fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Analysis

max time kernel
1794s
max time network
1604s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
28-02-2023 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk (1).exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	Process
Token: 33	1972	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1972	AUDIODG.EXE
Token: 33	1972	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1972	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

AnyDesk (1).exe

pid	Process
968	AnyDesk (1).exe
968	AnyDesk (1).exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

AnyDesk (1).exe

pid	Process
968	AnyDesk (1).exe
968	AnyDesk (1).exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AnyDesk (1).exe

description	pid	Process	procid_target
PID 836 wrote to memory of 1312	836	AnyDesk (1).exe	28
PID 836 wrote to memory of 1312	836	AnyDesk (1).exe	28
PID 836 wrote to memory of 1312	836	AnyDesk (1).exe	28
PID 836 wrote to memory of 1312	836	AnyDesk (1).exe	28
PID 836 wrote to memory of 968	836	AnyDesk (1).exe	29
PID 836 wrote to memory of 968	836	AnyDesk (1).exe	29
PID 836 wrote to memory of 968	836	AnyDesk (1).exe	29
PID 836 wrote to memory of 968	836	AnyDesk (1).exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:836
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-service
  2⤵
  PID:1312
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:968

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2040

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\BackupReset.js"
1⤵
PID:1144

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\BackupReset.js"
1⤵
PID:608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
af6eabb75b22e79d333a2e00e1698b25

SHA1
9b9ab8465588618d25025ce2d0642a79542d5895

SHA256
86eb91ea3a05c34558e8c4fa5c5de75387d13c01f1d9cbd3ae8a8bbd0b3963f7

SHA512
e69833ec08af657e341a32cbe22ef202d28a964affe6f44dc6eb9dd06ed69334248191d9ece68fbb02533e57e24c3f694fcc71465fdbeef1b0d7c2fcdeba8c35

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
af6eabb75b22e79d333a2e00e1698b25

SHA1
9b9ab8465588618d25025ce2d0642a79542d5895

SHA256
86eb91ea3a05c34558e8c4fa5c5de75387d13c01f1d9cbd3ae8a8bbd0b3963f7

SHA512
e69833ec08af657e341a32cbe22ef202d28a964affe6f44dc6eb9dd06ed69334248191d9ece68fbb02533e57e24c3f694fcc71465fdbeef1b0d7c2fcdeba8c35

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a9a8401f45a9300a0f259413056eb2ff

SHA1
c7fcb2d6d6c304c602998fff6fa25232003ee0b9

SHA256
79303e7ecf46253953d1ca0f3f6e9fc2e21addb22efe10f0a986b40b3b46537b

SHA512
8172ec7685920235b90274187784ff201bef76e64dad53725de689eb901bb160944186b9e22773e22a1d5bdecd9c280526552582c5d0b826e4f3da9411dd0449

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a9a8401f45a9300a0f259413056eb2ff

SHA1
c7fcb2d6d6c304c602998fff6fa25232003ee0b9

SHA256
79303e7ecf46253953d1ca0f3f6e9fc2e21addb22efe10f0a986b40b3b46537b

SHA512
8172ec7685920235b90274187784ff201bef76e64dad53725de689eb901bb160944186b9e22773e22a1d5bdecd9c280526552582c5d0b826e4f3da9411dd0449

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e6b7085d0f6718b723479614efbad9ab

SHA1
a8b0f5c1d6cdd3551a8fcc776b57cacc98faea48

SHA256
a0209bb2c9a91d5a6864c7b422edbe91e7d6b81832e0a4795a1296d97707e0b7

SHA512
e116da3abcebbcadc7b683e0f98398f9ed92407d67970f4e65d30817a03e312e12c2e4357cbbfb8508f3f5f5390c89ee9dff325857f055cb2e8ecf32b376393e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f73f95a7d9ab0e8f433ef29055dbfc82

SHA1
ac771c24a17ec1a7d6e2b3d1d985ef9ec45cac9c

SHA256
009788e8512ecf87559d84ba98bb84c6f1e5afadacc6c2176088da8d6e6543fc

SHA512
615ffeb0dd43a6c19ba837bba23b0d3482e3c10339127930d5873b791bd49d010293f21132bba7bf71749f0ce6a1a7f504b9974bd22db84b909a698fe3f6a2f0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f73f95a7d9ab0e8f433ef29055dbfc82

SHA1
ac771c24a17ec1a7d6e2b3d1d985ef9ec45cac9c

SHA256
009788e8512ecf87559d84ba98bb84c6f1e5afadacc6c2176088da8d6e6543fc

SHA512
615ffeb0dd43a6c19ba837bba23b0d3482e3c10339127930d5873b791bd49d010293f21132bba7bf71749f0ce6a1a7f504b9974bd22db84b909a698fe3f6a2f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
a63b791420d92d04450d805066bcc30d

SHA1
1a628e32969ad519a3c09163a19f172e7ec284b0

SHA256
31603b11237ec211ed7c25a79a095af05290527dd4aa68c535fcfcedfaf0e6c2

SHA512
60fe025e850f04b67818f9614428a2bd0df176e63e04bb1a802b288d4e4f9b35b445c9f0fdcbdc47abb322a4a717b0de923c00dfd545b03d85a06526aed1e4a3

Download Submit
memory/836-81-0x0000000000F30000-0x0000000001FAE000-memory.dmp

Filesize
16.5MB

Download
memory/836-54-0x0000000000F30000-0x0000000001FAE000-memory.dmp

Filesize
16.5MB

Download
memory/836-74-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/836-73-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/836-56-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/968-86-0x0000000000F30000-0x0000000001FAE000-memory.dmp

Filesize
16.5MB

Download
memory/968-93-0x0000000000F30000-0x0000000001FAE000-memory.dmp

Filesize
16.5MB

Download
memory/968-97-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/968-69-0x0000000000F30000-0x0000000001FAE000-memory.dmp

Filesize
16.5MB

Download
memory/1312-85-0x0000000000F30000-0x0000000001FAE000-memory.dmp

Filesize
16.5MB

Download
memory/1312-70-0x0000000000F30000-0x0000000001FAE000-memory.dmp

Filesize
16.5MB

Download