55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

max time kernel
1799s
max time network
1789s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
08-02-2024 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

7^/10

Malware Config

Signatures

Unexpected DNS network traffic destination 32 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4528	AnyDesk.exe
4528	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3628	AnyDesk.exe
3628	AnyDesk.exe
3628	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3628	AnyDesk.exe
3628	AnyDesk.exe
3628	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3520 wrote to memory of 4528	3520	AnyDesk.exe	74
PID 3520 wrote to memory of 4528	3520	AnyDesk.exe	74
PID 3520 wrote to memory of 4528	3520	AnyDesk.exe	74
PID 3520 wrote to memory of 3628	3520	AnyDesk.exe	73
PID 3520 wrote to memory of 3628	3520	AnyDesk.exe	73
PID 3520 wrote to memory of 3628	3520	AnyDesk.exe	73

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3628
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
bc9b39a2619832dd21f817d892fd6526

SHA1
630df723dd5212e5b7e7b30c1399f0c9ff7bcbf5

SHA256
0106b51dc5bdb2fe74d61803fd17568939de1d415c93e12a8fcbfe19c8fa6853

SHA512
49d8c751f522bfd5693cab571d88ea8cfac98b308c9ee069c84962c3647a1a92fed1f52c595dcafed264a3f87d2456c3936217a65d9e1ee239143189e709b49e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
0e4bc5f428780966a795963358a0416f

SHA1
fbc851e1be3ddb8e100c1119c53cba9bb28ab7b5

SHA256
8b31d0c84bac1f42c7571be9680c35aa757c5d8e38125a8d2f6a7bfb709f758b

SHA512
5794ffa392b7f13bdd0fc833e2dc4b9da804ee1d388f5f027ca9f9dd723dd8f718c6aabaae6dbcb7a1a60092aa7aea39e76b0f06ed53cfa68d53b89ba5a68873

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
df94b59338a5ca9744c7ce3e81d1994f

SHA1
5db2a633c10e34af2b2ed64b4e5d54c328319dba

SHA256
a6776fcfadd727fced9d147261168c5f24caacf19995423c926c203edd516911

SHA512
f75952e66efc8b9749f587961c2ace9cc98e2910f503ff37f14b50889752050b822b949384b86a9ee7a8f7315b4b5e8f49d11902794fa2fa9fa80890590edda9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
6f3553fde05bef6f711f2c59c84f2949

SHA1
f12f8c0ae1e3b258d4fc0da800af47b53d30b7bc

SHA256
2c04e93d6b72ca97828ef1ccd07349047c9986c6e7a9467df12b4f1d9f9c392f

SHA512
84ba5ab14d233cc18aec93edfa83f932dae9123d9e3eb4ed7e897ec3ea390487364fae5d7540595625d746473b52bec220e9b1370d403538745e84e5f38e8919

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
cd71c89e3c813d4093bef4affae67fd7

SHA1
aab7d63a31557e67c92daee7e7f46890f692bf5d

SHA256
374b19c5c716b00a1472e4d3a14ef486dd8aa66c7388a27a1a3df27c400b165c

SHA512
cbcc0891bce3df19a04e531a6a35a5a01c4a1f193c9820d2d02945bc4215328f02a25a3c4c01e468b18ebe9b3be94947014bed64022109175537d7caee2eaa2c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ef3ee0399c47d64d99c826659d28ab18

SHA1
9083dd73c5446cf1f64b165c8f26f33f91e7f0c7

SHA256
8cc692c91401d16a7b1bd3d7b249c186b90e2bca441d48892a7c1f1c249a4587

SHA512
acb6192d92f8699ff711d382f64721da03597f3f2d82c9e8baa6f0e9205be0fce71ab3541fb8ff432ffd958c88af72d8798b9c8c1139a11e6edf7c95e18573e0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
113f66d27a428a09793bbfb9a317c9e4

SHA1
0d70ef40b712e664ae3ac64a0c1c016e2b431830

SHA256
41bbe652507cf19ab5170dae9c966d37b780e6405eb183ae3b3459a2792eb9f2

SHA512
90f9814a6ab7f1feb8bc06f9e52a1655e2f337944d6f534323b5e3166c59a11c01bf3a8f4e7369e989dabba65b93188b01021ba45e8ee6dce6348597514230f5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6f6dc1158ec173b647f89b51608a75cb

SHA1
ce9e8b756172b8f81337e6165abad7c59b57f96d

SHA256
80a445d743f46ff9fdf3740b9c265abeda7dc6140caa212b31aaa7f1077fb2fa

SHA512
97a10892cb1e6ddf98fb4b860f9af1ed2d6e6162db578e0eb6e9a71c4993cff6287aa4c89a996a1248383a2ffdd8509ebc3ee562ddc6f615deed7b43bf3c0150

Download Submit
memory/3520-22-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download
memory/3520-94-0x00000000087D0000-0x00000000087D1000-memory.dmp

Filesize
4KB

Download
memory/3520-0-0x0000000000BE0000-0x0000000002317000-memory.dmp

Filesize
23.2MB

Download
memory/3520-1-0x0000000000BE0000-0x0000000002317000-memory.dmp

Filesize
23.2MB

Download
memory/3520-23-0x0000000006320000-0x0000000006321000-memory.dmp

Filesize
4KB

Download
memory/3520-102-0x0000000000BE0000-0x0000000002317000-memory.dmp

Filesize
23.2MB

Download
memory/3520-95-0x0000000007980000-0x0000000007981000-memory.dmp

Filesize
4KB

Download
memory/3520-4-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

Filesize
4KB

Download
memory/3628-19-0x0000000000BE0000-0x0000000002317000-memory.dmp

Filesize
23.2MB

Download
memory/3628-32-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/3628-138-0x0000000000BE0000-0x0000000002317000-memory.dmp

Filesize
23.2MB

Download
memory/3628-329-0x0000000000BE0000-0x0000000002317000-memory.dmp

Filesize
23.2MB

Download
memory/3628-518-0x0000000000BE0000-0x0000000002317000-memory.dmp

Filesize
23.2MB

Download
memory/4528-12-0x0000000000BE0000-0x0000000002317000-memory.dmp

Filesize
23.2MB

Download
memory/4528-31-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/4528-137-0x0000000000BE0000-0x0000000002317000-memory.dmp

Filesize
23.2MB

Download
memory/4528-156-0x0000000000BE0000-0x0000000002317000-memory.dmp

Filesize
23.2MB

Download
memory/4528-207-0x0000000000BE0000-0x0000000002317000-memory.dmp

Filesize
23.2MB

Download
memory/4528-326-0x0000000000BE0000-0x0000000002317000-memory.dmp

Filesize
23.2MB

Download
memory/4528-517-0x0000000000BE0000-0x0000000002317000-memory.dmp

Filesize
23.2MB

Download