55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

max time kernel
1804s
max time network
1771s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08/02/2024, 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

7^/10

Malware Config

Signatures

Unexpected DNS network traffic destination 31 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4620	AnyDesk.exe
4620	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3052	AnyDesk.exe
3052	AnyDesk.exe
3052	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3052	AnyDesk.exe
3052	AnyDesk.exe
3052	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 4620	2580	AnyDesk.exe	84
PID 2580 wrote to memory of 4620	2580	AnyDesk.exe	84
PID 2580 wrote to memory of 4620	2580	AnyDesk.exe	84
PID 2580 wrote to memory of 3052	2580	AnyDesk.exe	85
PID 2580 wrote to memory of 3052	2580	AnyDesk.exe	85
PID 2580 wrote to memory of 3052	2580	AnyDesk.exe	85

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4620
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
dfc569a31cfc4bfb2c5504bd276e5b3e

SHA1
5a31dd5b55c15ed191d42a25ff3447ad6ecb1b09

SHA256
c8aee92b5771a3195cc8df1b1ca69d121ca2203f72cb6eef12dbf0861aac587d

SHA512
d24b49bf79d608ac48194af8bcdec401620568c093c15d02526fb09096e9d7a863c9d254545e9e880301c404ada900753a97284f2d686eae6f140a024af59e88

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
1269cf6f128ece84bbf349e7390c48d5

SHA1
4e8cf2bffd698a5961ab9752aaa1199ed56cd513

SHA256
72ae732ce4876e11a2b89969f332cd30c23accfbad9dafb51a9410d59296a760

SHA512
e9edeb6b77608df8764ed03d7da894061e071a598d3140d3ec8b9b91c72562805afab9e6e7c3d9ceaeac72c7501fcd69559778bd9ed6b8e172db5138364e1bb6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
3cf83266a3112aed41ac0321a23e15e4

SHA1
0090444e346c475006c6c770c227f9e651354ccf

SHA256
158b582f8d413625a26b6d8df573f590ac4f60781fd8a6f71e3356f5742098f1

SHA512
be58cab05c84cc5321148993204c52451f67c11b7d66286d7c9b382aa2f4f1d003dc4e2d8c8ce4f87b1fdbcf7f4f42efe6ccc33bf3aad150fd63bade601dc011

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
fa0bba73508f97c3d7c6ae9aa6e58223

SHA1
4922ef2834b04f69230e9c2c514f8a5474fcfe77

SHA256
43fa1fb6dbae9d9f1c4f1ebc617414b4896dcf99b81a65a0117344d8a764cd42

SHA512
0a8c0970cf07bfce6dadf39198fa5f2d8d413d31dfa64f3b7a7fa162f1fe541e9881a422caaf9d9e434ae29907318861ad4f2b2650acd98581facc5f891a54db

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f7c652f8bcb969a7484ee9b6d9ce2c4e

SHA1
db806aba2a07fd2a248479a5a3e387ae8da385f5

SHA256
beac78e59999f87152573772ca0bbeee4184e12d174a886da3d7873befd7fcce

SHA512
88539e5bbe1868cb631bb8fa3bc1b51d957b7bb96240184e1987f23e135875ac7590d7cf24a5634fda94a75c55ab3ea5451ad9686eab4fa896d862e39fbff497

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6ff44965e3b798b7e1d5054850d6c0d3

SHA1
792fa95d12cbad8dc2cdc8d1a280d440bf50595c

SHA256
2043cf8d3e381b9641848d59f7deb2a2f266c808760b883ab4d4ef96af7e4740

SHA512
274ef88c036c836899e5fdaedbf0fc8cf1ae719d3a889717cfb81fe2b3da5d07f42780dfb13191922c8ab989f40e860135b530e2c296380b4acaf9fd060f32f6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ee91f281cb3145d23f64c29458f1af3e

SHA1
1026121dc6d17c352c89306219f4d6c0d85c37cd

SHA256
558318d75f06a327a106e5492e91bc64964603feeaa5ada06a2ccc8baa2a98b6

SHA512
a9649db92272d93884ecb0f0147d0c1b4e6e916e16d3cb46d7a09d8e3bc3e71ede4600c729bccd917ee30de2730504349521ea6d8b18c2bbef68eb6a330a9074

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
cde7615a927b0aa2796548abed28bb96

SHA1
595457fe02885d6d510015b6c6b7bd1892901fa0

SHA256
f37a4b963139dbdb8c81ec133902176517c13a1072eb55eed5ab3ec38e7a460c

SHA512
1feb30d1b28ead05010d52ae7626bfafaa0c9675d4bfd8607f0c0c1559d99035da21625e9bf037712dfe15240ed1c3a16d289ed2b13de7735014bc54c097ecfd

Download Submit
memory/2580-99-0x0000000000D00000-0x0000000002437000-memory.dmp

Filesize
23.2MB

Download
memory/2580-96-0x0000000008580000-0x0000000008581000-memory.dmp

Filesize
4KB

Download
memory/2580-100-0x0000000007730000-0x0000000007731000-memory.dmp

Filesize
4KB

Download
memory/2580-20-0x0000000005FB0000-0x0000000005FB1000-memory.dmp

Filesize
4KB

Download
memory/2580-0-0x0000000000D00000-0x0000000002437000-memory.dmp

Filesize
23.2MB

Download
memory/2580-17-0x0000000005FA0000-0x0000000005FA1000-memory.dmp

Filesize
4KB

Download
memory/2580-1-0x0000000000D00000-0x0000000002437000-memory.dmp

Filesize
23.2MB

Download
memory/2580-105-0x0000000000D00000-0x0000000002437000-memory.dmp

Filesize
23.2MB

Download
memory/2580-3-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/3052-529-0x0000000000D00000-0x0000000002437000-memory.dmp

Filesize
23.2MB

Download
memory/3052-31-0x0000000002980000-0x0000000002981000-memory.dmp

Filesize
4KB

Download
memory/3052-147-0x0000000000D00000-0x0000000002437000-memory.dmp

Filesize
23.2MB

Download
memory/3052-18-0x0000000000D00000-0x0000000002437000-memory.dmp

Filesize
23.2MB

Download
memory/3052-338-0x0000000000D00000-0x0000000002437000-memory.dmp

Filesize
23.2MB

Download
memory/4620-32-0x0000000004650000-0x0000000004651000-memory.dmp

Filesize
4KB

Download
memory/4620-169-0x0000000000D00000-0x0000000002437000-memory.dmp

Filesize
23.2MB

Download
memory/4620-216-0x0000000000D00000-0x0000000002437000-memory.dmp

Filesize
23.2MB

Download
memory/4620-337-0x0000000000D00000-0x0000000002437000-memory.dmp

Filesize
23.2MB

Download
memory/4620-146-0x0000000000D00000-0x0000000002437000-memory.dmp

Filesize
23.2MB

Download
memory/4620-528-0x0000000000D00000-0x0000000002437000-memory.dmp

Filesize
23.2MB

Download
memory/4620-19-0x0000000000D00000-0x0000000002437000-memory.dmp

Filesize
23.2MB

Download