fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Analysis

max time kernel
82s
max time network
24s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-01-2024 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

AnyDesk.exe

pid	Process
2720	AnyDesk.exe
2720	AnyDesk.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

AnyDesk.exe

pid	Process
2720	AnyDesk.exe
2720	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AnyDesk.exe

description	pid	Process	procid_target
PID 2212 wrote to memory of 2712	2212	AnyDesk.exe	28
PID 2212 wrote to memory of 2712	2212	AnyDesk.exe	28
PID 2212 wrote to memory of 2712	2212	AnyDesk.exe	28
PID 2212 wrote to memory of 2712	2212	AnyDesk.exe	28
PID 2212 wrote to memory of 2720	2212	AnyDesk.exe	29
PID 2212 wrote to memory of 2720	2212	AnyDesk.exe	29
PID 2212 wrote to memory of 2720	2212	AnyDesk.exe	29
PID 2212 wrote to memory of 2720	2212	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  PID:2712
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
3b5a60581dee85cc89de1fb79dcb8ff8

SHA1
62330aefa403e044b8c40bd76eeaabb07713ea48

SHA256
bfa4b144bca792783e3b7a504826ca87c63a8c0846a369e042997eef2d72ad4b

SHA512
48ca30cc8b907f09abd16dda402dfdef82a18888f9239a7ced79dd88ffa8d537417255802c3b54244f4b6f4c2e0d76ddd816d8066ea14678492168d934f364f3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
84d660b3fdb40ecd29b3751fd057bd9f

SHA1
311ef3c64dcee45687b6db15294f8ea9968375c1

SHA256
157bb2873a852288ff78b2f4fa2bdc591b040191c1993cbcca62d97e963d83c7

SHA512
c828132dd8ccb5d30927a1cb07d38493c935f6594225eec76f766629cd8c3f9472342c980d17dd5062df398219aa3fc71fa7facfce29c8eb406f811c1c0ff9eb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
48afe73ef66ab277e089991a6079be05

SHA1
9445efa0f29af8d9c35f1f9b864f529e53844654

SHA256
43d8f122b043f5431e09e62aa2a77fbeefe8ce67f6ff33aa75bb866b9e064f0a

SHA512
4ae6b4fd2590ba7ca726cffe59c40c1a3f2527df9e1295dbd686702384e8a8471756e880f94b1bf9063ee5a9796fdd12c7b238130ca3df1ca96d4d7a82a2b5c1

Download Submit
memory/2212-27-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/2212-3-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2212-1-0x0000000000F80000-0x0000000001FFE000-memory.dmp

Filesize
16.5MB

Download
memory/2212-30-0x0000000000F80000-0x0000000001FFE000-memory.dmp

Filesize
16.5MB

Download
memory/2212-0-0x0000000000F80000-0x0000000001FFE000-memory.dmp

Filesize
16.5MB

Download
memory/2212-36-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/2712-10-0x0000000000F80000-0x0000000001FFE000-memory.dmp

Filesize
16.5MB

Download
memory/2712-33-0x0000000000F80000-0x0000000001FFE000-memory.dmp

Filesize
16.5MB

Download
memory/2720-9-0x0000000000F80000-0x0000000001FFE000-memory.dmp

Filesize
16.5MB

Download
memory/2720-19-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/2720-35-0x0000000000F80000-0x0000000001FFE000-memory.dmp

Filesize
16.5MB

Download