Malware Analysis Report

2024-12-08 03:05

Sample ID: 240510-way5ashd8z
Target:    AnyDesk (1).exe
SHA256:    ec33d8ee9c3881b8fcea18f9f862d5926d994553aec1b65081d925afd3e8b028
Tags:      privateloader, loader
Score:     10/10

Table of Contents

- Analysis Overview
- MITRE ATT&CK
  - Enterprise Matrix V15
- Analysis: static1
  - Detonation Overview
  - Signatures
- Analysis: behavioral1
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files

Analysis Overview

Score:        10/10
SHA256:       ec33d8ee9c3881b8fcea18f9f862d5926d994553aec1b65081d925afd3e8b028
Threat Level: Known bad

The file AnyDesk (1).exe was found to be: Known bad.

Malicious Activity Summary

Tags: privateloader, loader

- PrivateLoader
- Enumerates physical storage devices
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-05-10 17:43

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted:        2024-05-10 17:43
Reported:         2024-05-10 18:57
Platform:         win10-20240404-en
Max time kernel:  1792s
Max time network: 1795s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe"

Signatures

PrivateLoader

Tags: loader, privateloader

Enumerates physical storage devices

Checks processor information in registry

Description       | Indicator                                                                            | Process                                           | Target
Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     | C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process                                           | Target
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe | N/A
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process                                           | Target
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe | N/A
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe | N/A
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process                                           | Target
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe | N/A
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe | N/A
N/A         | N/A       | C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe"

C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-service

C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-control

Network

Country | Destination         | Domain                          | Proto
US      | 8.8.8.8:53          | boot.net.anydesk.com            | udp
FR      | 57.128.64.30:443    | boot.net.anydesk.com            | tcp
US      | 8.8.8.8:53          | relay-aeafd8c0.net.anydesk.com  | udp
GB      | 57.128.141.154:443  | relay-aeafd8c0.net.anydesk.com  | tcp
US      | 8.8.8.8:53          | 30.64.128.57.in-addr.arpa       | udp
US      | 8.8.8.8:53          | 154.141.128.57.in-addr.arpa     | udp
US      | 8.8.8.8:53          | 28.73.42.20.in-addr.arpa        | udp
US      | 8.8.8.8:53          | 77.190.18.2.in-addr.arpa        | udp
NL      | 52.142.223.178:80   |                                 | tcp
US      | 8.8.8.8:53          | 159.113.53.23.in-addr.arpa      | udp

Files

memory/3988-2-0x0000000000834000-0x0000000001AC0000-memory.dmp

memory/3988-0-0x0000000000830000-0x0000000002000000-memory.dmp

memory/3988-8-0x0000000000830000-0x0000000002000000-memory.dmp

memory/312-12-0x0000000000830000-0x0000000002000000-memory.dmp

memory/316-11-0x0000000000830000-0x0000000002000000-memory.dmp

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

memory/312-188-0x0000000000830000-0x0000000002000000-memory.dmp

memory/3988-186-0x0000000000830000-0x0000000002000000-memory.dmp

memory/316-187-0x0000000000830000-0x0000000002000000-memory.dmp

memory/3988-192-0x0000000000834000-0x0000000001AC0000-memory.dmp