fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2025 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe

Loads dropped DLL 2 IoCs

pid	Process
3632	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe
5044	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
3632	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe
3632	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe
3632	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe
3632	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe
3632	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
3632	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe
3632	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe
3632	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe
3632	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe
3632	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 5044	840	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe	83
PID 840 wrote to memory of 5044	840	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe	83
PID 840 wrote to memory of 5044	840	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe	83
PID 840 wrote to memory of 3632	840	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe	84
PID 840 wrote to memory of 3632	840	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe	84
PID 840 wrote to memory of 3632	840	fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe	84

C:\Users\Admin\AppData\Local\Temp\fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe
"C:\Users\Admin\AppData\Local\Temp\fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:840
- C:\Users\Admin\AppData\Local\Temp\fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe
  "C:\Users\Admin\AppData\Local\Temp\fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5044
- C:\Users\Admin\AppData\Local\Temp\fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe
  "C:\Users\Admin\AppData\Local\Temp\fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
353caa7274cd6227112a588eae1caae6

SHA1
5ce54ab7417ee2e40fd7344f59ee63aaf63bab0d

SHA256
47895236732f27c83dd7e651a58daf1b9fa20803bb5b8ceddf0b83b3eac7098e

SHA512
665a195b9fbb74f581f6e0e10f3d4e5f254b8abefa7884895add9d137a6b1bc2178c6f9830ee08f27dae7ecb7e6462c01313378a71e7856247a879123a8e9f7f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
b2e8afbfe2f98f5a5bf208371e827577

SHA1
e3085a417c4ac4fc44bfa6239597061eb926e3bf

SHA256
ec4bc9f4dccccd1edd955c6d38c1bf9341bc2de53025e2d1f07e19ce18b56f7e

SHA512
858dab56f58a5dd222522b95e7a1fbd8a446dc2927c78d95a75e6825cc98e85cb80fc2c4ae761f567df0bf4598c2ff83eff4e52cfae2d1dfc916ce55ce927b3b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
ca2199ea072d45b313273d94b6eb218d

SHA1
7243801ab1b0ea9b01a272d3eb522c5bed9b5de6

SHA256
457a16de784f77827521f38683de6e167307bc42503a761a3a40b226cfe5d6cc

SHA512
13a0a147580484881397654bfd3705d46d64f6bab4e6764b02c3b79119574fe98bcea9693811c1188c3f24156c590cf98fb9a14692f95a7be9c63184cff31fee

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
92fbfa8d0175eddd7270f360f630b188

SHA1
e3633e55dfd6a4fe1a39c852df4bb7acd5e7b931

SHA256
4836943b2af04244fb37f778ab9f08b24b1f74d4ffe2c72736e54e345b389385

SHA512
d4bae2c65d753774eb5c52c32c5ce63ab6fcc0bfe90cf4560b3fd04e6a18f2743bf88b4351dd544a8b0b35984039a990334c1cc48d2c69c3b3235fed45282ca8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
6856de087bc29e503a955e59d8d88fe6

SHA1
a40a94b7ab06b8c0d7cf6c93ff48c7b0995c2e3a

SHA256
08b9971931d47968f24ea90730568ccaa20a43d477754eceace0b965dde67270

SHA512
016b5e51c96e93e904f844e6bc075223edb61ccf0569c290ad9fa383d51b403c90caf884b9a28b56f3cdb25177485a5a1b8ed1c1c16ee4fb351b83ba84edf106

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
5a02002b9f230948b3173de3f758b553

SHA1
69d025ef49c570df707cd5e91d17c59cb50731ec

SHA256
6e1ae1df084a34365f663e6c187f62220405846c0a0e923739333d34b24d7742

SHA512
d0e575744e0183140ee879440db7d673857fb26d36dc54ae30487103206988cfe1e1e99607ef9e92e809d5d5c4fe1da59b6b502de6b26c87b856110ae17b2a00

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
43a26444bf9e1568f89415d7ce0fd28d

SHA1
fcd18d7f4f4cb151398029d0431b2489029175a0

SHA256
716edb008947a86c0c7ebcde89c6ea7b19cf527cef5e1ce9dd82910bbc60036e

SHA512
64221d00b6b4b7059297c657e779e6c6d3d52370ccdc35fbe0eb64408443869baead5cddbffa375d0e3058a30b9fa2fad4beb31ef72dd25e6c786d1293d5fd92

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
9657e6ea4a4d3808bd8111e25184df26

SHA1
fecca58ecaa1d46dda288ad13aca32abdd1d6cb7

SHA256
6222c772563cb25b125f6c23ec8c770041c3431289c604f1143b30b7f2e79bb4

SHA512
9b2eb5af615061a90d45664c496bb280a519f68877bab92c5a27cb5c73ca93d1450f5ff3ead05299c12224671a3ea25d8931513fce9b70cf1f3ac4e55c7a5594

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6ad873b70c32c3a91af4392ceb086727

SHA1
b8e51f159a9a2f088392a62036c04a6debcf86ef

SHA256
7aa671fb6f542c908022c95c9fcffb5e0a74c33a7fafc2864005a463250d41b0

SHA512
32e560d90c69a30524d232cb8eb6ef038e9cd9202b015aeb4d07f3cab4a8c2a0b1a317c9bcaf86db00faa0941c1f4e7bb1be0a37ed2835f6faf393670ba7a24d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
4b4b232f158cd85bd5ec9b5fa2fc4713

SHA1
92757aac8adc9a6230faf9203aab3467be14a57d

SHA256
56a78bf86c6b29c4a4a46a266185e1036d6eaf22f1b6e681a673819322c8bde6

SHA512
b57260a753cfde8b10a23b40609643113cbedd801de6b492c7570b19fdad60700a0a5b0423bfcd5682ede66e4d7b1ea71d32da31e28e27b11e0eeb79608c3531

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
c7eb1c44621f644dfd5cad40507d2794

SHA1
aa49cd0fca721449ff0c49c7c24cddfd1f1e2da5

SHA256
9282bcbab4f3ccaecbfebd5638480bb7ca2088ab53e84a6a404a7697b7a89923

SHA512
dce30b7a5e23d3d40d3266705da7610f3169a1cde9ee67cbba23da31d537cafb6d8062293550efd31ea4b99edfbc6acd2cb7283b609e5a56a4c532626548c80e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
af7147d2f8670380b439e743ca0ac611

SHA1
b23533527570626daf0763a435d34f00272fbc68

SHA256
0e964d80251f6052333d881b620985ccbbac28919ddc75685b0618d5a174d7f8

SHA512
a00b8b6b932e078eda711c2da714c2cc806148cb18b9519bdb14da0ba07889c6cf738c6a8a9fd7b7669d374f4110d85c8b7992b8fc011c25626cbbf14c4154c0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
9d047911269aa9e88dea8c0026f6776b

SHA1
991dc79dfeab1a02ea8c6c04c50d56696b9c0a92

SHA256
78964d13fa16410c7aab87c0d601f90259509dffa6b172cf674bc3eebaf3ef97

SHA512
d4d0ad642a354a7a218c62ab949a51386bb9c61576c7b5446f6048ac0d70c99374ccb7a3a38dbb7d368e89ec7bf235b24cd9a2438b3b47a32d65cf8dce9e2fd1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
3fb75447862a42bcefabae240dd6c865

SHA1
2e6cf0fba497a51e801ae245dc27f09c37c29b4e

SHA256
c614fd6f2226e517de01631e7aaf24978f4220eb23a63cbc506cf7f22aebb178

SHA512
9462c351cfb02aa7e33925d525294dad9b0f9c3561e130c5c595d0b6c1f1f08551686d7b7845a3bc70a2a9074d1bf465288582adc407ecfeddd80b77a836d023

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
abf93cb4f1a2fb282c0511776c3327cc

SHA1
fa4d49084183ce8366a05e22ba050dc6c22433b0

SHA256
db121c8f2105d08717d48fe6731ab1cc784534e111c2f5a83f25ad909e3143d2

SHA512
eb9f52a204af4816fff361314be9470f1b1bfeee5880f66ac06603c6705cdaeec7833f51e680ac62142c03cdd23d0da9d11fb7d56d29df8bee7813c538f6d411

Download Submit
memory/840-0-0x0000000000F64000-0x0000000002066000-memory.dmp

Filesize
17.0MB

Download
memory/840-222-0x0000000000F64000-0x0000000002066000-memory.dmp

Filesize
17.0MB

Download
memory/840-221-0x0000000000F60000-0x00000000025A2000-memory.dmp

Filesize
22.3MB

Download
memory/840-5-0x0000000000F60000-0x00000000025A2000-memory.dmp

Filesize
22.3MB

Download
memory/840-2-0x0000000000F60000-0x00000000025A2000-memory.dmp

Filesize
22.3MB

Download
memory/3632-16-0x0000000000F60000-0x00000000025A2000-memory.dmp

Filesize
22.3MB

Download
memory/3632-11-0x0000000000F60000-0x00000000025A2000-memory.dmp

Filesize
22.3MB

Download
memory/3632-225-0x0000000000F60000-0x00000000025A2000-memory.dmp

Filesize
22.3MB

Download
memory/5044-43-0x0000000005310000-0x000000000532B000-memory.dmp

Filesize
108KB

Download
memory/5044-42-0x0000000005310000-0x000000000532B000-memory.dmp

Filesize
108KB

Download
memory/5044-39-0x0000000005310000-0x000000000532B000-memory.dmp

Filesize
108KB

Download
memory/5044-12-0x0000000000F60000-0x00000000025A2000-memory.dmp

Filesize
22.3MB

Download
memory/5044-223-0x0000000000F60000-0x00000000025A2000-memory.dmp

Filesize
22.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads