Analysis
-
max time kernel
145s -
max time network
142s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
05-01-2021 05:07
Static task
static1
Behavioral task
behavioral1
Sample
AnyDesk.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
AnyDesk.exe
Resource
win10v20201028
General
-
Target
AnyDesk.exe
-
Size
262KB
-
MD5
53e7b9e873404afdd22cdeba41b4e1c9
-
SHA1
18b1a19f826e9d48d5776f6e3c279547f3ff517d
-
SHA256
c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec
-
SHA512
ccc0af85ea847c45d11e213030e6b3224503c22fe70519049095b1d84cbf61e50c72ab370a03e456338127b52d462826248a6413706ab900afac16adf1deb9dd
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\readme-warning.txt
makop
moloch_helpdesk@tutanota.com
moloch_helpdesk@protonmail.ch
Signatures
-
Makop
Ransomware family discovered by @VK_Intel in early 2020.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Processes:
wbadmin.exepid process 900 wbadmin.exe -
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
AnyDesk.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\RestartProtect.tiff AnyDesk.exe -
Loads dropped DLL 5 IoCs
Processes:
AnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exepid process 1640 AnyDesk.exe 1412 AnyDesk.exe 840 AnyDesk.exe 1592 AnyDesk.exe 1928 AnyDesk.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
AnyDesk.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AnyDesk.exe\"" AnyDesk.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
AnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exedescription pid process target process PID 1640 set thread context of 1420 1640 AnyDesk.exe AnyDesk.exe PID 1412 set thread context of 964 1412 AnyDesk.exe AnyDesk.exe PID 840 set thread context of 948 840 AnyDesk.exe AnyDesk.exe PID 1592 set thread context of 1036 1592 AnyDesk.exe AnyDesk.exe -
Drops file in Program Files directory 9681 IoCs
Processes:
AnyDesk.exedescription ioc process File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0282932.WMF AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341554.JPG AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME22.CSS AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\ACT3R.SAM AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolIconImagesMask.bmp AnyDesk.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT+6 AnyDesk.exe File created C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\readme-warning.txt AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\HORN.WAV AnyDesk.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\service.js AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01247U.BMP AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\Built-In Building Blocks.dotx AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21375_.GIF AnyDesk.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_rest.png AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00414_.WMF AnyDesk.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\readme-warning.txt AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\LightSpirit.css AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Hiring Requisition.fdt AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107188.WMF AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198712.WMF AnyDesk.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\THMBNAIL.PNG AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199483.WMF AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_left.gif AnyDesk.exe File opened for modification C:\Program Files\Java\jre7\lib\classlist AnyDesk.exe File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\readme-warning.txt AnyDesk.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\WhiteDot.png AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\tab_on.gif AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\DefaultBlackAndWhite.dotx AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PPTIRM.XML AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CATWIZ.POC AnyDesk.exe File opened for modification C:\Program Files\7-Zip\Lang\pl.txt AnyDesk.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00242_.WMF AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107742.WMF AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21519_.GIF AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsHomePage.html AnyDesk.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_left.png AnyDesk.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_ButtonGraphic.png AnyDesk.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util-lookup_ja.jar AnyDesk.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.zh_CN_5.5.0.165303.jar AnyDesk.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html AnyDesk.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jmx_zh_CN.jar AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00117_.WMF AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01015_.WMF AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10266_.GIF AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\Attachments.jpg AnyDesk.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_Buttongraphic.png AnyDesk.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_SelectionSubpicture.png AnyDesk.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\settings.css AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageMaskSmall.bmp AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0213243.WMF AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281638.WMF AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL01395_.WMF AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00792_.WMF AnyDesk.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\readme-warning.txt AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN002.XML AnyDesk.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\curtains.png AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239943.WMF AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00915_.WMF AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsVersion1Warning.htm AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABOFF.JPG AnyDesk.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\Kerguelen AnyDesk.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Kosrae AnyDesk.exe File opened for modification C:\Program Files\SwitchSync.mov AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\TAB_OFF.GIF AnyDesk.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 1532 vssadmin.exe -
Processes:
AnyDesk.exedescription ioc process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e AnyDesk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 AnyDesk.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e AnyDesk.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
AnyDesk.exepid process 1420 AnyDesk.exe -
Suspicious behavior: MapViewOfSection 4 IoCs
Processes:
AnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exepid process 1640 AnyDesk.exe 1412 AnyDesk.exe 840 AnyDesk.exe 1592 AnyDesk.exe -
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes:
vssvc.exewbengine.exeWMIC.exedescription pid process Token: SeBackupPrivilege 1080 vssvc.exe Token: SeRestorePrivilege 1080 vssvc.exe Token: SeAuditPrivilege 1080 vssvc.exe Token: SeBackupPrivilege 1820 wbengine.exe Token: SeRestorePrivilege 1820 wbengine.exe Token: SeSecurityPrivilege 1820 wbengine.exe Token: SeIncreaseQuotaPrivilege 1592 WMIC.exe Token: SeSecurityPrivilege 1592 WMIC.exe Token: SeTakeOwnershipPrivilege 1592 WMIC.exe Token: SeLoadDriverPrivilege 1592 WMIC.exe Token: SeSystemProfilePrivilege 1592 WMIC.exe Token: SeSystemtimePrivilege 1592 WMIC.exe Token: SeProfSingleProcessPrivilege 1592 WMIC.exe Token: SeIncBasePriorityPrivilege 1592 WMIC.exe Token: SeCreatePagefilePrivilege 1592 WMIC.exe Token: SeBackupPrivilege 1592 WMIC.exe Token: SeRestorePrivilege 1592 WMIC.exe Token: SeShutdownPrivilege 1592 WMIC.exe Token: SeDebugPrivilege 1592 WMIC.exe Token: SeSystemEnvironmentPrivilege 1592 WMIC.exe Token: SeRemoteShutdownPrivilege 1592 WMIC.exe Token: SeUndockPrivilege 1592 WMIC.exe Token: SeManageVolumePrivilege 1592 WMIC.exe Token: 33 1592 WMIC.exe Token: 34 1592 WMIC.exe Token: 35 1592 WMIC.exe Token: SeIncreaseQuotaPrivilege 1592 WMIC.exe Token: SeSecurityPrivilege 1592 WMIC.exe Token: SeTakeOwnershipPrivilege 1592 WMIC.exe Token: SeLoadDriverPrivilege 1592 WMIC.exe Token: SeSystemProfilePrivilege 1592 WMIC.exe Token: SeSystemtimePrivilege 1592 WMIC.exe Token: SeProfSingleProcessPrivilege 1592 WMIC.exe Token: SeIncBasePriorityPrivilege 1592 WMIC.exe Token: SeCreatePagefilePrivilege 1592 WMIC.exe Token: SeBackupPrivilege 1592 WMIC.exe Token: SeRestorePrivilege 1592 WMIC.exe Token: SeShutdownPrivilege 1592 WMIC.exe Token: SeDebugPrivilege 1592 WMIC.exe Token: SeSystemEnvironmentPrivilege 1592 WMIC.exe Token: SeRemoteShutdownPrivilege 1592 WMIC.exe Token: SeUndockPrivilege 1592 WMIC.exe Token: SeManageVolumePrivilege 1592 WMIC.exe Token: 33 1592 WMIC.exe Token: 34 1592 WMIC.exe Token: 35 1592 WMIC.exe -
Suspicious use of WriteProcessMemory 33 IoCs
Processes:
AnyDesk.exeAnyDesk.execmd.exeAnyDesk.exeAnyDesk.exeAnyDesk.exedescription pid process target process PID 1640 wrote to memory of 1420 1640 AnyDesk.exe AnyDesk.exe PID 1640 wrote to memory of 1420 1640 AnyDesk.exe AnyDesk.exe PID 1640 wrote to memory of 1420 1640 AnyDesk.exe AnyDesk.exe PID 1640 wrote to memory of 1420 1640 AnyDesk.exe AnyDesk.exe PID 1640 wrote to memory of 1420 1640 AnyDesk.exe AnyDesk.exe PID 1420 wrote to memory of 1528 1420 AnyDesk.exe cmd.exe PID 1420 wrote to memory of 1528 1420 AnyDesk.exe cmd.exe PID 1420 wrote to memory of 1528 1420 AnyDesk.exe cmd.exe PID 1420 wrote to memory of 1528 1420 AnyDesk.exe cmd.exe PID 1528 wrote to memory of 1532 1528 cmd.exe vssadmin.exe PID 1528 wrote to memory of 1532 1528 cmd.exe vssadmin.exe PID 1528 wrote to memory of 1532 1528 cmd.exe vssadmin.exe PID 1528 wrote to memory of 900 1528 cmd.exe wbadmin.exe PID 1528 wrote to memory of 900 1528 cmd.exe wbadmin.exe PID 1528 wrote to memory of 900 1528 cmd.exe wbadmin.exe PID 1528 wrote to memory of 1592 1528 cmd.exe WMIC.exe PID 1528 wrote to memory of 1592 1528 cmd.exe WMIC.exe PID 1528 wrote to memory of 1592 1528 cmd.exe WMIC.exe PID 1412 wrote to memory of 964 1412 AnyDesk.exe AnyDesk.exe PID 1412 wrote to memory of 964 1412 AnyDesk.exe AnyDesk.exe PID 1412 wrote to memory of 964 1412 AnyDesk.exe AnyDesk.exe PID 1412 wrote to memory of 964 1412 AnyDesk.exe AnyDesk.exe PID 1412 wrote to memory of 964 1412 AnyDesk.exe AnyDesk.exe PID 840 wrote to memory of 948 840 AnyDesk.exe AnyDesk.exe PID 840 wrote to memory of 948 840 AnyDesk.exe AnyDesk.exe PID 840 wrote to memory of 948 840 AnyDesk.exe AnyDesk.exe PID 840 wrote to memory of 948 840 AnyDesk.exe AnyDesk.exe PID 840 wrote to memory of 948 840 AnyDesk.exe AnyDesk.exe PID 1592 wrote to memory of 1036 1592 AnyDesk.exe AnyDesk.exe PID 1592 wrote to memory of 1036 1592 AnyDesk.exe AnyDesk.exe PID 1592 wrote to memory of 1036 1592 AnyDesk.exe AnyDesk.exe PID 1592 wrote to memory of 1036 1592 AnyDesk.exe AnyDesk.exe PID 1592 wrote to memory of 1036 1592 AnyDesk.exe AnyDesk.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"2⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n14203⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n14204⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n14203⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n14204⤵
-
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n14203⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n14204⤵
-
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n14203⤵
- Loads dropped DLL
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\827763568MD5
dbdbdbd7c85332a9fbf1bba97560a0f2
SHA11c9489611459f5966a7729a8f7410e18be60ebd1
SHA256501d82e8f4170bbaa3aabeb160792463609b4df3dcfac734d915acb576f2c52b
SHA5124c77456ed008cb5e176873b401ab8e21da36bddde5e6460cfc844a74e2effed6716608e1abb29ba485f91a2c073e11dcb5fd923f6ddb017d3ab5ec8cc79126b2
-
C:\Users\Admin\AppData\Roaming\827763568MD5
bc251d6a9f3408d4a2ff3add1d27ad3d
SHA199091c8e7a4ce7df879e157ddfba12d60095b1a9
SHA2566e74f04c654aac5a0660ec5db3bfc2fa1ac1dc8a5f3fe683f36bcf8b049abd31
SHA51223b91b23223432e345b38ceb5bcb0396f166cb079992491df275df1904dfa2c9e2f359a4c6bfba11de01d8df1ff777d0f9ed6921ada99ae44e38cb739747a995
-
C:\Users\Admin\AppData\Roaming\827763568MD5
6d41617a73665f559cb4166aaf5dbb82
SHA105c40171c3f8b6355f262c84f8511009c2cdbd6d
SHA256fd830e2f0b028cdaa59cf9cb46c0b8bb63e27b4ac2a5f2477ea7a980a2dde8cd
SHA512bd911c79406f6bb306e3c4d4bfaf8c420bafe317921520e9d99d8a9b696aaa173b8d2f0eb0cd9b41cff32d9132f89a33e29f05bb21de78110c4c389d4e137cfd
-
C:\Users\Admin\AppData\Roaming\827763568MD5
bc251d6a9f3408d4a2ff3add1d27ad3d
SHA199091c8e7a4ce7df879e157ddfba12d60095b1a9
SHA2566e74f04c654aac5a0660ec5db3bfc2fa1ac1dc8a5f3fe683f36bcf8b049abd31
SHA51223b91b23223432e345b38ceb5bcb0396f166cb079992491df275df1904dfa2c9e2f359a4c6bfba11de01d8df1ff777d0f9ed6921ada99ae44e38cb739747a995
-
C:\Users\Admin\AppData\Roaming\827763568MD5
2bb8c16685e5cb863a94051453b77e80
SHA166ccd01871337de9995fbf30cc717f86c10ebcbf
SHA256e279b46faf01187b52c90f9b182c2621b0f8ec0ad64036eae33a2b94a77ee163
SHA5120fa00bcd299c527cc0d4064188a4e603d0d0abd75755dcde840808fab003db483342c50428230f283e0b0d6f6e8c6e65deae8f39e7f4b6b74f7149101549bf02
-
C:\Users\Admin\AppData\Roaming\827763568MD5
bc251d6a9f3408d4a2ff3add1d27ad3d
SHA199091c8e7a4ce7df879e157ddfba12d60095b1a9
SHA2566e74f04c654aac5a0660ec5db3bfc2fa1ac1dc8a5f3fe683f36bcf8b049abd31
SHA51223b91b23223432e345b38ceb5bcb0396f166cb079992491df275df1904dfa2c9e2f359a4c6bfba11de01d8df1ff777d0f9ed6921ada99ae44e38cb739747a995
-
\??\PIPE\wkssvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Temp\nsdE17A.tmp\System.dllMD5
fccff8cb7a1067e23fd2e2b63971a8e1
SHA130e2a9e137c1223a78a0f7b0bf96a1c361976d91
SHA2566fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
SHA512f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
-
\Users\Admin\AppData\Local\Temp\nsi5B2B.tmp\System.dllMD5
fccff8cb7a1067e23fd2e2b63971a8e1
SHA130e2a9e137c1223a78a0f7b0bf96a1c361976d91
SHA2566fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
SHA512f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
-
\Users\Admin\AppData\Local\Temp\nsn2DB6.tmp\System.dllMD5
fccff8cb7a1067e23fd2e2b63971a8e1
SHA130e2a9e137c1223a78a0f7b0bf96a1c361976d91
SHA2566fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
SHA512f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
-
\Users\Admin\AppData\Local\Temp\nsx4EDC.tmp\System.dllMD5
fccff8cb7a1067e23fd2e2b63971a8e1
SHA130e2a9e137c1223a78a0f7b0bf96a1c361976d91
SHA2566fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
SHA512f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
-
\Users\Admin\AppData\Local\Temp\nsy65F5.tmp\System.dllMD5
fccff8cb7a1067e23fd2e2b63971a8e1
SHA130e2a9e137c1223a78a0f7b0bf96a1c361976d91
SHA2566fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
SHA512f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
-
memory/900-10-0x0000000000000000-mapping.dmp
-
memory/948-20-0x0000000000405A20-mapping.dmp
-
memory/964-13-0x0000000000405A20-mapping.dmp
-
memory/1036-25-0x0000000000405A20-mapping.dmp
-
memory/1420-5-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/1420-4-0x0000000000405A20-mapping.dmp
-
memory/1420-3-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/1528-16-0x000007FEF7B10000-0x000007FEF7D8A000-memory.dmpFilesize
2.5MB
-
memory/1528-6-0x0000000000000000-mapping.dmp
-
memory/1532-7-0x0000000000000000-mapping.dmp
-
memory/1592-11-0x0000000000000000-mapping.dmp