55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Resubmissions

09-10-2024 15:25

241009-stzcmaxhjl 3

09-10-2024 15:16

241009-snjd8axfrl 5

Analysis

max time kernel
163s
max time network
159s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09-10-2024 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

unknown.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unknown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unknown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unknown.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	unknown.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	unknown.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
976	unknown.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2168	unknown.exe
2168	unknown.exe
2168	unknown.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2168	unknown.exe
2168	unknown.exe
2168	unknown.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 976	3036	unknown.exe	31
PID 3036 wrote to memory of 976	3036	unknown.exe	31
PID 3036 wrote to memory of 976	3036	unknown.exe	31
PID 3036 wrote to memory of 976	3036	unknown.exe	31
PID 3036 wrote to memory of 2168	3036	unknown.exe	32
PID 3036 wrote to memory of 2168	3036	unknown.exe	32
PID 3036 wrote to memory of 2168	3036	unknown.exe	32
PID 3036 wrote to memory of 2168	3036	unknown.exe	32

C:\Users\Admin\AppData\Local\Temp\unknown.exe
"C:\Users\Admin\AppData\Local\Temp\unknown.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Users\Admin\AppData\Local\Temp\unknown.exe
  "C:\Users\Admin\AppData\Local\Temp\unknown.exe" --local-service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:976
- C:\Users\Admin\AppData\Local\Temp\unknown.exe
  "C:\Users\Admin\AppData\Local\Temp\unknown.exe" --local-control
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
2498f5004b8fd326b0732826881d0a74

SHA1
7aabce23a76166442312f8601801ea32bfa8dca0

SHA256
ae0f5dc7df19985f7bf57d6aac3acfbafd51c5f6e38c93e541ccbdc4d093ecf2

SHA512
ef732ff4fd4deeee178061227cf2bf68faa5677230b2692a5a6347021bbf00d9b81e84d961adf844cca5ba2f71d7ff7161490ed87805ea842ed113722730bd8a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
4b5e5a6feb5ed5c0070e69f488d5803a

SHA1
ac7547d8b1ae8e69153c6a64895f514dba6ea273

SHA256
591341a0ccadd083dd17b50a0960cfc2dba56c310538c7d29a0f194a0b8bcbfc

SHA512
9b4e9ef84bb744c7eae95027dd30cd128f2f36ec2cd66099112262f0d85a8552cedb9d90816bb309ff96d7ecbc81390b5974838036b5fb63776431a76f7a95f9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
f08f5f7adedc3ad474b2d17b5bc284c1

SHA1
390f5dd09223abbc295deba24b1e7943940380c0

SHA256
fad57b1898bd208c8e6a58d512454e8acd3acf0864aa3da96095ae4e57e564fe

SHA512
d0a4a9caff2b41c208ecacc81af09bdb6de5323a966db15af040bbbc8f7b17e00fe4d0c2a5bef266533204ec1f22f6ab08a13af8b4169fee9fc4128bc5c33b2d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
ff3b40290ed121c52a8d46e4c50abecf

SHA1
5eeab0638143eaec52badbe28e5cb67f44463918

SHA256
40fddbd1c6d49da33d7fd1004597ddb5872c1e101200f09f1a4f53ba865a4adb

SHA512
b1abef959846db77f83876ed02e2e884b9723a9438b288db4facea2db8ca38a6506eea346a752cfed44f983b8e19485a8fdfd80d52058e64548bfff83dff21b6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
cb895f579f33652776c7d9dd8668660b

SHA1
950ba541ddc618328b5e123e9a73086c193b0be9

SHA256
532b2323f09616357a2fe9d442fe469843d8135f5b92acf7c3dfd4349e4cb419

SHA512
ccb7dd0a57b97772626e7b176eb0e8c8f8a0dd8b387cdd3a4767cbcd6279e5a2f611da14d594952ad8ec23a55224159e4eaa277be2169801e9ba839424cf8cf5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
352d31e4c6d241a0f4031f7d28db6f66

SHA1
3be77d21de68990315aa76695d11c7d095f552c9

SHA256
f4629f3ba4ba194223d6111e1c79780b9cf8e0da8ee270956325befc9b978443

SHA512
37f228dbe1cc0e4fc2b7491d0fb8ccf774e3b91843edb3c3e44d0a6f58d7a124f5360e07c24aedb88f23d29824fecb98f3564f103dd432f687c17761e668bff3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
29892953328305a945101470e9173e57

SHA1
6fe738c01478e19c7008d115a54da1caea7410fd

SHA256
25a4ee5ccfdaf2952cc34b090cf715d7ae94b8ca891959f2fe1035f1daa0b0fa

SHA512
046b5087d7c4ae69023a74ed21b25d39dbb1a19e695978fdc12a8caf7adf431a51d8e89dadf1e98543f505a35432df8175111f83fa0f2bb6168a1c4572cc368e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
44a0cbf991eacb613ee0b138592849db

SHA1
c219766b8fc9e07dba828c3ceefe48b062f51116

SHA256
da975f519499e551167b62ec2320930ec5c037bf397667476e39768cb8678337

SHA512
bb1fbbc2b226fb3a784ce076818514192b9497fc0c09d70d857f1135404f23c0fb4275d29bc789d23db5f857052a3b908a587b543307f4744aec79c4defeae8b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
001f3a8fe7e880e5b47709b3a737fcb1

SHA1
26f98c9e7ea6b4556c4bb1d123626baefc6ed80e

SHA256
418731389a4479d78a885a3aea3307b77af2fdc7906bb0073a66e3c2890df808

SHA512
53c88685626f3cd406edc278c9a9886b962413a124032ddff8f581ff28de1c879ed375d52b537aff3f2d53950f2a58208ae9b0afd66c61168434eee86abdfeea

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
578abb4c6684906584874147fd4cf342

SHA1
8663901c5b3428affaa44af52f54b112f8fc567d

SHA256
87ccddde0e6a7e17ac3d50962f465a3788ff2decfe809d773191c6ae5b843187

SHA512
f10f6a377bbaecdd8664b82b4d5649cfc8cd1c71a2cc7bef4c59a8122365e1e539561e8fe2ed968013ce900086adc27cea817ea16e85b4bbcf1ead238b57cc91

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e053e58f3e1b9ab35acef80938162fc7

SHA1
dcd5758f64d3313411646153d87aadf970b31e39

SHA256
4efc7126ec054331334ea7b24e7f7056ec2efd2f0c050e8b47ed26597f60f9be

SHA512
3361379872367a88998edcf7b57fa3b16ac66fa6478d11adb7fd772a5c7d7e14db7e07799b197fd0da22258aa77656240796a74aa5c03baf2d10d808c5ce7234

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
4863b28a43d1404ceca27f2a419c3a9c

SHA1
d62449d03682b083c408bc94bc7ced16b5e89f21

SHA256
640abb76db47434bd73ea0d7aad2f9f5c636876044cba6817956522169cfa86f

SHA512
e042fcb545c9d22f9a56baa8fe53dbf03bb6a4c01062ebb2ad1b87b1f2d7ee6596b12d029c703772c5bd2922b28f212d8d091a804bb74f9760c0414a26a581ae

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
1ed69e9e12f4f90f57a3a4c295958a22

SHA1
9364b7d1f716363850abe3a9dedc6079dc1e7d55

SHA256
6478cd85665c3a262c8910e9d8e8b1b321598dc9f523725926e27ac5d41f0399

SHA512
daf62ce1cd92f7707b0616aa8a003ef1de2808574f0e0ac15d333d80f1ccd1556718b4c8c938a66a0e891113259597e5ff69a7897c88f5595cf0be250364c6c6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
22666c7cb0f89fda75466e9a67d815c3

SHA1
e6d29c8de6d797ac1b50622f2367bd50f36c4401

SHA256
85cad96104fb823d8e927d9044d83e69412f1c152316f4d1e1d4e4b79f11a4cd

SHA512
620579b2f1e4dd022a466155f617b1b393c50a845cc0f77d5049b740a81ae41b7b47b7c2ce7f560726313d2ada6d7612d3af6793812f659edd1cd5bf9baf53bd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
b2cf5b09f1fa53cbd6d943ba18d05122

SHA1
3dee5849b9a2c72643fe5ca99ab82c8d2facf048

SHA256
2e4c125bb4ad62a7ef070eac379d1d17f62a39f6bf0da61504b1a79fb02fabb5

SHA512
c73129edff2a293621c3230a36662694992936a96c7a1e52ad82f2017a527b6d4d2a3670b5133742ba54ab82b1aeb012830409015437dad45a6dd687dce33d9e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
8ec82bfabe322be5c8b2bebd4edb9252

SHA1
4942f03d6e792793a5884a0fc9dd1963b07e56f2

SHA256
9f6243c6c18880c4811cb080f32d9617cffd1740a1a0b7c8ca0fc971f284b432

SHA512
032a31f34c639b76b92162d2b5696d260ac350bf4ba533fe4a8b8a067bdbf7f78554e4928b38d5ce2b48c3f99aaeb680eb4d02ae11d855f8910a0b6ce2e599d6

Download Submit
memory/976-11-0x0000000000910000-0x0000000002047000-memory.dmp

Filesize
23.2MB

Download
memory/976-108-0x0000000000910000-0x0000000002047000-memory.dmp

Filesize
23.2MB

Download
memory/976-306-0x0000000000910000-0x0000000002047000-memory.dmp

Filesize
23.2MB

Download
memory/976-154-0x0000000000910000-0x0000000002047000-memory.dmp

Filesize
23.2MB

Download
memory/2168-307-0x0000000000910000-0x0000000002047000-memory.dmp

Filesize
23.2MB

Download
memory/2168-109-0x0000000000910000-0x0000000002047000-memory.dmp

Filesize
23.2MB

Download
memory/2168-13-0x0000000000910000-0x0000000002047000-memory.dmp

Filesize
23.2MB

Download
memory/3036-0-0x0000000000910000-0x0000000002047000-memory.dmp

Filesize
23.2MB

Download
memory/3036-107-0x0000000000914000-0x0000000001B53000-memory.dmp

Filesize
18.2MB

Download
memory/3036-6-0x0000000000910000-0x0000000002047000-memory.dmp

Filesize
23.2MB

Download
memory/3036-2-0x0000000000914000-0x0000000001B53000-memory.dmp

Filesize
18.2MB

Download
memory/3036-305-0x0000000000910000-0x0000000002047000-memory.dmp

Filesize
23.2MB

Download
memory/3036-106-0x0000000000910000-0x0000000002047000-memory.dmp

Filesize
23.2MB

Download
memory/3036-124-0x0000000000910000-0x0000000002047000-memory.dmp

Filesize
23.2MB

Download