Analysis
max time kernel: 149s
max time network: 146s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 29-04-2024 09:24
Behavioral tasks
task          sample          resource
behavioral1   AA_v3.exe       win7-20240221-en
behavioral2   AA_v3.exe       win10v2004-20240419-en
behavioral3   AeroAdmin.exe   win7-20240221-en
behavioral4   AeroAdmin.exe   win10v2004-20240419-en
behavioral5   AnyDesk.exe     win7-20231129-en
behavioral6   AnyDesk.exe     win10v2004-20240419-en
General
Target: AnyDesk.exe
Size: 2.0MB
MD5: bec8a2806dc3260c1d5f1f3d5a0c4417
SHA1: 36a061d79f4e3ad833ef8c5989b01c7b00eed06c
SHA256: 6de889f1309e30e024bd5dfcd4cde7a97c4c3d61e5324a09f356811d9db998eb
SHA512: 087f98334fc2ac7235f7978cd874c09fe3660a041c28a73d65529d365feacf932979e0f6b56ea33e22113ac11148982b8fc55eb713cebad90b74271c2f78b212
SSDEEP: 49152:H8NCer0ajCVzFuGuPgobZO2qwa5r1LLX38Iug:ipr0ajCVzFG4B2qw0XsIh
Malware Config
Signatures

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description         ioc                                                                                     process
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                        AnyDesk.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString    AnyDesk.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid    process
2256   AnyDesk.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
pid    process
2592   AnyDesk.exe
2592   AnyDesk.exe
2592   AnyDesk.exe

Suspicious use of SendNotifyMessage (3 IoCs)
pid    process
2592   AnyDesk.exe
2592   AnyDesk.exe
2592   AnyDesk.exe

Suspicious use of WriteProcessMemory (8 IoCs)
description                        pid    process       procid_target
PID 1748 wrote to memory of 2256   1748   AnyDesk.exe   28
PID 1748 wrote to memory of 2256   1748   AnyDesk.exe   28
PID 1748 wrote to memory of 2256   1748   AnyDesk.exe   28
PID 1748 wrote to memory of 2256   1748   AnyDesk.exe   28
PID 1748 wrote to memory of 2592   1748   AnyDesk.exe   29
PID 1748 wrote to memory of 2592   1748   AnyDesk.exe   29
PID 1748 wrote to memory of 2592   1748   AnyDesk.exe   29
PID 1748 wrote to memory of 2592   1748   AnyDesk.exe   29
Processes

AnyDesk.exe (PID 1748)
  path: C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory

  AnyDesk.exe (PID 2256), child of 1748
    path: C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
    - Suspicious behavior: EnumeratesProcesses

  AnyDesk.exe (PID 2592), child of 1748
    path: C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms (Filesize: 3KB)