
b2bae575119745a569140767dffd14f70e13c52f

SHA256
2d5fe56ac8aa58fa383c993a050356e473198b5c8015393eefc453120563bdc4

SHA512
723536b7b3d74739efe27a7e16989777efd5e492227edbc052d979fccc3a009a7d6b0956be46ad717dd9cb72bd1ee94d47411bf9c2694bb5d3650725c7d9f130

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
72b0587d3028775b8dff4c9e43f09d41

SHA1
7f1a0d2be6877ecff0e0f71764a4bd4b8440d353

SHA256
74b4d2344c18afbc70027f232df9577b92205008fb07e5787010c0aa6b0abfeb

SHA512
5ae1653f6758f5362f647521340ed38a49cf9b1f5f4b05527a27a5a6d6bce319ba0b40c534803ce0cedf59e3903bae92c4b458c2c5502f87bca0e72eef955000

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
1853735275ad483fceb3ce93cfe7949e

SHA1
bbe047844f6f5c423fff9b3384aa455eff0d5fdd

SHA256
d605af8009e8030fcaceedd79f834d7e432e23369160bfaf75ff835823c1c7e6

SHA512
7b1884d534396bdf17a971ef1aabaf04178928da05e3b4c4146b2dbf2bfc851c2a4d784e0a4fd016d3c1cd8b55fb8cf35b1e81361c2c2e31376ba705bb73a2d6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
19ad7697c09f2174472bc30153b47b6e

SHA1
39929d292706b23da1eef81893f20380fcd86be5

SHA256
56e2fec5909401dbd0c3f2dfd9fe35df5b446717fdd81a607561a7f323642ed4

SHA512
94dcfd2c17fd53dd0673035ae2d3cf1dc346d81446825f27442f773f83129aaa7ededb85455f7a8bad3f85f82b20213ce0a5e0113b8d18110417b697fd2211ee

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
d13c13318846a62ae4253783d2fdcec8

SHA1
483720d0b942c1118fc6687c5baf599dc9e8473e

SHA256
e9bf3ac959a4e8282ddbf0708ae03d4131a04978a718f79db394fb2b0ed1b28f

SHA512
3aca6b7d407a666aa5507b7e33b4498439535616496613bfcefaf3f74086d31d26cffd589e101db383e7c84e6f38d9ef888349d676f7bc579eadfd7ef7cb8e9e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
227e9f37ba4a1a24ba2dcf5b31e0488d

SHA1
94eda04a70639809ba521924f114d62501b7f9c9

SHA256
fc22aa73c9236c186fc61df1a2d33d345688b2aec7c6b82cc6babec194dd8b9a

SHA512
c2509c46fd409d9480c775925362af4e6f12a56a4b06792f2f270f4a54f6eb0d0953ef27b116a15242fad5b72446b8143f31e7710aa56374e44e8c9995975476

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
b2c138a324f848fcd5bd618e9d746156

SHA1
8c68365276338355fcd11a454676425e3d41d696

SHA256
20b562e6ea4d1195c9ca3471e7df3a7a7189c49de9086fa57a359c289604a6d4

SHA512
fa81aa19a2b79e5a8f73b6526a44ac8855dc682cc00a32126dde656217a66ca735dcf407a297c739180bf2e2219b9e80b18219d7116dd0fdc58da2652694f395

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
c085134457ff1dd01838baaebb7016e9

SHA1
3e6f0366ffbcd5b8195281810dad7e8935729ed7

SHA256
ab6414245adfed807d63f084daa9b6653951f4e2712de348432421f936b22215

SHA512
7fdd1a081c332e58a4cc5058921df389d241abedb216741808270ee2796d3fd698d3abfff036d5b1e948c10fca4f8000888a6217a56d47db26da3caed4fda020

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
32f14198c2688eeb591e53d547001409

SHA1
e21654419ebcb6588380b3df3792311344c8b1d6

SHA256
ce4299679bc050d68d35f925438238d8a436122cb5144774c28278bdd62a9efd

SHA512
300aa77bce8c188be6838a7c64cd7fdd1a1b3a3a97800ff0b90deeac93d0234407846ff12f8bb1f512e92be4661ddf0a6cc0e829714eb339a6b1639c96756043

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
07cd65e79c63b442e44b6477725cb1af

SHA1
2b68daa8895d7929267feb5435f1f2d4c8a29d68

SHA256
2694702bb89eb94667534f90a94a5117292d23db1d636f60e1834c438a7023b6

SHA512
999586a133628e5a8bc58d537c18281f3720704cfa5b5de969895d05e89bfeafb53a6a1300f1de38528889f0de49a1ddb0f0c3341a9b700b45e343166b105f05

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
f80693cb3a5cb4250b5d8b628c48747f

SHA1
6974f46df4f21cff8a40f230999ee35420419fd1

SHA256
42c5d78a6af2c48f4680b22e9515dfdebc02e0b75e1e827eda80591e164a0709

SHA512
cf18c2eb23c4133de69134bcc31f08ba53b50adb62689c28fd8748f14d6f27b3bd1a7649bb2b2c33589a5957605cc7a7f70fa7f800799ee656b7edfe60e5b00b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
041d1c9139e116e6b59880f288b8c67b

SHA1
4d99a60def55d2fe0647eb26b584bdbcc937ca6c

SHA256
a638e98fc539b6567b98cb44c0c498a837ab09b401c4fb03fdc30640aa7ad577

SHA512
493c735bc3109ed4a876320a366706f3cdf35330327c0dc1cd726d0e2013c5261a3b959e7a41bead7ad6e3f6ce3428c1af80524a0be916a83163bff45e1125b3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
be27c07de9b814d7e77ccfa108c68a1f

SHA1
4b012e044053c1cbff58616aabe34c0bec80669a

SHA256
ba157a3a2db66ae84164fec1376a89a10c30c6c0ae46cbea6c428062fbe33bd3

SHA512
21169a6e996927f58351899525989f59db7741a35b4d0b731d3f19180cc632b4f9d83d0de48252c53cd11a56133011485d4858687f731f23f9beda5c55280678

Download Submit
memory/3956-2-0x0000000000914000-0x0000000001B53000-memory.dmp

Filesize
18.2MB

Download
memory/3956-0-0x0000000000910000-0x0000000002047000-memory.dmp

Filesize
23.2MB

Download
memory/3956-8-0x0000000000910000-0x0000000002047000-memory.dmp

Filesize
23.2MB

Download
memory/3956-234-0x0000000000910000-0x0000000002047000-memory.dmp

Filesize
23.2MB

Download
memory/3956-240-0x0000000000914000-0x0000000001B53000-memory.dmp

Filesize
18.2MB

Download
memory/4036-13-0x0000000000910000-0x0000000002047000-memory.dmp

Filesize
23.2MB

Download
memory/4036-15-0x0000000000910000-0x0000000002047000-memory.dmp

Filesize
23.2MB

Download
memory/4036-236-0x0000000000910000-0x0000000002047000-memory.dmp

Filesize
23.2MB

Download
memory/4572-11-0x0000000000910000-0x0000000002047000-memory.dmp

Filesize
23.2MB

Download
memory/4572-235-0x0000000000910000-0x0000000002047000-memory.dmp

Filesize
23.2MB

Download