55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
599s
max time network
366s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-02-2024 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2648	AnyDesk.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2528	AnyDesk.exe
2528	AnyDesk.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2528	AnyDesk.exe
2528	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2648	2700	AnyDesk.exe	28
PID 2700 wrote to memory of 2648	2700	AnyDesk.exe	28
PID 2700 wrote to memory of 2648	2700	AnyDesk.exe	28
PID 2700 wrote to memory of 2648	2700	AnyDesk.exe	28
PID 2700 wrote to memory of 2528	2700	AnyDesk.exe	29
PID 2700 wrote to memory of 2528	2700	AnyDesk.exe	29
PID 2700 wrote to memory of 2528	2700	AnyDesk.exe	29
PID 2700 wrote to memory of 2528	2700	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2648
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2528

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /D /T
1⤵
PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
b1e737a5e65c364ee4fe960793f8fa31

SHA1
198cf76563a9a40f94af7688368149d5dbfe9f4a

SHA256
36b63c1ed94a71d4d6b1f3cc4578e857e95ac1dddfbb91127c19deb0c6e5a6ee

SHA512
176f94b463cc556a1605b111487e854dcd00b2e37ff0db8c3ed105158dea6e29d058a85b8aa589886850bcbd794b747147c390968c4f903e013c120d40f47327

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
7f423946712258bb503e72dde070bd57

SHA1
2545d2e9d6a8049dfd38bd85eb40ec7f151f5908

SHA256
fec43b3c20c33dc31ae687c723e149708792f9cd12ae91a443684e8a5819e744

SHA512
0237335ad4459731a08c88eb47ec393c83e629d2c8d32f316f3c558e664a84365a7664151b58e75c346010ad2446e5c3134802bdd66c533ea30f2484d381d6d8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
94f30378017931ca6a3d601166d445b9

SHA1
a5a4235158570d3cb323717303b1c5bf479ccfc1

SHA256
84a1643cdd05e324b39065746b29572f475d13994d2d5a144fd1491d5d3bc985

SHA512
80f7e9027437a1f156d8194ffca6b510b7c9faa6f09d08b7c9b3ab5b20baa9631ad830013dd2c3b7c2f5933ddfc2358cd5c80ca2529a427077c047a8f49fa1d3

Download Submit
memory/2528-42-0x0000000000090000-0x00000000017C7000-memory.dmp

Filesize
23.2MB

Download
memory/2528-12-0x0000000000090000-0x00000000017C7000-memory.dmp

Filesize
23.2MB

Download
memory/2528-26-0x0000000001800000-0x0000000001801000-memory.dmp

Filesize
4KB

Download
memory/2648-13-0x0000000000090000-0x00000000017C7000-memory.dmp

Filesize
23.2MB

Download
memory/2648-34-0x00000000018C0000-0x00000000018C1000-memory.dmp

Filesize
4KB

Download
memory/2648-40-0x0000000000090000-0x00000000017C7000-memory.dmp

Filesize
23.2MB

Download
memory/2648-55-0x0000000000090000-0x00000000017C7000-memory.dmp

Filesize
23.2MB

Download
memory/2700-23-0x00000000036A0000-0x00000000036A1000-memory.dmp

Filesize
4KB

Download
memory/2700-22-0x00000000036B0000-0x00000000036B1000-memory.dmp

Filesize
4KB

Download
memory/2700-0-0x0000000000090000-0x00000000017C7000-memory.dmp

Filesize
23.2MB

Download
memory/2700-4-0x00000000018F0000-0x00000000018F1000-memory.dmp

Filesize
4KB

Download
memory/2700-36-0x0000000000090000-0x00000000017C7000-memory.dmp

Filesize
23.2MB

Download
memory/2700-2-0x0000000000090000-0x00000000017C7000-memory.dmp

Filesize
23.2MB

Download