55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Resubmissions

09-10-2024 15:25

241009-stzcmaxhjl 3

09-10-2024 15:16

241009-snjd8axfrl 5

Analysis

max time kernel
291s
max time network
295s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

unknown.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unknown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unknown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unknown.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	unknown.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	unknown.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2004	unknown.exe
2004	unknown.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2260	unknown.exe
2260	unknown.exe
2260	unknown.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2260	unknown.exe
2260	unknown.exe
2260	unknown.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2004	2460	unknown.exe	86
PID 2460 wrote to memory of 2004	2460	unknown.exe	86
PID 2460 wrote to memory of 2004	2460	unknown.exe	86
PID 2460 wrote to memory of 2260	2460	unknown.exe	87
PID 2460 wrote to memory of 2260	2460	unknown.exe	87
PID 2460 wrote to memory of 2260	2460	unknown.exe	87

C:\Users\Admin\AppData\Local\Temp\unknown.exe
"C:\Users\Admin\AppData\Local\Temp\unknown.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Users\Admin\AppData\Local\Temp\unknown.exe
  "C:\Users\Admin\AppData\Local\Temp\unknown.exe" --local-service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2004
- C:\Users\Admin\AppData\Local\Temp\unknown.exe
  "C:\Users\Admin\AppData\Local\Temp\unknown.exe" --local-control
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
d85bcc961b233593ddceddcc569a9e51

SHA1
ed9dbdf4ab7bbd95fb53600c7fa14997fd2d9930

SHA256
5d80fe3dd95a7e7d86a51e536cb625a5c989fe31321ae9c369f186c7798f4ac4

SHA512
b810019dfa4a34bedf46b7a5fe3ed54d392640805b7e3b7ac99dd6197919e24fbf9bf5ddf3267be3181ca966e50404e07032222e8bf944ca5efa42b07e6b23b5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
4022e5d3ab31a8d9354bbdb53a65028d

SHA1
b929c4200e28f405a22726a62ff7492b527256fa

SHA256
bb898f099fa98ee97cd2857bb7f0e505b552635ef18ce1417cc9516686f92654

SHA512
7582a033b3335db0264f9e171f7ac3823d869bb80a637c548cb7781306f49ce9716a5045c6aa1069a73ac430a9dc9215ee5187e6fcf2554471f70a14c6b48cce

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
15fff17528d90f31defa01905460bb79

SHA1
99ee10bd08d3878c73ddebb39dac81e281703c9d

SHA256
7309560fb7befe03810ac509aa070960dfec0fdfc1d92c9346743a8e11d1edca

SHA512
73ec01660a68fe1e494594a6ca130263d0f14d18462e9f7bbf560d1e1d027469848cb117ed3d123e4337da2f4be6e58f104c106fcff93cfe962f1eaa826a1295

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
c055edb1d41ea6913b38e54c5fd29807

SHA1
99dc60968912b71e5e78568d62be4d26f3deb158

SHA256
41432ec86b71f1ab07044a8f2fa75050bd43c1bd2a8958ac6fac049e201acf67

SHA512
780bfd9eece9446156dd301640b29c453cb2317148c877757f39a2715c20de32ce99e8394cf61f36dcf5708be76721e25dc9870e262320ca00a9faf22d60020f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
738B

MD5
a6d87b835869e8afe02215c648447c54

SHA1
f7d4abfbae559e66793e6adf84818a64c081ce1e

SHA256
dbce3d032bd6d1f286c2a293ef9026d5297bd1e481a0d5b761d02903bfe82db8

SHA512
65476fdd261e37a58e1e422df90ba9fa7592250c973e2f1874b27349697eebbe60deb43f5a3f74f47d0566688ac740acc5094dbcd417ca3bd8cfb23fd57efd43

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
7dfb15db2c296b300001e56c91e64c3f

SHA1
43ea6f461296ad9156d4afe029cafa56eba33c90

SHA256
c3069f4ec2b4a4adddfb2b31567fd0a3c35694a374081c056584c6b7803b5d38

SHA512
db774c162c57e5f9adb3071c9ce1412bd6ff76ea452611dfcf500b1916c1cdc794cd29ac58f94e6326f40fb578f46ebadf10f30831e39f0c872755e4875552fb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
ce53e3eeb2b1a3762f8fa44f9f28bf30

SHA1
ca173e4bfc290f1194230ef289a04735e4a57ea3

SHA256
1a1ca504ad5d2cdd0be783113add41f25d73a437d6580b6e908e87c551a5c3c9

SHA512
4568f5e445639d5eb48957169b9956351bced4d1a9f54fe96cdb0ad0420610315f89d25b6633a7b25ec9b14120ef51225e7a1b9c1a40260b3ffaedbc7f207772

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ce1564d449faaf91852451c3bf33ef38

SHA1
19064b347cfd29bf31645c4df9e99502d013d963

SHA256
025abdb5a6b1951bd74e12aecdb3e18fc0736bf900e9ca77c450a1171ec55783

SHA512
e65655d9fc8315d3995e451faf06bb300b156fc571f263b41bd56d60a3b2981c5f9976aea06e97b830b6be9d697db8816379afb345e1943d8f7b86ce532bbf13

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
2c34c1ca4deced11ac24890379e4c3f1

SHA1
6b71d6edc77450e5e5efc46223ff5915dc7afb25

SHA256
eb7318a95dd9dfe583192374f72aea80add0e14ff0dd71648fad5b2ba3db9d90

SHA512
a49d6c93dd2f471a50cf58c5a313d6a15fd0028fcffd854997b5c3e7f4d62efd0e10bbc9ae06e1d8e89450ea4d82b51499c77cbac4517735b0abb66f6ec02f06

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
7e4fc47653860eee79cf6d59bf9f750f

SHA1
5e64f986024abd9a2e93cc1a965a7f728334b1dd

SHA256
2d63d3f6514cb962ca343ca8d9ff73143f9a28e39da3b93f9a022c1b862929d5

SHA512
3c4910571e10d353539f85124f8376a0653fdf2b34549c32dff15e642fba8c327da29d7f47c878ac0a46091f89b7e8ba89b3c85c403516d8377bb6d0651d36e8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
59d1760c9781f61b5977c6f720288466

SHA1
04739b28167c3d21db4c654879206808cc07e283

SHA256
c06ff362130c4f5874d4cbbb3b501531f114900f0251c37c2a23cbca9b2b3f99

SHA512
eb6f08b78f1f647399636f8d8ec723465da0d00b6501b7088f5950476974ce6096da8924b73cee284ec89bec28fac8700f4534bf678eef80a5bc889e94eecd6e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
423f5d1def69b23388fbaf23d1b9886f

SHA1
c4147f62b417b31b7e59905bbb4edeabf9be3fd1

SHA256
61216b1e8a20471a6779d54817e245820cd1f1f1a30bad744fdde97c9295c36a

SHA512
c0224991d0d2469ec466ec2dba61c675ed3074cc4c3e862f5491a9271342d33d2da7cab717ad6ecdfe99d5d23457e3e8cb92dfcb1b02ff77ee6f2b1242050b51

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
666eb6afd36d099689110036b7d395fa

SHA1
d24351c38c84c9807bc96a5269984022d24f2d8a

SHA256
5e79b0c9303f7a4526521a96d6d09db8c10ec3cd9966cec7d0cd996041f625b5

SHA512
749aa2d04e0a4e52195db318166f04d8ca4cc2c54e2727c1c4fdd0d5fdfb68945f1f6c3da65bdbec754fd7d960a9d787fb27f055a1f1091475af7fe2b011c744

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
a75c120c8cd214e551ee5693c09b1cfc

SHA1
846d3df86fb73dcb72dcf2986e8db89576899bf1

SHA256
ddbd399531b16a7e53881c7a4ce99119d44f5b60b25601c06015800061dcff1f

SHA512
aa7bae608b80b759b3703e6af0b7c44c27cd6c8ccf4d07f323df4edecac6480cc6d8fb335164ec3615beb31cac92e612260c8fb373a20e6bc8923cb99b73b8c5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
efcbb2748f10204306ae79b402c4a03c

SHA1
8fb68cd4d5f7eff71b0081838cb397a152cd76f8

SHA256
d5f3792206763000712f22e8ffb46a9723c394d42f3e8bce4093cba818c9c9da

SHA512
6c2b11fc32697a19d0afceafb06020e6d93a0ab3c52285de069cc78dab72da647a79f016ec4950721b73eea06db139c81ae3deb6df789f90fe602525279a9719

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
876f6d72745b3bc725f03abd75487aa6

SHA1
438568bfe1b1079d73bc4cba84f201af4948af11

SHA256
fa0131892591d3e32c59907b1ef65f3283cad3fc61bb447ad6a53cf37b371a18

SHA512
bb4adafc8f8379b0f3a02d694e53105f9283e10b9070f5b4cf7e7733fb104c47f35cbf2596955c8382bea2a19812355536d17bdc29a0b5f6b98a28596bfebc1f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e163168ce7f3fc711ad605941608eaa2

SHA1
59c8d1eb964c9da7165a12dccf16fa43b4ccec9f

SHA256
559bf18948db6570caf07054d217d9ba36af11163d8c6bc56b30815cd999ee34

SHA512
ecb459d1938c2eb48e9b7c6de5245fd9b70113d54ab8c440e8693eb7ec9cbfb7c22d0d50a84758e3e1978d6b17c8c45c9c15dcba0b5a90b59cb5e51dbf797a4e

Download Submit
memory/2004-180-0x00000000004A0000-0x0000000001BD7000-memory.dmp

Filesize
23.2MB

Download
memory/2004-245-0x00000000004A0000-0x0000000001BD7000-memory.dmp

Filesize
23.2MB

Download
memory/2004-322-0x00000000004A0000-0x0000000001BD7000-memory.dmp

Filesize
23.2MB

Download
memory/2004-19-0x00000000004A0000-0x0000000001BD7000-memory.dmp

Filesize
23.2MB

Download
memory/2260-21-0x00000000004A0000-0x0000000001BD7000-memory.dmp

Filesize
23.2MB

Download
memory/2260-181-0x00000000004A0000-0x0000000001BD7000-memory.dmp

Filesize
23.2MB

Download
memory/2260-246-0x00000000004A0000-0x0000000001BD7000-memory.dmp

Filesize
23.2MB

Download
memory/2260-17-0x00000000004A0000-0x0000000001BD7000-memory.dmp

Filesize
23.2MB

Download
memory/2260-323-0x00000000004A0000-0x0000000001BD7000-memory.dmp

Filesize
23.2MB

Download
memory/2460-179-0x00000000004A0000-0x0000000001BD7000-memory.dmp

Filesize
23.2MB

Download
memory/2460-244-0x00000000004A0000-0x0000000001BD7000-memory.dmp

Filesize
23.2MB

Download
memory/2460-2-0x00000000004A4000-0x00000000016E3000-memory.dmp

Filesize
18.2MB

Download
memory/2460-0-0x00000000004A0000-0x0000000001BD7000-memory.dmp

Filesize
23.2MB

Download
memory/2460-8-0x00000000004A0000-0x0000000001BD7000-memory.dmp

Filesize
23.2MB

Download
memory/2460-321-0x00000000004A0000-0x0000000001BD7000-memory.dmp

Filesize
23.2MB

Download
memory/2460-182-0x00000000004A4000-0x00000000016E3000-memory.dmp

Filesize
18.2MB

Download