55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2840	AnyDesk.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2596	AnyDesk.exe
2596	AnyDesk.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2596	AnyDesk.exe
2596	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2840	2088	AnyDesk.exe	28
PID 2088 wrote to memory of 2840	2088	AnyDesk.exe	28
PID 2088 wrote to memory of 2840	2088	AnyDesk.exe	28
PID 2088 wrote to memory of 2840	2088	AnyDesk.exe	28
PID 2088 wrote to memory of 2596	2088	AnyDesk.exe	29
PID 2088 wrote to memory of 2596	2088	AnyDesk.exe	29
PID 2088 wrote to memory of 2596	2088	AnyDesk.exe	29
PID 2088 wrote to memory of 2596	2088	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2840
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
df575676e8ea1a09011189851c054f22

SHA1
704cd8c2678da3f4e7af6321d05f548c0a2169fc

SHA256
e6b7ebb83b3a1ab594069a2f4843e18577360c2a4436d53f507d4d6aa62cc93e

SHA512
bfa0bd74d395451e8308722727d868454e3429b18d2bcb25882a1b1254c1947abe5aa44515960252ddd14a586e5cd97e9f520705384087b37ad4c5f8870debb6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
0b748caf8fa8cb7c743f22889b34798d

SHA1
b7a7e07605f3d26065b96c209c838537af43169e

SHA256
4d75cce3638fdf98c959100a1300d3d8077c43f07b18502fc01f680a87b1bd8e

SHA512
932af1964695614d1c9fdea5265280a71115011e81703e0657b3f4e5fe3bd99e97f3bc7234151d25556d86f44f9151833f5e1327e37a1bf50f3af4c0990007f7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
d47ca49537a04dcc841e666c03220c0e

SHA1
bb4e5732201c7ca5ed30bc6fa15f115a0c183bce

SHA256
545896cf01b848d431688c396e532e2c5fd659f7a35eff084bdc91e8d4fa8a35

SHA512
1180fdb1e0a17e000a3debc7044cc810922f8c9189c82bd2c6be2c39ff1d88fcc95535db2d096c733ccaaa8cc1770edeaceca3eb2daadf75db26b6927f182fed

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
1bd193eb9b4e11869405e90f1adf6257

SHA1
25f5c0df8d4311cf9254e8c526ebd3dfcc3de0cb

SHA256
c58394fe93eaecf88424f90634f4ccf540c9eb0f225a1b670c08481a12b4cda0

SHA512
e319359c4e942cd2dd5447c5d5ed4e6ca1b5f19ffc595bb936a3a98c44b305124faf86b75049c92e9dc34b1f95152ff9d0efd60a8679255daf3116875f9fc739

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
4dc3c641e53e338abc64fbbd0de4ad60

SHA1
5e8079683044b683e74075471b3c5f5a5f4142dd

SHA256
bc7e3753aa5b19e348906010959e66fd9b99978e4f6ec751d3592673740574d1

SHA512
563a307521d4a016281f514473b22f0ae14256e0d5f747e8674139525551e274d28d3e86364160d241c33ac5f9d185f025f96a5a4da267537b1fffb22e1ac359

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
9b6acf289a218a5a15b1369676e7a563

SHA1
91801e1ed398661358bf0f4333e96adc181b1eb8

SHA256
38ae1fecc5146ed05feb37808cd54ec01a926ad0f42e9e2a0a312f879195b77c

SHA512
d382f5f2c55a4d91292df78430a274e3d473a2e4da697c82e7c017c05c795c8fd15df89587e38cebeb77050b6fdbfb250c52356d440786eda87a8108dc7b2663

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c6ee0c55bc419c6344b4936595e0f076

SHA1
fe99bc754bf8e7f3235b4f5c57e947cb2d49b8c1

SHA256
2df60b20577ce97ae4d4abf32ab2c4bd24053f966977f05807ae8de3d2b9ad35

SHA512
23e1d79afc55783389d9d035e109a572bed6e365ca75c4043b3e83f61a33013b631428b7bf72a9947d07a15c28621ad2e603ba26ebc504f637e010c8589288dd

Download Submit
memory/2088-26-0x0000000001120000-0x0000000002857000-memory.dmp

Filesize
23.2MB

Download
memory/2088-102-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/2088-23-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/2088-95-0x0000000001120000-0x0000000002857000-memory.dmp

Filesize
23.2MB

Download
memory/2088-2-0x0000000001120000-0x0000000002857000-memory.dmp

Filesize
23.2MB

Download
memory/2088-106-0x00000000045E0000-0x00000000045E1000-memory.dmp

Filesize
4KB

Download
memory/2088-0-0x0000000001120000-0x0000000002857000-memory.dmp

Filesize
23.2MB

Download
memory/2088-24-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/2088-9-0x0000000001120000-0x0000000002857000-memory.dmp

Filesize
23.2MB

Download
memory/2088-4-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download
memory/2596-19-0x0000000001120000-0x0000000002857000-memory.dmp

Filesize
23.2MB

Download
memory/2596-57-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2596-83-0x0000000001120000-0x0000000002857000-memory.dmp

Filesize
23.2MB

Download
memory/2596-101-0x0000000001120000-0x0000000002857000-memory.dmp

Filesize
23.2MB

Download
memory/2840-21-0x0000000001120000-0x0000000002857000-memory.dmp

Filesize
23.2MB

Download
memory/2840-96-0x0000000001120000-0x0000000002857000-memory.dmp

Filesize
23.2MB

Download
memory/2840-61-0x0000000001120000-0x0000000002857000-memory.dmp

Filesize
23.2MB

Download
memory/2840-44-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing