1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Analysis

max time kernel
69s
max time network
68s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29/04/2024, 09:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

7^/10

Malware Config

Signatures

Unexpected DNS network traffic destination 2 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	9.9.9.9
Destination IP	9.9.9.9

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3668	AnyDesk.exe
3668	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2668	AnyDesk.exe
2668	AnyDesk.exe
2668	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2668	AnyDesk.exe
2668	AnyDesk.exe
2668	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3720 wrote to memory of 3668	3720	AnyDesk.exe	86
PID 3720 wrote to memory of 3668	3720	AnyDesk.exe	86
PID 3720 wrote to memory of 3668	3720	AnyDesk.exe	86
PID 3720 wrote to memory of 2668	3720	AnyDesk.exe	87
PID 3720 wrote to memory of 2668	3720	AnyDesk.exe	87
PID 3720 wrote to memory of 2668	3720	AnyDesk.exe	87

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3668
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
bf77ff4a7eecf92310a6063c12b651dc

SHA1
a0f2feffd519217ad81def8f1214f1c7525cbaad

SHA256
74b0f4c0498daf24969fb5971bf8eb5fd0f483c17a44b3472fcec5b4bfec3181

SHA512
cd0aaf0261746b78d4c41a64fc9b4378ff65b677d2cf9ba77ea2f63776f96c1f2a2cc3194554bb59d4b88a92e677d38f17416084afb7dacee6fca118c4106cf5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
0b043f8139d633a67435b96f46f85891

SHA1
c10570c5b2ed47423e5a2459fc4e1e83ea07f44c

SHA256
e2873f970969699e0675b1a8f35ee71a963f9614884f913aa208d20f4e54314d

SHA512
0dae2e090c3cdb5f1f014534c51a982490aa7e29e3c4eeba29fb04ebea04c900b6c14cc4ef1e38ab9c6ade98d5ba72893bd45995ed9d7b9dc486f5daafa4098e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
516c7cbc7ae86ae94949374e32a74635

SHA1
c63056c458a150f3dab887dea2e8d8568562edba

SHA256
799f42eacf7ab049016413b2b5a4a3aa130ac2ef9da44e31620c4a3ec5a0d9ec

SHA512
8e967c03b5a9daa0b5cf7cc950baf90e611e0f461fbb443bab4f2e7020c56d203b39356f35b98181b4021f1bfdf863e066663023245439e1963a5f3ffd157b26

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
bbacad1f70e7855f45d9075a43f4f7d2

SHA1
927cf49fb9ff727b1f97144928d19a279941d9a2

SHA256
f2c3ac0f6b2ddfd76f489b9371ce4c1a933a485a6a0f3fbaf1dda9ea87785957

SHA512
98157fc456446fec3f3e8bafdb4db3372e328100c6d6e88c4137ebfff8a9b4625156acef92198007a61ac4b37288be5c3370c99f6041f11eee14890be6d2bdf7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
a3b42c4aca6fd53f97d0628ca4df3d1b

SHA1
7774ae200497c6fd6cb01fed534d094862da7215

SHA256
1ab0417d4bc683ad9434aac9a66fee36defbd25e9a32615b29f0798292ec91a5

SHA512
5b9e75757dde03d8e0f5546e6d75e3ad4143a42a4acc9f26d9fa66c556d550f0c0d6dfc5fe524aa396c936d3840c8d279ae2d3d1cc1d1ba51c478983c4b1a4c8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
d764289265e5e63974294c07c74e0a85

SHA1
dfce76fcb51545797a8fdc2554407d050d4831a8

SHA256
173bd720c18bd32c08d512f2a599abfd4c5de6545dad85938ec2059819dfd64f

SHA512
72fc84ad0a100b2a230bff3e9f3423129518ed349cab84f6d44b5fc4cc5d4b520e32d31fda56ce324cc786bce1d2a21440b07f2d6086a18620974ad5af928e31

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
2197295772057610a71109fe71610aab

SHA1
e1c22cc2c06b54251dca7f4e50901d362caa8d16

SHA256
28b9ee06b8f2ca50422dfc86461eea422743e9234f7b545505f251786086af4f

SHA512
47b120aa5d632245b61705e25bdc5aa4ca0f7dedc7b90800ea704ca1a87344f0f3f634882644b887bf98998537c7dbeb945443e572a0b5718d70291055b4e8de

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
edf651df56c22f5dfef7b9d3e777597a

SHA1
fcc56afa19706d68d629435868a006c7d339e752

SHA256
b7bdfdf0fa293b40efb74c3ca872b72b511c9d0609e260b24cd7aa66c944d207

SHA512
56c8395f4ee9a702a433647463e88042665bae527f30f1d0670cc72810c347a310c230b4b8fbfe92c6c15a0c3eeb7c083f564c6a4629038e74e7e2b74b3768b9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e1173fea1e3ecdbaec9311c5afefb054

SHA1
2823907151918cc9042490b66733164eba62a158

SHA256
6bd2c166b85a32c34a74a0149fdeedcffd1ecb6a33de5c0ba92d8d7def4f74c8

SHA512
d12c456be79a2d7fc1064743880bad6580afb88f3a8a001f76e06dfe2cb860b39668e779ba17dc1804e97c71ea9628a22c92adee763a8d3d8f4def58ef04c6a5

Download Submit
memory/2668-12-0x0000000000A30000-0x0000000002179000-memory.dmp

Filesize
23.3MB

Download
memory/2668-77-0x0000000000A30000-0x0000000002179000-memory.dmp

Filesize
23.3MB

Download
memory/3668-89-0x0000000000A30000-0x0000000002179000-memory.dmp

Filesize
23.3MB

Download
memory/3668-76-0x0000000000A30000-0x0000000002179000-memory.dmp

Filesize
23.3MB

Download
memory/3668-15-0x0000000000A30000-0x0000000002179000-memory.dmp

Filesize
23.3MB

Download
memory/3668-83-0x0000000000A30000-0x0000000002179000-memory.dmp

Filesize
23.3MB

Download
memory/3668-87-0x0000000000A30000-0x0000000002179000-memory.dmp

Filesize
23.3MB

Download
memory/3668-124-0x0000000000A30000-0x0000000002179000-memory.dmp

Filesize
23.3MB

Download
memory/3668-135-0x0000000000A30000-0x0000000002179000-memory.dmp

Filesize
23.3MB

Download
memory/3668-153-0x0000000000A30000-0x0000000002179000-memory.dmp

Filesize
23.3MB

Download
memory/3720-75-0x0000000000A30000-0x0000000002179000-memory.dmp

Filesize
23.3MB

Download
memory/3720-4-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/3720-2-0x0000000000A30000-0x0000000002179000-memory.dmp

Filesize
23.3MB

Download
memory/3720-0-0x0000000000A30000-0x0000000002179000-memory.dmp

Filesize
23.3MB

Download
memory/3720-105-0x0000000000A30000-0x0000000002179000-memory.dmp

Filesize
23.3MB

Download