27e9254ee7fb8ad0a65e299e42b60d81166f3b956c817d0148b0b9ee2b2d3c89

Analysis

max time kernel
149s
max time network
146s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
29/04/2024, 09:24 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

2.0MB
MD5

bec8a2806dc3260c1d5f1f3d5a0c4417
SHA1

36a061d79f4e3ad833ef8c5989b01c7b00eed06c
SHA256

6de889f1309e30e024bd5dfcd4cde7a97c4c3d61e5324a09f356811d9db998eb
SHA512

087f98334fc2ac7235f7978cd874c09fe3660a041c28a73d65529d365feacf932979e0f6b56ea33e22113ac11148982b8fc55eb713cebad90b74271c2f78b212
SSDEEP

49152:H8NCer0ajCVzFuGuPgobZO2qwa5r1LLX38Iug:ipr0ajCVzFG4B2qw0XsIh

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2256	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2592	AnyDesk.exe
2592	AnyDesk.exe
2592	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2592	AnyDesk.exe
2592	AnyDesk.exe
2592	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 2256	1748	AnyDesk.exe	28
PID 1748 wrote to memory of 2256	1748	AnyDesk.exe	28
PID 1748 wrote to memory of 2256	1748	AnyDesk.exe	28
PID 1748 wrote to memory of 2256	1748	AnyDesk.exe	28
PID 1748 wrote to memory of 2592	1748	AnyDesk.exe	29
PID 1748 wrote to memory of 2592	1748	AnyDesk.exe	29
PID 1748 wrote to memory of 2592	1748	AnyDesk.exe	29
PID 1748 wrote to memory of 2592	1748	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2256
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2592

Network

DNS

boot-01.net.anydesk.com

AnyDesk.exe

Remote address:

8.8.8.8:53

Request

boot-01.net.anydesk.com

IN A

Response

boot-01.net.anydesk.com

IN A

185.229.190.236
DNS

boot-02.net.anydesk.com

AnyDesk.exe

Remote address:

8.8.8.8:53

Request

boot-02.net.anydesk.com

IN A

Response

boot-02.net.anydesk.com

IN A

92.223.88.232

185.229.190.236:443

boot-01.net.anydesk.com

tls

AnyDesk.exe

434 B
1.4kB
6
3
185.229.190.236:80

boot-01.net.anydesk.com

AnyDesk.exe

152 B
3
78.46.49.23:443

AnyDesk.exe

152 B
3
78.46.49.23:80

AnyDesk.exe

152 B
3
92.223.88.232:443

boot-02.net.anydesk.com

tls

AnyDesk.exe

482 B
1.4kB
7
3
92.223.88.232:80

boot-02.net.anydesk.com

AnyDesk.exe

152 B
3
85.25.103.30:443

AnyDesk.exe

152 B
3
85.25.103.30:80

AnyDesk.exe

152 B
3
185.229.190.236:443

boot-01.net.anydesk.com

tls

AnyDesk.exe

378 B
1.4kB
5
3
185.229.190.236:80

boot-01.net.anydesk.com

tls

AnyDesk.exe

434 B
1.4kB
6
3
78.46.49.23:443

AnyDesk.exe

152 B
3
78.46.49.23:80

AnyDesk.exe

152 B
3
92.223.88.232:443

boot-02.net.anydesk.com

AnyDesk.exe

152 B
3
92.223.88.232:80

boot-02.net.anydesk.com

AnyDesk.exe

152 B
3
85.25.103.30:443

AnyDesk.exe

152 B
3
85.25.103.30:80

AnyDesk.exe

152 B
3
185.229.190.236:443

boot-01.net.anydesk.com

AnyDesk.exe

152 B
3
185.229.190.236:80

boot-01.net.anydesk.com

tls

AnyDesk.exe

426 B
1.4kB
6
3
78.46.49.23:443

AnyDesk.exe

152 B
3
78.46.49.23:80

AnyDesk.exe

152 B
3
92.223.88.232:443

boot-02.net.anydesk.com

tls

AnyDesk.exe

480 B
1.5kB
7
4
92.223.88.232:80

boot-02.net.anydesk.com

AnyDesk.exe

152 B
3
85.25.103.30:443

AnyDesk.exe

152 B
3
85.25.103.30:80

AnyDesk.exe

152 B
3
185.229.190.236:443

boot-01.net.anydesk.com

AnyDesk.exe

152 B
3
185.229.190.236:80

boot-01.net.anydesk.com

tls

AnyDesk.exe

382 B
1.4kB
5
3
78.46.49.23:443

AnyDesk.exe

104 B
2
78.46.49.23:80

AnyDesk.exe

104 B
2

8.8.8.8:53

boot-01.net.anydesk.com

dns

AnyDesk.exe

69 B
85 B
1
1

DNS Request

boot-01.net.anydesk.com

DNS Response

185.229.190.236
8.8.8.8:53

boot-02.net.anydesk.com

dns

AnyDesk.exe

69 B
85 B
1
1

DNS Request

boot-02.net.anydesk.com

DNS Response

92.223.88.232

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
99546311266531aa8709e0b6cfdc4916

SHA1
ea03bbbeb5b0a11d074c94aca63311dc0282f353

SHA256
ccc93276acbb997c840984a7f09e666a9117c97263cefb89c0b766dd0d7f74a6

SHA512
53e17528975e1b136680958557c9a85f0ff28afbea21f36d2e6b04445e601b6ff38a96cab8cdb50b9c6ba9c42f5cd911e2a69c16cd2736d001049f3da7d22e98

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
4a36158c43bd8c1a4dcdb3cd7211fc80

SHA1
95a59801f536868b655ecd96f0b8a810e16bc101

SHA256
c7b84cd3c47154275dfb578e3c3a610eeec97d520b6d4dc236579d7327785e80

SHA512
712cddddc06c0dcba87b3443e34484d85bc2e6c0370671b1ba01b6819f29c97ab6b58dd80bb08920d627a2bd7dcd840ad7984d6465edf348868ecf39285da172

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
bbe3a570ff39e349f63b8bbee6f400df

SHA1
1156a18caa1c11e17c6a57e8ef59fbb9635d3521

SHA256
50181dead8d586b60861228036331c3b8dda455696513820cb0e1a4014c41251

SHA512
f75d15dd70fc07b11f202e4afd371dfed4e7b950ce9017066da1504dc5404b8027c62e112b95574344eac6daa09fead2072eab5822b49933933fc5cb45ec8076

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
113B

MD5
9bb75ba82f02b8fb721234ece8a168ab

SHA1
7a98f77f9e4d514e64699cf2783ea12c6a47921d

SHA256
6d9b0cf2f76d505109329565ca5fccbc86eeea41c48a8be07d55cafa1d981f8c

SHA512
78ee1364ab54f30c30fc0beb8a2e3854bdf8cc7cad32cf3fdba6b4a4df611128499003c80fcf8db4820af8bccc32992ba7435c5242951684c51c3184d78ed254

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
107B

MD5
f25e48e1d9e1e1398bc5fbc6885570b8

SHA1
46557c8ebb9236af6c28c9bdd317d1d25749e710

SHA256
0379e6a5dff30a991e0acdb9932cac828eb3e30ca8cc23447a2bc73ae78181db

SHA512
41e61480f5141b6950d7b96f3e4dfcca19bc480e0b11eeebdedaeb266c6e525f41f3d29a3c1c0bf8f17a3c30111d8fba7e269d5fcf84b336bee916e21881acb7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
132B

MD5
123c524682c9ff72ec7924efdb41b28c

SHA1
1e696d9f3e2bf149773186496c7ab9d5df35f9dd

SHA256
e67a68c5e7fa7d227a2fbdd50789472dbbf58471664b1d9b776a579de2757ff6

SHA512
676e5e2c4ff76b1942c1013a7ee9cd88b42424798e07c699c0cb534575bf4f6908366fe9c9a7e17d81e3f2209bf3fd7dd31463cdab5eea5d19475c10c00f696b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
2d9c450c66306ab65446699564cd0753

SHA1
5567d5d350e64bd51e7037a163eb6269f5cd137b

SHA256
b16a778db2b92629abb1d3dbb036fc0a2e09df7a7e738f1f16ff564e2a9be902

SHA512
30fcdf527f4dc7cf2bdd871b089853716be7e375c21c9d453b2b9cfd27a6a2672dfa5b185c6ff425b01958962efb6290eb43e838ba4c50dac1bccaf8b353b610

Download Submit
memory/1748-61-0x00000000013A0000-0x0000000001C0F000-memory.dmp

Filesize
8.4MB

Download
memory/1748-0-0x00000000013A0000-0x0000000001C0F000-memory.dmp

Filesize
8.4MB

Download
memory/1748-3-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1748-2-0x00000000013A0000-0x0000000001C0F000-memory.dmp

Filesize
8.4MB

Download
memory/2256-73-0x00000000013A0000-0x0000000001C0F000-memory.dmp

Filesize
8.4MB

Download
memory/2256-139-0x00000000013A0000-0x0000000001C0F000-memory.dmp

Filesize
8.4MB

Download
memory/2256-202-0x00000000013A0000-0x0000000001C0F000-memory.dmp

Filesize
8.4MB

Download
memory/2256-195-0x00000000013A0000-0x0000000001C0F000-memory.dmp

Filesize
8.4MB

Download
memory/2256-90-0x00000000013A0000-0x0000000001C0F000-memory.dmp

Filesize
8.4MB

Download
memory/2256-93-0x00000000013A0000-0x0000000001C0F000-memory.dmp

Filesize
8.4MB

Download
memory/2256-22-0x00000000013A0000-0x0000000001C0F000-memory.dmp

Filesize
8.4MB

Download
memory/2256-107-0x00000000013A0000-0x0000000001C0F000-memory.dmp

Filesize
8.4MB

Download
memory/2256-124-0x00000000013A0000-0x0000000001C0F000-memory.dmp

Filesize
8.4MB

Download
memory/2256-62-0x00000000013A0000-0x0000000001C0F000-memory.dmp

Filesize
8.4MB

Download
memory/2256-146-0x00000000013A0000-0x0000000001C0F000-memory.dmp

Filesize
8.4MB

Download
memory/2256-153-0x00000000013A0000-0x0000000001C0F000-memory.dmp

Filesize
8.4MB

Download
memory/2256-164-0x00000000013A0000-0x0000000001C0F000-memory.dmp

Filesize
8.4MB

Download
memory/2256-179-0x00000000013A0000-0x0000000001C0F000-memory.dmp

Filesize
8.4MB

Download
memory/2256-192-0x00000000013A0000-0x0000000001C0F000-memory.dmp

Filesize
8.4MB

Download
memory/2592-24-0x00000000013A0000-0x0000000001C0F000-memory.dmp

Filesize
8.4MB

Download
memory/2592-63-0x00000000013A0000-0x0000000001C0F000-memory.dmp

Filesize
8.4MB

Download