Analysis

  • max time kernel
    11s
  • max time network
    16s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/02/2023, 14:11

General

  • Target

    AnyDesk ID Changer.exe

  • Size

    56KB

  • MD5

    bc39e783bb977d61f435361f004ce75f

  • SHA1

    ed6c979c0323f606762a3ecd866be93f39cb8e5b

  • SHA256

    e305c9ff82307ce675ac9659b302e24cd93574fa9d52f92eb12394935b94fcb4

  • SHA512

    a743d91b1286f53c125756996e5da8270be9293fbd4d19c4ad2f1103970df68099f7ac893c3da8547e67ac9ed7ea7bc15b3135a3ecca5707393877487bf5ac81

  • SSDEEP

    768:H/oopV0TmEgMdeU/f5kjDCvk+8ch4WIgRCS34+Uj9X8XtnBkSUaq1LyJkz:foopVl8eUH+joGc/IgRVUj98LHa

Score
7/10 (tag: upx)

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely geofencing. Much legitimate software performs the same lookup, so on its own this is weak evidence.

  • UPX packed file (2 IoCs)

    Detects executables packed with UPX or a modified build of the UPX open-source packer. Consistent with the 56KB file on disk mapping to a 136KB image in memory (see the memory dumps below).

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). The signature's generic text calls this likely ransomware behaviour, but nothing else in this run supports that: the only dropped file recorded is the 183-byte batch script and the Network section is empty.

  • Kills process with taskkill (1 IoC): taskkill /f /im anydesk.exe /t, see the process tree below.
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\AnyDesk ID Changer.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk ID Changer.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4972
    • C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\812B.tmp\812C.tmp\812D.bat "C:\Users\Admin\AppData\Local\Temp\AnyDesk ID Changer.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4352
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im anydesk.exe /t
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4556
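The tree above is a wrapper executable that unpacks a batch script into nested *.tmp directories under the user's Temp folder, runs it through cmd.exe (reached via the sysnative alias, so the wrapper itself is a 32-bit process, matching the arch:x86 tag) while passing its own path as the script's first argument, after which the script force-kills anydesk.exe. That shape is consistent with a batch script wrapped into an executable by a bat-to-exe converter. The code below is an added detection example, not part of this report or of the analysed sample: it correlates constructed process-creation records (Sysmon Event ID 1 style) mirroring the three processes above into one high-confidence finding, and distinguishes that chain from a taskkill of the same image with no dropped-script parent. The PIDs come from the report; the wrapper's parent PID, the record format and the extra names in the watch list besides anydesk.exe are assumptions.

```python
"""Detection logic for the wrapper .exe -> cmd.exe <.bat> -> taskkill chain, run over
constructed process-creation records. Added example, not from the report or the sample."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str          # full path of the created process
    command_line: str   # command line as logged


# A .bat two *.tmp directories deep under the user's Temp folder, the shape of the
# dropped script in the report (...\Temp\812B.tmp\812C.tmp\812D.bat); names are not hard-coded.
NESTED_TMP_BAT = re.compile(
    r'[A-Za-z]:[^"]*?\\Temp\\[^\\"]+\.tmp\\[^\\"]+\.tmp\\[^\\"]+\.bat', re.IGNORECASE)

# Images whose termination is worth a finding. Only anydesk.exe comes from the report;
# the other names are assumed additions covering similar remote-access tools.
WATCHED_IMAGES = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe"}


def image_name(path: str) -> str:
    """Lower-cased basename, so sysnative and system32 paths compare equal."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def nested_temp_bat(ev: ProcessEvent) -> Optional[str]:
    """Path of the .bat if this event is cmd.exe running a script from nested Temp dirs."""
    if image_name(ev.image) != "cmd.exe":
        return None
    m = NESTED_TMP_BAT.search(ev.command_line)
    return m.group(0) if m else None


def taskkill_target(ev: ProcessEvent) -> Optional[tuple[str, bool]]:
    """For a taskkill.exe event, return (image named after /im, whether /f was given)."""
    if image_name(ev.image) != "taskkill.exe":
        return None
    args = ev.command_line.lower().split()
    if "/im" not in args or args.index("/im") + 1 >= len(args):
        return None
    return args[args.index("/im") + 1], "/f" in args


def correlate(events: list[ProcessEvent]) -> list[dict]:
    """One finding per taskkill of a watched image. Confidence is 'high' only when the
    parent is cmd.exe running a nested-Temp .bat, i.e. the full chain from the report:
    wrapper .exe in Temp -> cmd.exe /c <.bat> -> taskkill /f /im <tool>."""
    by_pid = {ev.pid: ev for ev in events}
    findings = []
    for ev in events:
        hit = taskkill_target(ev)
        if hit is None or hit[0] not in WATCHED_IMAGES:
            continue
        target, forced = hit
        finding = {"taskkill_pid": ev.pid, "target": target, "forced": forced,
                   "confidence": "low", "bat": None, "root_pid": None,
                   "script_received_wrapper_path": False}
        parent = by_pid.get(ev.ppid)
        bat = nested_temp_bat(parent) if parent else None
        if bat:
            root = by_pid.get(parent.ppid)
            finding.update(
                confidence="high", bat=bat, root_pid=root.pid if root else None,
                # the wrapper hands its own path to the script as %1; check that it did
                script_received_wrapper_path=bool(
                    root and root.image.lower() in parent.command_line.lower()))
        findings.append(finding)
    return findings


# Constructed records reproducing the three processes in the tree (PIDs from the report;
# the wrapper's parent PID 1000 is assumed) plus one ambiguous control case.
SAMPLE_EVENTS = [
    ProcessEvent(4972, 1000, r"C:\Users\Admin\AppData\Local\Temp\AnyDesk ID Changer.exe",
                 r'"C:\Users\Admin\AppData\Local\Temp\AnyDesk ID Changer.exe"'),
    ProcessEvent(4352, 4972, r"C:\Windows\system32\cmd.exe",
                 r'"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp'
                 r'\812B.tmp\812C.tmp\812D.bat "C:\Users\Admin\AppData\Local\Temp\AnyDesk ID Changer.exe""'),
    ProcessEvent(4556, 4352, r"C:\Windows\system32\taskkill.exe",
                 "taskkill /f /im anydesk.exe /t"),
    # Control: same target terminated from an interactive prompt, no dropped script.
    ProcessEvent(5100, 1000, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    ProcessEvent(5101, 5100, r"C:\Windows\system32\taskkill.exe", "taskkill /im anydesk.exe"),
]


def main() -> None:
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)


if __name__ == "__main__":
    main()
```

The control pair shows why the correlation matters: a bare taskkill of anydesk.exe is what an administrator restarting the client looks like, so it only earns a low-confidence finding, while the nested-Temp .bat parent plus the wrapper path passed as %1 is specific to this delivery pattern. In production the records would come from a Sysmon or EDR feed rather than the inline list.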

Network


        Downloads (dropped files and memory dumps)

        • C:\Users\Admin\AppData\Local\Temp\812B.tmp\812C.tmp\812D.bat

          Filesize

          183B

          MD5

          5b1f42629d67189f16cf3333bc939dbd

          SHA1

          ae229ab0666477045f2c7a0a30695b52797cd697

          SHA256

          61c6d5b739c8eb8ad52b37807994640f2100a6e5ec18f67ed088a382f7210e2a

          SHA512

          4d08a887c35fb358a31c71897ab571b65ac204660334e34956e4ccd35d29faf00c7281b3c2377d2f17c712d3f77c9219f3f956c07afa325705e9da5a92bfeba0

        • memory/4972-132-0x0000000000400000-0x0000000000422000-memory.dmp

          Filesize

          136KB

        • memory/4972-136-0x0000000000400000-0x0000000000422000-memory.dmp

          Filesize

          136KB