fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25/01/2025, 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\Geo\Nation	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\Geo\Nation	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe

Loads dropped DLL 2 IoCs

pid	Process
2160	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe
2020	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2160	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe
2160	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe
2160	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe
2160	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe
2160	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2160	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe
2160	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe
2160	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe
2160	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe
2160	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2020	1736	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe	30
PID 1736 wrote to memory of 2020	1736	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe	30
PID 1736 wrote to memory of 2020	1736	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe	30
PID 1736 wrote to memory of 2020	1736	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe	30
PID 1736 wrote to memory of 2160	1736	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe	31
PID 1736 wrote to memory of 2160	1736	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe	31
PID 1736 wrote to memory of 2160	1736	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe	31
PID 1736 wrote to memory of 2160	1736	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe	31

C:\Users\Admin\AppData\Local\Temp\fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe
"C:\Users\Admin\AppData\Local\Temp\fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\AppData\Local\Temp\fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe
  "C:\Users\Admin\AppData\Local\Temp\fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2020
- C:\Users\Admin\AppData\Local\Temp\fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe
  "C:\Users\Admin\AppData\Local\Temp\fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
64KB

MD5
ecb9969b560eabbf7894b287d110eb4c

SHA1
783ded8c10cc919402a665c0702d6120405cee5d

SHA256
eb8ba080d7b2b98d9c451fbf3a43634491b1fbb563dbbfbc878cbfd728558ea6

SHA512
d86faac12f13fcb9570dff01df0ba910946a33eff1c1b1e48fb4b17b0fb61dded6abf018574ac8f3e36b9cf11ec025b2f56bb04dd00084df243e6d9d32770942

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
4KB

MD5
5f56302b24d5a132a733861803b079eb

SHA1
0e171bad47eaf99290e13e707fb689d350491252

SHA256
014958e79d21fe8b1981e60d7e134f4a668f0595ae25651c85f1b64160ceb577

SHA512
e78854fc92a43130b9f65302b678c666d903e18046ccf7502906e935263ed51b6b3cbb3f72be1a74c63d43682e2327e0c1ba5939b40c673235fefc7faf0da464

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
7426d9a7c4bccd9aa1ebc48958fb2b7e

SHA1
124b7ab84d66cc0a0f0c6fe6edbed382cbfd6b08

SHA256
86f60a8128b0dc692554baeb8459a1873f86c5b46e27eac9cb3038b7ad7b5c56

SHA512
de2912da2d4c75e3cb5e190db2b4ec4ced22c757e247a501230080a7686a0bea976fdc7bd1c70e9424cb1be2cdae25f3e92ae33614a86a01e0db3524061ba2e8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
981002fe5d085456b5e99b0c165f5d2c

SHA1
d265024ac6df8425f5cc4b90d437b35971275282

SHA256
27d45ff5116c89dfb312ff2eb0edcce481c03c9b42575e9a7db5a321b2d89034

SHA512
1071487ba36786bcb4273b05975424be90b769618801f5c88af350a45a33d4d46bf7617c453031c6b0fa09623dcd3b2e91913f414f84cb9976c1df7bb812dfad

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
4423fa6c3c68062638bdabee90624e04

SHA1
f7246004249419e40eb8838fb38e0efd7947edb9

SHA256
f514cf70dc43c1677e28c963152149d4bfc7f5e8932daed9c632a35be2a1adf0

SHA512
d4d9e482af244617b4e34e2eb2432b5de56667fd8030df6036f70af16f97352178209b26f7b3cce714c5fa7c0bb0dc215fe02dd8227b9cc454c967ee0047c4d1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
4c8ee43dfb4f195d0b727b28f4949080

SHA1
ad8f62fb8b46f8dc13dd6fea58daaade74d30a92

SHA256
2e5bbf73fc6869b4d4ca2fa56ea25977bd3508cfb7ef98b10e2fc5b25c3062a8

SHA512
3e2384b442e2f69515f06b8515cef817096b52dcefcee2a8e69e0396a8d815cde31dae7065c61eb6b20f8363a672b3489cfedcdfd8a5a9ee0df8b8ef9ca63580

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
583f2f5a13ffa87918ecca64228da260

SHA1
878347d1bc48b9ae8084d64d91f4433c45329041

SHA256
a5507f3858a909bda42ef9730c6ecfef853d1e2444c999676b9adffe0ff040ac

SHA512
6b663c2773c98cd7c64f275fe60e58a3be2062e5f6279cdd92a36f126a9385d112491d8666ab2309e14cedb6dcc09f833f3c7368956a176a2006be43099680fc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
a39b5f52eab7b3234d7a65c53199493b

SHA1
37bf241350d818f6a53464ed8efb8167e1774ff0

SHA256
cd342b023e71b8a77ee7a2579b7298cdd651d00bf2df03b368320ce86797d741

SHA512
fcd75fa0058675d85457e545fc9e45c79269bbd77e08b09970fa3e488273eb0eb69b5640a13575c5138e4816731a21a918244a5d5a16d5811d233406722ffa8a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
658ac39df832f992a43c243596b8914c

SHA1
5f01dba2a8639acaa30fc3df7470863b233ba053

SHA256
7f7fd1611033e16425b0eafcfe1f5bd2b01ff8283a159a6b3a4e7a5448fe2d2b

SHA512
1182fab154f2b0ea19b2e8d1c1795ba39c939550a3287c55522cf4cb57e354ba099dc871267c5ff0dc83140c69a051a1b122c55f8cda8fca1fb3bb6e3b319031

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
fe2ed8b89df21b916ce85ca60ff48c21

SHA1
ae5d09116b0d44099d1c4427d111f1655444a84d

SHA256
caf49a7b617e64d88cf463e7ba0c5969259ab9906be59b02ad2a4dc297a87f05

SHA512
b675edef19c2213473c58f200c0e7cb67c912a7d931b9e958114da69b7ddc448e38c29d8132c81fc08ec779ada7e58136411cbd139732af0fcef156d8a74df17

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
00d3c3410167f9d2b5535b8a8e6365c1

SHA1
eb497a6fd4611c75840f15d885ecdcef36c5f7a9

SHA256
7a8b1ec4ad7e8ca3abb8f76bf511d64a0008935344a94c7c9631d7b54c63feac

SHA512
818d96481f10b429d13ca853f9cd94b4ffab137fb19d587838618c1b8aa599018f1253ece763fd9e6908b93e2c68d74379985bea023afde0bb2319930fd841a8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
512cf4603552d82d3cdc2ef5d1957cbc

SHA1
597358fb5571f4b03e4e90f3d989ca0d572573d5

SHA256
b307204528a786c9d24b25244e62f611d48a30ffcc5e783b357abd62c7b8e4d1

SHA512
ba7e54cec98972b230e4fcec8c47020f10e0abd55dfec52c73aa2c10a64205987c351fdd43abe86e3072e9467b1e9aba7de199a7818acd37ff7794b5e007161b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
8bc7859c489990f95cd577979e253f28

SHA1
b02a48ab470cddd9b21f6a8980112b437c34c793

SHA256
1df5eb6917448bc36655723ff65eabce51b6ede8a1a567f0dceb061143b250af

SHA512
93727d52664d613672d6147923797a99b2a93b95ae039258484542f6f6d3c72d0f8b1394aea993181d8c312393aa5f39ca5377ca2fe322568de5075fc81e84cb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
06bd0560bc414a4600dc88a4fbbf3c12

SHA1
0796a0237a010d97bffecb9196a863b05f0eb089

SHA256
5ff98265c4d6b5b5a7087e04aefa3c7be68f7b5ecd04d98886c7c74dd96694fd

SHA512
907e10fb109cab88f8934890add71647c3f54603e497a5d5b6c973362de8a3e09b663ef9f54838a40a0ebc4828814c8c9250d171495fcb0c528dc8d1dd465fee

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
9bf75c32ba2ddfb40665e76ab6e9f84d

SHA1
7ae12fc53d6a6192189050e81714de202ef3185b

SHA256
9fed26a06805f33e3ed5157c548996898bb30e4cf7f22611584efc1d3598fa78

SHA512
cb01bcee62fc8c73926b3edb5e84fa91dddd128473a06d1355293759f216429648c8eea7f4beee6fb1ece24bda27515e10e82d7d6cb57297ced3002634973c1c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
9d2d94c42e89b855eb79a3134cfc272a

SHA1
e81f090516517cc4b4cb5e8bff47cd1770a0aa40

SHA256
39cec74440424d9cd59d1b922aab25011be921eff37e104f8c52f0906baa0a7c

SHA512
ae609bdf922f1bf2a4a35c10ec3f27d3680c8058afb321077e81848cd10cbefabfd81cfdd7acbeaed156c4d419dfc4d52a777880ec044459960485c769b9609b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
0c661e30e038b1563ddf8bb8af55c04e

SHA1
54146a10bc8cce4870e7b172f75697297a0896c7

SHA256
5226c8be2d167570aecb8618fa12f2d110d940ca7cfae91b7b654db142545b57

SHA512
f4190fa7ba22708ac464b293d5c5fca5dcfaf9cb5c80370a89bfbeed21859561cfc3c79ec62fba3505dbeea01d2a301aa1ec97824e8dc2433f2c443b4464802d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
53e98ab8b59499661c2cf7e1d50bbfbc

SHA1
62ea1a64b424e85090c6fabaad0e1cb20d8be92d

SHA256
f348ca9f88626df3ab436124c6c7bed29aa3d662e1a2cc71836288e78b7449b2

SHA512
f0b13719ea12e9b17d42fcef2b067d2d9abac0d736bce48617ece80a16151042caa0226c6346213bc6043c43eca64f8baac0597a1a49b85f0208929aec0463ef

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a103f4d3beb63e2fa97a136fc2ba6bd8

SHA1
42bb4b3ae0fba1f080b4b618af72a005e21f1d79

SHA256
15b009135b64525b21125853075fe199a84b3e3b0c9d2d43fb6c58fdab2c2d03

SHA512
701457090f0dc48583987bc2d9562ed2d13211c90f0490646f478c072e770a274a8d5a7108476c7a586fb04ae6baf10014af3d665e329e91e0ebadffa807b512

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c949fcfd43b4f1d4422956a9a1e5a723

SHA1
a73523486746016f1017cc4526ec08bb3628d851

SHA256
0c8116cee6ae5a55d4ab54cd4dd33bbc7a6bdf7f8d81c729d3e2048d1a948a45

SHA512
215e0fcd3dbb7b21c20e82d4769610389bbe07cdfe3cd06a5f40aaff8ef02eaf4f1dfe3c4ab3d32c6f2b52dcf08937d79090a5cfb14a40c549c3cbf18c507818

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
4750a6b3fa1f6d3e4067eb553cb18008

SHA1
97ad5d94b64cbfb033a64626f578d3bff96390b2

SHA256
63e80bb257bc9872a9a57e76a8ecce865878774d72f9660d96c75fc85c701ac8

SHA512
958b51385a99fcb288e89f0333df63f9f496b67b56dc95cee7cb1965e616a5d5521bd1423b8402a651555b650b3c02f691e3fa8ebbd72786c383670477dfcaed

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
06eb5f6a80ff155119db08486433e853

SHA1
e805143d824756eae73fdbc59e8b9a86c417870a

SHA256
f941c227473cfdbcb01b64cce6632d9f606431551f60d96eadd9c76973ed8b59

SHA512
c062bb84578ef311fe1e117c36b3415d32af66301808ea33a04ae654a28cf459e0fb3692299ea1c19482dc897a84382334bb55d765a45cefe868899f1693dfb7

Download Submit
\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
memory/1736-244-0x0000000001270000-0x00000000028B2000-memory.dmp

Filesize
22.3MB

Download
memory/1736-2-0x0000000001274000-0x0000000002376000-memory.dmp

Filesize
17.0MB

Download
memory/1736-245-0x0000000001274000-0x0000000002376000-memory.dmp

Filesize
17.0MB

Download
memory/1736-4-0x0000000001270000-0x00000000028B2000-memory.dmp

Filesize
22.3MB

Download
memory/1736-0-0x0000000001270000-0x00000000028B2000-memory.dmp

Filesize
22.3MB

Download
memory/2020-10-0x0000000001270000-0x00000000028B2000-memory.dmp

Filesize
22.3MB

Download
memory/2020-246-0x0000000001270000-0x00000000028B2000-memory.dmp

Filesize
22.3MB

Download
memory/2160-16-0x0000000001270000-0x00000000028B2000-memory.dmp

Filesize
22.3MB

Download
memory/2160-247-0x0000000001270000-0x00000000028B2000-memory.dmp

Filesize
22.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads