privateloader | b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78

Resubmissions

03/05/2024, 10:21

240503-md6twaed45 10

03/05/2024, 10:18

240503-mb2r5sec74 10

Analysis

max time kernel
1793s
max time network
1798s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
03/05/2024, 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

3.0MB
MD5

eb80f7bddb699784baa9fbf2941eaf4a
SHA1

df6abbfd20e731689f3c7d2a55f45ac83fbbc40b
SHA256

b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78
SHA512

3a1162e9fef849cb7143dc1898d4cfcfd87eb80ced0edb321dfa096686b25ae8a9a7f3ae8f37a09724d94f96d64e08940fc23c0b931ddd8a1e70e2792cb3fe47
SSDEEP

98304:6aJXyQTrRGlSMoIuORmKBQielvZlpkiSti:3olMcR9BTY3WS

Score

10^/10

privateloader loader

Malware Config

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4568	AnyDesk.exe
4568	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3980	AnyDesk.exe
3980	AnyDesk.exe
3980	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3980	AnyDesk.exe
3980	AnyDesk.exe
3980	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4732 wrote to memory of 4568	4732	AnyDesk.exe	84
PID 4732 wrote to memory of 4568	4732	AnyDesk.exe	84
PID 4732 wrote to memory of 4568	4732	AnyDesk.exe	84
PID 4732 wrote to memory of 3980	4732	AnyDesk.exe	85
PID 4732 wrote to memory of 3980	4732	AnyDesk.exe	85
PID 4732 wrote to memory of 3980	4732	AnyDesk.exe	85

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4568
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
1a8f6828eab8b8e24bc25b44b7a5df74

SHA1
62c9da73d2f4a3cf3daea809fe81a80c070939c4

SHA256
5eef757cce5922a9b5e41f826c910231ffbd29c1db95b77fe0086fc63ad4afb9

SHA512
1435003f108aa05593339348445932f2ae43b0b4ce9eace4636956f66b76de0f46bea93bb1ad50c5ca9b86586c13712f8cdc06ee46b7703fea2cf421a732c82b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
65943ec07824237f3947f9c825d04806

SHA1
e50636671c6cbd144fab5330a2fabd4fe17a69f8

SHA256
f972c41506fc6295965e3676cfd927771dea6ae46b8ece5059b4200c659870b4

SHA512
8c6fa266e919159ab6064c882917498c444f020e8c64ff7ca4c94966a087510348660fb497504d7905751ef9dccea272c16f0cdf7d7b80cfef0a9fe476fff799

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
a32f44329b55e93fce5262c37574ed9a

SHA1
322cdc3ce59eb687a3a37eb4af208541ad0ecfa0

SHA256
f9af06b91847d4cb86d53b12e08b28f7719cdbc76a7c65cba6c8c22260718f7f

SHA512
561ddb1a223e0efa1e3e47e71781bb03293d959b6e1612ee04ab6932472d2d61839f9bc8febef819a73c0e7598eadaa6afa851e1356be99c499a89a7ec5bb6c1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
330B

MD5
638f568f93d51c8a16e8e9c55f0cd5bb

SHA1
98759f58bae675af49dd0e101c9c2a8c9fa72549

SHA256
6656be9a11febbfe8814b0554b9c429b676441ed091cc70346c7b14bb14ab1ee

SHA512
44a4c8df2d25a289cb4c033c5920b87dccfa1a21c3a22f2df33e90eff2223db13926c8669a7d99f9b9da58e6bab39d94ae1d09b1721cb44dd806a8ceca80ece2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
107B

MD5
f25e48e1d9e1e1398bc5fbc6885570b8

SHA1
46557c8ebb9236af6c28c9bdd317d1d25749e710

SHA256
0379e6a5dff30a991e0acdb9932cac828eb3e30ca8cc23447a2bc73ae78181db

SHA512
41e61480f5141b6950d7b96f3e4dfcca19bc480e0b11eeebdedaeb266c6e525f41f3d29a3c1c0bf8f17a3c30111d8fba7e269d5fcf84b336bee916e21881acb7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
205B

MD5
59352c2b0c590c5fd96365d3168d723b

SHA1
53ab571639cc3e3a38032c1095985f7f4278d8fc

SHA256
079db0d18cb8ca55e8653f3d67608c5e445d32e368feb874ed3fa1d797c7c286

SHA512
2d21bcd26ef934095ca5b37aa1e66091547870f5e09c2d203dfd75923d2575f93f1a42f31e4fb7b2423b766984464ed65b048f49519837918de246a892c82828

Download Submit
memory/3980-19-0x0000000000930000-0x0000000001542000-memory.dmp

Filesize
12.1MB

Download
memory/3980-41-0x0000000000930000-0x0000000001542000-memory.dmp

Filesize
12.1MB

Download
memory/4568-43-0x0000000000930000-0x0000000001542000-memory.dmp

Filesize
12.1MB

Download
memory/4568-20-0x0000000000930000-0x0000000001542000-memory.dmp

Filesize
12.1MB

Download
memory/4568-73-0x0000000000930000-0x0000000001542000-memory.dmp

Filesize
12.1MB

Download
memory/4568-70-0x0000000000930000-0x0000000001542000-memory.dmp

Filesize
12.1MB

Download
memory/4568-67-0x0000000000930000-0x0000000001542000-memory.dmp

Filesize
12.1MB

Download
memory/4568-40-0x0000000000930000-0x0000000001542000-memory.dmp

Filesize
12.1MB

Download
memory/4568-63-0x0000000000930000-0x0000000001542000-memory.dmp

Filesize
12.1MB

Download
memory/4732-0-0x0000000000930000-0x0000000001542000-memory.dmp

Filesize
12.1MB

Download
memory/4732-2-0x0000000000934000-0x0000000001243000-memory.dmp

Filesize
9.1MB

Download
memory/4732-4-0x0000000000930000-0x0000000001542000-memory.dmp

Filesize
12.1MB

Download
memory/4732-62-0x0000000000930000-0x0000000001542000-memory.dmp

Filesize
12.1MB

Download
memory/4732-65-0x0000000000934000-0x0000000001243000-memory.dmp

Filesize
9.1MB

Download
memory/4732-16-0x0000000000930000-0x0000000001542000-memory.dmp

Filesize
12.1MB

Download
memory/4732-17-0x0000000000930000-0x0000000001542000-memory.dmp

Filesize
12.1MB

Download
memory/4732-18-0x0000000000930000-0x0000000001542000-memory.dmp

Filesize
12.1MB

Download