55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Resubmissions

09/10/2024, 15:25

241009-stzcmaxhjl 3

09/10/2024, 15:16

241009-snjd8axfrl 5

Analysis

max time kernel
291s
max time network
293s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 15:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

unknown.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unknown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unknown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unknown.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	unknown.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	unknown.exe

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\.conf\ = "conf_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\뻐礍ǚ	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\conf_auto_file\shell\edit\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\.conf	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\conf_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\conf_auto_file\shell\open\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\ef\ = "conf_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\ise闧򀰀退韀礍ǚ\ = "conf_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\뻐礍ǚ\ = "conf_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\conf_auto_file\shell\edit	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\conf_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\conf_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\ef	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\ise闧򀰀退韀礍ǚ	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\conf_auto_file\shell	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\conf_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe

Opens file in notepad (likely ransom note) 3 IoCs

ransomware

pid	Process
4696	NOTEPAD.EXE
2400	NOTEPAD.EXE
4940	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2388	unknown.exe
2388	unknown.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3964	OpenWith.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1768	unknown.exe
1768	unknown.exe
1768	unknown.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1768	unknown.exe
1768	unknown.exe
1768	unknown.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
752	OpenWith.exe
752	OpenWith.exe
752	OpenWith.exe
752	OpenWith.exe
752	OpenWith.exe
752	OpenWith.exe
752	OpenWith.exe
752	OpenWith.exe
752	OpenWith.exe
752	OpenWith.exe
752	OpenWith.exe
752	OpenWith.exe
752	OpenWith.exe
752	OpenWith.exe
752	OpenWith.exe
752	OpenWith.exe
752	OpenWith.exe
3964	OpenWith.exe
3964	OpenWith.exe
3964	OpenWith.exe
3964	OpenWith.exe
3964	OpenWith.exe
3964	OpenWith.exe
3964	OpenWith.exe
3964	OpenWith.exe
3964	OpenWith.exe
3964	OpenWith.exe
3964	OpenWith.exe
3964	OpenWith.exe
3964	OpenWith.exe
3964	OpenWith.exe
3964	OpenWith.exe
3964	OpenWith.exe
3964	OpenWith.exe
3964	OpenWith.exe
3964	OpenWith.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3292 wrote to memory of 2388	3292	unknown.exe	86
PID 3292 wrote to memory of 2388	3292	unknown.exe	86
PID 3292 wrote to memory of 2388	3292	unknown.exe	86
PID 3292 wrote to memory of 1768	3292	unknown.exe	87
PID 3292 wrote to memory of 1768	3292	unknown.exe	87
PID 3292 wrote to memory of 1768	3292	unknown.exe	87
PID 752 wrote to memory of 4696	752	OpenWith.exe	95
PID 752 wrote to memory of 4696	752	OpenWith.exe	95
PID 3964 wrote to memory of 2400	3964	OpenWith.exe	97
PID 3964 wrote to memory of 2400	3964	OpenWith.exe	97

C:\Users\Admin\AppData\Local\Temp\unknown.exe
"C:\Users\Admin\AppData\Local\Temp\unknown.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Users\Admin\AppData\Local\Temp\unknown.exe
  "C:\Users\Admin\AppData\Local\Temp\unknown.exe" --local-service
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2388
- C:\Users\Admin\AppData\Local\Temp\unknown.exe
  "C:\Users\Admin\AppData\Local\Temp\unknown.exe" --local-control
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1768

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:924

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:752
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4696

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2400

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
1⤵
- Opens file in notepad (likely ransom note)
PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
9d17b57e095f9c1f9c53bca9bf4c530f

SHA1
23037d35445bc82d08ba9019924c96fad8f9890a

SHA256
830f182ffaa306abb565bd2c472835b223cf0c90fdebd3629e775683ea6ba333

SHA512
10dfc272bee3a1ce64ef8ccfce7c1d67ee1d4689601ac6dd2fd94b7aa1a19a45e8650c757cbc1ecfa36a92687e5b3c1fcad25765a572ca8c8ea84415579a2f16

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
063b18204c87b139ee411c4ec0ffabf9

SHA1
f57a9ffe539e61941a46c6ebe80de48a42ebf066

SHA256
514cdecb89d9cd8bd9e80fbe09f91e71928e66693cd6e704079fa2a17b1eb94f

SHA512
66eff4fd54ab794af4f2e9a0babf746a5825db7fae495adeba75a6db19d7cc3f9265936344fc8fc7d6f93d15813f3af4d297b235ce04c85004e765a3b6eace02

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
5188b72912773d5291e23e58ecb2eefa

SHA1
bd59f59ab79e73d451d9447ea33930c985aedb87

SHA256
523c6902290bc0bd2769447fb0273860f171dc1b494495e17529fe1a68f97ef1

SHA512
869b0f24769b78073f0e37e92dbc9e43a08a8df63ea2446fd94c2e49868a464cdacdb6ab8bfd82b9f7c75b49cb91754f27943ffb675dec61a923aad2f5c33828

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
f44160055e33602e4b8f8b617ae8dc3d

SHA1
96513e8ded46e21d972f285ef38a5ac0078e4863

SHA256
ba842a1a33cc70493e4efaf09b4605e704ce440f7eeede26964ed88641b5d76d

SHA512
a9105d8c471266e819dd6303db404208669331b6b31037f8599541f14e87e1b82bd18db8bece381771b65ba6c95fb562cd895d412f6381a20e3c78dde9f660d5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
caa0387f96fb06db8e83c5b6e70ae19d

SHA1
2072d3c517ce035e37c78fdd932b11cf5a53c1a3

SHA256
7603c5ed9a8b014fce50d8523416716f298f711162aa18d23f1d433e0312ee34

SHA512
77e4a2f1c35f956a9f5cfe02ffb9ec55454a422fbc7d8d36b070c3043c987608d9957a0d8a1301a965e923aa736b9b5b0763a43da0723c4560339ece060c06e6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
738B

MD5
56bd5473ea6132c5c0373ab8877148df

SHA1
f5bb8a69e45fdd27d1217290150b416d00085974

SHA256
d0b6fd4d72fdfcc3f79d852fc79107c8ed679a4aff309b46c5dfc095f3a52539

SHA512
86aee88564c81153ced74fdd3a14bb2070f8a9214ccf155a45d8c1507ec5e6aee5548997fec6d8006d74fdbc1806723c7749a3919e8d49c869a14eecb9c1ab46

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
d622208bb3fe60fa1377511b6b63a95f

SHA1
2e44fdae2f717510e8f545679dfdba99c490aad4

SHA256
e5d857d6a77b848d3e34a035d497ca59985b5386280fe91b843058c60a15591f

SHA512
ce0a2cef0f8128b041c13b72dac9a4c269ca7de1a3ae8b8071f872c731acbb1b1b58d26eb048b1fa43731d731c957e34088647005eeb9fe0d51a0d7c0dddc112

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
4d4fe0d117fc33ff43a927750b66f562

SHA1
2bc4d93ae429df91ce9892f835e4a78dc714d8a3

SHA256
1f717d7f8c7984cfe86ff0ead10dc6942517a387babe03e1afa1250e3c41c296

SHA512
95f0f72ec4449ddcda7cea8db3809ce8fce3bb59830a5691a2481a34281a1b892c12e26b8076216b80ea5f0b81c7bd990e6eacdcde3bfa28c16371f4b0149731

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
d8fd02bbd7323bf65bdbf4a0d4febbe8

SHA1
e88a659f346872ae3ca1ce211aa5d320049b30fd

SHA256
8281414641befd3ccb7532582403368bd6744d3b5090a86d0445ef1d403ada29

SHA512
53e988d01629528bd022ddd93600a8b795fffdeccd332d084b640895e231873af5f0f726e7798cde5f2a2b0fc95ba56e5add102394f973573208dadb1a0b9754

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
5bef8f9107f58f2707a81af346966293

SHA1
1e81fed259ff3bcc29af1e8a865bb5ee57aac722

SHA256
03c0c05f6b16fbde297da34b22f44dfc24fdd2bf4af493804955cc35e2767248

SHA512
95b6ab4a48688c34f7102041b8e64cfbbfffd455e40cc6c7981fb0e301017a0de72095324fb1405665a919635f0e2031edf9fe0ff6ec49683b67b25378687d6a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
dfbf97790d3770aaec6f9ae2244c3181

SHA1
d3c7e26cdcc43ea9e64b856dd497d31d73e296a0

SHA256
c50a34daa5160b378f732aedc2d5c654d58413bb444fca97b9aa59d10d240983

SHA512
6411c99198f0c25086422f619c1fa15f634efcf0752c99e09440f90e4cdd87152e41d269bc5b86557ac2cd97cb1c51f8ccfbc0c0bda047bf79e4eb7190552fc6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
befe633947f7249575ed714a568862a1

SHA1
c29db54807516766f3a27ad0b0e9c7a54ee6ca06

SHA256
affeeb265b3fac514309af7e916f9a00c1c16ceb26b7d457028fc407b39bc3f8

SHA512
9cd50bbcc5ef0c82416983b2d14c38180571e916761a8206bed561b50c5ef391a80678879f80b7d79c7e214b1b26fec2f7f84b094de6e015f8dcd0e51a126453

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
eecf128a8ca30d69d34a6eb666957bac

SHA1
03c57b054502a7884106a822f7cfa3ec43340217

SHA256
f275281a20557066b00bb1b8ad8d7894cbd0bc81bdc1407976a18b81ec327686

SHA512
f01cda5edd13c756501e4ebbf37fb1eeebdca2c77db1eb372734ba417f062d27c90efc02fba4c3fd468b09144d27b7fc81deb638f93edf33b5a5274c0b42d2b4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a82cfcb031ef8ba6fc5359bc6c5086f7

SHA1
ee6b18e4a53fc4c8f53ae801e75abc1f0f288180

SHA256
f46843e5cb9e02d6d1cc5d986b9ab5aedf6a11918377698cda231dc0335854fa

SHA512
6e687ddea05b377fc3f3f06b297c6207feda4979b774c35b015a64a03a3ecf67b9ffc7cf0b935cf88ecb7f9f87722b8acc18b0857e36e350df09065eb77127a9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
e9d3194b257082fee6c1813bf1dce3ad

SHA1
63f9bce91ef783d1719a41fa410ba1f5207fcc7b

SHA256
fd353ea55adf4df6d8720f9b48e13482c92dca67625b04390ae4625c19ca5510

SHA512
60274becc7501e47e17d41b82e9441edf98a74b8cf57facb396ffb5641cbbf4ea020a2a541dcd483d6dfea05e7094e04d668534593316b5cc97928aabfe39005

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
715b0eee7008e15eb193adb74ca3c2c5

SHA1
13176d0804c20f533c8e9926a47fa43d6e5fb252

SHA256
e19eb7928a7ab5e40e958d38f0c234aa84e4e4ab625eb8610759b7bd365ba08a

SHA512
4d2555bb6a73df50ef718bc8885d9fa530b773edb3c80fae41d78b9b8b941bfc2fc5331f26721ea7b288bf88276b8ccc98c9533bdea5a1804177b5c458ef7dae

Download Submit
memory/1768-15-0x0000000000740000-0x0000000001E77000-memory.dmp

Filesize
23.2MB

Download
memory/1768-11-0x0000000000740000-0x0000000001E77000-memory.dmp

Filesize
23.2MB

Download
memory/1768-246-0x0000000000740000-0x0000000001E77000-memory.dmp

Filesize
23.2MB

Download
memory/1768-234-0x0000000000740000-0x0000000001E77000-memory.dmp

Filesize
23.2MB

Download
memory/2388-13-0x0000000000740000-0x0000000001E77000-memory.dmp

Filesize
23.2MB

Download
memory/2388-233-0x0000000000740000-0x0000000001E77000-memory.dmp

Filesize
23.2MB

Download
memory/3292-8-0x0000000000740000-0x0000000001E77000-memory.dmp

Filesize
23.2MB

Download
memory/3292-231-0x0000000000740000-0x0000000001E77000-memory.dmp

Filesize
23.2MB

Download
memory/3292-232-0x0000000000744000-0x0000000001983000-memory.dmp

Filesize
18.2MB

Download
memory/3292-1-0x0000000000740000-0x0000000001E77000-memory.dmp

Filesize
23.2MB

Download
memory/3292-0-0x0000000000744000-0x0000000001983000-memory.dmp

Filesize
18.2MB

Download