AnyDesk.exe

General
Target AnyDesk.exe
Filesize 262KB
Completed 05-01-2021 05:10
Score 10/10
MD5 53e7b9e873404afdd22cdeba41b4e1c9
SHA1 18b1a19f826e9d48d5776f6e3c279547f3ff517d
SHA256 c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec

Malware Config

Extracted

Path C:\Users\Admin\AppData\Local\Temp\readme-warning.txt
Family makop
Ransom Note
::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "moloch" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: moloch_helpdesk@tutanota.com or moloch_helpdesk@protonmail.ch .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don't want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.
Emails

moloch_helpdesk@tutanota.com

moloch_helpdesk@protonmail.ch
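Added example, not part of the sandbox report: the "Extracted" fields above can be reproduced from the note text itself. The script pulls the appended extension and the contact mailboxes out of the readme-warning.txt text quoted above and turns them into search terms; the NOTE constant is an excerpt of that text, and the regular expressions and the family markers are this author's assumptions about Makop's note wording, not a published signature.

```python
"""Extract the fields the report lists under 'Malware Config / Extracted' from a
Makop-style ransom note. Example code added for this report, not the sandbox's
extractor. NOTE is an excerpt of the readme-warning.txt text quoted on the page;
the regular expressions and the family markers are this author's assumptions
about the note's wording, not a published signature."""
import re

NOTE = (
    '::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been '
    'encrypted and now have the "moloch" extension. The file structure was not '
    'damaged, we did everything possible so that this could not happen. .2. Q: How '
    'to recover files? A: If you wish to decrypt your files you will need to pay in '
    'bitcoins. .3. Q: What about guarantees? A: Its just a business. [...] .4. Q: '
    'How to contact with you? A: You can write us to our mailbox: '
    'moloch_helpdesk@tutanota.com or moloch_helpdesk@protonmail.ch .5. Q: How will '
    'the decryption process proceed after payment? A: After payment we will send to '
    'you our scanner-decoder program and detailed instructions for use.'
)

EXTENSION_RE = re.compile(r'have the "([A-Za-z0-9_.-]+)" extension', re.I)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Phrases taken from this sample's note; two or more hits is a heuristic family hint, not proof.
MAKOP_MARKERS = ("::: Greetings :::", "Little FAQ", "scanner-decoder", "Its just a business")


def extract_config(note):
    """Return the extension, mailboxes and provider domains as the report's 'Extracted' block does."""
    ext = EXTENSION_RE.search(note)
    emails = list(dict.fromkeys(EMAIL_RE.findall(note)))          # dedupe, keep note order
    hits = [m for m in MAKOP_MARKERS if m.lower() in note.lower()]
    return {
        "family_hint": "makop" if len(hits) >= 2 else None,
        "extension": ext.group(1) if ext else None,
        "emails": emails,
        "mail_providers": sorted({e.split("@", 1)[1].lower() for e in emails}),
    }


def hunting_terms(cfg):
    """Strings for a file-system sweep and a mail-gateway search built from the extracted config."""
    terms = [f"*.{cfg['extension']}"] if cfg["extension"] else []
    return terms + cfg["emails"] + [f"@{d}" for d in cfg["mail_providers"]]


if __name__ == "__main__":
    print(extract_config(NOTE))
    print(hunting_terms(extract_config(NOTE)))
```

The extension regex is deliberately narrow: it matches the exact phrase the note uses, so a note from a different family yields `None` rather than a guess, and the family hint only fires when at least two of the marker phrases are present.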

Signatures 16

Tactics: Collection, Credential Access, Defense Evasion, Execution, Impact, Persistence
  • Makop

    Description

    Ransomware family discovered by @VK_Intel in early 2020.

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    Tags

    TTPs

    File Deletion, Inhibit System Recovery
  • Deletes backup catalog
    wbadmin.exe

    Description

    Uses wbadmin.exe to inhibit system recovery.

    Tags

    TTPs

    Command-Line Interface, File Deletion, Inhibit System Recovery

    Reported IOCs

    pid | process
    900 | wbadmin.exe
  • Modifies extensions of user files
    AnyDesk.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Tags

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Users\Admin\Pictures\RestartProtect.tiff | AnyDesk.exe
  • Loads dropped DLL
    AnyDesk.exe, AnyDesk.exe, AnyDesk.exe, AnyDesk.exe, AnyDesk.exe

    Reported IOCs

    pid | process
    1640 | AnyDesk.exe
    1412 | AnyDesk.exe
    840 | AnyDesk.exe
    1592 | AnyDesk.exe
    1928 | AnyDesk.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System, Credentials in Files
  • Adds Run key to start application
    AnyDesk.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AnyDesk.exe\"" | AnyDesk.exe
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Suspicious use of SetThreadContext
    AnyDesk.exe, AnyDesk.exe, AnyDesk.exe, AnyDesk.exe

    Reported IOCs

    description | pid | process | target process
    PID 1640 set thread context of 1420 | 1640 | AnyDesk.exe | AnyDesk.exe
    PID 1412 set thread context of 964 | 1412 | AnyDesk.exe | AnyDesk.exe
    PID 840 set thread context of 948 | 840 | AnyDesk.exe | AnyDesk.exe
    PID 1592 set thread context of 1036 | 1592 | AnyDesk.exe | AnyDesk.exe
  • Drops file in Program Files directory
    AnyDesk.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0282932.WMF | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341554.JPG | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME22.CSS | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\ACT3R.SAM | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolIconImagesMask.bmp | AnyDesk.exe
    File opened for modification | C:\Program Files\Java\jre7\lib\zi\Etc\GMT+6 | AnyDesk.exe
    File created | C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\readme-warning.txt | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\HORN.WAV | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\service.js | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01247U.BMP | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\Built-In Building Blocks.dotx | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21375_.GIF | AnyDesk.exe
    File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_rest.png | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00414_.WMF | AnyDesk.exe
    File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\readme-warning.txt | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\LightSpirit.css | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Hiring Requisition.fdt | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107188.WMF | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198712.WMF | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\THMBNAIL.PNG | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199483.WMF | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_left.gif | AnyDesk.exe
    File opened for modification | C:\Program Files\Java\jre7\lib\classlist | AnyDesk.exe
    File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\readme-warning.txt | AnyDesk.exe
    File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\WhiteDot.png | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\tab_on.gif | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\DefaultBlackAndWhite.dotx | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PPTIRM.XML | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CATWIZ.POC | AnyDesk.exe
    File opened for modification | C:\Program Files\7-Zip\Lang\pl.txt | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00242_.WMF | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107742.WMF | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21519_.GIF | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsHomePage.html | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_left.png | AnyDesk.exe
    File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_ButtonGraphic.png | AnyDesk.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util-lookup_ja.jar | AnyDesk.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.zh_CN_5.5.0.165303.jar | AnyDesk.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html | AnyDesk.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jmx_zh_CN.jar | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00117_.WMF | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01015_.WMF | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10266_.GIF | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\Attachments.jpg | AnyDesk.exe
    File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_Buttongraphic.png | AnyDesk.exe
    File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_SelectionSubpicture.png | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\settings.css | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageMaskSmall.bmp | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0213243.WMF | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281638.WMF | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL01395_.WMF | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00792_.WMF | AnyDesk.exe
    File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\readme-warning.txt | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN002.XML | AnyDesk.exe
    File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\curtains.png | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239943.WMF | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00915_.WMF | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsVersion1Warning.htm | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABOFF.JPG | AnyDesk.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Kerguelen | AnyDesk.exe
    File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Kosrae | AnyDesk.exe
    File opened for modification | C:\Program Files\SwitchSync.mov | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\TAB_OFF.GIF | AnyDesk.exe
  • Interacts with shadow copies
    vssadmin.exe

    Description

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    Tags

    TTPs

    File Deletion, Inhibit System Recovery

    Reported IOCs

    pid | process
    1532 | vssadmin.exe
  • Modifies system certificate store
    AnyDesk.exe

    TTPs

    Install Root Certificate, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | AnyDesk.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | AnyDesk.exe
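Added example, not sandbox output. The key under SystemCertificates\AuthRoot\Certificates is where Windows caches root certificates it retrieves through automatic root update, and the key name is the certificate's SHA1 thumbprint, so the practical question for this signature is which root the blob carries. The script decodes the blob quoted above as a sequence of crypt32 property records, hashes the embedded DER certificate and checks it against both the key name and the stored SHA1 property, and reads the subject and validity out of the DER. On this blob it yields the Comodo "AAA Certificate Services" root (the subject is visible in the hex as "Comodo CA Limited" / "AAA Certificate Services", valid to 2028-12-31), a publicly trusted root, so the "Install Root Certificate" tag here reflects Windows fetching a known root inside the sample's process rather than a root the sample planted. The record layout, the property ids and the minimal DER walker are this author's reading of those formats, not something the page states.

```python
"""Decode a SystemCertificates\\AuthRoot 'Blob' value and check which root it carries.
Example added for this report, not sandbox code. BLOB_HEX and KEY_THUMBPRINT are
copied from the 'Modifies system certificate store' IOC above; the record layout
(DWORD property id, DWORD reserved = 1, DWORD length, data) and the property ids are
this author's reading of the crypt32 serialized-store format (definite-length DER only)."""
import hashlib
import struct

KEY_THUMBPRINT = "D1EB23A46D17D68FD92564C2F1F1601764D8E349"   # registry key name on the page
CERT_SHA1_HASH_PROP_ID, CERT_FRIENDLY_NAME_PROP_ID, CERT_CERT_PROP_ID = 3, 11, 32  # crypt32 CERT_*_PROP_ID

BLOB_HEX = (
    "1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2"
    "030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349"
    "1d00000001000000100000002e0d6875874a44c820912e85e964cfdb"
    "140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b4"
    "0b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000"
    "53000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0"
    "090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308"
    "0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286"
    "200000000100000036040000"                                 # property 0x20: the DER certificate, 1078 bytes
    "308204323082031aa003020102020101300d06092a864886f70d0101050500"
    "307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d69746564"
    "3121301f06035504030c18414141204365727469666963617465205365727669636573"
    "301e170d3034303130313030303030305a170d3238313233313233353935395a"
    "307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d69746564"
    "3121301f06035504030c18414141204365727469666963617465205365727669636573"
    "30820122300d06092a864886f70d01010105000382010f003082010a02820101"
    "00be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724e"
    "eaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050"
    "a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0f"
    "d942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001"
    "a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632"
    "687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c"
    "300d06092a864886f70d010105050003820101"
    "000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f"
    "5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de5340"
    "6c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74"
    "d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e"
)


def parse_blob(hex_blob):
    """Walk the property records; returns {property id: raw bytes}."""
    buf, pos, props = bytes.fromhex(hex_blob), 0, {}
    while pos < len(buf):
        prop_id, reserved, length = struct.unpack_from("<III", buf, pos)
        if reserved != 1 or pos + 12 + length > len(buf):
            raise ValueError(f"malformed property record at offset {pos}")
        props[prop_id] = buf[pos + 12:pos + 12 + length]
        pos += 12 + length
    return props


def der_tlv(buf, pos):
    """(tag, value start, value end) of the TLV at pos; definite-length DER only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def der_children(buf, start, end):
    out, pos = [], start
    while pos < end:
        out.append(der_tlv(buf, pos))
        pos = out[-1][2]
    return out


def tbs_fields(der):
    """tbsCertificate fields with the optional [0] version removed:
    serial, signature, issuer, validity, subject, spki, extensions."""
    _, cs, ce = der_tlv(der, 0)                    # Certificate ::= SEQUENCE
    _, ts, te = der_children(der, cs, ce)[0]       # tbsCertificate
    fields = der_children(der, ts, te)
    return fields[1:] if fields[0][0] == 0xA0 else fields


def subject_cn(der):
    _, ss, se = tbs_fields(der)[4]
    for _, rs, re_ in der_children(der, ss, se):               # RelativeDistinguishedName SETs
        for _, as_, ae in der_children(der, rs, re_):          # AttributeTypeAndValue SEQs
            (_, os_, oe), (_, vs, ve) = der_children(der, as_, ae)
            if der[os_:oe] == b"\x55\x04\x03":                 # id-at-commonName
                return der[vs:ve].decode("utf-8")
    return None


def inspect_authroot_blob(hex_blob, key_name):
    props = parse_blob(hex_blob)
    der = props[CERT_CERT_PROP_ID]
    computed = hashlib.sha1(der).hexdigest().upper()
    _, vs, ve = tbs_fields(der)[3]                            # validity
    not_before, not_after = (der[s:e].decode("ascii") for _, s, e in der_children(der, vs, ve))
    return {
        "property_ids": sorted(props),
        "friendly_name": props[CERT_FRIENDLY_NAME_PROP_ID].decode("utf-16-le").rstrip("\x00"),
        "subject_cn": subject_cn(der),
        "not_before": not_before, "not_after": not_after,
        "thumbprint": computed,
        # key name, stored SHA1 property and the hash of the DER must all agree
        "thumbprint_matches_key": computed == key_name.upper() == props[CERT_SHA1_HASH_PROP_ID].hex().upper(),
    }
```

To triage any other AuthRoot write the same way, compare the returned thumbprint with a known list of public roots (the Microsoft Trusted Root Program list, or the roots already present on a clean build); a thumbprint that is not on such a list, or a subject that is not a CA the organisation recognises, is the case that deserves the "Install Root Certificate" label.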
  • Suspicious behavior: EnumeratesProcesses
    AnyDesk.exe

    Reported IOCs

    pid | process
    1420 | AnyDesk.exe
  • Suspicious behavior: MapViewOfSection
    AnyDesk.exe, AnyDesk.exe, AnyDesk.exe, AnyDesk.exe

    Reported IOCs

    pid | process
    1640 | AnyDesk.exe
    1412 | AnyDesk.exe
    840 | AnyDesk.exe
    1592 | AnyDesk.exe
  • Suspicious use of AdjustPrivilegeToken
    vssvc.exe, wbengine.exe, WMIC.exe

    Reported IOCs

    description | pid | process
    Token: SeBackupPrivilege | 1080 | vssvc.exe
    Token: SeRestorePrivilege | 1080 | vssvc.exe
    Token: SeAuditPrivilege | 1080 | vssvc.exe
    Token: SeBackupPrivilege | 1820 | wbengine.exe
    Token: SeRestorePrivilege | 1820 | wbengine.exe
    Token: SeSecurityPrivilege | 1820 | wbengine.exe
    Token: SeIncreaseQuotaPrivilege | 1592 | WMIC.exe
    Token: SeSecurityPrivilege | 1592 | WMIC.exe
    Token: SeTakeOwnershipPrivilege | 1592 | WMIC.exe
    Token: SeLoadDriverPrivilege | 1592 | WMIC.exe
    Token: SeSystemProfilePrivilege | 1592 | WMIC.exe
    Token: SeSystemtimePrivilege | 1592 | WMIC.exe
    Token: SeProfSingleProcessPrivilege | 1592 | WMIC.exe
    Token: SeIncBasePriorityPrivilege | 1592 | WMIC.exe
    Token: SeCreatePagefilePrivilege | 1592 | WMIC.exe
    Token: SeBackupPrivilege | 1592 | WMIC.exe
    Token: SeRestorePrivilege | 1592 | WMIC.exe
    Token: SeShutdownPrivilege | 1592 | WMIC.exe
    Token: SeDebugPrivilege | 1592 | WMIC.exe
    Token: SeSystemEnvironmentPrivilege | 1592 | WMIC.exe
    Token: SeRemoteShutdownPrivilege | 1592 | WMIC.exe
    Token: SeUndockPrivilege | 1592 | WMIC.exe
    Token: SeManageVolumePrivilege | 1592 | WMIC.exe
    Token: 33 | 1592 | WMIC.exe
    Token: 34 | 1592 | WMIC.exe
    Token: 35 | 1592 | WMIC.exe
    Token: SeIncreaseQuotaPrivilege | 1592 | WMIC.exe
    Token: SeSecurityPrivilege | 1592 | WMIC.exe
    Token: SeTakeOwnershipPrivilege | 1592 | WMIC.exe
    Token: SeLoadDriverPrivilege | 1592 | WMIC.exe
    Token: SeSystemProfilePrivilege | 1592 | WMIC.exe
    Token: SeSystemtimePrivilege | 1592 | WMIC.exe
    Token: SeProfSingleProcessPrivilege | 1592 | WMIC.exe
    Token: SeIncBasePriorityPrivilege | 1592 | WMIC.exe
    Token: SeCreatePagefilePrivilege | 1592 | WMIC.exe
    Token: SeBackupPrivilege | 1592 | WMIC.exe
    Token: SeRestorePrivilege | 1592 | WMIC.exe
    Token: SeShutdownPrivilege | 1592 | WMIC.exe
    Token: SeDebugPrivilege | 1592 | WMIC.exe
    Token: SeSystemEnvironmentPrivilege | 1592 | WMIC.exe
    Token: SeRemoteShutdownPrivilege | 1592 | WMIC.exe
    Token: SeUndockPrivilege | 1592 | WMIC.exe
    Token: SeManageVolumePrivilege | 1592 | WMIC.exe
    Token: 33 | 1592 | WMIC.exe
    Token: 34 | 1592 | WMIC.exe
    Token: 35 | 1592 | WMIC.exe
  • Suspicious use of WriteProcessMemory
    AnyDesk.exe, AnyDesk.exe, cmd.exe, AnyDesk.exe, AnyDesk.exe, AnyDesk.exe

    Reported IOCs

    description | pid | process | target process
    PID 1640 wrote to memory of 1420 | 1640 | AnyDesk.exe | AnyDesk.exe
    PID 1640 wrote to memory of 1420 | 1640 | AnyDesk.exe | AnyDesk.exe
    PID 1640 wrote to memory of 1420 | 1640 | AnyDesk.exe | AnyDesk.exe
    PID 1640 wrote to memory of 1420 | 1640 | AnyDesk.exe | AnyDesk.exe
    PID 1640 wrote to memory of 1420 | 1640 | AnyDesk.exe | AnyDesk.exe
    PID 1420 wrote to memory of 1528 | 1420 | AnyDesk.exe | cmd.exe
    PID 1420 wrote to memory of 1528 | 1420 | AnyDesk.exe | cmd.exe
    PID 1420 wrote to memory of 1528 | 1420 | AnyDesk.exe | cmd.exe
    PID 1420 wrote to memory of 1528 | 1420 | AnyDesk.exe | cmd.exe
    PID 1528 wrote to memory of 1532 | 1528 | cmd.exe | vssadmin.exe
    PID 1528 wrote to memory of 1532 | 1528 | cmd.exe | vssadmin.exe
    PID 1528 wrote to memory of 1532 | 1528 | cmd.exe | vssadmin.exe
    PID 1528 wrote to memory of 900 | 1528 | cmd.exe | wbadmin.exe
    PID 1528 wrote to memory of 900 | 1528 | cmd.exe | wbadmin.exe
    PID 1528 wrote to memory of 900 | 1528 | cmd.exe | wbadmin.exe
    PID 1528 wrote to memory of 1592 | 1528 | cmd.exe | WMIC.exe
    PID 1528 wrote to memory of 1592 | 1528 | cmd.exe | WMIC.exe
    PID 1528 wrote to memory of 1592 | 1528 | cmd.exe | WMIC.exe
    PID 1412 wrote to memory of 964 | 1412 | AnyDesk.exe | AnyDesk.exe
    PID 1412 wrote to memory of 964 | 1412 | AnyDesk.exe | AnyDesk.exe
    PID 1412 wrote to memory of 964 | 1412 | AnyDesk.exe | AnyDesk.exe
    PID 1412 wrote to memory of 964 | 1412 | AnyDesk.exe | AnyDesk.exe
    PID 1412 wrote to memory of 964 | 1412 | AnyDesk.exe | AnyDesk.exe
    PID 840 wrote to memory of 948 | 840 | AnyDesk.exe | AnyDesk.exe
    PID 840 wrote to memory of 948 | 840 | AnyDesk.exe | AnyDesk.exe
    PID 840 wrote to memory of 948 | 840 | AnyDesk.exe | AnyDesk.exe
    PID 840 wrote to memory of 948 | 840 | AnyDesk.exe | AnyDesk.exe
    PID 840 wrote to memory of 948 | 840 | AnyDesk.exe | AnyDesk.exe
    PID 1592 wrote to memory of 1036 | 1592 | AnyDesk.exe | AnyDesk.exe
    PID 1592 wrote to memory of 1036 | 1592 | AnyDesk.exe | AnyDesk.exe
    PID 1592 wrote to memory of 1036 | 1592 | AnyDesk.exe | AnyDesk.exe
    PID 1592 wrote to memory of 1036 | 1592 | AnyDesk.exe | AnyDesk.exe
    PID 1592 wrote to memory of 1036 | 1592 | AnyDesk.exe | AnyDesk.exe
Processes 17
  • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
    Loads dropped DLL
    Suspicious use of SetThreadContext
    Suspicious behavior: MapViewOfSection
    Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
      "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
      Modifies extensions of user files
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1420
      • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n1420
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        PID:1412
        • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
          "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n1420
          PID:964
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        Suspicious use of WriteProcessMemory
        PID:1528
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          Interacts with shadow copies
          PID:1532
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          Deletes backup catalog
          PID:900
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          Suspicious use of AdjustPrivilegeToken
          PID:1592
      • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n1420
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        PID:840
        • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
          "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n1420
          PID:948
      • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n1420
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        PID:1592
        • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
          "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n1420
          PID:1036
      • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n1420
        Loads dropped DLL
        PID:1928
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
    PID:1080
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    Suspicious use of AdjustPrivilegeToken
    PID:1820
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    PID:856
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    PID:344
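Added example, not sandbox output: the tree above is enough to write a correlation rule, and it also shows a pitfall. The script rebuilds parent/child links from constructed process-creation events taken from the tree (pid, parent pid, image, command line), attributes the vssadmin/wbadmin/wmic recovery-inhibition commands past cmd.exe to the AnyDesk.exe instance (PID 1420) that launched the shell, and flags a binary in AppData\Local\Temp spawning copies of itself, the same parent/child pairs the SetThreadContext and WriteProcessMemory signatures list. PID 1592 appears twice in the tree (WMIC.exe, then a later AnyDesk.exe child), so a plain pid-to-process map would hang the child at PID 1036 under WMIC.exe; the code keeps every creation per PID and picks the newest one that predates the child. The field layout and the rules are this author's assumptions.

```python
"""Rebuild the process tree from sandbox process-creation events and flag two
ransomware behaviours visible in this report: recovery inhibition (shadow copies
and backup catalog deleted through cmd.exe) and a binary in a user-writable
directory spawning copies of itself. Example code added for this report, not
sandbox code. EVENTS is constructed from the 'Processes' tree on the page
(pid, parent pid, image, command line, in the order listed); the field layout
and the rules are this author's assumptions."""
import re
from collections import defaultdict

TEMP_EXE = r"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
CMD = r"C:\Windows\system32\cmd.exe"

# (pid, ppid, image, command line); ppid 0 stands for the sandbox launcher, which is not in the tree
EVENTS = [
    (1640, 0,    TEMP_EXE, f'"{TEMP_EXE}"'),
    (1420, 1640, TEMP_EXE, f'"{TEMP_EXE}"'),
    (1412, 1420, TEMP_EXE, f'"{TEMP_EXE}" n1420'),
    (964,  1412, TEMP_EXE, f'"{TEMP_EXE}" n1420'),
    (1528, 1420, CMD, f'"{CMD}"'),
    (1532, 1528, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    (900,  1528, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    (1592, 1528, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    (840,  1420, TEMP_EXE, f'"{TEMP_EXE}" n1420'),
    (948,  840,  TEMP_EXE, f'"{TEMP_EXE}" n1420'),
    (1592, 1420, TEMP_EXE, f'"{TEMP_EXE}" n1420'),   # PID 1592 reused after WMIC.exe exited
    (1036, 1592, TEMP_EXE, f'"{TEMP_EXE}" n1420'),
    (1928, 1420, TEMP_EXE, f'"{TEMP_EXE}" n1420'),
]

# Command lines that destroy local recovery points: the three seen on this page
RECOVERY_INHIBITION = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
]


def build_index(events):
    """pid -> indices of every event that created a process with that pid, in order.
    A list per pid rather than one entry, because Windows recycles PIDs (1592 above)."""
    index = defaultdict(list)
    for i, ev in enumerate(events):
        index[ev[0]].append(i)
    return index


def parent_of(events, index, i):
    """Index of the parent's creation event: the newest holder of ppid created before event i."""
    earlier = [j for j in index.get(events[i][1], []) if j < i]
    return earlier[-1] if earlier else None


def lineage(events, i):
    """[(pid, image), ...] from event i up to the root."""
    index, chain = build_index(events), []
    while i is not None:
        chain.append((events[i][0], events[i][2]))
        i = parent_of(events, index, i)
    return chain


def is_os_binary(image):
    return image.lower().startswith("c:\\windows\\")


def in_user_writable_dir(image):
    return "\\appdata\\local\\temp\\" in image.lower()     # assumption: the only location checked here


def args_after_image(cmd, image):
    quoted = f'"{image}"'
    return cmd[len(quoted):].strip() if cmd.startswith(quoted) else cmd


def detect(events):
    """Findings as (rule, pid, detail, attributed-to (pid, image))."""
    index, findings = build_index(events), []
    for i, (pid, ppid, image, cmd) in enumerate(events):
        if any(p.search(cmd) for p in RECOVERY_INHIBITION):
            # attribute to the nearest ancestor that is not an OS binary; cmd.exe is only the conduit
            origin = next(((p, img) for p, img in lineage(events, i)[1:] if not is_os_binary(img)), None)
            findings.append(("recovery_inhibition", pid, cmd, origin))
        j = parent_of(events, index, i)
        if j is not None and events[j][2].lower() == image.lower() and in_user_writable_dir(image):
            findings.append(("self_spawn_from_temp", pid, args_after_image(cmd, image), (events[j][0], events[j][2])))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Every child of PID 1420 in the tree is started with the argument n1420, the parent's own PID; the rule records that argument so the pattern (a copy of itself, handed the parent PID) can be matched on a host where the numbers differ.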
Network
MITRE ATT&CK Matrix
Command and Control, Credential Access, Discovery, Exfiltration, Initial Access, Lateral Movement, Privilege Escalation

Downloads
• C:\Users\Admin\AppData\Roaming\827763568
  MD5 dbdbdbd7c85332a9fbf1bba97560a0f2
  SHA1 1c9489611459f5966a7729a8f7410e18be60ebd1
  SHA256 501d82e8f4170bbaa3aabeb160792463609b4df3dcfac734d915acb576f2c52b
  SHA512 4c77456ed008cb5e176873b401ab8e21da36bddde5e6460cfc844a74e2effed6716608e1abb29ba485f91a2c073e11dcb5fd923f6ddb017d3ab5ec8cc79126b2

• C:\Users\Admin\AppData\Roaming\827763568
  MD5 bc251d6a9f3408d4a2ff3add1d27ad3d
  SHA1 99091c8e7a4ce7df879e157ddfba12d60095b1a9
  SHA256 6e74f04c654aac5a0660ec5db3bfc2fa1ac1dc8a5f3fe683f36bcf8b049abd31
  SHA512 23b91b23223432e345b38ceb5bcb0396f166cb079992491df275df1904dfa2c9e2f359a4c6bfba11de01d8df1ff777d0f9ed6921ada99ae44e38cb739747a995

• C:\Users\Admin\AppData\Roaming\827763568
  MD5 6d41617a73665f559cb4166aaf5dbb82
  SHA1 05c40171c3f8b6355f262c84f8511009c2cdbd6d
  SHA256 fd830e2f0b028cdaa59cf9cb46c0b8bb63e27b4ac2a5f2477ea7a980a2dde8cd
  SHA512 bd911c79406f6bb306e3c4d4bfaf8c420bafe317921520e9d99d8a9b696aaa173b8d2f0eb0cd9b41cff32d9132f89a33e29f05bb21de78110c4c389d4e137cfd

• C:\Users\Admin\AppData\Roaming\827763568
  MD5 bc251d6a9f3408d4a2ff3add1d27ad3d
  SHA1 99091c8e7a4ce7df879e157ddfba12d60095b1a9
  SHA256 6e74f04c654aac5a0660ec5db3bfc2fa1ac1dc8a5f3fe683f36bcf8b049abd31
  SHA512 23b91b23223432e345b38ceb5bcb0396f166cb079992491df275df1904dfa2c9e2f359a4c6bfba11de01d8df1ff777d0f9ed6921ada99ae44e38cb739747a995

• C:\Users\Admin\AppData\Roaming\827763568
  MD5 2bb8c16685e5cb863a94051453b77e80
  SHA1 66ccd01871337de9995fbf30cc717f86c10ebcbf
  SHA256 e279b46faf01187b52c90f9b182c2621b0f8ec0ad64036eae33a2b94a77ee163
  SHA512 0fa00bcd299c527cc0d4064188a4e603d0d0abd75755dcde840808fab003db483342c50428230f283e0b0d6f6e8c6e65deae8f39e7f4b6b74f7149101549bf02

• C:\Users\Admin\AppData\Roaming\827763568
  MD5 bc251d6a9f3408d4a2ff3add1d27ad3d
  SHA1 99091c8e7a4ce7df879e157ddfba12d60095b1a9
  SHA256 6e74f04c654aac5a0660ec5db3bfc2fa1ac1dc8a5f3fe683f36bcf8b049abd31
  SHA512 23b91b23223432e345b38ceb5bcb0396f166cb079992491df275df1904dfa2c9e2f359a4c6bfba11de01d8df1ff777d0f9ed6921ada99ae44e38cb739747a995

• \??\PIPE\wkssvc
  MD5 d41d8cd98f00b204e9800998ecf8427e
  SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

• \Users\Admin\AppData\Local\Temp\nsdE17A.tmp\System.dll
  MD5 fccff8cb7a1067e23fd2e2b63971a8e1
  SHA1 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
  SHA256 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
  SHA512 f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

• \Users\Admin\AppData\Local\Temp\nsi5B2B.tmp\System.dll
  MD5 fccff8cb7a1067e23fd2e2b63971a8e1
  SHA1 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
  SHA256 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
  SHA512 f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

• \Users\Admin\AppData\Local\Temp\nsn2DB6.tmp\System.dll
  MD5 fccff8cb7a1067e23fd2e2b63971a8e1
  SHA1 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
  SHA256 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
  SHA512 f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

• \Users\Admin\AppData\Local\Temp\nsx4EDC.tmp\System.dll
  MD5 fccff8cb7a1067e23fd2e2b63971a8e1
  SHA1 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
  SHA256 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
  SHA512 f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

• \Users\Admin\AppData\Local\Temp\nsy65F5.tmp\System.dll
  MD5 fccff8cb7a1067e23fd2e2b63971a8e1
  SHA1 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
  SHA256 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
  SHA512 f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

• memory/900-10-0x0000000000000000-mapping.dmp
• memory/948-20-0x0000000000405A20-mapping.dmp
• memory/964-13-0x0000000000405A20-mapping.dmp
• memory/1036-25-0x0000000000405A20-mapping.dmp
• memory/1420-3-0x0000000000400000-0x000000000041E000-memory.dmp
• memory/1420-5-0x0000000000400000-0x000000000041E000-memory.dmp
• memory/1420-4-0x0000000000405A20-mapping.dmp
• memory/1528-6-0x0000000000000000-mapping.dmp
• memory/1528-16-0x000007FEF7B10000-0x000007FEF7D8A000-memory.dmp
• memory/1532-7-0x0000000000000000-mapping.dmp
• memory/1592-11-0x0000000000000000-mapping.dmp