Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-12-2023 13:11
Behavioral task behavioral1
- Sample: anydesk1.exe
- Resource: win7-20231215-en
Behavioral task behavioral2
- Sample: anydesk1.exe
- Resource: win10v2004-20231222-en
General
- Target: anydesk1.exe
- Size: 23KB
- MD5: fd5525ee6851e2d72d505553c2f80a6f
- SHA1: 3db8bff5294bf07795db1d03c0a2307590eb09f2
- SHA256: 15d6b2c3c4164dfd7b6eb05593a7e0cc3ebebb6a4ad143938621300bb66cc2c2
- SHA512: e2ac5f4b10d38cc6378c6463f3eede7ee8fc4fb99c2787c14b1bf16637d0520e4043af55b4ecf10386ff3a40fae2bbb51ef326161a22f2b4ed4165c94c90a3ff
- SSDEEP: 384:eI2SUwXh0ZbAzlRGCvkodj46hgHK0hrV5mRvR6JZlbw8hqIusZzZCq:RbhEkdvXRpcnuG
Malware Config
Signatures
- Modifies Windows Firewall (1 TTPs, 1 IoCs)
- Drops startup file (2 IoCs)
  Processes (description / ioc / process):
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4ecb79139eb4e20dc63627584e8dc465.exe (anydesk1.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4ecb79139eb4e20dc63627584e8dc465.exe (anydesk1.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description / ioc / process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4ecb79139eb4e20dc63627584e8dc465 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\anydesk1.exe\" .." (anydesk1.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\4ecb79139eb4e20dc63627584e8dc465 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\anydesk1.exe\" .." (anydesk1.exe)
- Suspicious use of AdjustPrivilegeToken (35 IoCs)
  Processes (description / pid / process), all entries from PID 3532 anydesk1.exe:
  - Token: SeDebugPrivilege (1 entry)
  - Token: 33 and Token: SeIncBasePriorityPrivilege, alternating, 17 entries each
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description / pid / process / target process):
  - PID 3532 wrote to memory of 5056: anydesk1.exe -> netsh.exe (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\anydesk1.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\anydesk1.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe (depth 2, child of anydesk1.exe)
    Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\anydesk1.exe" "anydesk1.exe" ENABLE
    - Modifies Windows Firewall
Network
MITRE ATT&CK Matrix (ATT&CK v13)
- Persistence
  - Create or Modify System Process (1): Windows Service (1)
  - Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
- memory/3532-0-0x0000000074D70000-0x0000000075321000-memory.dmp (Filesize 5.7MB)
- memory/3532-1-0x0000000001450000-0x0000000001460000-memory.dmp (Filesize 64KB)
- memory/3532-2-0x0000000074D70000-0x0000000075321000-memory.dmp (Filesize 5.7MB)
- memory/3532-4-0x0000000074D70000-0x0000000075321000-memory.dmp (Filesize 5.7MB)
- memory/3532-5-0x0000000001450000-0x0000000001460000-memory.dmp (Filesize 64KB)