privateloader | b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78

General

Target

AnyDesk.exe
Size

3.0MB
MD5

eb80f7bddb699784baa9fbf2941eaf4a
SHA1

df6abbfd20e731689f3c7d2a55f45ac83fbbc40b
SHA256

b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78
SHA512

3a1162e9fef849cb7143dc1898d4cfcfd87eb80ced0edb321dfa096686b25ae8a9a7f3ae8f37a09724d94f96d64e08940fc23c0b931ddd8a1e70e2792cb3fe47
SSDEEP

98304:6aJXyQTrRGlSMoIuORmKBQielvZlpkiSti:3olMcR9BTY3WS

Score

10^/10

privateloader loader

Malware Config

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
544	AnyDesk.exe
544	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4824	AnyDesk.exe
4824	AnyDesk.exe
4824	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4824	AnyDesk.exe
4824	AnyDesk.exe
4824	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3132 wrote to memory of 544	3132	AnyDesk.exe	79
PID 3132 wrote to memory of 544	3132	AnyDesk.exe	79
PID 3132 wrote to memory of 544	3132	AnyDesk.exe	79
PID 3132 wrote to memory of 4824	3132	AnyDesk.exe	80
PID 3132 wrote to memory of 4824	3132	AnyDesk.exe	80
PID 3132 wrote to memory of 4824	3132	AnyDesk.exe	80

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3132
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:544
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
15KB

MD5
c4e2121430c9e8fe3cbe1a159d6ab373

SHA1
a1b6c9bc0545afd6e2cd1380c49fdd05816fdd18

SHA256
40d88bfe3e06724f5a222e45dd790ae70db84f06c155497274469963e25828d5

SHA512
f7dbfce00f35a4d81ebefc89e971036bccf20f660f93ac5c5009a704a832e2f06efaedf0d8b13c8418c4532b2083e2ed6846fd7949ca7ff07335a883c09a3a6e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
bf3261e81d8bdf5bc16d65bbc4749289

SHA1
a34f3042d8bcc62a8e274226e742f3726dab1e0b

SHA256
806b4298843d7b7f0d9e4aa0acf0f352a279e22536395d283060f8ea8d4b8c8e

SHA512
bd231836e468ab0449bafda29c3d305750ed312f6b7665648e3abde36f784f10a4a5d3df192675e9e91d93506bc01a53c932bd49e48827a9365d282c9a9f11bf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
9161000a40f7921c1a32841da74c3866

SHA1
17b056a331823b6244ffcef429c56c2ce6a087e6

SHA256
af720b2a32188f3c67abad0872045c844a100146525db24b63b5e310fd6af827

SHA512
bad4d0c1c47c75a18298ed3e980010c56080abb88ad064c6c93ee16127a5a0103c919c09747d34337c13904683f641ed2810fc1bd0d13dfea4d6c7d701bec285

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
329B

MD5
e41ee98f25e693d348838c9e8712c1cb

SHA1
a90f34bc20c998ef3b883bafbbc4168ebbe0bdca

SHA256
3d9c6b1653299c42b983edee32bebfbd4348c7e60ab080f72600ea29174428fb

SHA512
ea8c8366ab0b1902b7cf76ce95482ab6957f3f98966e41c18ff4f1cd2dba894038c7ce78c9133fc5679de99093d386608c5741c4e499798082d47e469c45b04b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
205B

MD5
8de8fc89da2be4215e5dfa0c997e77f0

SHA1
3557df07a7d459c6506763eb69130a7e7049d6c1

SHA256
dabab62439eb2686b581086c360eebd27a4d30d65b61983b37c48eac92a9e32f

SHA512
55c5405a668808004841a416ee88ed9f83950d648fc5a2cbd82fa131e28ac7f15ef26878f732db5d940de6988cade4799aca0de25f49e857a0a74270317784a8

Download Submit
memory/544-69-0x00000000000E0000-0x0000000000CF2000-memory.dmp

Filesize
12.1MB

Download
memory/544-59-0x00000000000E0000-0x0000000000CF2000-memory.dmp

Filesize
12.1MB

Download
memory/544-40-0x00000000000E0000-0x0000000000CF2000-memory.dmp

Filesize
12.1MB

Download
memory/544-19-0x00000000000E0000-0x0000000000CF2000-memory.dmp

Filesize
12.1MB

Download
memory/3132-16-0x00000000000E0000-0x0000000000CF2000-memory.dmp

Filesize
12.1MB

Download
memory/3132-18-0x00000000000E0000-0x0000000000CF2000-memory.dmp

Filesize
12.1MB

Download
memory/3132-17-0x00000000000E0000-0x0000000000CF2000-memory.dmp

Filesize
12.1MB

Download
memory/3132-0-0x00000000000E0000-0x0000000000CF2000-memory.dmp

Filesize
12.1MB

Download
memory/3132-4-0x00000000000E0000-0x0000000000CF2000-memory.dmp

Filesize
12.1MB

Download
memory/3132-58-0x00000000000E0000-0x0000000000CF2000-memory.dmp

Filesize
12.1MB

Download
memory/3132-64-0x00000000000E4000-0x00000000009F3000-memory.dmp

Filesize
9.1MB

Download
memory/3132-2-0x00000000000E4000-0x00000000009F3000-memory.dmp

Filesize
9.1MB

Download
memory/4824-21-0x00000000000E0000-0x0000000000CF2000-memory.dmp

Filesize
12.1MB

Download
memory/4824-60-0x00000000000E0000-0x0000000000CF2000-memory.dmp

Filesize
12.1MB

Download

Analysis

Sharing