makop | c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec

Resubmissions

17-01-2021 18:22

210117-p2y29rzwds 10

05-01-2021 05:07

210105-svmjjn3wwa 10

Analysis

max time kernel
146s
max time network
122s
platform
windows10_x64
resource
win10v20201028
submitted
17-01-2021 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

262KB
MD5

53e7b9e873404afdd22cdeba41b4e1c9
SHA1

18b1a19f826e9d48d5776f6e3c279547f3ff517d
SHA256

c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec
SHA512

ccc0af85ea847c45d11e213030e6b3224503c22fe70519049095b1d84cbf61e50c72ab370a03e456338127b52d462826248a6413706ab900afac16adf1deb9dd

Score

10^/10

makop persistence ransomware spyware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\readme-warning.txt

Family

makop

Ransom Note

::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "moloch" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: moloch_helpdesk@tutanota.com or moloch_helpdesk@protonmail.ch .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don�t want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

Emails

moloch_helpdesk@tutanota.com

moloch_helpdesk@protonmail.ch

Signatures

Makop
Ransomware family discovered by @VK_Intel in early 2020.
ransomware makop

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

svchost.exe

description	pid	process	target process
PID 1948 created 2888	1948	svchost.exe	AnyDesk.exe
PID 1948 created 2888	1948	svchost.exe	AnyDesk.exe
PID 1948 created 2888	1948	svchost.exe	AnyDesk.exe
PID 1948 created 2888	1948	svchost.exe	AnyDesk.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1620 wbadmin.exe

pid	process
1620	wbadmin.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

AnyDesk.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\CloseReset.tiff	AnyDesk.exe
File opened for modification	C:\Users\Admin\Pictures\EditSync.tiff	AnyDesk.exe

Loads dropped DLL 5 IoCs

Processes:

AnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exe

pid process

1908 AnyDesk.exe
1272 AnyDesk.exe
2284 AnyDesk.exe
3128 AnyDesk.exe
3628 AnyDesk.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1908	AnyDesk.exe
1272	AnyDesk.exe
2284	AnyDesk.exe
3128	AnyDesk.exe
3628	AnyDesk.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

AnyDesk.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AnyDesk.exe\""	AnyDesk.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 5 IoCs

Processes:

AnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exe

description	pid	process	target process
PID 1908 set thread context of 2888	1908	AnyDesk.exe	AnyDesk.exe
PID 1272 set thread context of 272	1272	AnyDesk.exe	AnyDesk.exe
PID 2284 set thread context of 4028	2284	AnyDesk.exe	AnyDesk.exe
PID 3128 set thread context of 3960	3128	AnyDesk.exe	AnyDesk.exe
PID 3628 set thread context of 3472	3628	AnyDesk.exe	AnyDesk.exe

Drops file in Program Files directory 17718 IoCs

Processes:

AnyDesk.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\readme-warning.txt	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-ae\readme-warning.txt	AnyDesk.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\COPYRIGHT	AnyDesk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STRTEDGE\THMBNAIL.PNG	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\MedTile.scale-125.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\Scrubbing_icons.png	AnyDesk.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_ja.jar	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookSmallTile.scale-200.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsMedTile.scale-100.png	AnyDesk.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\readme-warning.txt	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.e9aab164.pri	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\2818_24x24x32.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\SplashScreen.scale-125.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.b010e8f2.pri	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\readme-warning.txt	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\16.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-100_kzf8qxf38zg5c\SkypeApp\Assets\highfive.scale-100.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorWideTile.scale-125.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeBadge.scale-125.png	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hu-hu\readme-warning.txt	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\inline-error-1x.png	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\de-de\readme-warning.txt	AnyDesk.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkClientCP	AnyDesk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\PrizeHistory\badges_none.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\resources.pri	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\8041_32x32x32.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\tz_16x11.png	AnyDesk.exe
File created	C:\Program Files\VideoLAN\VLC\lua\extensions\readme-warning.txt	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Microsoft.CPub.BackgroundTasks.winmd	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Dark.scale-125.png	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt	AnyDesk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	AnyDesk.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_zh_CN.jar	AnyDesk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ul-oob.xrm-ms	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Dark.scale-200.png	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ca-es\readme-warning.txt	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\readme-warning.txt	AnyDesk.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\readme-warning.txt	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-96_altform-unplated.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\_Resources\2.rsrc	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-60_altform-unplated.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\TestDrive.Tests.ps1	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Themes\classic.mobile.jpg	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\MedTile.scale-200.png	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\NavigationIcons\nav_icons_activityAlert.targetsize-48.png	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\readme-warning.txt	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.2.24002.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\fue_1_1.png	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ko-kr\ui-strings.js	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\readme-warning.txt	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\rhp_world_icon_hover.png	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-fr\ui-strings.js	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\az_get.svg	AnyDesk.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\uk-ua\readme-warning.txt	AnyDesk.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core.xml	AnyDesk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ul-oob.xrm-ms	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Localization\localized_LT-LT.respack	AnyDesk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ppd.xrm-ms	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-cn\ui-strings.js	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\icons_ie8.gif	AnyDesk.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\TriPeaks\Goal_6.jpg	AnyDesk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office15\pkeyconfig-office.xrm-ms	AnyDesk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.JPG	AnyDesk.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName	vds.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

740 vssadmin.exe

pid	process
740	vssadmin.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

AnyDesk.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	AnyDesk.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk.exe

pid process

2888 AnyDesk.exe
2888 AnyDesk.exe
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

AnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exe

pid process

1908 AnyDesk.exe
1272 AnyDesk.exe
2284 AnyDesk.exe
3128 AnyDesk.exe
3628 AnyDesk.exe

pid	process
2888	AnyDesk.exe
2888	AnyDesk.exe

pid	process
1908	AnyDesk.exe
1272	AnyDesk.exe
2284	AnyDesk.exe
3128	AnyDesk.exe
3628	AnyDesk.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

svchost.exevssvc.exewbengine.exeWMIC.exe

description	pid	process
Token: SeTcbPrivilege	1948	svchost.exe
Token: SeTcbPrivilege	1948	svchost.exe
Token: SeBackupPrivilege	3004	vssvc.exe
Token: SeRestorePrivilege	3004	vssvc.exe
Token: SeAuditPrivilege	3004	vssvc.exe
Token: SeBackupPrivilege	1108	wbengine.exe
Token: SeRestorePrivilege	1108	wbengine.exe
Token: SeSecurityPrivilege	1108	wbengine.exe
Token: SeIncreaseQuotaPrivilege	4084	WMIC.exe
Token: SeSecurityPrivilege	4084	WMIC.exe
Token: SeTakeOwnershipPrivilege	4084	WMIC.exe
Token: SeLoadDriverPrivilege	4084	WMIC.exe
Token: SeSystemProfilePrivilege	4084	WMIC.exe
Token: SeSystemtimePrivilege	4084	WMIC.exe
Token: SeProfSingleProcessPrivilege	4084	WMIC.exe
Token: SeIncBasePriorityPrivilege	4084	WMIC.exe
Token: SeCreatePagefilePrivilege	4084	WMIC.exe
Token: SeBackupPrivilege	4084	WMIC.exe
Token: SeRestorePrivilege	4084	WMIC.exe
Token: SeShutdownPrivilege	4084	WMIC.exe
Token: SeDebugPrivilege	4084	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4084	WMIC.exe
Token: SeRemoteShutdownPrivilege	4084	WMIC.exe
Token: SeUndockPrivilege	4084	WMIC.exe
Token: SeManageVolumePrivilege	4084	WMIC.exe
Token: 33	4084	WMIC.exe
Token: 34	4084	WMIC.exe
Token: 35	4084	WMIC.exe
Token: 36	4084	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4084	WMIC.exe
Token: SeSecurityPrivilege	4084	WMIC.exe
Token: SeTakeOwnershipPrivilege	4084	WMIC.exe
Token: SeLoadDriverPrivilege	4084	WMIC.exe
Token: SeSystemProfilePrivilege	4084	WMIC.exe
Token: SeSystemtimePrivilege	4084	WMIC.exe
Token: SeProfSingleProcessPrivilege	4084	WMIC.exe
Token: SeIncBasePriorityPrivilege	4084	WMIC.exe
Token: SeCreatePagefilePrivilege	4084	WMIC.exe
Token: SeBackupPrivilege	4084	WMIC.exe
Token: SeRestorePrivilege	4084	WMIC.exe
Token: SeShutdownPrivilege	4084	WMIC.exe
Token: SeDebugPrivilege	4084	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4084	WMIC.exe
Token: SeRemoteShutdownPrivilege	4084	WMIC.exe
Token: SeUndockPrivilege	4084	WMIC.exe
Token: SeManageVolumePrivilege	4084	WMIC.exe
Token: 33	4084	WMIC.exe
Token: 34	4084	WMIC.exe
Token: 35	4084	WMIC.exe
Token: 36	4084	WMIC.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

AnyDesk.exesvchost.exeAnyDesk.execmd.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exe

description	pid	process	target process
PID 1908 wrote to memory of 2888	1908	AnyDesk.exe	AnyDesk.exe
PID 1908 wrote to memory of 2888	1908	AnyDesk.exe	AnyDesk.exe
PID 1908 wrote to memory of 2888	1908	AnyDesk.exe	AnyDesk.exe
PID 1908 wrote to memory of 2888	1908	AnyDesk.exe	AnyDesk.exe
PID 1948 wrote to memory of 1272	1948	svchost.exe	AnyDesk.exe
PID 1948 wrote to memory of 1272	1948	svchost.exe	AnyDesk.exe
PID 1948 wrote to memory of 1272	1948	svchost.exe	AnyDesk.exe
PID 1948 wrote to memory of 1272	1948	svchost.exe	AnyDesk.exe
PID 1948 wrote to memory of 1272	1948	svchost.exe	AnyDesk.exe
PID 1948 wrote to memory of 1272	1948	svchost.exe	AnyDesk.exe
PID 1948 wrote to memory of 1272	1948	svchost.exe	AnyDesk.exe
PID 2888 wrote to memory of 3976	2888	AnyDesk.exe	cmd.exe
PID 2888 wrote to memory of 3976	2888	AnyDesk.exe	cmd.exe
PID 3976 wrote to memory of 740	3976	cmd.exe	vssadmin.exe
PID 3976 wrote to memory of 740	3976	cmd.exe	vssadmin.exe
PID 3976 wrote to memory of 1620	3976	cmd.exe	wbadmin.exe
PID 3976 wrote to memory of 1620	3976	cmd.exe	wbadmin.exe
PID 3976 wrote to memory of 4084	3976	cmd.exe	WMIC.exe
PID 3976 wrote to memory of 4084	3976	cmd.exe	WMIC.exe
PID 1272 wrote to memory of 272	1272	AnyDesk.exe	AnyDesk.exe
PID 1272 wrote to memory of 272	1272	AnyDesk.exe	AnyDesk.exe
PID 1272 wrote to memory of 272	1272	AnyDesk.exe	AnyDesk.exe
PID 1272 wrote to memory of 272	1272	AnyDesk.exe	AnyDesk.exe
PID 1948 wrote to memory of 2284	1948	svchost.exe	AnyDesk.exe
PID 1948 wrote to memory of 2284	1948	svchost.exe	AnyDesk.exe
PID 1948 wrote to memory of 2284	1948	svchost.exe	AnyDesk.exe
PID 1948 wrote to memory of 2284	1948	svchost.exe	AnyDesk.exe
PID 1948 wrote to memory of 2284	1948	svchost.exe	AnyDesk.exe
PID 1948 wrote to memory of 2284	1948	svchost.exe	AnyDesk.exe
PID 1948 wrote to memory of 2284	1948	svchost.exe	AnyDesk.exe
PID 2284 wrote to memory of 4028	2284	AnyDesk.exe	AnyDesk.exe
PID 2284 wrote to memory of 4028	2284	AnyDesk.exe	AnyDesk.exe
PID 2284 wrote to memory of 4028	2284	AnyDesk.exe	AnyDesk.exe
PID 2284 wrote to memory of 4028	2284	AnyDesk.exe	AnyDesk.exe
PID 1948 wrote to memory of 3128	1948	svchost.exe	AnyDesk.exe
PID 1948 wrote to memory of 3128	1948	svchost.exe	AnyDesk.exe
PID 1948 wrote to memory of 3128	1948	svchost.exe	AnyDesk.exe
PID 1948 wrote to memory of 3128	1948	svchost.exe	AnyDesk.exe
PID 1948 wrote to memory of 3128	1948	svchost.exe	AnyDesk.exe
PID 1948 wrote to memory of 3128	1948	svchost.exe	AnyDesk.exe
PID 1948 wrote to memory of 3128	1948	svchost.exe	AnyDesk.exe
PID 3128 wrote to memory of 3960	3128	AnyDesk.exe	AnyDesk.exe
PID 3128 wrote to memory of 3960	3128	AnyDesk.exe	AnyDesk.exe
PID 3128 wrote to memory of 3960	3128	AnyDesk.exe	AnyDesk.exe
PID 3128 wrote to memory of 3960	3128	AnyDesk.exe	AnyDesk.exe
PID 1948 wrote to memory of 3628	1948	svchost.exe	AnyDesk.exe
PID 1948 wrote to memory of 3628	1948	svchost.exe	AnyDesk.exe
PID 1948 wrote to memory of 3628	1948	svchost.exe	AnyDesk.exe
PID 1948 wrote to memory of 3628	1948	svchost.exe	AnyDesk.exe
PID 1948 wrote to memory of 3628	1948	svchost.exe	AnyDesk.exe
PID 1948 wrote to memory of 3628	1948	svchost.exe	AnyDesk.exe
PID 1948 wrote to memory of 3628	1948	svchost.exe	AnyDesk.exe
PID 3628 wrote to memory of 3472	3628	AnyDesk.exe	AnyDesk.exe
PID 3628 wrote to memory of 3472	3628	AnyDesk.exe	AnyDesk.exe
PID 3628 wrote to memory of 3472	3628	AnyDesk.exe	AnyDesk.exe
PID 3628 wrote to memory of 3472	3628	AnyDesk.exe	AnyDesk.exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1908

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
2⤵
- Modifies extensions of user files
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2888

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n2888
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1272

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n2888
4⤵
PID:272

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3976

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:740

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
4⤵
- Deletes backup catalog
PID:1620

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n2888
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2284

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n2888
4⤵
PID:4028

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n2888
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3128

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n2888
4⤵
PID:3960

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n2888
3⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3628

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n2888
4⤵
PID:3472

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3908

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:3180

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\827763568
MD5
02e83b62cecc59b55d329a86b6aece3c

SHA1
804a2022e14ac50b7dbe7a744c9d1a4de337aaf2

SHA256
b2eddf7a56f25753df62f2057be19588611bd74220a2481b55d29dd5fde1653e

SHA512
981aa5fe56eed9067a3615b245242ea81453f051ccaa73dc7f024197eee5216d7087b29c3e8ed111ce76b96be963adfe7ddada3970a1717658622bade0d3e50a

Download Submit
C:\Users\Admin\AppData\Roaming\827763568
MD5
bc251d6a9f3408d4a2ff3add1d27ad3d

SHA1
99091c8e7a4ce7df879e157ddfba12d60095b1a9

SHA256
6e74f04c654aac5a0660ec5db3bfc2fa1ac1dc8a5f3fe683f36bcf8b049abd31

SHA512
23b91b23223432e345b38ceb5bcb0396f166cb079992491df275df1904dfa2c9e2f359a4c6bfba11de01d8df1ff777d0f9ed6921ada99ae44e38cb739747a995

Download Submit
C:\Users\Admin\AppData\Roaming\827763568
MD5
b727dcc61e6b1a08c9f3f4824366bc53

SHA1
6dcce6fceebbece8fc786a296a01dae51b1c371c

SHA256
8c40e6e2cc87615d19438444e49a9f6631d549d8e3c8595c45bb1a168fcf6b97

SHA512
15d6a5e8570c060251dd48eecbd4afc3c5087fc0a46c950a143b0899dbad528c93b160447f07305788b9c3d66d6c61174b2de47881a96785ae893fcc4be86d4a

Download Submit
C:\Users\Admin\AppData\Roaming\827763568
MD5
bc251d6a9f3408d4a2ff3add1d27ad3d

SHA1
99091c8e7a4ce7df879e157ddfba12d60095b1a9

SHA256
6e74f04c654aac5a0660ec5db3bfc2fa1ac1dc8a5f3fe683f36bcf8b049abd31

SHA512
23b91b23223432e345b38ceb5bcb0396f166cb079992491df275df1904dfa2c9e2f359a4c6bfba11de01d8df1ff777d0f9ed6921ada99ae44e38cb739747a995

Download Submit
C:\Users\Admin\AppData\Roaming\827763568
MD5
2b296d27c5a92be627d3ee2b7cf4b53d

SHA1
38340e9212b7fb08fc116cf4d190c06e55730289

SHA256
dc5de48fb9c5c32512d8f7a3bec600ed236f4213d949b6e66b0ab3fe65027ca1

SHA512
fba5868285dbe13f5cef20c745f25861ab1ac230cd9cd5c03c4a752ca80e9288dc70a47359811836d415336f75a8e8944996b7f73bb6ee27ff079b889dd0f49e

Download Submit
C:\Users\Admin\AppData\Roaming\827763568
MD5
bcce685606fdb8239343b1506bd103cc

SHA1
d4d860156956f15ff48ba77aa10cfb0a7f2713cc

SHA256
9f56333311135425fd383924845a47721394cde11fe633c7a0934a4cf232b2c8

SHA512
d3a8fb00b235699e3e8f3a7f70df8a000773f9350c5acb239dc6ca67b95ef134317d77ad6ea34e21c9c2cce5e34023060527faee42efbcb1b853a43ac171b8c7

Download Submit
C:\Users\Admin\AppData\Roaming\827763568
MD5
bc251d6a9f3408d4a2ff3add1d27ad3d

SHA1
99091c8e7a4ce7df879e157ddfba12d60095b1a9

SHA256
6e74f04c654aac5a0660ec5db3bfc2fa1ac1dc8a5f3fe683f36bcf8b049abd31

SHA512
23b91b23223432e345b38ceb5bcb0396f166cb079992491df275df1904dfa2c9e2f359a4c6bfba11de01d8df1ff777d0f9ed6921ada99ae44e38cb739747a995

Download Submit
\Users\Admin\AppData\Local\Temp\nsj3724.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nsk4E2D.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nsvD284.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nsw55B3.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nsx5952.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
memory/272-12-0x0000000000405A20-mapping.dmp

Download
memory/740-6-0x0000000000000000-mapping.dmp

Download
memory/1272-4-0x0000000000000000-mapping.dmp

Download
memory/1620-7-0x0000000000000000-mapping.dmp

Download
memory/2284-16-0x0000000000000000-mapping.dmp

Download
memory/2888-10-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2888-3-0x0000000000405A20-mapping.dmp

Download
memory/3128-21-0x0000000000000000-mapping.dmp

Download
memory/3472-31-0x0000000000405A20-mapping.dmp

Download
memory/3628-27-0x0000000000000000-mapping.dmp

Download
memory/3960-25-0x0000000000405A20-mapping.dmp

Download
memory/3976-5-0x0000000000000000-mapping.dmp

Download
memory/4028-19-0x0000000000405A20-mapping.dmp

Download
memory/4084-11-0x0000000000000000-mapping.dmp

Download