hxxps://anydesk[.]help

Resubmissions

08/05/2024, 09:08

240508-k3wdbsch6y 7

08/05/2024, 09:06

240508-k28l9sfd92 4

Analysis

max time kernel
34s
max time network
22s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
08/05/2024, 09:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://anydesk.help

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133596328330811043"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3776	chrome.exe
3776	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeCreatePagefilePrivilege	3776	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe
3776	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3776 wrote to memory of 3472	3776	chrome.exe	79
PID 3776 wrote to memory of 3472	3776	chrome.exe	79
PID 3776 wrote to memory of 3296	3776	chrome.exe	80
PID 3776 wrote to memory of 3296	3776	chrome.exe	80
PID 3776 wrote to memory of 3296	3776	chrome.exe	80
PID 3776 wrote to memory of 3296	3776	chrome.exe	80
PID 3776 wrote to memory of 3296	3776	chrome.exe	80
PID 3776 wrote to memory of 3296	3776	chrome.exe	80
PID 3776 wrote to memory of 3296	3776	chrome.exe	80
PID 3776 wrote to memory of 3296	3776	chrome.exe	80
PID 3776 wrote to memory of 3296	3776	chrome.exe	80
PID 3776 wrote to memory of 3296	3776	chrome.exe	80
PID 3776 wrote to memory of 3296	3776	chrome.exe	80
PID 3776 wrote to memory of 3296	3776	chrome.exe	80
PID 3776 wrote to memory of 3296	3776	chrome.exe	80
PID 3776 wrote to memory of 3296	3776	chrome.exe	80
PID 3776 wrote to memory of 3296	3776	chrome.exe	80
PID 3776 wrote to memory of 3296	3776	chrome.exe	80
PID 3776 wrote to memory of 3296	3776	chrome.exe	80
PID 3776 wrote to memory of 3296	3776	chrome.exe	80
PID 3776 wrote to memory of 3296	3776	chrome.exe	80
PID 3776 wrote to memory of 3296	3776	chrome.exe	80
PID 3776 wrote to memory of 3296	3776	chrome.exe	80
PID 3776 wrote to memory of 3296	3776	chrome.exe	80
PID 3776 wrote to memory of 3296	3776	chrome.exe	80
PID 3776 wrote to memory of 3296	3776	chrome.exe	80
PID 3776 wrote to memory of 3296	3776	chrome.exe	80
PID 3776 wrote to memory of 3296	3776	chrome.exe	80
PID 3776 wrote to memory of 3296	3776	chrome.exe	80
PID 3776 wrote to memory of 3296	3776	chrome.exe	80
PID 3776 wrote to memory of 3296	3776	chrome.exe	80
PID 3776 wrote to memory of 3296	3776	chrome.exe	80
PID 3776 wrote to memory of 4024	3776	chrome.exe	81
PID 3776 wrote to memory of 4024	3776	chrome.exe	81
PID 3776 wrote to memory of 2072	3776	chrome.exe	82
PID 3776 wrote to memory of 2072	3776	chrome.exe	82
PID 3776 wrote to memory of 2072	3776	chrome.exe	82
PID 3776 wrote to memory of 2072	3776	chrome.exe	82
PID 3776 wrote to memory of 2072	3776	chrome.exe	82
PID 3776 wrote to memory of 2072	3776	chrome.exe	82
PID 3776 wrote to memory of 2072	3776	chrome.exe	82
PID 3776 wrote to memory of 2072	3776	chrome.exe	82
PID 3776 wrote to memory of 2072	3776	chrome.exe	82
PID 3776 wrote to memory of 2072	3776	chrome.exe	82
PID 3776 wrote to memory of 2072	3776	chrome.exe	82
PID 3776 wrote to memory of 2072	3776	chrome.exe	82
PID 3776 wrote to memory of 2072	3776	chrome.exe	82
PID 3776 wrote to memory of 2072	3776	chrome.exe	82
PID 3776 wrote to memory of 2072	3776	chrome.exe	82
PID 3776 wrote to memory of 2072	3776	chrome.exe	82
PID 3776 wrote to memory of 2072	3776	chrome.exe	82
PID 3776 wrote to memory of 2072	3776	chrome.exe	82
PID 3776 wrote to memory of 2072	3776	chrome.exe	82
PID 3776 wrote to memory of 2072	3776	chrome.exe	82
PID 3776 wrote to memory of 2072	3776	chrome.exe	82
PID 3776 wrote to memory of 2072	3776	chrome.exe	82
PID 3776 wrote to memory of 2072	3776	chrome.exe	82
PID 3776 wrote to memory of 2072	3776	chrome.exe	82
PID 3776 wrote to memory of 2072	3776	chrome.exe	82
PID 3776 wrote to memory of 2072	3776	chrome.exe	82
PID 3776 wrote to memory of 2072	3776	chrome.exe	82
PID 3776 wrote to memory of 2072	3776	chrome.exe	82
PID 3776 wrote to memory of 2072	3776	chrome.exe	82
PID 3776 wrote to memory of 2072	3776	chrome.exe	82

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://anydesk.help
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff2328cc40,0x7fff2328cc4c,0x7fff2328cc58
  2⤵
  PID:3472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1812,i,2791423715199975892,4507781712877742486,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1748 /prefetch:2
  2⤵
  PID:3296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2036,i,2791423715199975892,4507781712877742486,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2092 /prefetch:3
  2⤵
  PID:4024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2164,i,2791423715199975892,4507781712877742486,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2300 /prefetch:8
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,2791423715199975892,4507781712877742486,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3096 /prefetch:1
  2⤵
  PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3104,i,2791423715199975892,4507781712877742486,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4548,i,2791423715199975892,4507781712877742486,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4556 /prefetch:8
  2⤵
  PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4540,i,2791423715199975892,4507781712877742486,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4244 /prefetch:1
  2⤵
  PID:4524

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:4472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
aa94343f54735e7e5acc227696719b5a

SHA1
bc0e0197ba8990d05f10281b25108495c7699aa3

SHA256
8050eaeaf7f960f723558de5265d1521ca637a2a9375268e0232d2ea414ae37f

SHA512
593f32e238414129e896ec104ee02ad0fe3e24c70a70de5311aabf85a6b1d6c138c108b50165c5449c245ef99e8ff147de49d3978163a7fd4bb27464a0df7460

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
9a0b57fdf0d0470d46eb7a9c925d3505

SHA1
bb6aa62bbb96ab0cc0c9b40ed3c4aab51c6be0f4

SHA256
870e1216dda9b13b03f2fd4a1c9821f392d6bb9b287233ac5a08b8f217b6248a

SHA512
b5bf2b8eeeaffd4fe0f2e3ce835eb4bd316e489702c61662ab7357535345910a07187984f02c0f086ccb489829e8f56ee471f555f5f09f5eae2aee5b99da3aa9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
82ac18358e327382589c4e972d252f30

SHA1
5d1d1d11d755fbbcea3aced76d5b8efc47270fe6

SHA256
942480d1470de11ce5c1fd3debfa61268cd6c92972d72e394d6fcff4d4b81bd0

SHA512
20d087e8b3c6a7ad48c314a5061dfffef5597c4fae352df43e1f17f63fb68e3efb89571ba117bd43d9471e319cf7a88c07492b812e9b7cc436c7ea9d79360265

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3664bbce74506752cbe754ab68102139

SHA1
d8ca7a5c8ea2226467e20ab3ed3624c06dd998f2

SHA256
d7a06c6faddcfc2b11217828e40b1f61f137da2e41b185fdf2dd89905f32ebc5

SHA512
8fd823b79e6da15a1b33b83b7fc8813897264a970928ab5ae6b530fe4e9903c804d00924a9aaf9be78f8b31833cf3689bab0e3804d47e4cb76891a4badfc7467

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
61619c7d657d47b1935b5ce1705f0b0b

SHA1
677d0b23294e96770343c9944c437087719ff171

SHA256
260994c99af8b7a3718009acec978cb6338cd7198f8043a3318178eed6b3b845

SHA512
a96be5f4217f428c3bb5bdb9e6610407bd4ac0248e044a58e2c47a43a8416add58865c1dd4e44a542625f511f0481fbd2fc86c0077cf9387a88089e523a218fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\temp-index

Filesize
120B

MD5
4eaba017a918eb3d8ba98450ba40f6cb

SHA1
dc157aeba26e40ee231bd6123dbaec53ee9fd91c

SHA256
b10eb7111586835bf52007b891c6813a8ec1d344911ff6e36a21dda98f55b22d

SHA512
acbab30bdc123a5e30a3f859914dd44a74832014c28b92ddbff7fb91b66e2ba964c2bc12b41e1af363daa9af81150f8d0ca19952808e9692f2bd7bac5174bbd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
77KB

MD5
ed082e38f90cdb653b24ce43859a80c0

SHA1
a3597ae677fe1ae5964952f2891a952e6125617d

SHA256
95402b2034e4facc2f70d4622c4a9cc19dc6fa866f7edfee25bc7fc2d1596e22

SHA512
29f256309d7646ee26bc25d731d885f4cf56be004d89da0d64ff5b3b35103f53ebc33263007a1846348a353451666ec5d00effe66ed111d1e231519cd55c756f

Download Submit