1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Analysis

max time kernel
146s
max time network
153s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05-07-2024 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aee6801792d67607f228be8cec8291f9.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

aee6801792d67607f228be8cec8291f9.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	aee6801792d67607f228be8cec8291f9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	aee6801792d67607f228be8cec8291f9.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

aee6801792d67607f228be8cec8291f9.exe

pid process

2920 aee6801792d67607f228be8cec8291f9.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

aee6801792d67607f228be8cec8291f9.exe

pid process

2904 aee6801792d67607f228be8cec8291f9.exe
2904 aee6801792d67607f228be8cec8291f9.exe
2904 aee6801792d67607f228be8cec8291f9.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

aee6801792d67607f228be8cec8291f9.exe

pid process

2904 aee6801792d67607f228be8cec8291f9.exe
2904 aee6801792d67607f228be8cec8291f9.exe
2904 aee6801792d67607f228be8cec8291f9.exe

pid	process
2920	aee6801792d67607f228be8cec8291f9.exe

pid	process
2904	aee6801792d67607f228be8cec8291f9.exe
2904	aee6801792d67607f228be8cec8291f9.exe
2904	aee6801792d67607f228be8cec8291f9.exe

pid	process
2904	aee6801792d67607f228be8cec8291f9.exe
2904	aee6801792d67607f228be8cec8291f9.exe
2904	aee6801792d67607f228be8cec8291f9.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

aee6801792d67607f228be8cec8291f9.exe

description	pid	process	target process
PID 1512 wrote to memory of 2920	1512	aee6801792d67607f228be8cec8291f9.exe	aee6801792d67607f228be8cec8291f9.exe
PID 1512 wrote to memory of 2920	1512	aee6801792d67607f228be8cec8291f9.exe	aee6801792d67607f228be8cec8291f9.exe
PID 1512 wrote to memory of 2920	1512	aee6801792d67607f228be8cec8291f9.exe	aee6801792d67607f228be8cec8291f9.exe
PID 1512 wrote to memory of 2920	1512	aee6801792d67607f228be8cec8291f9.exe	aee6801792d67607f228be8cec8291f9.exe
PID 1512 wrote to memory of 2904	1512	aee6801792d67607f228be8cec8291f9.exe	aee6801792d67607f228be8cec8291f9.exe
PID 1512 wrote to memory of 2904	1512	aee6801792d67607f228be8cec8291f9.exe	aee6801792d67607f228be8cec8291f9.exe
PID 1512 wrote to memory of 2904	1512	aee6801792d67607f228be8cec8291f9.exe	aee6801792d67607f228be8cec8291f9.exe
PID 1512 wrote to memory of 2904	1512	aee6801792d67607f228be8cec8291f9.exe	aee6801792d67607f228be8cec8291f9.exe

C:\Users\Admin\AppData\Local\Temp\aee6801792d67607f228be8cec8291f9.exe
"C:\Users\Admin\AppData\Local\Temp\aee6801792d67607f228be8cec8291f9.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Users\Admin\AppData\Local\Temp\aee6801792d67607f228be8cec8291f9.exe
  "C:\Users\Admin\AppData\Local\Temp\aee6801792d67607f228be8cec8291f9.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2920
- C:\Users\Admin\AppData\Local\Temp\aee6801792d67607f228be8cec8291f9.exe
  "C:\Users\Admin\AppData\Local\Temp\aee6801792d67607f228be8cec8291f9.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
f1f00b0b38f803d38907587948de51ee

SHA1
91378ccfc406e6b68ba8077810c79701a0d7c8cb

SHA256
2538a3d7a739db98ce4d152f6cc7671285e4dbb15265fb0ac699e02311eee41d

SHA512
9a20106892b1ae2ff28cd3f754e72c79e800733ce5362efd9bf73b4eb9c3e34eeca7665c97668260c7d5afc012a131de6c2b8fc329e28a47d6be4bb2e4b64690

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
25f6d7818166ef67a2ea4b988c3f0dbd

SHA1
82ae195fb865e02fb0ae5c3847fe0f3fe08dc9dd

SHA256
cacd2de81d7cdc7b0726eeb6b4a8caaa79dee06b6e044637385280d2f3a53f51

SHA512
acf7f8e50b0b859e3ab536e5febb5ed8fa53204bef0f19e7cb0e85f882233bfb9e319082aaf819432503a6eed9c5468bf987913b606904558b44ef8dd57e560e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
d5131cfe744ad88706f1b4170438c9e8

SHA1
e387e276a93476641d1cd1d30036a953270abc28

SHA256
738c2adf1ff04c3faf681b7c02210cb0fa361ce7549679e9b87b3f4639670bae

SHA512
449e15076d1f5f09506c21cfa44f9d432ac41a09b65b34d26d5cf734a849df382289e2c8077d12ce10937c834f4b32db69148739680caac10c31793433a70ecf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
701B

MD5
15d9147ae5de11850c57257cedac70a9

SHA1
1507f49d66cd344fc35f1c72a389e166b805df6a

SHA256
9f48f055ba8037d3d07fcfc26fac396e0b25c969ee5f19e9d666b97d22701fab

SHA512
98db968d248faca1a8226d1378e42c344f0f11f9f6b91a46b8a7073a7fbd54c98255663b6eec73c4ea7df632ae12b7cc5ef137d8c76eaa74c3ef6ad8a2e246eb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
758B

MD5
c77bc4f31db00ab4091c19c4d8076d66

SHA1
b4cc8a564156ba6862c5f20bef0fd9d32685097d

SHA256
f5486377633626ce4e9ddcc7d14f35a7bc756d0146f429897750126ef2ff39c0

SHA512
6e2dc37cac9ddda1e882f38611646f0f97c95a599c92fc4906f45093739cd38162ff2eb80b12cffbb8c10142d56fa99bb9ccb039ad531264bdce40d1dd5fffda

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
bea966e6483a8db35bb506f0ce214d1a

SHA1
7eaa359a77c3c1501dc8af1aa8976360331c8f03

SHA256
e1a3713af323b3ba0cd41c910aa15a9bf567d1f8b0e508d4a519ee07aaf2c719

SHA512
ee0b9b0bc31996efffb2ff0e89460ffde2747d4e368d43db39cf9b63e69e8105ec4e21c6cef12e2fac6b7a8aa22ce469de5b07c997a5d9be9b9b1fa60b6fa921

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
bc4336b4a1d73e5d5583101609cf1cf9

SHA1
f30cf4859a9e4038d1f7eadaababd500741bd01a

SHA256
72d200cd2a680a78a77d9fcb3102c3556769dd776b79fc5ad061327320e2f0be

SHA512
0dfd236c8233bce703e3199a596b1ff85b0d84496ead1b4660a021732aa8495ddfcbd6cb90ac4c6369d10884f497b31f8cf47fdc96ade9ae0858c92dba9b6865

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
cdaacd542c0e61efd22e91c2688f872f

SHA1
cf8ebbabf9c11b756552ef4a7b093db149f3c624

SHA256
c595804c41382a646b9bcefa9a2d87991bdc6dfb15d1f9626fcc1f35e433b97c

SHA512
f6136bc8577a553d1613f4aff5877611fc9c880ff0b9471d8c9d19d50b229597421059eae8e0c4188eac7656dc06b0ef170a8314be236828e43376ef9de6af0b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
3d7fd6e81ecdd6c916a2296e1cce6f53

SHA1
b4757f77601c747f96b3eb123e853583cdd3141a

SHA256
05e6bfffe5ce0075c8e153910aa4dc881f67c13c7c0884d6c50b66471eed8f9f

SHA512
d274bd04dd30a6dd2a2862400d179ec7db972d63cfcb70adc37a280322ad1ac730601cf776536426b511b0490485b47304277c9ad609a2809ec383c8dc818803

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
592b39ec74957dd9c26479ae11ebf94e

SHA1
24635294c59a7242c63c3d4e5c297c1a85348f16

SHA256
8f7734590018120b5e80aab436dc0c155637f0074ee6468f5f69b877563748b3

SHA512
7aed8c3af6634741f057fcc813f53790a187987f684b3111c1b905514e97a89b9b004411d0a9c379e14f8c9ce1e14a4d8725047ac1b841b63f4ac98e843951e1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
dc886fcbab6f3553934f0a6b8cbda34e

SHA1
7f5da4211e9c958ab6f50c0663a29e7db3d11f05

SHA256
2ba2b66f68d426e97c7ef360fc4502ded548b91c6e0e586966b4e6368c757141

SHA512
a13cdfcfc2d2d90a810317066a867dc58993a454f04bb798073e0d59b7ff83965c18fb7fd811c3974b4840b74c3875d4544697bb8003bdc3e941ac1086af0ec7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
be2238d53587b34b921adea79452a243

SHA1
922d8e808b68708bdd3a0a9c2f34c1d552acbe61

SHA256
7993a3be9e637caf97d80ffd27aed4b811242873a25cc2850182f41b76835a1c

SHA512
684e36236f55f319332de79269aa64d5951c5a3ce2d2badd7d35bf4696f686d97654276289c2ffe17523edb63586f53f05553f823016b7f6fe63341eda597dda

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e32aaf95a0d026a942a03aaf8082f90d

SHA1
49dda1f1b0aefefd6b989299248e24856a68dbb6

SHA256
b4b33ef746c190e3500c063de2f056be9d544a5927b93c96f6e17301a49c17c6

SHA512
f7da313b4124676dd1ed7ea7ac3dd22cbe821d81588926f2a4597ec58ada033bcecc0786f2a8918fe1594f13dd1090a9316e1a3ef57fc2a843d1cc50a24b6ca0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
955965b256fa20c7a5eac989ce1eb8f2

SHA1
e13a281f090064878c97801ac8a07c9ff2c98b3c

SHA256
4049c1d1d21785bcc411987ca04cb00bcdad337a6cce2ed41e78dd48767e8c8e

SHA512
95b7bc0d28b1d471d30a2758327748173cc7746a3e3826328d829095b21c2e26feecd66c14c14a484aa4c9dcb6d1eb6fb746a1816982afa3c60d9dc941f2567c

Download Submit
memory/1512-2-0x00000000002B4000-0x00000000014EA000-memory.dmp

Filesize
18.2MB

Download
memory/1512-134-0x00000000002B0000-0x00000000019F9000-memory.dmp

Filesize
23.3MB

Download
memory/1512-9-0x00000000002B0000-0x00000000019F9000-memory.dmp

Filesize
23.3MB

Download
memory/1512-0-0x00000000002B0000-0x00000000019F9000-memory.dmp

Filesize
23.3MB

Download
memory/1512-254-0x00000000002B0000-0x00000000019F9000-memory.dmp

Filesize
23.3MB

Download
memory/1512-257-0x00000000002B4000-0x00000000014EA000-memory.dmp

Filesize
18.2MB

Download
memory/2904-17-0x00000000002B0000-0x00000000019F9000-memory.dmp

Filesize
23.3MB

Download
memory/2904-253-0x00000000002B0000-0x00000000019F9000-memory.dmp

Filesize
23.3MB

Download
memory/2920-19-0x00000000002B0000-0x00000000019F9000-memory.dmp

Filesize
23.3MB

Download
memory/2920-252-0x00000000002B0000-0x00000000019F9000-memory.dmp

Filesize
23.3MB

Download