55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

max time kernel
1801s
max time network
1762s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08-02-2024 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

7^/10

Malware Config

Signatures

Unexpected DNS network traffic destination 34 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1444	AnyDesk.exe
1444	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4752	AnyDesk.exe
4752	AnyDesk.exe
4752	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4752	AnyDesk.exe
4752	AnyDesk.exe
4752	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 376 wrote to memory of 1444	376	AnyDesk.exe	86
PID 376 wrote to memory of 1444	376	AnyDesk.exe	86
PID 376 wrote to memory of 1444	376	AnyDesk.exe	86
PID 376 wrote to memory of 4752	376	AnyDesk.exe	87
PID 376 wrote to memory of 4752	376	AnyDesk.exe	87
PID 376 wrote to memory of 4752	376	AnyDesk.exe	87

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:376
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1444
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
0ea468a07bba62b0bf6db7f47b0e67b6

SHA1
5fd1d9bbc37c2f5843c757d8590dfbf121d6ecb5

SHA256
b1cc339de37818b0a7a180e2dc7ca81fd948292f6b00d7ce47460a7a2c07e673

SHA512
e5071aa80c977eec126aa234e27408b8655ea1952b766a2acbcc809eeff51bf7d5044359c465cdf7e501209754aa3640d6a90db3acab743bc62f8e35ad1c5a92

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
b985107b9e8cd3a63420551242ec116c

SHA1
c555b6a3f70134ea665c529127017194d129e5e8

SHA256
e8d41e0d90b89e33219583ba230a230dd94fa0fbe94c7642328f280704fc0885

SHA512
62008736bea176f002a94dfa7ce1337d5fa70be8532ae9671b388ce69e5f70918c2ca96cb33396d2b9d3ca4984fe18f45256714cbaca6602eebca4bfd9f3e778

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
602673dadcdf6137520029e14ff01ca0

SHA1
17e5c1157d0ee5b817dc3dd605961116c4abb549

SHA256
c2433fc8447d47aae33af30dd7940703c3d14c0dd1f0b11176dfe4b0c389fe65

SHA512
7e63c2ca361429687e7306d5319f64e4bf9917867ac82b4324d71b92d39b8a3b8dc9ce70f6aeff9f4ecbf052154a4a59b3611aed7c8dd3458b6a165d5d7deac1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
29d51714c864cc17956c097cddc3381c

SHA1
dac03932cdc8ca66b4d5955ecdb88f9712117fe5

SHA256
11abb7f1034b5952d2e1bb08b6e0e87346d4ca9f962e7fc084f171cf3343d773

SHA512
d8132881ac0f7d87d573fce3b957d71a62cfc8ebc4368eaa1ffe504804e3f2ccc68a41751113117f6e14aae2db93d326fec7ba77b73c02794d17bffc6f197593

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
562705f1031c582e8d87d94170390c5a

SHA1
9521152c54e6a9df8a2e88865dfba2b9b5fb59ee

SHA256
2d82d2d3ecff59f32880626e8ab96b8304bdf898004161c39a7ab16f2b371e66

SHA512
44be8f9f3dfda8dfbbb0a713b71f7f30ccb2d8bd84db142d9faa820fd667ee909aef6e330e20ddb5abe0960d222a3568a340528357314db566a702564b7c5f46

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
cc3019a9fea7c4f1b299e66f6b1fc7b3

SHA1
41cd58c89df3100f2ee0a4fba42740cc88f04073

SHA256
781460667950f68ade840f15f2f84bc7b3e7126402953fbe0ca076486395faa6

SHA512
d9059219b03d2cd401350bf25b39233847328314d9e9c20ed146dfa8f8aefa68dd419832b16c8e1769011835407d70723048f4349e254cf6aea8f473bc27c670

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
94cfda3fae51ff681773b506c5572a68

SHA1
e49434ea78c96bd0c1038ae33975ef0b8f4a30b5

SHA256
ebcb73be93ad15f9297c4008615d288cea4497afcfd3b64bbddb9072b46daa94

SHA512
08862aa6d692be87b7932977c4d07c52caa67c201a1a5a1f6d725ea1ce04c2842dda6c762f5a63db1a7d593acee4c82c2a1800a8204cd3ea96241ab31bf7ebd3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
744434474072fd457da4586192d4062a

SHA1
884e175cf4d5b96cd0767822aa3deb0db5df17d3

SHA256
125fc769b83d3481ee657f0065a8686cd1e32ceeff40e10121418f43345d6555

SHA512
f080aaa49e8ed386b4567559c2bdb9cd1a9edc60c1ef36f3d248b334cb0ff7a4b0d0274bdbb74de61a1d782e08c32dddfa86e621a87691af6569c7dd7a228daa

Download Submit
memory/376-4-0x0000000002040000-0x0000000002041000-memory.dmp

Filesize
4KB

Download
memory/376-0-0x0000000000050000-0x0000000001787000-memory.dmp

Filesize
23.2MB

Download
memory/376-173-0x0000000000050000-0x0000000001787000-memory.dmp

Filesize
23.2MB

Download
memory/376-122-0x0000000007110000-0x0000000007111000-memory.dmp

Filesize
4KB

Download
memory/376-1-0x0000000000050000-0x0000000001787000-memory.dmp

Filesize
23.2MB

Download
memory/376-17-0x0000000005980000-0x0000000005981000-memory.dmp

Filesize
4KB

Download
memory/376-118-0x0000000007F60000-0x0000000007F61000-memory.dmp

Filesize
4KB

Download
memory/376-18-0x0000000005990000-0x0000000005991000-memory.dmp

Filesize
4KB

Download
memory/376-121-0x0000000000050000-0x0000000001787000-memory.dmp

Filesize
23.2MB

Download
memory/1444-163-0x0000000000050000-0x0000000001787000-memory.dmp

Filesize
23.2MB

Download
memory/1444-32-0x0000000003890000-0x0000000003891000-memory.dmp

Filesize
4KB

Download
memory/1444-21-0x0000000000050000-0x0000000001787000-memory.dmp

Filesize
23.2MB

Download
memory/1444-184-0x0000000000050000-0x0000000001787000-memory.dmp

Filesize
23.2MB

Download
memory/1444-235-0x0000000000050000-0x0000000001787000-memory.dmp

Filesize
23.2MB

Download
memory/1444-379-0x0000000000050000-0x0000000001787000-memory.dmp

Filesize
23.2MB

Download
memory/1444-541-0x0000000000050000-0x0000000001787000-memory.dmp

Filesize
23.2MB

Download
memory/4752-20-0x0000000000050000-0x0000000001787000-memory.dmp

Filesize
23.2MB

Download
memory/4752-164-0x0000000000050000-0x0000000001787000-memory.dmp

Filesize
23.2MB

Download
memory/4752-29-0x0000000001F40000-0x0000000001F41000-memory.dmp

Filesize
4KB

Download
memory/4752-380-0x0000000000050000-0x0000000001787000-memory.dmp

Filesize
23.2MB

Download
memory/4752-544-0x0000000000050000-0x0000000001787000-memory.dmp

Filesize
23.2MB

Download