Analysis
  max time kernel: 146s
  max time network: 122s
  platform: windows10_x64
  resource: win10v20201028
  submitted: 17-01-2021 18:22

Static task: static1
Behavioral task: behavioral1
  Sample: AnyDesk.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: AnyDesk.exe
  Resource: win10v20201028
(The results below are from behavioral2, the win10v20201028 run.)
General
  Target: AnyDesk.exe
  Size: 262KB
  MD5: 53e7b9e873404afdd22cdeba41b4e1c9
  SHA1: 18b1a19f826e9d48d5776f6e3c279547f3ff517d
  SHA256: c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec
  SHA512: ccc0af85ea847c45d11e213030e6b3224503c22fe70519049095b1d84cbf61e50c72ab370a03e456338127b52d462826248a6413706ab900afac16adf1deb9dd
The filename borrows the name of the AnyDesk remote-access client; nothing in this report ties the binary to the genuine product, and the behaviour recorded below is that of Makop ransomware. Pivot on the hashes, not on the name.
Malware Config
Extracted
  Path: C:\Users\Admin\AppData\Local\Temp\readme-warning.txt
  Family: makop
  Emails: moloch_helpdesk@tutanota.com, moloch_helpdesk@protonmail.ch
Signatures

Makop
Ransomware family discovered by @VK_Intel in early 2020.

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
Processes:
  PID 1948 created 2888 | pid 1948 | process svchost.exe | target process AnyDesk.exe (4 identical records)
The svchost.exe instance is the Secondary Logon service (svchost.exe -k netsvcs -s seclogon in the process tree), which creates processes on behalf of a caller. The four additional "AnyDesk.exe n2888" instances are therefore started by the service but carry PID 2888 as their recorded parent, which is why the tree nests them under 2888 while the WriteProcessMemory records show 1948 writing their memory. A rule keyed on the parent image alone sees a Windows service as the parent; key on the creator (the seclogon svchost) together with the unusual image path under %TEMP%.
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Processes:
  pid 1620  wbadmin.exe
Modifies extensions of user files 2 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
  AnyDesk.exe: File opened for modification C:\Users\Admin\Pictures\CloseReset.tiff
  AnyDesk.exe: File opened for modification C:\Users\Admin\Pictures\EditSync.tiff
Loads dropped DLL 5 IoCs
Processes:
  pid 1908  AnyDesk.exe
  pid 1272  AnyDesk.exe
  pid 2284  AnyDesk.exe
  pid 3128  AnyDesk.exe
  pid 3628  AnyDesk.exe
One hit per parent instance. The DLL in each case is the System.dll dropped into a fresh ns*.tmp directory (listed under Downloads), which is the NSIS System plugin: the outer AnyDesk.exe is a Nullsoft installer stub, and the encryptor runs in the child each stub spawns.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  AnyDesk.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AnyDesk.exe\""
Run-key persistence in the user's own hive, so no elevation is needed; a numeric value name ("1") and a target under %TEMP% are both worth keying on in a hunt.

Legitimate hosting services abused for malware hosting/C2 1 TTPs
Suspicious use of SetThreadContext 5 IoCs
Processes:
  PID 1908 (AnyDesk.exe) set thread context of 2888 (AnyDesk.exe)
  PID 1272 (AnyDesk.exe) set thread context of 272 (AnyDesk.exe)
  PID 2284 (AnyDesk.exe) set thread context of 4028 (AnyDesk.exe)
  PID 3128 (AnyDesk.exe) set thread context of 3960 (AnyDesk.exe)
  PID 3628 (AnyDesk.exe) set thread context of 3472 (AnyDesk.exe)
Each of the five parents starts a copy of itself, writes into it (WriteProcessMemory), maps a section into it (MapViewOfSection) and then sets the child's thread context. The memory dumps for all five children are mappings at 0x405A20, and the dump for 2888 covers 0x400000-0x41E000 (120KB), which is consistent with a payload image written at 0x400000 and the child's thread redirected to an entry point inside it. The payload, not the stub, does the damage: PID 2888 is the instance that drops the ransom notes, sets the Run key and launches cmd.exe.
Drops file in Program Files directory 17718 IoCs
Processes (AnyDesk.exe; the page lists 64 of the 17718 records):
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\readme-warning.txt
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-ae\readme-warning.txt
  File opened for modification C:\Program Files\Java\jre1.8.0_66\COPYRIGHT
  File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STRTEDGE\THMBNAIL.PNG
  File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\MedTile.scale-125.png
  File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\Scrubbing_icons.png
  File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_ja.jar
  File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteNotebookSmallTile.scale-200.png
  File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsMedTile.scale-100.png
  File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\readme-warning.txt
  File opened for modification C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.e9aab164.pri
  File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\2818_24x24x32.png
  File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-125_8wekyb3d8bbwe\Assets\SplashScreen.scale-125.png
  File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\resources.b010e8f2.pri
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\readme-warning.txt
  File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\16.png
  File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_neutral_split.scale-100_kzf8qxf38zg5c\SkypeApp\Assets\highfive.scale-100.png
  File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CalculatorWideTile.scale-125.png
  File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeBadge.scale-125.png
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hu-hu\readme-warning.txt
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\inline-error-1x.png
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\de-de\readme-warning.txt
  File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkClientCP
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt
  File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.DailyChallenges\Assets\PrizeHistory\badges_none.png
  File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\resources.pri
  File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\8041_32x32x32.png
  File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\tz_16x11.png
  File created C:\Program Files\VideoLAN\VLC\lua\extensions\readme-warning.txt
  File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Microsoft.CPub.BackgroundTasks.winmd
  File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Yahoo-Dark.scale-125.png
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt
  File opened for modification C:\Program Files\7-Zip\Lang\sr-spc.txt
  File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_zh_CN.jar
  File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ul-oob.xrm-ms
  File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Dark.scale-200.png
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ca-es\readme-warning.txt
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\readme-warning.txt
  File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\readme-warning.txt
  File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_4.5.6.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-96_altform-unplated.png
  File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\_Resources\2.rsrc
  File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-60_altform-unplated.png
  File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\TestDrive.Tests.ps1
  File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Themes\classic.mobile.jpg
  File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Work\MedTile.scale-200.png
  File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\NavigationIcons\nav_icons_activityAlert.targetsize-48.png
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\readme-warning.txt
  File opened for modification C:\Program Files\WindowsApps\Microsoft.Messaging_3.2.24002.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml
  File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.StarClub\Assets\fue_1_1.png
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ko-kr\ui-strings.js
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\readme-warning.txt
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\rhp_world_icon_hover.png
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-fr\ui-strings.js
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\az_get.svg
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\uk-ua\readme-warning.txt
  File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core.xml
  File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Grace-ul-oob.xrm-ms
  File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\GamePlayAssets\Localization\localized_LT-LT.respack
  File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ppd.xrm-ms
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-cn\ui-strings.js
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\icons_ie8.gif
  File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\TriPeaks\Goal_6.jpg
  File opened for modification C:\Program Files\Microsoft Office\root\Office15\pkeyconfig-office.xrm-ms
  File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.JPG
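The pattern in the list above is the one a file-activity detector should key on: a single process creating the same note filename (readme-warning.txt) in directory after directory while opening files of every type for modification. The following is an added example, not part of the sandbox report, that scores events in the page's own "File created <path> <process>" / "File opened for modification <path> <process>" form. The input is a constructed subset of this report's records; the two WINWORD.EXE lines are a made-up benign control, and the thresholds are illustrative rather than tuned.

```python
"""Heuristic over sandbox file events: a process that drops the same note
filename into many directories while modifying files across many directories
and file types. Added example; the AnyDesk.exe lines are taken from this
report, the WINWORD.EXE lines are a constructed benign control."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

FILE_EVENT = re.compile(
    r"^File (?P<op>created|opened for modification) (?P<path>.+?) (?P<process>\S+\.exe)$",
    re.IGNORECASE,
)

SAMPLE_EVENTS = r"""
File opened for modification C:\Users\Admin\Pictures\CloseReset.tiff AnyDesk.exe
File opened for modification C:\Users\Admin\Pictures\EditSync.tiff AnyDesk.exe
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\readme-warning.txt AnyDesk.exe
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\readme-warning.txt AnyDesk.exe
File created C:\Program Files\VideoLAN\VLC\lua\extensions\readme-warning.txt AnyDesk.exe
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\readme-warning.txt AnyDesk.exe
File opened for modification C:\Program Files\Java\jre1.8.0_66\COPYRIGHT AnyDesk.exe
File opened for modification C:\Program Files\7-Zip\Lang\sr-spc.txt AnyDesk.exe
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\TestDrive.Tests.ps1 AnyDesk.exe
File opened for modification C:\Program Files\Microsoft Office\root\Office15\pkeyconfig-office.xrm-ms AnyDesk.exe
File opened for modification C:\Users\Admin\Documents\report.docx WINWORD.EXE
File created C:\Users\Admin\Documents\~$report.docx WINWORD.EXE
"""


def parse_file_events(text):
    """Return (op, path, process) tuples; lines that do not match are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = FILE_EVENT.match(line.strip())
        if m:
            events.append((m["op"].lower(), PureWindowsPath(m["path"]), m["process"]))
    return events


def assess(events, note_min_dirs=3, min_modified=5, min_dirs=3):
    """Score each process. Thresholds are illustrative and must be tuned
    against baseline data: installers and backup tools also write widely."""
    created = defaultdict(lambda: defaultdict(set))  # process -> filename -> {dirs}
    modified = defaultdict(list)                     # process -> [paths]
    for op, path, proc in events:
        if op == "created":
            created[proc][path.name.lower()].add(str(path.parent).lower())
        else:
            modified[proc].append(path)

    report = {}
    for proc in sorted(set(created) | set(modified)):
        # A "note" is any filename this process created in many distinct directories.
        note_names = sorted(
            name for name, dirs in created[proc].items() if len(dirs) >= note_min_dirs
        )
        mods = modified[proc]
        dirs = {str(p.parent).lower() for p in mods}
        exts = {p.suffix.lower() for p in mods}
        report[proc] = {
            "note_names": note_names,
            "modified": len(mods),
            "distinct_dirs": len(dirs),
            "distinct_extensions": len(exts),
            "verdict": bool(note_names) and len(mods) >= min_modified and len(dirs) >= min_dirs,
        }
    return report


if __name__ == "__main__":
    for proc, info in assess(parse_file_events(SAMPLE_EVENTS)).items():
        print(proc, info)
```

The note-name test is deliberately content-agnostic: it fires on any filename repeated across directories, so it survives a rename of readme-warning.txt, while the spread and extension counts separate a bulk encryptor from a word processor touching one document.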
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
  vds.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000
  vds.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName
  vds.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000
  vds.exe: Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName
The process here is vds.exe (Virtual Disk Service), started through vdsldr.exe while the backup tooling ran, not the sample. Reading disk FriendlyName values is normal for that service, so this hit is best read as a side effect of the shadow-copy deletion rather than as an anti-analysis check by the sample.
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
  pid 740  vssadmin.exe

Modifies system certificate store 2 IoCs
Processes:
  AnyDesk.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
  AnyDesk.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob not reproduced on this page)
Writes under AuthRoot\Certificates are also how Windows caches root certificates fetched by the automatic root update whenever a process builds a certificate chain, so this entry is weak evidence on its own; treat it as context for the run, not as an indicator to pivot on.
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  pid 2888  AnyDesk.exe (2 entries)

Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
  pid 1908  AnyDesk.exe
  pid 1272  AnyDesk.exe
  pid 2284  AnyDesk.exe
  pid 3128  AnyDesk.exe
  pid 3628  AnyDesk.exe
Suspicious use of AdjustPrivilegeToken 50 IoCs
Processes:
  svchost.exe (pid 1948): SeTcbPrivilege (2 entries)
  vssvc.exe (pid 3004): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  wbengine.exe (pid 1108): SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
  WMIC.exe (pid 4084), each of the following recorded twice (42 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
The bare numbers are privilege LUIDs the sandbox did not resolve to names; 33 through 36 correspond to SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege. None of the 50 entries is attributed to an AnyDesk.exe process: wmic.exe enables every privilege on its token at start-up, vssvc.exe and wbengine.exe are the VSS and Windows Backup services doing the work that "vssadmin delete shadows" and "wbadmin delete catalog" asked of them, and the svchost.exe entries belong to the seclogon service. The signal is the commands in the process tree, not the token adjustments.
Suspicious use of WriteProcessMemory 56 IoCs
Processes (entries with the same source and target grouped; count in parentheses):
  PID 1908 (AnyDesk.exe) wrote to memory of 2888 (AnyDesk.exe) (4)
  PID 1948 (svchost.exe) wrote to memory of 1272 (AnyDesk.exe) (7)
  PID 2888 (AnyDesk.exe) wrote to memory of 3976 (cmd.exe) (2)
  PID 3976 (cmd.exe) wrote to memory of 740 (vssadmin.exe) (2)
  PID 3976 (cmd.exe) wrote to memory of 1620 (wbadmin.exe) (2)
  PID 3976 (cmd.exe) wrote to memory of 4084 (WMIC.exe) (2)
  PID 1272 (AnyDesk.exe) wrote to memory of 272 (AnyDesk.exe) (4)
  PID 1948 (svchost.exe) wrote to memory of 2284 (AnyDesk.exe) (7)
  PID 2284 (AnyDesk.exe) wrote to memory of 4028 (AnyDesk.exe) (4)
  PID 1948 (svchost.exe) wrote to memory of 3128 (AnyDesk.exe) (7)
  PID 3128 (AnyDesk.exe) wrote to memory of 3960 (AnyDesk.exe) (4)
  PID 1948 (svchost.exe) wrote to memory of 3628 (AnyDesk.exe) (7)
  PID 3628 (AnyDesk.exe) wrote to memory of 3472 (AnyDesk.exe) (4)
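Read together, the WriteProcessMemory, SetThreadContext and NtCreateUserProcessOtherParentProcess tables fall into three distinct cases, and only one of them is injection. The following is an added example, not part of the sandbox report, that parses records in the page's own "PID <src> <action> <dst> <pid> <image> <image>" form and separates them: a source that both writes into a target and sets its thread context (the hollowing pattern), a creation through the seclogon service with a substituted parent, and plain parent-to-child writes, which CreateProcess performs legitimately (cmd.exe into vssadmin.exe). The input is a constructed subset of this report's records, one per line.

```python
"""Correlate the sandbox's per-process records into injection pairs.
Added example; the input is a constructed subset of this report's records."""
import re
from collections import defaultdict

RECORD = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of|created) "
    r"(?P<dst>\d+) \d+ (?P<src_image>\S+) (?P<dst_image>\S+)$"
)

SAMPLE_RECORDS = """
PID 1908 wrote to memory of 2888 1908 AnyDesk.exe AnyDesk.exe
PID 1908 wrote to memory of 2888 1908 AnyDesk.exe AnyDesk.exe
PID 1908 set thread context of 2888 1908 AnyDesk.exe AnyDesk.exe
PID 1948 created 2888 1948 svchost.exe AnyDesk.exe
PID 1948 wrote to memory of 1272 1948 svchost.exe AnyDesk.exe
PID 1272 wrote to memory of 272 1272 AnyDesk.exe AnyDesk.exe
PID 1272 set thread context of 272 1272 AnyDesk.exe AnyDesk.exe
PID 2888 wrote to memory of 3976 2888 AnyDesk.exe cmd.exe
PID 3976 wrote to memory of 740 3976 cmd.exe vssadmin.exe
PID 3976 wrote to memory of 1620 3976 cmd.exe wbadmin.exe
PID 3976 wrote to memory of 4084 3976 cmd.exe WMIC.exe
"""

WRITE, SETCTX, CREATE = "wrote to memory of", "set thread context of", "created"


def parse_records(text):
    """One dict per matching line; PIDs converted to int."""
    records = []
    for line in text.strip().splitlines():
        m = RECORD.match(line.strip())
        if m:
            d = m.groupdict()
            d["src"], d["dst"] = int(d["src"]), int(d["dst"])
            records.append(d)
    return records


def correlate(records):
    """Return (injections, other_parent_creations, plain_writes)."""
    actions = defaultdict(set)  # (src, dst) -> set of action strings
    images = {}                 # (src, dst) -> (src_image, dst_image)
    for r in records:
        key = (r["src"], r["dst"])
        actions[key].add(r["action"])
        images[key] = (r["src_image"], r["dst_image"])

    injections, other_parent, plain_writes = [], [], []
    for key, acts in actions.items():
        src_image, dst_image = images[key]
        if {WRITE, SETCTX} <= acts:
            # Write into a child plus a redirected thread: the hollowing pattern.
            injections.append({"src": key[0], "dst": key[1],
                               "same_image": src_image.lower() == dst_image.lower()})
        elif CREATE in acts:
            # "PID A created B" in this table records A creating a process whose
            # parent was set to B; the creator is the seclogon svchost here.
            other_parent.append({"creator": key[0], "recorded_parent": key[1],
                                 "creator_image": src_image})
        elif acts == {WRITE}:
            # CreateProcess itself writes into a new child; alone this is noise.
            plain_writes.append((key[0], key[1], src_image, dst_image))
    return injections, other_parent, plain_writes


if __name__ == "__main__":
    inj, rep, plain = correlate(parse_records(SAMPLE_RECORDS))
    print("injections:", inj)
    print("other-parent creations:", rep)
    print("plain parent-to-child writes:", plain)
```

The same_image flag matters for triage: a process hollowing a copy of itself (as every injection pair in this report does) is the self-injecting loader case, whereas a write-plus-context into a different image would point at a target process chosen for its name.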
Processes
(indentation shows the parent-child nesting the sandbox recorded; PIDs in parentheses are taken from the signature tables above, and the four "n2888" instances are listed in the order the sandbox recorded them)

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe  (PID 1908)
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe  (PID 2888)
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
    - Modifies extensions of user files
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe  (PID 1272)
      "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n2888
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe  (PID 272)
        "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n2888
    C:\Windows\system32\cmd.exe  (PID 3976)
      "C:\Windows\system32\cmd.exe"
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\vssadmin.exe  (PID 740)
        vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
      C:\Windows\system32\wbadmin.exe  (PID 1620)
        wbadmin delete catalog -quiet
        - Deletes backup catalog
      C:\Windows\System32\Wbem\WMIC.exe  (PID 4084)
        wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe  (PID 2284)
      "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n2888
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe  (PID 4028)
        "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n2888
    C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe  (PID 3128)
      "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n2888
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe  (PID 3960)
        "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n2888
    C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe  (PID 3628)
      "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n2888
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe  (PID 3472)
        "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n2888

\??\c:\windows\system32\svchost.exe  (PID 1948)
  c:\windows\system32\svchost.exe -k netsvcs -s seclogon
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

C:\Windows\system32\vssvc.exe  (PID 3004)
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\wbengine.exe  (PID 1108)
  "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\vdsldr.exe
  C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe
  C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)
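The cmd.exe branch of the tree is the textbook backup-inhibition chain: vssadmin delete shadows /all /quiet, wbadmin delete catalog -quiet and wmic shadowcopy delete, launched from a shell so that the encryptor itself never appears as the direct parent. The following added example, which is not from the sandbox report, turns that into detection logic over Sysmon-style process-creation events: it matches the command lines, walks up through intermediate shells so the alert is attributed to the process that launched them (PID 2888 here), and aggregates per origin. The events are constructed from this tree; the parent PID 1000 for the root instance and the benign "vssadmin list shadows" control are assumptions, and the last two rules (vssadmin resize shadowstorage, bcdedit recovery changes) are common variants added for coverage that this sample was not observed running.

```python
"""Detection logic for the backup-inhibition chain seen in the process tree.
Added example over constructed Sysmon-style process-creation events."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str


# Constructed from this report's tree. PID 1000 as parent of the root
# instance and the two interactive-admin control events are assumptions.
SAMPLE_EVENTS = [
    ProcEvent(1908, 1000, r"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"'),
    ProcEvent(2888, 1908, r"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"'),
    ProcEvent(3976, 2888, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    ProcEvent(740, 3976, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(1620, 3976, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    ProcEvent(4084, 3976, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    ProcEvent(5000, 1000, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    ProcEvent(5001, 5000, r"C:\Windows\system32\vssadmin.exe", "vssadmin list shadows"),
]

# (label, pattern over the lower-cased command line). The first three are the
# commands in this report; the last two are common variants added for
# coverage, not something this sample was observed doing.
BACKUP_INHIBITION_RULES = [
    ("vssadmin delete shadows", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("wbadmin delete catalog", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b")),
    ("wmic shadowcopy delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("vssadmin resize shadowstorage", re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("bcdedit disable recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_rules(cmdline):
    """Labels of every rule the command line satisfies (empty list if none)."""
    text = cmdline.lower()
    return [label for label, rx in BACKUP_INHIBITION_RULES if rx.search(text)]


def originating_process(pid, by_pid):
    """Walk up while the process is a shell so the alert lands on whatever
    launched the shell (a cmd.exe wrapper must not hide the real actor)."""
    ev = by_pid.get(pid)
    while ev is not None and basename(ev.image) in SHELLS and ev.ppid in by_pid:
        ev = by_pid[ev.ppid]
    return ev.pid if ev is not None else pid


def detect_backup_inhibition(events, min_distinct=1):
    """Map origin PID -> details for every origin with at least min_distinct
    distinct techniques beneath it. A single hit is already worth an alert on
    most estates; raise min_distinct where backup software legitimately runs one."""
    by_pid = {e.pid: e for e in events}
    hits = defaultdict(list)
    for ev in events:
        for label in match_rules(ev.cmdline):
            hits[originating_process(ev.ppid, by_pid)].append((ev.pid, label))
    alerts = {}
    for origin, items in hits.items():
        techniques = sorted({label for _, label in items})
        if len(techniques) >= min_distinct:
            alerts[origin] = {
                "image": by_pid[origin].image if origin in by_pid else None,
                "techniques": techniques,
                "child_pids": sorted({pid for pid, _ in items}),
            }
    return alerts


if __name__ == "__main__":
    for origin, info in detect_backup_inhibition(SAMPLE_EVENTS).items():
        print(f"origin {origin} {info['image']}: {', '.join(info['techniques'])} via {info['child_pids']}")
```

Attributing to the origin rather than to cmd.exe is what makes the alert actionable: the image path under %TEMP% and the three techniques under one origin are what an analyst needs, and an interactive "vssadmin list shadows" from an administrator's shell produces nothing.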
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Roaming\827763568
The same path was captured seven times with changing content (captures 2, 4 and 7 are identical), so the file was rewritten during the run:
  capture 1
    MD5     02e83b62cecc59b55d329a86b6aece3c
    SHA1    804a2022e14ac50b7dbe7a744c9d1a4de337aaf2
    SHA256  b2eddf7a56f25753df62f2057be19588611bd74220a2481b55d29dd5fde1653e
    SHA512  981aa5fe56eed9067a3615b245242ea81453f051ccaa73dc7f024197eee5216d7087b29c3e8ed111ce76b96be963adfe7ddada3970a1717658622bade0d3e50a
  capture 2
    MD5     bc251d6a9f3408d4a2ff3add1d27ad3d
    SHA1    99091c8e7a4ce7df879e157ddfba12d60095b1a9
    SHA256  6e74f04c654aac5a0660ec5db3bfc2fa1ac1dc8a5f3fe683f36bcf8b049abd31
    SHA512  23b91b23223432e345b38ceb5bcb0396f166cb079992491df275df1904dfa2c9e2f359a4c6bfba11de01d8df1ff777d0f9ed6921ada99ae44e38cb739747a995
  capture 3
    MD5     b727dcc61e6b1a08c9f3f4824366bc53
    SHA1    6dcce6fceebbece8fc786a296a01dae51b1c371c
    SHA256  8c40e6e2cc87615d19438444e49a9f6631d549d8e3c8595c45bb1a168fcf6b97
    SHA512  15d6a5e8570c060251dd48eecbd4afc3c5087fc0a46c950a143b0899dbad528c93b160447f07305788b9c3d66d6c61174b2de47881a96785ae893fcc4be86d4a
  capture 4: identical to capture 2
  capture 5
    MD5     2b296d27c5a92be627d3ee2b7cf4b53d
    SHA1    38340e9212b7fb08fc116cf4d190c06e55730289
    SHA256  dc5de48fb9c5c32512d8f7a3bec600ed236f4213d949b6e66b0ab3fe65027ca1
    SHA512  fba5868285dbe13f5cef20c745f25861ab1ac230cd9cd5c03c4a752ca80e9288dc70a47359811836d415336f75a8e8944996b7f73bb6ee27ff079b889dd0f49e
  capture 6
    MD5     bcce685606fdb8239343b1506bd103cc
    SHA1    d4d860156956f15ff48ba77aa10cfb0a7f2713cc
    SHA256  9f56333311135425fd383924845a47721394cde11fe633c7a0934a4cf232b2c8
    SHA512  d3a8fb00b235699e3e8f3a7f70df8a000773f9350c5acb239dc6ca67b95ef134317d77ad6ea34e21c9c2cce5e34023060527faee42efbcb1b853a43ac171b8c7
  capture 7: identical to capture 2

\Users\Admin\AppData\Local\Temp\nsj3724.tmp\System.dll
\Users\Admin\AppData\Local\Temp\nsk4E2D.tmp\System.dll
\Users\Admin\AppData\Local\Temp\nsvD284.tmp\System.dll
\Users\Admin\AppData\Local\Temp\nsw55B3.tmp\System.dll
\Users\Admin\AppData\Local\Temp\nsx5952.tmp\System.dll
All five are the same file, the NSIS System plugin, unpacked once per AnyDesk.exe instance into a fresh ns*.tmp directory; this is the "Loads dropped DLL" hit for each instance and identifies the outer binary as a Nullsoft installer stub:
  MD5     fccff8cb7a1067e23fd2e2b63971a8e1
  SHA1    30e2a9e137c1223a78a0f7b0bf96a1c361976d91
  SHA256  6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
  SHA512  f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
Memory dumps (mapping dumps at 0x405A20 are the five hollowed children; the 2888 image dump is the only full region capture):
  memory/272-12-0x0000000000405A20-mapping.dmp
  memory/740-6-0x0000000000000000-mapping.dmp
  memory/1272-4-0x0000000000000000-mapping.dmp
  memory/1620-7-0x0000000000000000-mapping.dmp
  memory/2284-16-0x0000000000000000-mapping.dmp
  memory/2888-10-0x0000000000400000-0x000000000041E000-memory.dmp  (120KB)
  memory/2888-3-0x0000000000405A20-mapping.dmp
  memory/3128-21-0x0000000000000000-mapping.dmp
  memory/3472-31-0x0000000000405A20-mapping.dmp
  memory/3628-27-0x0000000000000000-mapping.dmp
  memory/3960-25-0x0000000000405A20-mapping.dmp
  memory/3976-5-0x0000000000000000-mapping.dmp
  memory/4028-19-0x0000000000405A20-mapping.dmp
  memory/4084-11-0x0000000000000000-mapping.dmp