Analysis
  max time kernel: 149s
  max time network: 149s
  platform: windows10-2004_x64
  resource: win10v2004-20240419-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 29-04-2024 09:24
Behavioral tasks
  behavioral1  Sample: AA_v3.exe      Resource: win7-20240221-en
  behavioral2  Sample: AA_v3.exe      Resource: win10v2004-20240419-en
  behavioral3  Sample: AeroAdmin.exe  Resource: win7-20240221-en
  behavioral4  Sample: AeroAdmin.exe  Resource: win10v2004-20240419-en
  behavioral5  Sample: AnyDesk.exe    Resource: win7-20231129-en
  behavioral6  Sample: AnyDesk.exe    Resource: win10v2004-20240419-en
General
  Target: AnyDesk.exe
  Size: 2.0MB
  MD5: bec8a2806dc3260c1d5f1f3d5a0c4417
  SHA1: 36a061d79f4e3ad833ef8c5989b01c7b00eed06c
  SHA256: 6de889f1309e30e024bd5dfcd4cde7a97c4c3d61e5324a09f356811d9db998eb
  SHA512: 087f98334fc2ac7235f7978cd874c09fe3660a041c28a73d65529d365feacf932979e0f6b56ea33e22113ac11148982b8fc55eb713cebad90b74271c2f78b212
  SSDEEP: 49152:H8NCer0ajCVzFuGuPgobZO2qwa5r1LLX38Iug:ipr0ajCVzFG4B2qw0XsIh
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                    Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                       AnyDesk.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString   AnyDesk.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2028  AnyDesk.exe
  2028  AnyDesk.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid   Process
  2100  AnyDesk.exe
  2100  AnyDesk.exe
  2100  AnyDesk.exe
- Suspicious use of SendNotifyMessage (3 IoCs)
  pid   Process
  2100  AnyDesk.exe
  2100  AnyDesk.exe
  2100  AnyDesk.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                      pid  Process      procid_target
  PID 888 wrote to memory of 2028  888  AnyDesk.exe  87
  PID 888 wrote to memory of 2028  888  AnyDesk.exe  87
  PID 888 wrote to memory of 2028  888  AnyDesk.exe  87
  PID 888 wrote to memory of 2100  888  AnyDesk.exe  88
  PID 888 wrote to memory of 2100  888  AnyDesk.exe  88
  PID 888 wrote to memory of 2100  888  AnyDesk.exe  88
Processes
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
  PID: 888
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
    PID: 2028
    - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
    PID: 2100
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 6KB
  MD5: f2ce51e1336ac1601b6401f64a921d0c
  SHA1: b12ae6594d7b6709e1184bd5ff783ee8e36ee731
  SHA256: e7853c1f49e6055a53ffb23a8911156e42886583725ec21a527758669467a01d
  SHA512: c5cbde8303376591d31660ba55ff1f0bb0bb7cd9f1593729b8218cd886354143abd2dd0c95cd93d59778005c5f3ae973b8c5e7cf4419ccd38751ef2227ec1cd1
- Filesize: 2KB
  MD5: 3525644e44664333d61aff74d273c473
  SHA1: 55871bc3f2d3cfabf854770d83041e366072da84
  SHA256: 435ac4ac29038792ff60215103ec9fd496e27a016c2c64c35b4fa2aca60fef88
  SHA512: 946dd211f2261f275ca70354e429d376f811065c59e1774222bb32711f5d0617d1fd1078139c500f123418191c3451df05fc5545c5ba6db828ced17909ab953c
- Filesize: 109B
  MD5: 89abbc654de86f4044c6bb0d21010ec6
  SHA1: 85572691ad1f3a7464f01284a30ba0cef17af487
  SHA256: 8a454c46df86733acdcbcbbd04921e0290be576ae29e81e1ce7686044dd73eb1
  SHA512: 493a165e0d9d650d0dc05c0d1d6ec90a3726934099741f9a9382c34bda1f369087544ba7844eab42c7340889609ecd96dad765ca7087f49b31dfa6482fb6cf46
- Filesize: 105B
  MD5: c4d35c04d9e7c2bacc059f0efa3fdc15
  SHA1: cdf1bb251b679c2fd0d527ac977c0d5b1a24fa34
  SHA256: f67f1f397055ead25622db60f255a1901fe10903fbdc4dfe94b17a1bfe4fa16a
  SHA512: 853ff95caec4acbf54f14f1ab4a5665a4e01680b180d4e54180edabf67efebcc4c088322ead3eb5600a452e5e10d9444e19356307702b90900b67fada8e82a6c
- Filesize: 107B
  MD5: f25e48e1d9e1e1398bc5fbc6885570b8
  SHA1: 46557c8ebb9236af6c28c9bdd317d1d25749e710
  SHA256: 0379e6a5dff30a991e0acdb9932cac828eb3e30ca8cc23447a2bc73ae78181db
  SHA512: 41e61480f5141b6950d7b96f3e4dfcca19bc480e0b11eeebdedaeb266c6e525f41f3d29a3c1c0bf8f17a3c30111d8fba7e269d5fcf84b336bee916e21881acb7
- Filesize: 132B
  MD5: 123c524682c9ff72ec7924efdb41b28c
  SHA1: 1e696d9f3e2bf149773186496c7ab9d5df35f9dd
  SHA256: e67a68c5e7fa7d227a2fbdd50789472dbbf58471664b1d9b776a579de2757ff6
  SHA512: 676e5e2c4ff76b1942c1013a7ee9cd88b42424798e07c699c0cb534575bf4f6908366fe9c9a7e17d81e3f2209bf3fd7dd31463cdab5eea5d19475c10c00f696b
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms
  Filesize: 3KB
  MD5: e8ef4d56144554efdae70aa421dbb43f
  SHA1: 7003676142adc6d2942339e3f33aa6e72f54343e
  SHA256: d8de300ad70fd6f9f66777c43a4e50f429167369716abfdc47f106aaf3cc2aff
  SHA512: 08f48e61d34f2d036e1ac21bcd125609a7cd4283e5835cec2c129cecb91e72e6ba049b59220e6ee48e5d9fbf3637089b48d88a56394937016e967271f1392fd9
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms
  Filesize: 3KB
  MD5: 055abb8e8b271b1e007dc1b283860f8f
  SHA1: 917afaf04256a2c02c8639736ad41256983d1d4c
  SHA256: c7992c8e3eee8af07d302bf93f3d00c82cc7822de378f9fb7921cd45b0c15092
  SHA512: 97f6449763479a3a52813803bb299a52a934d6a906506e3f9496353460e5c5b26636210c586bccd9677bf22b078096c7f262893fb7ddce85362333b91390c7f7