27e9254ee7fb8ad0a65e299e42b60d81166f3b956c817d0148b0b9ee2b2d3c89

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29-04-2024 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

2.0MB
MD5

bec8a2806dc3260c1d5f1f3d5a0c4417
SHA1

36a061d79f4e3ad833ef8c5989b01c7b00eed06c
SHA256

6de889f1309e30e024bd5dfcd4cde7a97c4c3d61e5324a09f356811d9db998eb
SHA512

087f98334fc2ac7235f7978cd874c09fe3660a041c28a73d65529d365feacf932979e0f6b56ea33e22113ac11148982b8fc55eb713cebad90b74271c2f78b212
SSDEEP

49152:H8NCer0ajCVzFuGuPgobZO2qwa5r1LLX38Iug:ipr0ajCVzFG4B2qw0XsIh

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk.exe

pid process

2028 AnyDesk.exe
2028 AnyDesk.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid process

2100 AnyDesk.exe
2100 AnyDesk.exe
2100 AnyDesk.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid process

2100 AnyDesk.exe
2100 AnyDesk.exe
2100 AnyDesk.exe

pid	process
2028	AnyDesk.exe
2028	AnyDesk.exe

pid	process
2100	AnyDesk.exe
2100	AnyDesk.exe
2100	AnyDesk.exe

pid	process
2100	AnyDesk.exe
2100	AnyDesk.exe
2100	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AnyDesk.exe

description	pid	process	target process
PID 888 wrote to memory of 2028	888	AnyDesk.exe	AnyDesk.exe
PID 888 wrote to memory of 2028	888	AnyDesk.exe	AnyDesk.exe
PID 888 wrote to memory of 2028	888	AnyDesk.exe	AnyDesk.exe
PID 888 wrote to memory of 2100	888	AnyDesk.exe	AnyDesk.exe
PID 888 wrote to memory of 2100	888	AnyDesk.exe	AnyDesk.exe
PID 888 wrote to memory of 2100	888	AnyDesk.exe	AnyDesk.exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:888

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2028

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
f2ce51e1336ac1601b6401f64a921d0c

SHA1
b12ae6594d7b6709e1184bd5ff783ee8e36ee731

SHA256
e7853c1f49e6055a53ffb23a8911156e42886583725ec21a527758669467a01d

SHA512
c5cbde8303376591d31660ba55ff1f0bb0bb7cd9f1593729b8218cd886354143abd2dd0c95cd93d59778005c5f3ae973b8c5e7cf4419ccd38751ef2227ec1cd1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
3525644e44664333d61aff74d273c473

SHA1
55871bc3f2d3cfabf854770d83041e366072da84

SHA256
435ac4ac29038792ff60215103ec9fd496e27a016c2c64c35b4fa2aca60fef88

SHA512
946dd211f2261f275ca70354e429d376f811065c59e1774222bb32711f5d0617d1fd1078139c500f123418191c3451df05fc5545c5ba6db828ced17909ab953c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
109B

MD5
89abbc654de86f4044c6bb0d21010ec6

SHA1
85572691ad1f3a7464f01284a30ba0cef17af487

SHA256
8a454c46df86733acdcbcbbd04921e0290be576ae29e81e1ce7686044dd73eb1

SHA512
493a165e0d9d650d0dc05c0d1d6ec90a3726934099741f9a9382c34bda1f369087544ba7844eab42c7340889609ecd96dad765ca7087f49b31dfa6482fb6cf46

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
c4d35c04d9e7c2bacc059f0efa3fdc15

SHA1
cdf1bb251b679c2fd0d527ac977c0d5b1a24fa34

SHA256
f67f1f397055ead25622db60f255a1901fe10903fbdc4dfe94b17a1bfe4fa16a

SHA512
853ff95caec4acbf54f14f1ab4a5665a4e01680b180d4e54180edabf67efebcc4c088322ead3eb5600a452e5e10d9444e19356307702b90900b67fada8e82a6c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
107B

MD5
f25e48e1d9e1e1398bc5fbc6885570b8

SHA1
46557c8ebb9236af6c28c9bdd317d1d25749e710

SHA256
0379e6a5dff30a991e0acdb9932cac828eb3e30ca8cc23447a2bc73ae78181db

SHA512
41e61480f5141b6950d7b96f3e4dfcca19bc480e0b11eeebdedaeb266c6e525f41f3d29a3c1c0bf8f17a3c30111d8fba7e269d5fcf84b336bee916e21881acb7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
132B

MD5
123c524682c9ff72ec7924efdb41b28c

SHA1
1e696d9f3e2bf149773186496c7ab9d5df35f9dd

SHA256
e67a68c5e7fa7d227a2fbdd50789472dbbf58471664b1d9b776a579de2757ff6

SHA512
676e5e2c4ff76b1942c1013a7ee9cd88b42424798e07c699c0cb534575bf4f6908366fe9c9a7e17d81e3f2209bf3fd7dd31463cdab5eea5d19475c10c00f696b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
e8ef4d56144554efdae70aa421dbb43f

SHA1
7003676142adc6d2942339e3f33aa6e72f54343e

SHA256
d8de300ad70fd6f9f66777c43a4e50f429167369716abfdc47f106aaf3cc2aff

SHA512
08f48e61d34f2d036e1ac21bcd125609a7cd4283e5835cec2c129cecb91e72e6ba049b59220e6ee48e5d9fbf3637089b48d88a56394937016e967271f1392fd9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
055abb8e8b271b1e007dc1b283860f8f

SHA1
917afaf04256a2c02c8639736ad41256983d1d4c

SHA256
c7992c8e3eee8af07d302bf93f3d00c82cc7822de378f9fb7921cd45b0c15092

SHA512
97f6449763479a3a52813803bb299a52a934d6a906506e3f9496353460e5c5b26636210c586bccd9677bf22b078096c7f262893fb7ddce85362333b91390c7f7

Download Submit
memory/888-25-0x0000000003BE0000-0x0000000003BE1000-memory.dmp

Filesize
4KB

Download
memory/888-3-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/888-20-0x0000000003C00000-0x0000000003C01000-memory.dmp

Filesize
4KB

Download
memory/888-19-0x0000000003BF0000-0x0000000003BF1000-memory.dmp

Filesize
4KB

Download
memory/888-18-0x0000000003BD0000-0x0000000003BD1000-memory.dmp

Filesize
4KB

Download
memory/888-17-0x0000000003AA0000-0x0000000003AA1000-memory.dmp

Filesize
4KB

Download
memory/888-16-0x0000000003A80000-0x0000000003A81000-memory.dmp

Filesize
4KB

Download
memory/888-15-0x0000000003A60000-0x0000000003A61000-memory.dmp

Filesize
4KB

Download
memory/888-27-0x0000000003C20000-0x0000000003C21000-memory.dmp

Filesize
4KB

Download
memory/888-26-0x0000000003C10000-0x0000000003C11000-memory.dmp

Filesize
4KB

Download
memory/888-45-0x00000000061E0000-0x00000000061E1000-memory.dmp

Filesize
4KB

Download
memory/888-31-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/888-30-0x00000000052C0000-0x00000000052C1000-memory.dmp

Filesize
4KB

Download
memory/888-28-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/888-29-0x00000000052A0000-0x00000000052A1000-memory.dmp

Filesize
4KB

Download
memory/888-33-0x0000000006100000-0x0000000006101000-memory.dmp

Filesize
4KB

Download
memory/888-39-0x0000000006150000-0x0000000006151000-memory.dmp

Filesize
4KB

Download
memory/888-38-0x00000000061A0000-0x00000000061A1000-memory.dmp

Filesize
4KB

Download
memory/888-37-0x0000000006140000-0x0000000006141000-memory.dmp

Filesize
4KB

Download
memory/888-36-0x0000000006130000-0x0000000006131000-memory.dmp

Filesize
4KB

Download
memory/888-35-0x0000000006120000-0x0000000006121000-memory.dmp

Filesize
4KB

Download
memory/888-34-0x0000000006110000-0x0000000006111000-memory.dmp

Filesize
4KB

Download
memory/888-32-0x00000000056A0000-0x00000000056A1000-memory.dmp

Filesize
4KB

Download
memory/888-54-0x0000000006180000-0x0000000006181000-memory.dmp

Filesize
4KB

Download
memory/888-53-0x0000000006170000-0x0000000006171000-memory.dmp

Filesize
4KB

Download
memory/888-52-0x0000000006160000-0x0000000006161000-memory.dmp

Filesize
4KB

Download
memory/888-51-0x0000000006270000-0x0000000006271000-memory.dmp

Filesize
4KB

Download
memory/888-50-0x0000000006260000-0x0000000006261000-memory.dmp

Filesize
4KB

Download
memory/888-49-0x0000000006250000-0x0000000006251000-memory.dmp

Filesize
4KB

Download
memory/888-48-0x0000000006220000-0x0000000006221000-memory.dmp

Filesize
4KB

Download
memory/888-47-0x0000000006200000-0x0000000006201000-memory.dmp

Filesize
4KB

Download
memory/888-46-0x00000000061F0000-0x00000000061F1000-memory.dmp

Filesize
4KB

Download
memory/888-2-0x0000000000BF0000-0x000000000145F000-memory.dmp

Filesize
8.4MB

Download
memory/888-44-0x00000000061D0000-0x00000000061D1000-memory.dmp

Filesize
4KB

Download
memory/888-43-0x00000000061C0000-0x00000000061C1000-memory.dmp

Filesize
4KB

Download
memory/888-42-0x00000000061B0000-0x00000000061B1000-memory.dmp

Filesize
4KB

Download
memory/888-41-0x0000000000BF0000-0x000000000145F000-memory.dmp

Filesize
8.4MB

Download
memory/888-22-0x0000000003C40000-0x0000000003C41000-memory.dmp

Filesize
4KB

Download
memory/888-23-0x0000000003C50000-0x0000000003C51000-memory.dmp

Filesize
4KB

Download
memory/888-0-0x0000000000BF0000-0x000000000145F000-memory.dmp

Filesize
8.4MB

Download
memory/888-88-0x0000000000BF0000-0x000000000145F000-memory.dmp

Filesize
8.4MB

Download
memory/888-21-0x0000000003C30000-0x0000000003C31000-memory.dmp

Filesize
4KB

Download
memory/888-24-0x0000000003C60000-0x0000000003C61000-memory.dmp

Filesize
4KB

Download
memory/888-14-0x0000000003A50000-0x0000000003A51000-memory.dmp

Filesize
4KB

Download
memory/888-13-0x0000000003A40000-0x0000000003A41000-memory.dmp

Filesize
4KB

Download
memory/2028-116-0x0000000000BF0000-0x000000000145F000-memory.dmp

Filesize
8.4MB

Download
memory/2028-98-0x0000000000BF0000-0x000000000145F000-memory.dmp

Filesize
8.4MB

Download
memory/2028-128-0x0000000000BF0000-0x000000000145F000-memory.dmp

Filesize
8.4MB

Download
memory/2028-89-0x0000000000BF0000-0x000000000145F000-memory.dmp

Filesize
8.4MB

Download
memory/2028-95-0x0000000000BF0000-0x000000000145F000-memory.dmp

Filesize
8.4MB

Download
memory/2028-92-0x0000000000BF0000-0x000000000145F000-memory.dmp

Filesize
8.4MB

Download
memory/2028-104-0x0000000000BF0000-0x000000000145F000-memory.dmp

Filesize
8.4MB

Download
memory/2028-134-0x0000000000BF0000-0x000000000145F000-memory.dmp

Filesize
8.4MB

Download
memory/2028-131-0x0000000000BF0000-0x000000000145F000-memory.dmp

Filesize
8.4MB

Download
memory/2028-65-0x0000000000BF0000-0x000000000145F000-memory.dmp

Filesize
8.4MB

Download
memory/2028-113-0x0000000000BF0000-0x000000000145F000-memory.dmp

Filesize
8.4MB

Download
memory/2028-108-0x0000000000BF0000-0x000000000145F000-memory.dmp

Filesize
8.4MB

Download
memory/2028-67-0x0000000000BF0000-0x000000000145F000-memory.dmp

Filesize
8.4MB

Download
memory/2028-119-0x0000000000BF0000-0x000000000145F000-memory.dmp

Filesize
8.4MB

Download
memory/2028-122-0x0000000000BF0000-0x000000000145F000-memory.dmp

Filesize
8.4MB

Download
memory/2028-125-0x0000000000BF0000-0x000000000145F000-memory.dmp

Filesize
8.4MB

Download
memory/2100-70-0x0000000000BF0000-0x000000000145F000-memory.dmp

Filesize
8.4MB

Download
memory/2100-68-0x0000000000BF0000-0x000000000145F000-memory.dmp

Filesize
8.4MB

Download
memory/2100-90-0x0000000000BF0000-0x000000000145F000-memory.dmp

Filesize
8.4MB

Download