55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

max time kernel
1800s
max time network
1788s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
08-02-2024 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

7^/10

Malware Config

Signatures

Unexpected DNS network traffic destination 32 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2720	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2688	AnyDesk.exe
2688	AnyDesk.exe
2688	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2688	AnyDesk.exe
2688	AnyDesk.exe
2688	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2720	2336	AnyDesk.exe	28
PID 2336 wrote to memory of 2720	2336	AnyDesk.exe	28
PID 2336 wrote to memory of 2720	2336	AnyDesk.exe	28
PID 2336 wrote to memory of 2720	2336	AnyDesk.exe	28
PID 2336 wrote to memory of 2688	2336	AnyDesk.exe	29
PID 2336 wrote to memory of 2688	2336	AnyDesk.exe	29
PID 2336 wrote to memory of 2688	2336	AnyDesk.exe	29
PID 2336 wrote to memory of 2688	2336	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2720
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
f9cacda68a84584255363c3a4fd96f76

SHA1
b8b7fd376e91fd185c322a0a0e52235a93cb9103

SHA256
fc19eefc222c5bed47db331d13a3d99f89b6f1763a1a52fe272c07b324d417ab

SHA512
035cc5b4edac8a192811444bd633923eccf2e1f35eab67241b27c0e7944e4f882156537aa11f484d25e66c5ead9d58271c4c2439211e600b7083754ee8e50624

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
840fddeed19dba12679d6655e59ec2b7

SHA1
885880dbd4df3b0f8459674d62fe2458cc565155

SHA256
045ab2c7d7d68f1b8f22c31859a88a9f83adc9d44d58d536d291d5cbc6ed8e33

SHA512
13a546810a922d217ec03c1391d83a775aabe34650a09d340404d382766cbf4de5046d5c5f14cdf18157d87e8d7fa69f2f195e7e55634d616802d346b78920ca

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
358e7dfd8edfd7c5b8082891921b3262

SHA1
91540c3069e5eebf6f62a3014bd03cbcdba3ec81

SHA256
483dad3914eb3e0164002fcab02405d61a4cc2abe8758a8e51bca67b9a885b06

SHA512
8abf1c727a0520bd061506df8c4734939c1569537a6992b0b4a6f96b442083a4d032670cf63dc5c82db65df872e9f0b84c007cb019593e7d9c2e12c9eb3c940a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
87abbf9600135f87c62ff182fd3d136b

SHA1
1fa7d2504b4bc7225ccb375ad3410f7544dfc861

SHA256
5fc5168ecbea4b9e79117b15fd2b6ef71120a18b4226797369e8bca771732762

SHA512
05135900571b86d2fbc35ed31597679d6dbc3afe7dfabe8eff4ffdf303a965ad1ea35f5573329a17ea570c718fcc19cade7aa77aac22d71fc38a835e6ae09e7f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
a138ce2a8157a44e18329c99c4d9d86b

SHA1
e21b8524c9e74cbe6205cec6cdbaada183126b21

SHA256
560c91eabc647153c89c118b4cd8f7bb2375a38a810156c28cb0c12c4a643040

SHA512
beed14e6bcb5fa38b1c7851a146acfa620a69ff477dec3ed98a406acb01af5f5602a2b3058f5b2d37a2be89c5b14e9ee886ad5e81d5c0d7ae30962d214f8371d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c961e226943028f894bc8ddace60c150

SHA1
da22f944e2af3a19701e692e32c3dd715cb4ae6e

SHA256
e8f9fc69711be6f138ae87836fd6acf4926e7b7eabed5722e7a0cb71f8b73aa9

SHA512
2e34eb486301cdfabfbacdd9eb917fea227d5408de6ba910877a0b1a3d8d243728deaaf7c43b675bfeca88f2f595f2079b8637599e2e2e4ec6e6e44b8420d507

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
10c918c2d5df400a118144dbb8b92801

SHA1
078021b770741a6a63a8ef9e302d1efb7789ad0d

SHA256
8d2f792830850527e9f61884ff963e34209eab6658f1efae613fe95062a31421

SHA512
ecef479570521f91f78f7b292400353fbc0909afc72f035e39fd14c61c08c9f3c0c5b0812a38a50dcdbfe79b956bb8845f862b7ae0a0f9a0a8227c39ce4236d4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
eec93d99a244a123f84564d690045fe8

SHA1
780375c68b44bb0a5677fd90e75a928f08595c18

SHA256
e188d40d881dc4140dcde3c9041c2e631a4cf472317edf826ff8c6f4854c6a0f

SHA512
cd35c69a733074f265bf0f1dd174b7c211b4ddd445585009094a59623e5dd3ac2c5a2f816e09ca7b0db7d9535d1c1a3b2730121c150acf53eaef5604bea1306b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
3d36b285a8a2bdd017504f680c069c57

SHA1
aaedc7c39ad070d0b435048274b4a678bc9c2ae0

SHA256
2f2059516318f64f741993b6dbf215be9b35bdccf6c7cfda865742664f9ab77c

SHA512
607ba1131671aa41c4e6f3255a7f7b722d9fdf0dfdc49efd093a9fba1a26d985189e482f7f814bb1ab35bf4fbbfaad7aad138a82d16caa8dd148992f53492574

Download Submit
memory/2336-131-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/2336-164-0x0000000000E20000-0x0000000002557000-memory.dmp

Filesize
23.2MB

Download
memory/2336-132-0x0000000000E20000-0x0000000002557000-memory.dmp

Filesize
23.2MB

Download
memory/2336-1-0x0000000000E20000-0x0000000002557000-memory.dmp

Filesize
23.2MB

Download
memory/2336-21-0x0000000003A40000-0x0000000003A41000-memory.dmp

Filesize
4KB

Download
memory/2336-0-0x0000000000E20000-0x0000000002557000-memory.dmp

Filesize
23.2MB

Download
memory/2336-18-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/2336-149-0x0000000004720000-0x0000000004721000-memory.dmp

Filesize
4KB

Download
memory/2336-4-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2336-33-0x0000000000E20000-0x0000000002557000-memory.dmp

Filesize
23.2MB

Download
memory/2336-108-0x0000000000E20000-0x0000000002557000-memory.dmp

Filesize
23.2MB

Download
memory/2688-154-0x0000000000E20000-0x0000000002557000-memory.dmp

Filesize
23.2MB

Download
memory/2688-600-0x0000000000E20000-0x0000000002557000-memory.dmp

Filesize
23.2MB

Download
memory/2688-105-0x0000000000E20000-0x0000000002557000-memory.dmp

Filesize
23.2MB

Download
memory/2688-412-0x0000000000E20000-0x0000000002557000-memory.dmp

Filesize
23.2MB

Download
memory/2688-31-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2688-20-0x0000000000E20000-0x0000000002557000-memory.dmp

Filesize
23.2MB

Download
memory/2720-38-0x0000000000E20000-0x0000000002557000-memory.dmp

Filesize
23.2MB

Download
memory/2720-109-0x0000000000E20000-0x0000000002557000-memory.dmp

Filesize
23.2MB

Download
memory/2720-17-0x0000000000E20000-0x0000000002557000-memory.dmp

Filesize
23.2MB

Download
memory/2720-197-0x0000000000E20000-0x0000000002557000-memory.dmp

Filesize
23.2MB

Download
memory/2720-271-0x0000000000E20000-0x0000000002557000-memory.dmp

Filesize
23.2MB

Download
memory/2720-411-0x0000000000E20000-0x0000000002557000-memory.dmp

Filesize
23.2MB

Download
memory/2720-155-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2720-599-0x0000000000E20000-0x0000000002557000-memory.dmp

Filesize
23.2MB

Download
memory/2720-145-0x0000000000E20000-0x0000000002557000-memory.dmp

Filesize
23.2MB

Download