4fa163a7021256ac59e7c5ae1fea21bbfa8f00e20452aa8f8fb250ddcb22924b

Analysis

max time kernel
143s
max time network
156s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 23:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Device/HarddiskVolume3/Users/kusha/AppData/Local/Microsoft/Edge/User Data/Default/Cache/Cache_Data/f_00015b.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\Geo\Nation	f_00015b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\Geo\Nation	f_00015b.exe

Loads dropped DLL 2 IoCs

pid	Process
2424	f_00015b.exe
2556	f_00015b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f_00015b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f_00015b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f_00015b.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f_00015b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f_00015b.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2424	f_00015b.exe
2424	f_00015b.exe
2424	f_00015b.exe
2424	f_00015b.exe
2424	f_00015b.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2424	f_00015b.exe
2424	f_00015b.exe
2424	f_00015b.exe
2424	f_00015b.exe
2424	f_00015b.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2556	2412	f_00015b.exe	29
PID 2412 wrote to memory of 2556	2412	f_00015b.exe	29
PID 2412 wrote to memory of 2556	2412	f_00015b.exe	29
PID 2412 wrote to memory of 2556	2412	f_00015b.exe	29
PID 2412 wrote to memory of 2424	2412	f_00015b.exe	30
PID 2412 wrote to memory of 2424	2412	f_00015b.exe	30
PID 2412 wrote to memory of 2424	2412	f_00015b.exe	30
PID 2412 wrote to memory of 2424	2412	f_00015b.exe	30

C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\kusha\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00015b.exe
"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\kusha\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00015b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\kusha\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00015b.exe
  "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\kusha\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00015b.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2556
- C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\kusha\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00015b.exe
  "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\kusha\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00015b.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
cff461e44cf1abba057ae84830e3387a

SHA1
3aac90757b846403a538217be668ec6239102660

SHA256
b83c2f5a28a60cc7ac174617a6990c05a97dd748150ff640e3b8761c868a066c

SHA512
f5dc3a2555c52723d72857e80461212b8a20bb81d6b568024082c35a9f08cdc3e67bbb722167c8d8e609c0659c93fc13bd9a98048c7f2d6ffe461cd1dcf1ddc5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
57908397dfdbf36c29398e5db5dc0bd8

SHA1
d848464801caeb90beaca1418ad056743f121db9

SHA256
837d2073774eda5d24fd891f59748ff387dc80cdcc6a01378c5e32f5646a131f

SHA512
307b2f388e32b20e61b785a1a694e7e76adcb1a00fa3daba10d22fe3d4198264a228a12da5ce5a6fbec0d6a884fd786f901dc7b659633a9e1c5350a9a5144696

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
6abb8efdd9362736316b3a4167d57f42

SHA1
1fd3da84389a87379488ba2761db359af742385e

SHA256
a229419164f87b986c2ee93043b9369e0e3a677ee959fbb212c063b2c02850b2

SHA512
fcde3ff9357631ef2fb8c29a8c62eabfa9956b3d30b1c18011b17355b747e65b0124b6f5b0eb2f47ef612a3ec576bc6b123369a2bd68bdd5c57456f76cf977e8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
5c6ba8e32c9c2dcd86c10cd3b22dbe65

SHA1
c6e5d4e035cb708b612d3a3715a9d26ea8740e15

SHA256
d1c88c534f07ddbde4529f23eb22686212ec45416af84c536db7761472ce2c4a

SHA512
21d5f383389f7330676d7f32f6b883b7856ece667a1c09241314a11fd86342fd19b7a7ea5174f8f90fd379d97c6bd61e5b7b5e98c47285bd5969d3f4b3e1e9ca

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
831B

MD5
e69d72eb4de7f7397b6fc237d4eebe3b

SHA1
592aaba1471c625963804ce05c902227dbd916df

SHA256
984ca1993811c6627127ac900132aa2ded2cf79b2ea4d080e7896e05278ccd48

SHA512
c54a9cdee180a6a12fb19e4adfd7d5822ac144727bb8a4a2597ca1d7f995d40ef4bf1fc01f9327dc5d062d8b273746f487438441f9c15d9771b4b859e460cd61

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
46309ffccb1658bb61fcc653c3e36f78

SHA1
b826f9a5c4d87d74d2a700374fcb532995124c47

SHA256
ffed7f1e794037341d5894fc515e787723f9de6c6bf1f4283caaf2206856d452

SHA512
cec40f697630398016d90551f94dfabc2535fe3434ce752d30d0d4485b282ed3fc8157c2f0f2c284edf8a9a833187858a07d6565658792af5bda0bf273a7cb9e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
9889732234c31dd064797689a554d543

SHA1
e29245a5212ee8b77beecd1cd043a91711918330

SHA256
f1fc9096316e20b167c9d85615a8971370078a2d89e8dc0db2562b966a7bbbf0

SHA512
91ea162b8c8590defccda141358f7d71aa8f29aba1e0e7dfdd60f61674e2b34ec5361d5f7b6104fb961f63cbd1e258e66bc36737d7ec1c28e4c46d449bbebc09

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
16a021a5fe2af6f980208e937758c9a9

SHA1
4138748f3df732f3634d9c0fa86e3c7366336872

SHA256
0a9602adb5f665709d7d04d977cbb852c0252c99fe73daa5c4ecac73b0761daf

SHA512
7a7baca1facbfa09aea887460eb34d0a79ee3e6303ee5c4bff1dda2353d4c43c4069e9f2e9099fc7c193c80e73b300221f0a13093785d450b13d6a6065b0f5c7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
58c637117a0205ea949de7cb08eef484

SHA1
3b20073a779e8166e1d03ba6b1de85a8ddcb18b3

SHA256
9421f8198f711f22c0f9034c91dc66b11d62a5906a6fdfe9a2cc4d2fd75fb47f

SHA512
a524bdcbeb3953280ffb11b7a5aec23c0f0f70e69484218b03b402dc69da7ce01a80c37271287e63eca1ce32d36313c2135463fccb5a5d0037cca04f23d05534

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
416cbac61b58bc21cfb7d5cd8291dfae

SHA1
52578ebde6f841fe3d35237cfa856208626a0e0a

SHA256
6375e48889b8e0b756a7ee96e8a17bfd7d0f90deff203e763a8e132421b01055

SHA512
3d57187b0bb5cb8301cb76aa61349a7095064d2a50e7da204f1e2346fac085a9e73dbb7d47eb17571e1c4cd2227f92afb0a70d0e3a4e01f0966ed5d8ab29382c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
fcc7448cc7c8547ae9a4cfb5197f8fed

SHA1
4ae552f884ea00f0e3cae8376290704c35cb3f05

SHA256
869d2e01ed594ecd5b408700c974a2f6654343827085c4cc32c2a2ed84a7008d

SHA512
280063c8d765eb43fcac26a66b6a10e6140ee64c225c6b68a4248c2cc596f072f3addc3770251daa4fb6380488f122df90ebe3e366f80cea611414e910841a6d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
87d6b0c3197fd560381228f61d990836

SHA1
75ceda6d26e5c4a9812807adbe0206b46468b2dd

SHA256
accfffbd8f0a5667fc1574ddcc66bfc106c5168cc67900f51a07cf738409df24

SHA512
dc5bbb96a93f426cee7855481330c435bf77c3ba9a2eaa0fb01417782cb655232d1a3785989dbd7b720df56dd40d7851f9c41484d07f04d370c47710168d1ed3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
e34927d8ee32b31ec0a34c88a29aee95

SHA1
9c7eed549b8190351207c98aec24a57b4e5cceee

SHA256
2bd829287039e06105e6be0e4035f1040465d20183e93df85102ec934adcf052

SHA512
7746cf0d38f731e1446096326a40d74c7807ec66b0699b65a86c6df40b0dcb9372e9f2353302879b254cc6435ee058cc78204d90b65f989f25dfb5099220de7b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
04f63928adf53bdc157fdfbde01e164e

SHA1
c3c82e937f0e4f5fecc35f4ac703e470e9eec650

SHA256
1a505ae9284ed1d5ff072bdac614e91671aab69986310184b44aac80f9ea47ba

SHA512
24d25654df5f6873eb7fa3ef5db2910d4ed02bc2d0fb0ef99d485216142e699124a97ea9ac3c1b2f42e4b429d13ed22120b37597f6c907f6d1130c256d1ed543

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
a2d32aec97a1273a66898f9acd51566e

SHA1
e0452e253deaf25aabd7c27e73c3117efe80962c

SHA256
bfcb5288f4e5c9b9919c48e4c7c982a82aa35c39bd6f672f3f49a4617d98b64c

SHA512
22e3f01a3e1a0f5f11f24476572d7426962bde93f5eff06c988a79ff222139b94cba7e5b7bb64274a202dab35ae9347c04ae32f0616c1f45cfdfd0183e3c0333

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
abd874bf5b65141ade22cc6ec2458a30

SHA1
895a1a3615d201599297234b3a462ba4a5344719

SHA256
40d8100922daab48514366286cbe94a90a93ff2b5e299534b0de2218defd79df

SHA512
0611e735ebbcdf29da0bec2d2fec791bd41e41979ef54b046ffe8d3f6a718807a29dfbbc33e7cb80f759a91e6d4084f00b2abf20952c7bcbf1cc5f949c9b0b7f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b13c7f99cfe40288c90dd32d742dd936

SHA1
af1ac8b45b10104a43f8a621c8770d4e99d73c72

SHA256
bf5fb52b091c1b174d19c0af309326a6c7c8ba1c7ac991774c81072f42998c85

SHA512
123aadd6d59650f0e4470ecc85e92fe3b6761189bbce8a9b71c8d9647b6ea1b95cf65ca3ae555009bde284f337562b41d4500582fcff65fa92e99d8291feebc1

Download Submit
memory/2412-260-0x0000000001084000-0x0000000002186000-memory.dmp

Filesize
17.0MB

Download
memory/2412-0-0x0000000001080000-0x00000000026C2000-memory.dmp

Filesize
22.3MB

Download
memory/2412-2-0x0000000001084000-0x0000000002186000-memory.dmp

Filesize
17.0MB

Download
memory/2412-5-0x0000000001080000-0x00000000026C2000-memory.dmp

Filesize
22.3MB

Download
memory/2412-259-0x0000000001080000-0x00000000026C2000-memory.dmp

Filesize
22.3MB

Download
memory/2424-15-0x0000000001080000-0x00000000026C2000-memory.dmp

Filesize
22.3MB

Download
memory/2424-262-0x0000000001080000-0x00000000026C2000-memory.dmp

Filesize
22.3MB

Download
memory/2556-17-0x0000000001080000-0x00000000026C2000-memory.dmp

Filesize
22.3MB

Download
memory/2556-261-0x0000000001080000-0x00000000026C2000-memory.dmp

Filesize
22.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads