ec33d8ee9c3881b8fcea18f9f862d5926d994553aec1b65081d925afd3e8b028

Resubmissions

31-12-2023 09:11

231231-k5vvksadc3 6

29-12-2023 08:53

231229-ktts5sgbh8 10

Analysis

max time kernel
846s
max time network
851s
platform
windows7_x64
resource
win7-20231215-ja
resource tags

arch:x64arch:x86image:win7-20231215-jalocale:ja-jpos:windows7-x64systemwindows
submitted
31-12-2023 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

75eecc3a8b215c465f541643e9c4f484
SHA1

3ad1f800b63640128bfdcc8dbee909554465ee11
SHA256

ec33d8ee9c3881b8fcea18f9f862d5926d994553aec1b65081d925afd3e8b028
SHA512

b3a48230fc6f20038c938e5295b68a3f020b94e220ca2fab6a894d126dc41f6f1021c239613bf9d6de84370ad7df9d9a91baf716a87d43eb101ee3e48578e5ff
SSDEEP

98304:j5ObAu2pmits24nYhQCWQdaQQo/mJPv4KYZPKBhYI5RuN4OL2wIjcsJWNg3:IAnRu24nR5QcTvYdmPuWOL2TcQWe3

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2336	AnyDesk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2588	AcroRd32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2280	AnyDesk.exe
2280	AnyDesk.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2280	AnyDesk.exe
2280	AnyDesk.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2588	AcroRd32.exe
2588	AcroRd32.exe
2588	AcroRd32.exe
2588	AcroRd32.exe
2588	AcroRd32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2336	3012	AnyDesk.exe	28
PID 3012 wrote to memory of 2336	3012	AnyDesk.exe	28
PID 3012 wrote to memory of 2336	3012	AnyDesk.exe	28
PID 3012 wrote to memory of 2336	3012	AnyDesk.exe	28
PID 3012 wrote to memory of 2280	3012	AnyDesk.exe	29
PID 3012 wrote to memory of 2280	3012	AnyDesk.exe	29
PID 3012 wrote to memory of 2280	3012	AnyDesk.exe	29
PID 3012 wrote to memory of 2280	3012	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2336
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2280

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
5e98b039142865b8151d8c6d9c1a410f

SHA1
ded213055a2b040e5a46bc906800d23327b2fd62

SHA256
af8f7bbdd863b424773237938f15caf8fc1caa99b42c75df0ee92513b575b4c5

SHA512
b9d5386e52ee05a39e230743a09aa2578ef8819c04c1f0f3b725d3f6321dca52fede2fe1fcb79af39f87640100c44c520583572ec6023920b043c93d1cf7bdab

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
abfb36f947b52f7edfd50ee359288025

SHA1
2c2722fe3a8b89fa654826b6f3a812068cc191ce

SHA256
d2a9838b8e0ce679ef4bef3f8f4990a6184ecd9b740171feaad0b980f2b6f72b

SHA512
3e05e46d4d6296c9722a9fb0e5787c9a7155c3c24be1ab36d6aaa47ad523c022e9a22b2f4019df912d89456a745885c32d94c52bf4458b105e986250242f49c1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
ce06418796089e8dcab54cfa2c86579e

SHA1
585763fc76696d5444fd0c369bc5d1a52bb38763

SHA256
89be93c232c04701e9f808cc0678867e7a63271a8a40625fcfa2c64993f70ff1

SHA512
198c3ec79cebbdc3e564b95359492adcb2b402a9c2ce524ce7e37f210c84a49f47ba1e8a5e6dd8f5535cf62cbf0492e1ea0b615fec5ff375851da98767ee9312

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
f964435c06a128adbad7390651b9df87

SHA1
1682daa45ccd1999a7665ccf320d991128a30bd4

SHA256
0000dd261b720eda9fb8c284b42fbae24b887665092be5004758ecc8ffe43a10

SHA512
bfbc33face2c08461298e734c0c94678502abd6d3e328aaeaa7c426cb302653f8b65ade01052bbf73c5796665bf71b19c462b8d04f30e90e2c5c06d434a98f3d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
ef654551fb6db0ea0335f8514a91c738

SHA1
a6eddbc82b6b19020f015cc5be2f80431a818c3e

SHA256
f833d6f18719798d8ef3a6c98596bf3f6f792019b9aa039d70ab4ea4412d966b

SHA512
0ba55dd439ac4adf781ac3418b8142995d4877c9227f79852ad5a723492c6f856a3b80fbbababfcb80db524d569bd4ce8aa0fef4a9d16d443ed8a678a5899b4b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ce600bca633106d00da0ed948fda6272

SHA1
20a06edfe7846dc8f3ee9db1ac77e3cf568dbeb6

SHA256
91449f452dd46f85470e34462bb13fb22d1f993d78b032d7be60c52dad8ea6f7

SHA512
1cd7e7909a740096b8002a6be41e9dab385d0ca88a0aca3396a7de84f5bf4b59f9793b35606679cabbde5d4ca3d36e6734c05479d49b1b7e1758f2ae02211489

Download Submit
memory/2280-27-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2280-81-0x0000000000E00000-0x00000000025D0000-memory.dmp

Filesize
23.8MB

Download
memory/2280-13-0x0000000000E00000-0x00000000025D0000-memory.dmp

Filesize
23.8MB

Download
memory/2336-12-0x0000000000E00000-0x00000000025D0000-memory.dmp

Filesize
23.8MB

Download
memory/2336-32-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2336-80-0x0000000000E00000-0x00000000025D0000-memory.dmp

Filesize
23.8MB

Download
memory/2588-99-0x0000000000BB0000-0x0000000000BC6000-memory.dmp

Filesize
88KB

Download
memory/3012-25-0x0000000003D80000-0x0000000003D81000-memory.dmp

Filesize
4KB

Download
memory/3012-36-0x0000000000E00000-0x00000000025D0000-memory.dmp

Filesize
23.8MB

Download
memory/3012-22-0x0000000003D70000-0x0000000003D71000-memory.dmp

Filesize
4KB

Download
memory/3012-1-0x0000000000E00000-0x00000000025D0000-memory.dmp

Filesize
23.8MB

Download
memory/3012-4-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/3012-0-0x0000000000E00000-0x00000000025D0000-memory.dmp

Filesize
23.8MB

Download