55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Resubmissions

05-02-2024 12:32

240205-pqz8zafga4 10

05-02-2024 12:25

240205-plsckahfgj 3

05-02-2024 12:24

240205-plefpshffk 7

Analysis

max time kernel
2394s
max time network
2289s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
05-02-2024 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2804	AnyDesk.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2800	AnyDesk.exe
2800	AnyDesk.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2800	AnyDesk.exe
2800	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2804	1992	AnyDesk.exe	28
PID 1992 wrote to memory of 2804	1992	AnyDesk.exe	28
PID 1992 wrote to memory of 2804	1992	AnyDesk.exe	28
PID 1992 wrote to memory of 2804	1992	AnyDesk.exe	28
PID 1992 wrote to memory of 2800	1992	AnyDesk.exe	29
PID 1992 wrote to memory of 2800	1992	AnyDesk.exe	29
PID 1992 wrote to memory of 2800	1992	AnyDesk.exe	29
PID 1992 wrote to memory of 2800	1992	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2804
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
1d148172ee4a346b594fc0eee0836262

SHA1
4456f5769142c518fa714a04f25fae0ee8fc1f4c

SHA256
5b921863ecb3f7136816f5990c1c61eacf99dfb05276756187d54defc9cec69e

SHA512
357c782c818bdb74bde6fae1b3b23c0d44132d20aa5ca219231d671636442a4b6e7d13b576f139ad3080120ad45d4a70c789c79056d118abb766e88804149acc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
46c691d791c4bd4b42661efa92858752

SHA1
692783489cc4895295be3405ed22a3a36ebae6ce

SHA256
c5055884f7a5d104cd3ef9f647f5361dc7b61a437d14618abe8b547e513daaaa

SHA512
80e2f4c03feed7f6630cbfbbfb2106ba0fda1e8312ea12058833c8031b33d31d2e54b760dfeb7bd280950013a3ca84a72fb4a656673f03c027c3d9ef1feb9776

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
88ef61eb86579bed8c99276bd2806dd3

SHA1
170217d6a8d6c07ab8fbbf3fbe220a1d39f003db

SHA256
262bd7c76cac765777c1fda1c4a561419ffefb7c5824c219d326df0256613b3d

SHA512
b605e601af8bfcea94ee7474447f93fb52e9549a31b90ab0cfafc4d57281c67427b14a22997b0918de934a035a9bb1efbdcece24efda0168f40f0a536244c43f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
4bf332ab72a5586a9bf8b60baec17687

SHA1
15ca954921ab833e48d3151b7cfd6c5aa51dc1cb

SHA256
09066117a38704c6a134b1fc36b79db39f64bffd9bc626ee670533bfe3c2b3c8

SHA512
cb7228135ef5a5b3738e85016876a3695558a577e6193260f5e883afdf74f5140f757c709ff2db9d34166b8798ac49e6aca68e85b7291f62108e822c569038ca

Download Submit
memory/1992-18-0x00000000038C0000-0x00000000038C1000-memory.dmp

Filesize
4KB

Download
memory/1992-1-0x0000000000950000-0x0000000002087000-memory.dmp

Filesize
23.2MB

Download
memory/1992-17-0x00000000038A0000-0x00000000038A1000-memory.dmp

Filesize
4KB

Download
memory/1992-38-0x0000000000950000-0x0000000002087000-memory.dmp

Filesize
23.2MB

Download
memory/1992-4-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2800-21-0x0000000000950000-0x0000000002087000-memory.dmp

Filesize
23.2MB

Download
memory/2800-29-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2800-53-0x0000000000950000-0x0000000002087000-memory.dmp

Filesize
23.2MB

Download
memory/2804-20-0x0000000000950000-0x0000000002087000-memory.dmp

Filesize
23.2MB

Download
memory/2804-47-0x0000000000950000-0x0000000002087000-memory.dmp

Filesize
23.2MB

Download
memory/2804-54-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2804-56-0x0000000000950000-0x0000000002087000-memory.dmp

Filesize
23.2MB

Download