55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

max time kernel
1799s
max time network
1795s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
08/02/2024, 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

7^/10

Malware Config

Signatures

Unexpected DNS network traffic destination 30 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1424	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1072	AnyDesk.exe
1072	AnyDesk.exe
1072	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1072	AnyDesk.exe
1072	AnyDesk.exe
1072	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 1424	2156	AnyDesk.exe	28
PID 2156 wrote to memory of 1424	2156	AnyDesk.exe	28
PID 2156 wrote to memory of 1424	2156	AnyDesk.exe	28
PID 2156 wrote to memory of 1424	2156	AnyDesk.exe	28
PID 2156 wrote to memory of 1072	2156	AnyDesk.exe	29
PID 2156 wrote to memory of 1072	2156	AnyDesk.exe	29
PID 2156 wrote to memory of 1072	2156	AnyDesk.exe	29
PID 2156 wrote to memory of 1072	2156	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1424
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
e3ffe1ac4625be5686b61f8e7746ba6c

SHA1
366eb743e9b2ab512b65205977339bcc4ebc545a

SHA256
5f97778d49984d6ba9350dc3ff31443342b38ad77553c82b9a4568d446523874

SHA512
ed10c7f116a38914bf2e5ad199142dd6c71ff5c6aa3c7cbc976b376e59274b4ebaa19d88ee976f461b88cf8bc0cc559df491e4de145917f1c40de52504896eaf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
e71b6f926345cb9a4ef42c5037a372a5

SHA1
f5603ffebad5ce4e21507005b183c1c3d0a78ad4

SHA256
011e98742dc3be1f96121046ad39f06377f8bdca7cdc5b432f8430d8805bfd1b

SHA512
6214d77daba3d9b08bff2ffccfb20ee498ce6e4b09160a36a409ed69943e9abe0968aa7a4629d527c589f36d4d23c06e08b5f7fe0f3a249ea950a862e5ece9d8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
5be1519eb02fef6cb34ed526e61e4c30

SHA1
217f6a6edcdb41777534aad0a94381f56dcdd285

SHA256
5c13cb4e7ca91ffc86997fb39bd4496ae1f01587d1975233e3ba7cff4626a36a

SHA512
99229adf37a3e3b39ee04f0d823e365a027325763e25c294f9238b423f2538a0a3cea2e4b7e8c81531a1b432f5753f6df0a34b8d5137660ea4025b915ae4c845

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
c6d12459c798c886a61ca7f86276dee5

SHA1
034ccf2c490849039b838f1315ab4558c8897042

SHA256
a702e84cb9be1145ea2b30aa6c1b4de236a08f0a76c8234d7fae751e52e39313

SHA512
98bd95c9f21ed416a97cbee2081339e5ce788baa2ef9ba50e65d35820e56cedf1f2edd168e0ae2f8f5a91fdb3bc9abd60f3cffa4c3be3c9a2c76786fd77a4c42

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
ce6768ca4c5bd481bd59f2aa1691b2dd

SHA1
82f34cf2a2e3b253f5d76da968df0b780152582e

SHA256
6a2f0f78a4c9bc81a3853e90c8e6e200f60b275b12ad6b70322687b153ac9cf2

SHA512
f288a67999569afa729f65437cd70bebd35ce0c69b6e76fcbdca392713e5778430b67b2234eb00465653e32b7fb12a42328e432ad3d88d59b002e2236b89a936

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
2c0ce2c3e7c62d8ea413e2373df05663

SHA1
28f2a2b2b96cca1e2e7e378f94795f9f62fddd2a

SHA256
3451ee70bf3ecf630e7a845590f2f8a07a47a34909cd08f1721ef66b4c3242f2

SHA512
6ec35600c31a012a9a3b5ae985f98ebffe36ff6930c4a14c1ed2211e4fa91ecb38f007dc5fb2f94563f7d49beec878f9ae7f8f25d51cd335f0c818ab618f7709

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
d1559c74fb9842b3fefdeacc6093a59d

SHA1
90a24e7bfeafc6e40e5d58ab8109d92a3ea99535

SHA256
fca60b68989fefb977e64f7eb5f0a43c3c81912bd3b0e41d736b3b1c3b7926b1

SHA512
83f027afcba386145808ba660287c04a675357025b4ed3549ea807a9012ccd84b8ef5ac29fb490122abc6202cbca15b8e7917d7665e4487f906c61121be8f410

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6c8f8c724a7ffb2edd44e18120f110de

SHA1
92cb73dae252d8d168d72e7d6e7fd55869ca444b

SHA256
5333cd0b4d2293d88d7dba07df19a401a520635bbe00ceb47e8fa85f902e1102

SHA512
c35b76466430d100031cfa217a3324f1fef0f8a8bacc85b1d823221b5aa47968663a976fe0d1237e755e175694906c3bd398bce28e93df5a2f2059eb56eea0ac

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e6eb3e05a1692abd0e4fef621a40734a

SHA1
51c1099797d815478000b9b79a16890b59e9ea3e

SHA256
986a85b093aee633128cc01de0e016c22e501a295ae50d6dfd85fd350e30d1e0

SHA512
1ab74e8b0dfcc1e97af7f181ef47d02f5e3980456c9e8bfdeec5018d9bf7ee12dc31607abc97c72cc19e7120b5b6738fabaf5d5015715a7fd6eaea2a026345a9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
59e10fd17228ba08d3c72106ad064ecc

SHA1
3171b19e0adb8e123e677ed4a9c894b10d65621c

SHA256
bbd238996e9e8de893493dffc17e258f69737614631fa12dcda01127830d5aba

SHA512
a2bd9e2112940a4c4cff71696a8ae19b6cf03c748ceba38ecd5753d4331c3132bd74c7939a350cb20c58a20d2ae68a415e862aa627f9c3778b362af42e6d2d87

Download Submit
memory/1072-60-0x00000000012E0000-0x0000000002A17000-memory.dmp

Filesize
23.2MB

Download
memory/1072-34-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1072-85-0x00000000012E0000-0x0000000002A17000-memory.dmp

Filesize
23.2MB

Download
memory/1072-218-0x00000000012E0000-0x0000000002A17000-memory.dmp

Filesize
23.2MB

Download
memory/1072-12-0x00000000012E0000-0x0000000002A17000-memory.dmp

Filesize
23.2MB

Download
memory/1424-11-0x00000000012E0000-0x0000000002A17000-memory.dmp

Filesize
23.2MB

Download
memory/1424-58-0x00000000012E0000-0x0000000002A17000-memory.dmp

Filesize
23.2MB

Download
memory/1424-287-0x00000000012E0000-0x0000000002A17000-memory.dmp

Filesize
23.2MB

Download
memory/1424-84-0x00000000012E0000-0x0000000002A17000-memory.dmp

Filesize
23.2MB

Download
memory/1424-26-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/1424-215-0x00000000012E0000-0x0000000002A17000-memory.dmp

Filesize
23.2MB

Download
memory/2156-21-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/2156-165-0x0000000001180000-0x0000000001181000-memory.dmp

Filesize
4KB

Download
memory/2156-166-0x0000000004D80000-0x0000000004D81000-memory.dmp

Filesize
4KB

Download
memory/2156-4-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2156-210-0x00000000012E0000-0x0000000002A17000-memory.dmp

Filesize
23.2MB

Download
memory/2156-46-0x00000000012E0000-0x0000000002A17000-memory.dmp

Filesize
23.2MB

Download
memory/2156-22-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/2156-1-0x00000000012E0000-0x0000000002A17000-memory.dmp

Filesize
23.2MB

Download