1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Analysis

max time kernel
149s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05-07-2024 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aee6801792d67607f228be8cec8291f9.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

aee6801792d67607f228be8cec8291f9.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	aee6801792d67607f228be8cec8291f9.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	aee6801792d67607f228be8cec8291f9.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

aee6801792d67607f228be8cec8291f9.exe

pid process

1840 aee6801792d67607f228be8cec8291f9.exe
1840 aee6801792d67607f228be8cec8291f9.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

aee6801792d67607f228be8cec8291f9.exe

pid process

4904 aee6801792d67607f228be8cec8291f9.exe
4904 aee6801792d67607f228be8cec8291f9.exe
4904 aee6801792d67607f228be8cec8291f9.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

aee6801792d67607f228be8cec8291f9.exe

pid process

4904 aee6801792d67607f228be8cec8291f9.exe
4904 aee6801792d67607f228be8cec8291f9.exe
4904 aee6801792d67607f228be8cec8291f9.exe

pid	process
1840	aee6801792d67607f228be8cec8291f9.exe
1840	aee6801792d67607f228be8cec8291f9.exe

pid	process
4904	aee6801792d67607f228be8cec8291f9.exe
4904	aee6801792d67607f228be8cec8291f9.exe
4904	aee6801792d67607f228be8cec8291f9.exe

pid	process
4904	aee6801792d67607f228be8cec8291f9.exe
4904	aee6801792d67607f228be8cec8291f9.exe
4904	aee6801792d67607f228be8cec8291f9.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

aee6801792d67607f228be8cec8291f9.exe

description	pid	process	target process
PID 3584 wrote to memory of 1840	3584	aee6801792d67607f228be8cec8291f9.exe	aee6801792d67607f228be8cec8291f9.exe
PID 3584 wrote to memory of 1840	3584	aee6801792d67607f228be8cec8291f9.exe	aee6801792d67607f228be8cec8291f9.exe
PID 3584 wrote to memory of 1840	3584	aee6801792d67607f228be8cec8291f9.exe	aee6801792d67607f228be8cec8291f9.exe
PID 3584 wrote to memory of 4904	3584	aee6801792d67607f228be8cec8291f9.exe	aee6801792d67607f228be8cec8291f9.exe
PID 3584 wrote to memory of 4904	3584	aee6801792d67607f228be8cec8291f9.exe	aee6801792d67607f228be8cec8291f9.exe
PID 3584 wrote to memory of 4904	3584	aee6801792d67607f228be8cec8291f9.exe	aee6801792d67607f228be8cec8291f9.exe

C:\Users\Admin\AppData\Local\Temp\aee6801792d67607f228be8cec8291f9.exe
"C:\Users\Admin\AppData\Local\Temp\aee6801792d67607f228be8cec8291f9.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3584
- C:\Users\Admin\AppData\Local\Temp\aee6801792d67607f228be8cec8291f9.exe
  "C:\Users\Admin\AppData\Local\Temp\aee6801792d67607f228be8cec8291f9.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1840
- C:\Users\Admin\AppData\Local\Temp\aee6801792d67607f228be8cec8291f9.exe
  "C:\Users\Admin\AppData\Local\Temp\aee6801792d67607f228be8cec8291f9.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
8aae4cea00ab0ad15cd32d6964834580

SHA1
c2d3f6c701fc7a0f3b9ed910dc1d0096a1c7cc63

SHA256
644726d9eba1d6fa5a9427182432ae1d42d833624039e1840636aad62b7c8a9b

SHA512
c5433653e4d9de8fe1bc93feab52984eb637b89a179a8bb75a36b0a988f45ca0dc799851005b486a18bfe3155b2524536eebee532277a91773534d206dc341df

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
abfc9dce0b6688d6769f95929bd16f30

SHA1
6a94df7522487597f4e837265645278088cfccf6

SHA256
aa5b762ad56970f1f1a22578c647785e891b712ff6ae4b4a6702fbcb87ed3d60

SHA512
c8011e64fa2fd241b8cd6e73f03ffed925eefaa691378ee819411705a4132b5434deb552a2b3a0ebe65112d9d39a47c3f2f21e8460b989e0b26b1d90860ab837

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
57f695421b13511686d4d5288e354470

SHA1
e7ed8533f00f28ab8524c7a616256a7e3413de38

SHA256
9854a32716cd40643a640dd4b45b5d062a41e9871e56218f139b5552b9a53372

SHA512
5590bf12951d139fe047f27e5f9289f9f33e13536e727ab4667f65e26e7620803393a0195cf5a3ca60a5b11b1009876c95789094d4dc38cbd8938224a9a3aaa0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
c86fb76c1d800933517266dd8faf6bad

SHA1
5378892f89c83bfeb43f5e3268c2bd247bb78e6b

SHA256
584a15cf29d33adf999c32db50f47e0c5b42b752e3736372b98f184f44874623

SHA512
5a17f84c61eb3ec7060e205940fad2a4e134f491c586b22dd206b48a0447dd0935a209878a982b3cafa397353bd30afabcc14387fd1ee20f1ff32411ff9330b8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
701B

MD5
d38081999c2913ed59bc90d6e8b419e1

SHA1
cf2274ba02168ccc1a8350697a5477efe9d7dd14

SHA256
708642199344a68b57c2eaae7adbe9f8ef7d5a331ea967e9b549ea3f4d2d893e

SHA512
ead67d067c68fa9147016261111a4475c9a735fa87992b1e5034a1bcac2473d68afcbb503d703f9655d2865e02e61f3d5bb602238d1251d9878188a68ae31d30

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
758B

MD5
0cc2c815ed9bde0fd7ce9832f610ff5e

SHA1
71b982b1623bfe1eb06284921cd1bab35898d023

SHA256
145ab80039343a5f12b1b8ed11227ea56bf1d29364aadaa1d7790fd03069a4fd

SHA512
2a339b395c2dcaa9f8f6e881a95c37c6f035a59a1667277e28935c6ca11c46993d0c1d15ac396516ad0a789ab67954466b3146768f4537a9843ae4a4a0e8e4bd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
d06c46ddcb8d6f0726ddc9b231787609

SHA1
6807f6fcfacdca0e8e50f5cee2f11405a8998333

SHA256
68fc430da43f908881c86fb7af85033de5546280b371978f1cbc45bb611f60cb

SHA512
a067626f705bb97bf4d04b6c33f124732e8069cadfa1b3ea7eacba17dc7caf0de7c079bd61142e3e30088d8794a4002aabdd96ae16c6a176a612be5f18e94ae9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
589e1175ee3ddcba5ba1ccd0552bcc1a

SHA1
15156af02e01a1fc0aa0d1822f162ddbd67a4996

SHA256
09fb8b1b1023f013a0e00f4b7913075735a371e924ebd856f10a2282225c0152

SHA512
f8e88b040a015649ef2ecbe5434ecbc73e130a9114eb295e643f119f35e1c117f7f48995df0f830f34caa7f2a7f7e233e6eceee48dcc6356d3d1c4c8ac163cd5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
f2eabc6b4b2f2e9bd3dfe4c48637864f

SHA1
6387738ffe876fc6ffb3f24b19115e8077e4d1ff

SHA256
dd9bcc74ac0387906ac43e8310208b1378d1ff2edb4378c99bea37d24baf67c9

SHA512
b26ae0827a123ed53f0e6128571d85ab084c7f463a071c151cb6c9315fd8234e6b0f38d237673316c575e0a8a69a91cd6bd1262d8963c56d706cc6d4284627eb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
aed653689e0947d3a9b3e5f93ea0860f

SHA1
4ee10b649bb60526075540281b2335da34530cd7

SHA256
5fe56bc7dc75133d758dba4676564d21e0b4ee1856be90d46bfd6a992c3ede48

SHA512
73935a102f46dcd3efcd0a75cbccadfb7f0ebc302a2bbc1f3f0069d5d0c614aec6b9b7e9fbef74bb468880381779c68c1878edeb7d552213e7cdac4e88b6b80b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
21bced5146f528d5fed4a8574dc8a0c7

SHA1
169928198db7fbffab969f9b53aca3f65e57f3cd

SHA256
3539d72da1312dbb4e058cc11fee2a2409a29bb49e1431f790e0242727dd7a25

SHA512
d8fbfe01b5b0b36d137dc1d3b11a5298656bf824da969c702ce0a2dbf8833483febaecee5c5bb2193d087f9b58e3dc215dd4f4b0f87f97e472ddf5841b7b6498

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
c2d742b1d2431cf10c6fbbe715b55261

SHA1
9f8ecda6be79542c43273d81690cb387d9307155

SHA256
d050c049139d1f45f9eaeb4a807257bf6dd7a92ad4d4a79a6a990901cc813b6c

SHA512
8553df4d63cc33e66a7dc861e48a8612a4074853b4aea281385825bd0d844d8aa2c10a1831701cbfe05c7b5b2ff2ee8e98628ee5a4bab01cdb12a54981edace4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
fde1cc6a35e69a6b7a7f0d139bc33b85

SHA1
9ee37ad018c53f3055491394c1e4ee4d8a8a069e

SHA256
57398534524cb35a71025d452c0c57332e9c67735749fa6da52a48b32f092205

SHA512
8cb1be9d59f6638c06db911df28291b8d5de50e114cf63eec739cfc3fb8be9cde3049b21f9ac35f0231e1d73bef3eb3b2e4dbcd592b8d562dc674d039e8df459

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
8dba6f248f4bd8dbc28bbe1d42faedda

SHA1
a929bb98425bb67022ee48e58bbb225f3e5fb4b2

SHA256
fe94e777a08842ab3f23ec1e317427cf74dc77d7911fe9184d4288798fae6593

SHA512
3945e4c6f50685e8177196c106bbcea9ebed794d16a1290bb4ceb8c0c1a2bce3f55ec336786ece3dac3621e1c71f75cb697bb14dab3282a729127c4778a4679a

Download Submit
memory/1840-167-0x00000000004E0000-0x0000000001C29000-memory.dmp

Filesize
23.3MB

Download
memory/1840-12-0x00000000004E0000-0x0000000001C29000-memory.dmp

Filesize
23.3MB

Download
memory/1840-281-0x00000000004E0000-0x0000000001C29000-memory.dmp

Filesize
23.3MB

Download
memory/3584-0-0x00000000004E4000-0x000000000171A000-memory.dmp

Filesize
18.2MB

Download
memory/3584-7-0x00000000004E0000-0x0000000001C29000-memory.dmp

Filesize
23.3MB

Download
memory/3584-166-0x00000000004E0000-0x0000000001C29000-memory.dmp

Filesize
23.3MB

Download
memory/3584-172-0x00000000004E4000-0x000000000171A000-memory.dmp

Filesize
18.2MB

Download
memory/3584-1-0x00000000004E0000-0x0000000001C29000-memory.dmp

Filesize
23.3MB

Download
memory/3584-280-0x00000000004E0000-0x0000000001C29000-memory.dmp

Filesize
23.3MB

Download
memory/4904-168-0x00000000004E0000-0x0000000001C29000-memory.dmp

Filesize
23.3MB

Download
memory/4904-10-0x00000000004E0000-0x0000000001C29000-memory.dmp

Filesize
23.3MB

Download
memory/4904-282-0x00000000004E0000-0x0000000001C29000-memory.dmp

Filesize
23.3MB

Download