55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
148s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
28-06-2024 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

7^/10

Malware Config

Signatures

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
476	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe
476	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4452	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe
4452	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe
4452	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4452	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe
4452	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe
4452	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 476	4088	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe	78
PID 4088 wrote to memory of 476	4088	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe	78
PID 4088 wrote to memory of 476	4088	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe	78
PID 4088 wrote to memory of 4452	4088	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe	79
PID 4088 wrote to memory of 4452	4088	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe	79
PID 4088 wrote to memory of 4452	4088	55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe	79

C:\Users\Admin\AppData\Local\Temp\55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe
"C:\Users\Admin\AppData\Local\Temp\55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Users\Admin\AppData\Local\Temp\55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe
  "C:\Users\Admin\AppData\Local\Temp\55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:476
- C:\Users\Admin\AppData\Local\Temp\55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe
  "C:\Users\Admin\AppData\Local\Temp\55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
ed301c431b9b3e17d99222a44bf9d05f

SHA1
26f0e0063c8dc59edda63df32684eb659c8ff6e0

SHA256
19474061f5b7572bbeac630d08192777abc8abb05ff1cfb613bf3037966db2b3

SHA512
f26f640b436037d617302c45b756ebe51b5aaab29d606b84f0065f53831ec9c090e7ef57938d9e5fd47e0c63fe4b8bfdf89f6fe3a811a67238dd81983e659558

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
62a236f86531f78fc897608897d404f2

SHA1
2e547e28537cfd0d92d0894323d05aad841a8f55

SHA256
74ef8773998fb3300902e92353b48cf86afe216f195f2f6595e3688268a85ff4

SHA512
400da2b3350ded5438c605fdf163743c0710bbbd5285fb197b742817edeccf888b99f375c338849a26448d954a788f8f9d01773d23386991a49b3e0c6d2ea76f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
b77d78e8e8a4dd59e4d15e3a46d13c5f

SHA1
c6e5824e11569d0dd4cb5b41c601587041f7b9a5

SHA256
8cd6587861ee0f57a7dc640be2df96591299106cc4a13eb802219f73555eca06

SHA512
25351dbcdc213bbabc43d184df55fcbc514810af58ca82ce7d127548df8905493161094cab8726d62d6103e7bc8144106a5b6acec689f26510710e95a67e16c0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
07f963551c30efeadb9716c85bb44005

SHA1
9c5a9833db2a3af2e9197ccad988fe2f323cb1f2

SHA256
a777c0974c5341ba99c0360e0d285293285ef1bcd2531c4f07693e7dc619ee2b

SHA512
8ee6cf188b73979b7f720f7f4d03124d5528a7f8c1c886bd122bac57878c3aeb3c469999971f09f39b2855122a2c3e5156da1bea7c696f9129e8f877431f0f28

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
11d23548d4b92ebc0fdd74a21f452ba6

SHA1
ed1658d35f9eea39e2a5204ed4d71f73b6863733

SHA256
053534e7b5b0d3e1b1e063fc124853a45f5f096525de8b292086812fb1110bc6

SHA512
495a80f80998edb33b77069e62e11fe020bec649d929ce4ecdbb16e0858011f26b076a0f989130058577289cf726a8865f8fb48fb575f6245bd221f1c0e175a8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
510205b09259d79c58d435cf5d6dab44

SHA1
737afe853d8371a06465a9f5a78ac29060ad3108

SHA256
e7a7d0101ad3e32e2715d1f5baa32df0f7220240e99400e250d5f98dac7da449

SHA512
cf77738cf9f07117fd6e12a342877e4281f4fbb307a07d495dd81e8bf55671eab031bec13524d7698e5ebd50f6e97103e87f0d1da3bee47d3aef8aacafac519b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6e267e5f7bbd99858f751ae04fb7904a

SHA1
9363ce76a555b969fd296755baca2fa14bf48921

SHA256
297ef985bab8397df786cb4f067781dc7aa35b4af2ece0e60a565beb8d6fa724

SHA512
70aafdd38e7990accc8b28ad3fd4d367aaff678280b7abb99ccf44d737db3ce63f9a17b118b1493435a3ea03e3c7280b7306005993126a718c31077a8ce72011

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1f9a06036971f6c581d576b41d1116d7

SHA1
d97c4409f6efdbe25e515aef0cd61bb12bc03c2c

SHA256
126c0aaddf6599abdfbd71cf8f97e53fd6d8d789ede3b0148fdcba152341b158

SHA512
5453336f67cf2d40dbc485820e3802bc515eb7c8041511a9af1aee27adb6918eadd5d6b5ad59a84b6aec5d650bae2b4530a341d4b4d514cbf942c51fdf377de2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1be0e0dea3a29832c3be4ec9c6c7cc39

SHA1
cf30adfe2c13e8a2a06789b69686bf5bb715bc1d

SHA256
5849349099d08b3b756f99cc117c7ec8f874038e31a021199218895ea15ae791

SHA512
f57715b77006a4289f89ac2c3dba275a733a8e05fabebbf7a37b5cb6cbaca831e9580f343f344f44cbe62d88f3b42b85bdc97ab53bd7e7e762e9f042af7ead25

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5fa5d5b490ee514b7aeb59e94a2c89e7

SHA1
ad404f15636cc29b14d16df48ccbdd5e3c4b9664

SHA256
64b7201d7cfce5124d1dd628498fe7c7c6756801d0a42bda7c047f6a96773e9a

SHA512
d1823e900501f75dd70e801c2a210fc240d11e2b239ca9e8db25bbead660577468528fc7b073f48cedb1c81d81e7c64c948028684221af70027df6ef424e5e01

Download Submit
memory/476-145-0x0000000000160000-0x0000000001897000-memory.dmp

Filesize
23.2MB

Download
memory/476-127-0x0000000000160000-0x0000000001897000-memory.dmp

Filesize
23.2MB

Download
memory/476-326-0x0000000000160000-0x0000000001897000-memory.dmp

Filesize
23.2MB

Download
memory/476-230-0x0000000000160000-0x0000000001897000-memory.dmp

Filesize
23.2MB

Download
memory/476-208-0x0000000000160000-0x0000000001897000-memory.dmp

Filesize
23.2MB

Download
memory/476-205-0x0000000000160000-0x0000000001897000-memory.dmp

Filesize
23.2MB

Download
memory/476-83-0x0000000000160000-0x0000000001897000-memory.dmp

Filesize
23.2MB

Download
memory/476-194-0x0000000000160000-0x0000000001897000-memory.dmp

Filesize
23.2MB

Download
memory/476-90-0x0000000000160000-0x0000000001897000-memory.dmp

Filesize
23.2MB

Download
memory/476-14-0x0000000000160000-0x0000000001897000-memory.dmp

Filesize
23.2MB

Download
memory/476-98-0x0000000000160000-0x0000000001897000-memory.dmp

Filesize
23.2MB

Download
memory/4088-92-0x0000000000164000-0x00000000013A3000-memory.dmp

Filesize
18.2MB

Download
memory/4088-144-0x0000000000160000-0x0000000001897000-memory.dmp

Filesize
23.2MB

Download
memory/4088-2-0x0000000000164000-0x00000000013A3000-memory.dmp

Filesize
18.2MB

Download
memory/4088-82-0x0000000000160000-0x0000000001897000-memory.dmp

Filesize
23.2MB

Download
memory/4088-0-0x0000000000160000-0x0000000001897000-memory.dmp

Filesize
23.2MB

Download
memory/4088-8-0x0000000000160000-0x0000000001897000-memory.dmp

Filesize
23.2MB

Download
memory/4452-84-0x0000000000160000-0x0000000001897000-memory.dmp

Filesize
23.2MB

Download
memory/4452-195-0x0000000000160000-0x0000000001897000-memory.dmp

Filesize
23.2MB

Download
memory/4452-11-0x0000000000160000-0x0000000001897000-memory.dmp

Filesize
23.2MB

Download
memory/4452-327-0x0000000000160000-0x0000000001897000-memory.dmp

Filesize
23.2MB

Download