b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78

Resubmissions

12-02-2024 14:18

240212-rmqw8she34 9

12-02-2024 14:14

240212-rkfngshd56 6

12-02-2024 14:08

240212-rflzpsfe9x 8

Analysis

max time kernel
1793s
max time network
1797s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
12-02-2024 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

3.0MB
MD5

eb80f7bddb699784baa9fbf2941eaf4a
SHA1

df6abbfd20e731689f3c7d2a55f45ac83fbbc40b
SHA256

b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78
SHA512

3a1162e9fef849cb7143dc1898d4cfcfd87eb80ced0edb321dfa096686b25ae8a9a7f3ae8f37a09724d94f96d64e08940fc23c0b931ddd8a1e70e2792cb3fe47
SSDEEP

98304:6aJXyQTrRGlSMoIuORmKBQielvZlpkiSti:3olMcR9BTY3WS

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2420	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2724	AnyDesk.exe
2724	AnyDesk.exe
2724	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2724	AnyDesk.exe
2724	AnyDesk.exe
2724	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2420	1948	AnyDesk.exe	28
PID 1948 wrote to memory of 2420	1948	AnyDesk.exe	28
PID 1948 wrote to memory of 2420	1948	AnyDesk.exe	28
PID 1948 wrote to memory of 2420	1948	AnyDesk.exe	28
PID 1948 wrote to memory of 2724	1948	AnyDesk.exe	29
PID 1948 wrote to memory of 2724	1948	AnyDesk.exe	29
PID 1948 wrote to memory of 2724	1948	AnyDesk.exe	29
PID 1948 wrote to memory of 2724	1948	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2420
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
1ed905083faba4afd6699d68def9ca38

SHA1
17ac1ecf0ff296f93c143cdcb5da5faaaa743420

SHA256
b12710ea5be8722c4a60e33c9128e875973e5f8bdc73734cf0daa9f0fd306a01

SHA512
cf9a7bbdb47c8eb56fdc540b2cb43efc118bb1b0a2fd9b389032359c8137a6fad55e831448421bcd02776c59229b1a52a20d2046e1ba611f4f4c66c2ed6fde40

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
52728c965b696c09edb269f08587c2a3

SHA1
61a78ae409b149f573b87e6d9325623bd84152fc

SHA256
89efe8048301795e52513d44813dee62f5bceb445d2338f28c25f3a0778511fa

SHA512
2a9e8643777786d2556668a3806fd00e7489c1938fec99b06dd0b824e6bed9fc94291eb51201d1fe78ed1428b927511df498d5a7903daec47b3e5adcd414867e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
e34252afc0790fa244535df93b3cba8e

SHA1
0c5449ced82e599b7b6101a2d4d5bcf1c4a133c7

SHA256
4d5f438d564fe4b7adc37794e0a2b33efa39e03f2616573e3e981f1a7427553a

SHA512
cbfcd5dcad3864ac28a36d790050642228eac824cbbd11d0e3d13a7123ae219f0a03b2e4c7af3d7b51e9357b8beab06dbd4d8cda256edf962f35b6a6f752bf47

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
329B

MD5
e85f3dad4a7adc13785947433604ac51

SHA1
978b7a92dc3c2510355d4950d1d50e9361b48b18

SHA256
5c897666ef97626695662badf3c5122230521403866ea4d0eb2f201584c63f5f

SHA512
6055d993236db3e0a41249ad2950a2368c7b550a83c2bb4cc6e2ab5ec03f7e729deed1172de3a69d390b47e41e86db9bcea34d878f5f0b6a9f008d72f5e1d534

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
205B

MD5
59352c2b0c590c5fd96365d3168d723b

SHA1
53ab571639cc3e3a38032c1095985f7f4278d8fc

SHA256
079db0d18cb8ca55e8653f3d67608c5e445d32e368feb874ed3fa1d797c7c286

SHA512
2d21bcd26ef934095ca5b37aa1e66091547870f5e09c2d203dfd75923d2575f93f1a42f31e4fb7b2423b766984464ed65b048f49519837918de246a892c82828

Download Submit
memory/1948-20-0x0000000003FC0000-0x0000000003FC1000-memory.dmp

Filesize
4KB

Download
memory/1948-3-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/1948-27-0x00000000041E0000-0x00000000041E1000-memory.dmp

Filesize
4KB

Download
memory/1948-26-0x00000000041B0000-0x00000000041B1000-memory.dmp

Filesize
4KB

Download
memory/1948-25-0x00000000040A0000-0x00000000040A1000-memory.dmp

Filesize
4KB

Download
memory/1948-24-0x0000000004090000-0x0000000004091000-memory.dmp

Filesize
4KB

Download
memory/1948-23-0x0000000004040000-0x0000000004041000-memory.dmp

Filesize
4KB

Download
memory/1948-22-0x0000000004020000-0x0000000004021000-memory.dmp

Filesize
4KB

Download
memory/1948-21-0x0000000003FD0000-0x0000000003FD1000-memory.dmp

Filesize
4KB

Download
memory/1948-0-0x0000000000060000-0x0000000000C72000-memory.dmp

Filesize
12.1MB

Download
memory/1948-19-0x0000000003FA0000-0x0000000003FA1000-memory.dmp

Filesize
4KB

Download
memory/1948-29-0x0000000003A40000-0x0000000003A41000-memory.dmp

Filesize
4KB

Download
memory/1948-80-0x0000000000060000-0x0000000000C72000-memory.dmp

Filesize
12.1MB

Download
memory/1948-1-0x0000000000060000-0x0000000000C72000-memory.dmp

Filesize
12.1MB

Download
memory/1948-28-0x0000000004200000-0x0000000004201000-memory.dmp

Filesize
4KB

Download
memory/1948-15-0x0000000003050000-0x0000000003051000-memory.dmp

Filesize
4KB

Download
memory/1948-14-0x0000000003D40000-0x0000000003D41000-memory.dmp

Filesize
4KB

Download
memory/1948-13-0x0000000001390000-0x0000000001391000-memory.dmp

Filesize
4KB

Download
memory/2420-32-0x0000000000060000-0x0000000000C72000-memory.dmp

Filesize
12.1MB

Download
memory/2420-31-0x0000000000060000-0x0000000000C72000-memory.dmp

Filesize
12.1MB

Download
memory/2420-82-0x0000000000060000-0x0000000000C72000-memory.dmp

Filesize
12.1MB

Download
memory/2420-88-0x0000000000060000-0x0000000000C72000-memory.dmp

Filesize
12.1MB

Download
memory/2420-91-0x0000000000060000-0x0000000000C72000-memory.dmp

Filesize
12.1MB

Download
memory/2724-39-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/2724-30-0x0000000000060000-0x0000000000C72000-memory.dmp

Filesize
12.1MB

Download
memory/2724-83-0x0000000000060000-0x0000000000C72000-memory.dmp

Filesize
12.1MB

Download