Analysis
-
max time kernel
146s -
max time network
115s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
17-01-2021 18:22
Static task
static1
Behavioral task
behavioral1
Sample
AnyDesk.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
AnyDesk.exe
Resource
win10v20201028
General
-
Target
AnyDesk.exe
-
Size
262KB
-
MD5
53e7b9e873404afdd22cdeba41b4e1c9
-
SHA1
18b1a19f826e9d48d5776f6e3c279547f3ff517d
-
SHA256
c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec
-
SHA512
ccc0af85ea847c45d11e213030e6b3224503c22fe70519049095b1d84cbf61e50c72ab370a03e456338127b52d462826248a6413706ab900afac16adf1deb9dd
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\readme-warning.txt
makop
moloch_helpdesk@tutanota.com
moloch_helpdesk@protonmail.ch
Signatures
-
Makop
Ransomware family discovered by @VK_Intel in early 2020.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Processes:
wbadmin.exepid process 1480 wbadmin.exe -
Loads dropped DLL 5 IoCs
Processes:
AnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exepid process 644 AnyDesk.exe 1520 AnyDesk.exe 972 AnyDesk.exe 1532 AnyDesk.exe 1932 AnyDesk.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
AnyDesk.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AnyDesk.exe\"" AnyDesk.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
AnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exedescription pid process target process PID 644 set thread context of 316 644 AnyDesk.exe AnyDesk.exe PID 1520 set thread context of 1120 1520 AnyDesk.exe AnyDesk.exe PID 972 set thread context of 508 972 AnyDesk.exe AnyDesk.exe PID 1532 set thread context of 2040 1532 AnyDesk.exe AnyDesk.exe -
Drops file in Program Files directory 9683 IoCs
Processes:
AnyDesk.exedescription ioc process File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench.nl_zh_4.4.0.v20140623020002.jar AnyDesk.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Juneau AnyDesk.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Funafuti AnyDesk.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\mobile.html AnyDesk.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der AnyDesk.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-modules.xml AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099184.WMF AnyDesk.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml AnyDesk.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\203x8subpicture.png AnyDesk.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Manaus AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196358.WMF AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21298_.GIF AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0282126.WMF AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR36F.GIF AnyDesk.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\40.png AnyDesk.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\EDGE.INF AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00126_.GIF AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PSSKETLG.WMF AnyDesk.exe File created C:\Program Files (x86)\Microsoft Office\Office14\1033\readme-warning.txt AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\GostTitle.XSL AnyDesk.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dushanbe AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01330_.GIF AnyDesk.exe File created C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\readme-warning.txt AnyDesk.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\shuffle_down.png AnyDesk.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-waning-gibbous_partly-cloudy.png AnyDesk.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor_1.0.300.v20131211-1531.jar AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105272.WMF AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02746U.BMP AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDRESP.CFG AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_FormsHomePage.gif AnyDesk.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Helsinki AnyDesk.exe File opened for modification C:\Program Files\Java\jre7\lib\deploy\messages_es.properties AnyDesk.exe File created C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\readme-warning.txt AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Slipstream.eftx AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21433_.GIF AnyDesk.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets.nl_zh_4.4.0.v20140623020002.jar AnyDesk.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.views_3.7.0.v20140408-0703.jar AnyDesk.exe File created C:\Program Files\Windows Sidebar\readme-warning.txt AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD06200_.WMF AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\tab_off.gif AnyDesk.exe File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets AnyDesk.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf_1.1.0.v20140408-1354.jar AnyDesk.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\vlm.html AnyDesk.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_ja.jar AnyDesk.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-lib-uihandler.jar AnyDesk.exe File created C:\Program Files\Java\jre7\lib\readme-warning.txt AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PICSTYLES.DPV AnyDesk.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ja-jp.xml AnyDesk.exe File opened for modification C:\Program Files\Java\jre7\lib\management\management.properties AnyDesk.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_few-showers.png AnyDesk.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.fca.[A734E61C].[moloch_helpdesk@tutanota.com].moloch AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18232_.WMF AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN001.XML AnyDesk.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\heart_glass_Thumbnail.bmp AnyDesk.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler.jar AnyDesk.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\vlc.mo AnyDesk.exe File opened for modification C:\Program Files\Windows Journal\Templates\Genko_2.jtp AnyDesk.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14691_.GIF AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\MSOUC_COL.HXT AnyDesk.exe File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-shadow.png AnyDesk.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ja_JP.jar AnyDesk.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\readme-warning.txt AnyDesk.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR2F.GIF AnyDesk.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 796 vssadmin.exe -
Processes:
AnyDesk.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 AnyDesk.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e AnyDesk.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e AnyDesk.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
AnyDesk.exepid process 316 AnyDesk.exe -
Suspicious behavior: MapViewOfSection 4 IoCs
Processes:
AnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exepid process 644 AnyDesk.exe 1520 AnyDesk.exe 972 AnyDesk.exe 1532 AnyDesk.exe -
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes:
vssvc.exewbengine.exeWMIC.exedescription pid process Token: SeBackupPrivilege 428 vssvc.exe Token: SeRestorePrivilege 428 vssvc.exe Token: SeAuditPrivilege 428 vssvc.exe Token: SeBackupPrivilege 1624 wbengine.exe Token: SeRestorePrivilege 1624 wbengine.exe Token: SeSecurityPrivilege 1624 wbengine.exe Token: SeIncreaseQuotaPrivilege 1316 WMIC.exe Token: SeSecurityPrivilege 1316 WMIC.exe Token: SeTakeOwnershipPrivilege 1316 WMIC.exe Token: SeLoadDriverPrivilege 1316 WMIC.exe Token: SeSystemProfilePrivilege 1316 WMIC.exe Token: SeSystemtimePrivilege 1316 WMIC.exe Token: SeProfSingleProcessPrivilege 1316 WMIC.exe Token: SeIncBasePriorityPrivilege 1316 WMIC.exe Token: SeCreatePagefilePrivilege 1316 WMIC.exe Token: SeBackupPrivilege 1316 WMIC.exe Token: SeRestorePrivilege 1316 WMIC.exe Token: SeShutdownPrivilege 1316 WMIC.exe Token: SeDebugPrivilege 1316 WMIC.exe Token: SeSystemEnvironmentPrivilege 1316 WMIC.exe Token: SeRemoteShutdownPrivilege 1316 WMIC.exe Token: SeUndockPrivilege 1316 WMIC.exe Token: SeManageVolumePrivilege 1316 WMIC.exe Token: 33 1316 WMIC.exe Token: 34 1316 WMIC.exe Token: 35 1316 WMIC.exe Token: SeIncreaseQuotaPrivilege 1316 WMIC.exe Token: SeSecurityPrivilege 1316 WMIC.exe Token: SeTakeOwnershipPrivilege 1316 WMIC.exe Token: SeLoadDriverPrivilege 1316 WMIC.exe Token: SeSystemProfilePrivilege 1316 WMIC.exe Token: SeSystemtimePrivilege 1316 WMIC.exe Token: SeProfSingleProcessPrivilege 1316 WMIC.exe Token: SeIncBasePriorityPrivilege 1316 WMIC.exe Token: SeCreatePagefilePrivilege 1316 WMIC.exe Token: SeBackupPrivilege 1316 WMIC.exe Token: SeRestorePrivilege 1316 WMIC.exe Token: SeShutdownPrivilege 1316 WMIC.exe Token: SeDebugPrivilege 1316 WMIC.exe Token: SeSystemEnvironmentPrivilege 1316 WMIC.exe Token: SeRemoteShutdownPrivilege 1316 WMIC.exe Token: SeUndockPrivilege 1316 WMIC.exe Token: SeManageVolumePrivilege 1316 WMIC.exe Token: 33 1316 WMIC.exe Token: 34 1316 WMIC.exe Token: 35 1316 WMIC.exe -
Suspicious use of WriteProcessMemory 33 IoCs
Processes:
AnyDesk.exeAnyDesk.execmd.exeAnyDesk.exeAnyDesk.exeAnyDesk.exedescription pid process target process PID 644 wrote to memory of 316 644 AnyDesk.exe AnyDesk.exe PID 644 wrote to memory of 316 644 AnyDesk.exe AnyDesk.exe PID 644 wrote to memory of 316 644 AnyDesk.exe AnyDesk.exe PID 644 wrote to memory of 316 644 AnyDesk.exe AnyDesk.exe PID 644 wrote to memory of 316 644 AnyDesk.exe AnyDesk.exe PID 316 wrote to memory of 1540 316 AnyDesk.exe cmd.exe PID 316 wrote to memory of 1540 316 AnyDesk.exe cmd.exe PID 316 wrote to memory of 1540 316 AnyDesk.exe cmd.exe PID 316 wrote to memory of 1540 316 AnyDesk.exe cmd.exe PID 1540 wrote to memory of 796 1540 cmd.exe vssadmin.exe PID 1540 wrote to memory of 796 1540 cmd.exe vssadmin.exe PID 1540 wrote to memory of 796 1540 cmd.exe vssadmin.exe PID 1540 wrote to memory of 1480 1540 cmd.exe wbadmin.exe PID 1540 wrote to memory of 1480 1540 cmd.exe wbadmin.exe PID 1540 wrote to memory of 1480 1540 cmd.exe wbadmin.exe PID 1540 wrote to memory of 1316 1540 cmd.exe WMIC.exe PID 1540 wrote to memory of 1316 1540 cmd.exe WMIC.exe PID 1540 wrote to memory of 1316 1540 cmd.exe WMIC.exe PID 1520 wrote to memory of 1120 1520 AnyDesk.exe AnyDesk.exe PID 1520 wrote to memory of 1120 1520 AnyDesk.exe AnyDesk.exe PID 1520 wrote to memory of 1120 1520 AnyDesk.exe AnyDesk.exe PID 1520 wrote to memory of 1120 1520 AnyDesk.exe AnyDesk.exe PID 1520 wrote to memory of 1120 1520 AnyDesk.exe AnyDesk.exe PID 972 wrote to memory of 508 972 AnyDesk.exe AnyDesk.exe PID 972 wrote to memory of 508 972 AnyDesk.exe AnyDesk.exe PID 972 wrote to memory of 508 972 AnyDesk.exe AnyDesk.exe PID 972 wrote to memory of 508 972 AnyDesk.exe AnyDesk.exe PID 972 wrote to memory of 508 972 AnyDesk.exe AnyDesk.exe PID 1532 wrote to memory of 2040 1532 AnyDesk.exe AnyDesk.exe PID 1532 wrote to memory of 2040 1532 AnyDesk.exe AnyDesk.exe PID 1532 wrote to memory of 2040 1532 AnyDesk.exe AnyDesk.exe PID 1532 wrote to memory of 2040 1532 AnyDesk.exe AnyDesk.exe PID 1532 wrote to memory of 2040 1532 AnyDesk.exe AnyDesk.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"2⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n3163⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n3164⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet4⤵
- Deletes backup catalog
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n3163⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n3164⤵
-
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n3163⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n3164⤵
-
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n3163⤵
- Loads dropped DLL
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\827763568MD5
120031bc33be5f42769515a1a836cd52
SHA1093829c78890bbba65ec428cc8bb3cab85c5b36d
SHA256bf0547c557dd71fe4ce1989c24ab7a09fb272f6f86e230c96381f2d22a638ccc
SHA5127553f96a21d2cf38a80c35a5ae898dbc99e9ec3725442240078b5df1d94be97837b165c21f65f28766c68feff233a2265602b24ea389c6d10b56d24d8881950d
-
C:\Users\Admin\AppData\Roaming\827763568MD5
bc251d6a9f3408d4a2ff3add1d27ad3d
SHA199091c8e7a4ce7df879e157ddfba12d60095b1a9
SHA2566e74f04c654aac5a0660ec5db3bfc2fa1ac1dc8a5f3fe683f36bcf8b049abd31
SHA51223b91b23223432e345b38ceb5bcb0396f166cb079992491df275df1904dfa2c9e2f359a4c6bfba11de01d8df1ff777d0f9ed6921ada99ae44e38cb739747a995
-
C:\Users\Admin\AppData\Roaming\827763568MD5
b98fcb966a5e82aaeb6feb5bd21efced
SHA1317678781479aba7b0cf9edfcfa78f662e077e63
SHA256db21de0ad45f867d8b4bc1136cf3993ceebadd7db0074d6489f51a51828e7d63
SHA51295ecd503e62b4ab79ed158507b463217f4bfe9186a9a77529ac446e208b2d082ebf5a938d67a5c10172988b79b09179364a195d7bb391102387424a966bf3026
-
C:\Users\Admin\AppData\Roaming\827763568MD5
bc251d6a9f3408d4a2ff3add1d27ad3d
SHA199091c8e7a4ce7df879e157ddfba12d60095b1a9
SHA2566e74f04c654aac5a0660ec5db3bfc2fa1ac1dc8a5f3fe683f36bcf8b049abd31
SHA51223b91b23223432e345b38ceb5bcb0396f166cb079992491df275df1904dfa2c9e2f359a4c6bfba11de01d8df1ff777d0f9ed6921ada99ae44e38cb739747a995
-
C:\Users\Admin\AppData\Roaming\827763568MD5
883d2f7f2305be70c36f74f97343419d
SHA1ea587bf0645186d9bacb61cedea8c9718b53db4f
SHA256ca18d72a563e26a335a4416b8ceed8578a642a28915672ad4b9787ea9f0f79ed
SHA512293b52e63aa75a4c7db0329c99cbdb20f15c5b1a341ca3905f9a38aa868a4c7477ba717d21974d5f0797773a34c451eb96f010e0fde43672da486aad483a17c6
-
C:\Users\Admin\AppData\Roaming\827763568MD5
f56cc40d7bed2e6d268056ce171343a5
SHA128dee18fe6173caa1946258e5b5b48188164aa17
SHA256d9309ae99e64dec03a4a74ded77f79bb8d6c901848afedb5df34c98e577e196c
SHA512f289380ed13dcad7fb083f1989db1ff89896c01e2ea52153bdc6a38fe3d188cc714a4378e380d66b02a9c83c04ddb9d0b47216ae9816ac6f4dcba447ef9b1e2f
-
C:\Users\Admin\AppData\Roaming\827763568MD5
bc251d6a9f3408d4a2ff3add1d27ad3d
SHA199091c8e7a4ce7df879e157ddfba12d60095b1a9
SHA2566e74f04c654aac5a0660ec5db3bfc2fa1ac1dc8a5f3fe683f36bcf8b049abd31
SHA51223b91b23223432e345b38ceb5bcb0396f166cb079992491df275df1904dfa2c9e2f359a4c6bfba11de01d8df1ff777d0f9ed6921ada99ae44e38cb739747a995
-
\Users\Admin\AppData\Local\Temp\nsc3F71.tmp\System.dllMD5
fccff8cb7a1067e23fd2e2b63971a8e1
SHA130e2a9e137c1223a78a0f7b0bf96a1c361976d91
SHA2566fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
SHA512f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
-
\Users\Admin\AppData\Local\Temp\nsd5062.tmp\System.dllMD5
fccff8cb7a1067e23fd2e2b63971a8e1
SHA130e2a9e137c1223a78a0f7b0bf96a1c361976d91
SHA2566fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
SHA512f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
-
\Users\Admin\AppData\Local\Temp\nsiD5B7.tmp\System.dllMD5
fccff8cb7a1067e23fd2e2b63971a8e1
SHA130e2a9e137c1223a78a0f7b0bf96a1c361976d91
SHA2566fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
SHA512f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
-
\Users\Admin\AppData\Local\Temp\nsn5BF6.tmp\System.dllMD5
fccff8cb7a1067e23fd2e2b63971a8e1
SHA130e2a9e137c1223a78a0f7b0bf96a1c361976d91
SHA2566fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
SHA512f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
-
\Users\Admin\AppData\Local\Temp\nsx1C48.tmp\System.dllMD5
fccff8cb7a1067e23fd2e2b63971a8e1
SHA130e2a9e137c1223a78a0f7b0bf96a1c361976d91
SHA2566fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
SHA512f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
-
memory/316-11-0x0000000000400000-0x000000000041E000-memory.dmpFilesize
120KB
-
memory/316-4-0x0000000000405A20-mapping.dmp
-
memory/508-23-0x0000000000405A20-mapping.dmp
-
memory/644-2-0x00000000765E1000-0x00000000765E3000-memory.dmpFilesize
8KB
-
memory/796-8-0x0000000000000000-mapping.dmp
-
memory/1120-15-0x0000000000405A20-mapping.dmp
-
memory/1316-14-0x0000000000000000-mapping.dmp
-
memory/1480-13-0x000007FEFBCD1000-0x000007FEFBCD3000-memory.dmpFilesize
8KB
-
memory/1480-12-0x0000000000000000-mapping.dmp
-
memory/1540-7-0x0000000000000000-mapping.dmp
-
memory/1920-19-0x000007FEF7790000-0x000007FEF7A0A000-memory.dmpFilesize
2.5MB
-
memory/2040-30-0x0000000000405A20-mapping.dmp