55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
50s
max time network
54s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14/02/2024, 14:20

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2812	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2816	AnyDesk.exe
2816	AnyDesk.exe
2816	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2816	AnyDesk.exe
2816	AnyDesk.exe
2816	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2812	2512	AnyDesk.exe	28
PID 2512 wrote to memory of 2812	2512	AnyDesk.exe	28
PID 2512 wrote to memory of 2812	2512	AnyDesk.exe	28
PID 2512 wrote to memory of 2812	2512	AnyDesk.exe	28
PID 2512 wrote to memory of 2816	2512	AnyDesk.exe	29
PID 2512 wrote to memory of 2816	2512	AnyDesk.exe	29
PID 2512 wrote to memory of 2816	2512	AnyDesk.exe	29
PID 2512 wrote to memory of 2816	2512	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2812
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2816

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2960

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
16a4ec955c55e85c88c358f9026a1c73

SHA1
a89ee497a035227f4a9c80b072ed33d236b1589f

SHA256
8f3f0c994412b4e8f2a80bb9c12903459502d8fddf6ca39c4455e59405a1db7f

SHA512
671b533ccb82a1685c230fbb84464111291cc4c73df316d639e1b1edd578706e0bc3b2c0713e6d95d39a89a55bf73f205c7f2632d339ab5b1fbdfebabe78fdb7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
701c1c75b89cf308ebbe64b7f3aba3d4

SHA1
7b6333c1ec4e8b7082cbba5b7466c7f8b05a3fa1

SHA256
ac6967d51de06583cfeb9e6a4786cbb837443c453299c73ad8b3107fa2533e60

SHA512
8d70bf8ebade621f1ea85f2065d4bad8ea3e79f26da6c452ee465abbb522b7d90a410263e1cad3d151111973b7ff1280b83bf2ba03859f0a26d2b234f56213d5

Download Submit
memory/2512-28-0x0000000003820000-0x0000000003821000-memory.dmp

Filesize
4KB

Download
memory/2512-3-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/2512-0-0x00000000009B0000-0x00000000020E7000-memory.dmp

Filesize
23.2MB

Download
memory/2512-32-0x00000000009B0000-0x00000000020E7000-memory.dmp

Filesize
23.2MB

Download
memory/2512-21-0x0000000003830000-0x0000000003831000-memory.dmp

Filesize
4KB

Download
memory/2812-37-0x00000000009B0000-0x00000000020E7000-memory.dmp

Filesize
23.2MB

Download
memory/2812-12-0x00000000009B0000-0x00000000020E7000-memory.dmp

Filesize
23.2MB

Download
memory/2812-11-0x00000000009B0000-0x00000000020E7000-memory.dmp

Filesize
23.2MB

Download
memory/2812-52-0x00000000009B0000-0x00000000020E7000-memory.dmp

Filesize
23.2MB

Download
memory/2816-10-0x00000000009B0000-0x00000000020E7000-memory.dmp

Filesize
23.2MB

Download
memory/2816-41-0x00000000009B0000-0x00000000020E7000-memory.dmp

Filesize
23.2MB

Download
memory/2816-57-0x00000000009B0000-0x00000000020E7000-memory.dmp

Filesize
23.2MB

Download