4fa163a7021256ac59e7c5ae1fea21bbfa8f00e20452aa8f8fb250ddcb22924b

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-12-2024 23:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Device/HarddiskVolume3/Users/kusha/AppData/Local/Microsoft/Edge/User Data/Default/Cache/Cache_Data/f_00015b.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	f_00015b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	f_00015b.exe

Loads dropped DLL 2 IoCs

pid	Process
3604	f_00015b.exe
2408	f_00015b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f_00015b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f_00015b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f_00015b.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	f_00015b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	f_00015b.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
3604	f_00015b.exe
3604	f_00015b.exe
3604	f_00015b.exe
3604	f_00015b.exe
3604	f_00015b.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
3604	f_00015b.exe
3604	f_00015b.exe
3604	f_00015b.exe
3604	f_00015b.exe
3604	f_00015b.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 2408	1044	f_00015b.exe	82
PID 1044 wrote to memory of 2408	1044	f_00015b.exe	82
PID 1044 wrote to memory of 2408	1044	f_00015b.exe	82
PID 1044 wrote to memory of 3604	1044	f_00015b.exe	83
PID 1044 wrote to memory of 3604	1044	f_00015b.exe	83
PID 1044 wrote to memory of 3604	1044	f_00015b.exe	83

C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\kusha\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00015b.exe
"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\kusha\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00015b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\kusha\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00015b.exe
  "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\kusha\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00015b.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2408
- C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\kusha\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00015b.exe
  "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\kusha\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00015b.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\kusha\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
9472316a28612c904429af9ad83896e9

SHA1
be7509e0e30b927565351d63c7395c1383971bc5

SHA256
7d3053294bf99cb6b203d1c2d8b9ef1ad04de5589adb59a1717d050a2af2c296

SHA512
8d8ae2ac4ecac048924874f1e678e7dfb09d0e24a4f4ec14ce0de816b688fdfb381158bd6a388323d2c274a8289433f86ab766399a1a9bfe409605a05c8832ea

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
4218bce4c6042b4d7d2ea04724310a73

SHA1
b98722c934a85e8381d45e874c20e3506d880ba2

SHA256
36a8c5d3767dba8111653fff1765d8aebf2981fecd9eb75eec9fef970e2f4d9b

SHA512
ee32255186b0a2eee711b2e1f117111055cbb8ba99f424caacdf63eb55ed289079a6f4ba297b58a965d9954798db2cc65159120e237d01cddcc1ee51df75404e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
677447640e3dff6e0d98e42fb7c13c9a

SHA1
1f072b2d4636856c3bfab1fe0266df07a87e248f

SHA256
03f34af5a39d89a2ceaa19522e8bb86b9767b83e3b27076298c4fca2c978880c

SHA512
703181524baac23c84f83a22552a8581408f48d9fd90df6fb1ddc0a5261deea3191cc3a81a98fe3ffb6c74f1b8dfeb3cadd9c4d64734bf6db9922da3faa72b7f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
068a83e675de9ad3924c650c7dd7de71

SHA1
591c40224b69ab83b76cc27f4ad8d28dc40cf239

SHA256
bdf3eef46f6fcd7b91b1f4ca0c9def4139b9bbb1392fcd5c1e44097ff75a0b11

SHA512
2ad7ad97e49dfec04afd2d57dafa717c5080a7649b54ddcfb88fd2a022a5eb648b63804ee1d6096a8703d46609dd7bc6451af9df2039da0d99c12bc5d50aa59c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
0ef5a2a3cd76bc9287335512fe8da26d

SHA1
b55fa0989f0091c66c3b8d84dac7be85c522dea1

SHA256
32dce63fb34a0ea337bff824d59ac70625f446c045943caa54c7809b5cb23b10

SHA512
a3ee76ea99727fdd31a615d8aa32d20b49324cbef1ad64decc2e6e6e47a4bc968b960762e89c41ee4f32e57929b8112b8d0c097443e20fcc2de67e7a0c7554cd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
823B

MD5
ab6e5f229fdaf3ab9c98c99579762e2c

SHA1
99bbf01aa41999a49e271e71d11410d339aa88fc

SHA256
5d71d13c8ea9adff3a06b9d5240a59bae03e5ed0a1192a1b8c1158a24d0e9b71

SHA512
96306b8b46b916f2415eec4e1f839489cd379f808f4aee3e4230a712188297b9e7d9a3b3e85938b5c06957e9748a50d5e444603bda7f993303d0342d9c4f5cd1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
630d2095cd5692c1b9e64acb123a40be

SHA1
708f5a915a55f7f158b9ca701b05c84166e27680

SHA256
9efe63f317dc110705c634116dfb8050d736a9e6085f47a6b960fba890c0350e

SHA512
b0dd398b5a88293a7aa680115b61707b482b7ac542e5a9e13855a7f4df1c518279e0e0202c4fc2c0fdcc0a8bd9beb037459305b07a905edfb1125e3512969115

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
e402eb925c78a67f36f8675e3c96334a

SHA1
df2192e33ef28aa3fa918d6d944db49cef4f9fa3

SHA256
e8d82d6a6092b948592398a3a2c429610a5b922e8df68b87c2832bb0034349b7

SHA512
d8a4ea4389d0c39c285e26d3f73e66820d54d18b766addb00b601bee7aa147a6b9f1755c74470671451c836232d6e39a1cedbcd51e900b03f3b5425036e6db8d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
d2805e2efb53ad89cdcea1c747648c05

SHA1
91471fb1ee349f81fcfa21c7981b0eadd93368e3

SHA256
74c348b00964a9c8e7666bb69de009172962f63ad7899c45fffce3e669aa691a

SHA512
01984c41aa26a30b484a73b29c0343e9f221f00563e9bccebb4b47a8eb86e032f6df16da96f14c122c20d99b1c84828d52e069c31b4659a09b2786de4297459c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
fce58063c4174b703851fe8becf49cff

SHA1
0cd4f8acf8cca42d8437ecf62959ae98cf0a9836

SHA256
14d2f68b9011224b9087f5e536774e877ccc31fb600b0f071a7ad34134c7445e

SHA512
74e555000e1e8246453245eeb132f6c8d2a57246f72291bb22eddb33db0e1e582f1e9717c7d2d8b037c3a22e9bcb07889decf35f1a00e1f315505c0f07197180

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
2597e911ae183ecf7ef4f5eaca444f0d

SHA1
d600852fc73985b784e33e2b1ecb819a311ffb41

SHA256
8fa85a75bb5d39b86657c1379b705fc70346a17dbbd7399df1c4358493d9a2d7

SHA512
57e799f6e1ec29bdb8b194952caa7d444dc99705615ca0bb7e442fdb4b0f1ff6e59e00152e37d20c648baa07267b170bb7a057becdbfb55fe6ecdcaf17160c9b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
48e055577cbb7790e2f4420a0931dc87

SHA1
9e76440eff85f482aa283028ceb4cc01a4eb3c58

SHA256
8db5ee3e20f9c1fc80309df2c9a1709527beb94e78d4e781f128ff3abaf36b78

SHA512
1659fddabe49420bae9ba125ba93dc19e96ecd5174b6e38b71146a861cabe2adcd91d8dde3d24f055568a34b49745aa64f50ae197ed40885d41f21249f44ea8d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
62120e289d9394f591176270d092b59d

SHA1
e245cd03c4bac80d8073e8e3faa8479e3aa7db70

SHA256
fd14b6eb6761b11687b57f119bf5428e5c926b94aab7afa32642391f84f382ea

SHA512
be7788499cf67f885db06ea5027ce1d0bb84cc79e16b4875312aca4ed1daf08e958ad266657bf84823980ab10706967fd2a39f67e40797e81f94e8fd29df1c5f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
57ad274992de55743ef3042bb28ec115

SHA1
7d4ee0538efd06a0c1f33ddd5f2dc9b99ca9ac37

SHA256
7e8641f79958c0a5ba1e6bdaeb164be533362408d00c75c84f1e188796e50a18

SHA512
b3f80524038aa6cd3586732df0ed74f5ceecfb634526fc9435ab585f1d2fed7840f96cd13ef13064e278da96e6be0d8f62514fa90cfc2654c76a0ea629323110

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0a87b91b95c686cb97a4fd716a02efdb

SHA1
9fd9e0385232a3800e06ea1fefb5e7733ef00280

SHA256
71178debce3cbc2a572267059ea9600201152a2e0cb9114e7a9187065fb80356

SHA512
d52b868efe31917395e7da6e5928127d2af08a781ba9de7d51fae16ac55148f6a3544e27712d40d3452111498b8e38251369c7a0ed7b67bb9556dc991f980852

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
1f88a2dbf61281b4f06fa3c114d91c2e

SHA1
68ca2bc22087113f2d07dcd2811b90ee27196630

SHA256
15f41dc06bfc46c43c8ec23bd2ab93e2489bf71ef56a47b9be0ef79ae0d5acde

SHA512
38ed9e3e3b79f00fb00106632b6e02354990417d5730a3645773ffae11e251b7dffbad82d835e74211e0a53c2d4dce868094946a4d7d5d7b083257ca5fd68f9a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
c34a6416581ff8c7864f38c087bab6b0

SHA1
755a2fe09ffd0a72755d033bf6ede620b5659366

SHA256
56029aad7eb7d1fc37ae84d6b966ec61a538b75b9253c9c0e1a9e009bb1177a2

SHA512
b0a2d77d03266a77fb45c4d4058cb75d67d1b4289ec8878d0a958f61de9e626e914322d9dd3d7f76dc6b7437ac53e1c45cb4009d69a428174336f21c99301564

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
d4edc9d97b71212270add436872cca21

SHA1
7e3e733310950690bed7acabfb7a65826870fd58

SHA256
1669e89eee116e2525996382e1ec2b60479cf8835c6d3f335b50e511e827a257

SHA512
16d921bcd94589b2a53dd09f782e407bfc92166d9639e304cf008aae7db2a555b1096ce3fef2775b18b011ae62b878d69e3abcb9f9ad846c4cea4f785e015858

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0508b5c42eefff613dca8e7c6596ee6e

SHA1
1595819960cdc2186867ce0cbd62f6f9a6715ff2

SHA256
7c4db61cfe1b41346a545b4fb5d00369ea0ca15ce0acf432b5ee02d66a1477ed

SHA512
87ee02986278c337534bb8e37ac8e960c91173fd6553a64792620ae85fefc023f3454863680ca808e77849108bef173100d8497ffe8dffd7b4d62c4a78c5c642

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
611de2c11948980c49da3cc95acd51b5

SHA1
d62dbe5496a1bc1401a5efe7051ba5a96887a7ca

SHA256
1436c7d2767377c3d93fe0a7a82513781737c3d2d0ed1fe401dad597c3f9536c

SHA512
bfd6fa2a483f74446b5ceee37b1f642b9a8ca884c8113290dbf8e896f52bb6c3acabe3f71afa059778e903ec90d586c500524562b8ec92c34866788467ea0afa

Download Submit
memory/1044-0-0x0000000000D94000-0x0000000001E96000-memory.dmp

Filesize
17.0MB

Download
memory/1044-7-0x0000000000D90000-0x00000000023D2000-memory.dmp

Filesize
22.3MB

Download
memory/1044-1-0x0000000000D90000-0x00000000023D2000-memory.dmp

Filesize
22.3MB

Download
memory/1044-237-0x0000000000D90000-0x00000000023D2000-memory.dmp

Filesize
22.3MB

Download
memory/1044-240-0x0000000000D94000-0x0000000001E96000-memory.dmp

Filesize
17.0MB

Download
memory/2408-12-0x0000000000D90000-0x00000000023D2000-memory.dmp

Filesize
22.3MB

Download
memory/2408-38-0x0000000005B90000-0x0000000005BAB000-memory.dmp

Filesize
108KB

Download
memory/2408-41-0x0000000005B90000-0x0000000005BAB000-memory.dmp

Filesize
108KB

Download
memory/2408-42-0x0000000005B90000-0x0000000005BAB000-memory.dmp

Filesize
108KB

Download
memory/2408-238-0x0000000000D90000-0x00000000023D2000-memory.dmp

Filesize
22.3MB

Download
memory/3604-10-0x0000000000D90000-0x00000000023D2000-memory.dmp

Filesize
22.3MB

Download
memory/3604-239-0x0000000000D90000-0x00000000023D2000-memory.dmp

Filesize
22.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads