55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

max time kernel
1801s
max time network
1776s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08/02/2024, 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

7^/10

Malware Config

Signatures

Unexpected DNS network traffic destination 31 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5080	AnyDesk.exe
5080	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4468	AnyDesk.exe
4468	AnyDesk.exe
4468	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4468	AnyDesk.exe
4468	AnyDesk.exe
4468	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 5080	4524	AnyDesk.exe	86
PID 4524 wrote to memory of 5080	4524	AnyDesk.exe	86
PID 4524 wrote to memory of 5080	4524	AnyDesk.exe	86
PID 4524 wrote to memory of 4468	4524	AnyDesk.exe	87
PID 4524 wrote to memory of 4468	4524	AnyDesk.exe	87
PID 4524 wrote to memory of 4468	4524	AnyDesk.exe	87

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5080
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
e26c332f0abcdeda9678e84e1d56246e

SHA1
9e7a3f502c7d5163d32aa347e80d69a59d584d8c

SHA256
dace7fba3a0f02011443392b98fb771c887934e9f8860f6cecea505d9adb0094

SHA512
0ead3accdb61a1deeb8f0285b14d50ab43cb9e2a98a4bd5d2bfb0cb788fad6b06284efb7a79a14af3b42497ac55150d0bbbde3f282cf9cd2f05b93b9e7d48810

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
6761470c2c91dc8a2bf37edf110f4cdd

SHA1
06ee44e566294fd685fe78b296d278e615f3b430

SHA256
0ce1fd740f2dbbea793015e816f6c27452e94e0e4502875b0d5d2512fbb88675

SHA512
de732fec5ebf12da7c238e3727e9a53b3d0f9cc2c57fcb4e218829dbd7a6f606421712bf3d5cc72c6aa98df00a1ede95785e8f46be0ee57e5824e6b6359c2b16

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
cbd903beaedb38a62c408938da568d62

SHA1
6ec9168502adcda657a12905bff6d9aeef0440db

SHA256
feab2f22d64093fd6dbea4244234beadd74aa4e7189fb2110d786d426c5342c5

SHA512
9ce1cb3299f26d5be8bb65f652e599b3aee968636d70f099004351270c4a96e385b0871ac03b0156e4073b62340f8749e0f0919565cc3482187862a34b631c53

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
649892d2b76065f7ea8ef162443defbf

SHA1
98b6874277eeeca1f6e4f572cf2a8dbc86849caf

SHA256
41b1fb4c931c995fb24cd1e16371ed5a2523659b8deadf0c02e3f38034a29653

SHA512
5812cb39922eb7c8ca85eb7c6e7eaa2376d638d520904681dba4aac0131c1270fb3e0790ba0be9daee4dc32fba55c37eaed07e0b51f34cc452177ac90d25150b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
be272cfa6ebeef241919fe8eadf8cbff

SHA1
872b08048f87df8da7a78c29aa765c93c6064e2d

SHA256
0786a78e0f094c4e6fe932ee9bcfff83bf9a112d60f99eca5a4c3a47f13cd57a

SHA512
7e9e68213195b6c540b49b1d379eed84514a3acec5ed3293f642c90e6b16936d69491af1cda763aebaadd9a0067536cdd60cdcde009bc8848b187878705c98de

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
145cda282b0803f4ba14449a2bd6b5fa

SHA1
fa262dfbabf49e2802577ccd9c46364d7071adf9

SHA256
d0997ea3c2d930b6eba4867c6ab8551313d603fb3998cc97d4cd81253a41c30f

SHA512
e79798919ee06c0a16c69df3d7ec5a87e254d53f4f52d3af3aae02cfa978cfccb3bb3096b1e928d8f4ad622dc1160353a654fb9614ffa387fa67c865eddfa363

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
d699d4db66ff3e08108b78bacf0e98fe

SHA1
226b990deebc8d68fed33d73948559bc1bce9541

SHA256
cd0eb310b487d12d06e76e5087dc633f97eaecc26680f5df7de837e2b24cc69e

SHA512
d2b0562679761865977ac1f985e927d174450a6486a76dcb5b50d6925ac1b9b0c2d46751b04c3e7db2a5419054cf1012c45c2062c3954a9821ad35fb270f2aec

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ecb93a2a109af00e55c20a3c5dc0515d

SHA1
5281c02b62c0122ae5a722097ece5efb55868bf4

SHA256
fde307d8a1fbe06306de549814f3c0280646e395bad59fe8b8779212a5126b92

SHA512
06b2fd22a4192c99581c8a278733e48e6e143ee24f7ce84b04ded9661cc13194ac9c2d84d65b8b3ab7abe7cb48d769b14aa875b8da5bf58bd2ee01ccadb0330f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6b764e6691193d4a9333c635fb91f269

SHA1
96f4b065c7433526c2ed99bd896cfafb7cc8bb3e

SHA256
ca18dab18ece3ff4c39e2b4a8258489d75ff752e9999818027eb394ede499a97

SHA512
a71e4c814ca5a49731d72518da0546f6c314ab0d78a720ba835d7d14463df6948d57a6d6d7654cd61d6d4e7620bf9bff5d9a1e135f9dda203c9bfb9e0080012b

Download Submit
memory/4468-153-0x00000000007A0000-0x0000000001ED7000-memory.dmp

Filesize
23.2MB

Download
memory/4468-537-0x00000000007A0000-0x0000000001ED7000-memory.dmp

Filesize
23.2MB

Download
memory/4468-19-0x00000000007A0000-0x0000000001ED7000-memory.dmp

Filesize
23.2MB

Download
memory/4468-22-0x00000000007A0000-0x0000000001ED7000-memory.dmp

Filesize
23.2MB

Download
memory/4468-34-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/4524-497-0x00000000007A0000-0x0000000001ED7000-memory.dmp

Filesize
23.2MB

Download
memory/4524-17-0x0000000006110000-0x0000000006111000-memory.dmp

Filesize
4KB

Download
memory/4524-3-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/4524-18-0x0000000006120000-0x0000000006121000-memory.dmp

Filesize
4KB

Download
memory/4524-1-0x00000000007A0000-0x0000000001ED7000-memory.dmp

Filesize
23.2MB

Download
memory/4524-24-0x00000000007A0000-0x0000000001ED7000-memory.dmp

Filesize
23.2MB

Download
memory/4524-107-0x00000000086F0000-0x00000000086F1000-memory.dmp

Filesize
4KB

Download
memory/4524-110-0x00000000007A0000-0x0000000001ED7000-memory.dmp

Filesize
23.2MB

Download
memory/4524-111-0x00000000078A0000-0x00000000078A1000-memory.dmp

Filesize
4KB

Download
memory/4524-0-0x00000000007A0000-0x0000000001ED7000-memory.dmp

Filesize
23.2MB

Download
memory/4524-160-0x00000000007A0000-0x0000000001ED7000-memory.dmp

Filesize
23.2MB

Download
memory/5080-33-0x00000000007A0000-0x0000000001ED7000-memory.dmp

Filesize
23.2MB

Download
memory/5080-152-0x00000000007A0000-0x0000000001ED7000-memory.dmp

Filesize
23.2MB

Download
memory/5080-177-0x00000000007A0000-0x0000000001ED7000-memory.dmp

Filesize
23.2MB

Download
memory/5080-229-0x00000000007A0000-0x0000000001ED7000-memory.dmp

Filesize
23.2MB

Download
memory/5080-345-0x00000000007A0000-0x0000000001ED7000-memory.dmp

Filesize
23.2MB

Download
memory/5080-35-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/5080-534-0x00000000007A0000-0x0000000001ED7000-memory.dmp

Filesize
23.2MB

Download
memory/5080-20-0x00000000007A0000-0x0000000001ED7000-memory.dmp

Filesize
23.2MB

Download