b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78

Analysis

max time kernel
1791s
max time network
1792s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
02/06/2024, 11:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

3.0MB
MD5

eb80f7bddb699784baa9fbf2941eaf4a
SHA1

df6abbfd20e731689f3c7d2a55f45ac83fbbc40b
SHA256

b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78
SHA512

3a1162e9fef849cb7143dc1898d4cfcfd87eb80ced0edb321dfa096686b25ae8a9a7f3ae8f37a09724d94f96d64e08940fc23c0b931ddd8a1e70e2792cb3fe47
SSDEEP

98304:6aJXyQTrRGlSMoIuORmKBQielvZlpkiSti:3olMcR9BTY3WS

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2764	AnyDesk.exe
2764	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
112	AnyDesk.exe
112	AnyDesk.exe
112	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
112	AnyDesk.exe
112	AnyDesk.exe
112	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 232 wrote to memory of 2764	232	AnyDesk.exe	77
PID 232 wrote to memory of 2764	232	AnyDesk.exe	77
PID 232 wrote to memory of 2764	232	AnyDesk.exe	77
PID 232 wrote to memory of 112	232	AnyDesk.exe	78
PID 232 wrote to memory of 112	232	AnyDesk.exe	78
PID 232 wrote to memory of 112	232	AnyDesk.exe	78

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:232
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2764
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
daf5e01df9a787c5c02668eee5f29b84

SHA1
ca7619e34e46e6b00ee68adff47e6cff6476fefd

SHA256
7f1e13671b66c3605676ff4f07843deb68a9898f9ad216d32dcd537c085592ae

SHA512
c1739692b9bee71a56e2a7a75cc6386cd5dac1438a423d11662ca93d6044d207ff6678ac0d766186d662f5d1ed63b7e47c81fa0926705488c0d15f9848cb3d34

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
c2ad157cf52d74ee55f9e11bb9556a75

SHA1
632291649f35f9fde4cf656c6d5a9d062b66306b

SHA256
d7ab2c103ec7c384079a89c3754ad413764807463dcd2474b473e9883931a564

SHA512
ded56170097093360daed35f289ccdf139337db4eaa9d768ea02da7727679b49f7d4dc69f45928c4931789766428f5eaeb7b6de0eb360036c0db4798fca3b8b1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
fa7cca73bf0672452d9e537c5bc09d9d

SHA1
3ef01d97dfbc69babf239151768f70656912f9c5

SHA256
06b5a1e4244ad01e156dbd31878703c2baf3937ab705ae00d3b943f4ad300213

SHA512
daff89e08d96825be27d49607c4472b2635a18695e74a3c252024404959d5fde02daa952643ccebd0994aad4ec856794de44d4751a3646373b9b578d3a55b162

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
228B

MD5
dff7a9877fd0a61d979c059b63adea92

SHA1
2185feea22298c17753154930acc457a3b75b7e7

SHA256
56c5b65f7cbf9ca00efd948b68aa334a139063e563cff0050642135ee1014147

SHA512
504542a8a76f5c48a9772bbbf816648c9a8937a720617fa3b11a1ba2ddb8fece0ebddb55ac33900911c4304efcfa936d0ba1f3fdee1ae1afc89af10d262c657b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
328B

MD5
e6225788339d104820d13c4d06529781

SHA1
6ca7ba4ce8d2f9a05eb6e049696a26c82dca1105

SHA256
4fb49672c829864dc3479c0e4a66f9c267831307da66d1c361d378d27d55af17

SHA512
37d9e0b8123f1b693edd387196580bddecbd537133b9728202fd380b85a86967eae7a2cecf5f2683bc6d6cb89bd753a352d76191fd4cf011b2dabe430d5c6397

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
328B

MD5
2d7b1955f7a5b49c1f66a9a970395d6b

SHA1
3bbd9c67b9b043bc2fb1a50e9aeeed7b2253d5bb

SHA256
5a67ef454168d94f8b3f4d9eb0c3366f629d06856ba31b8e91c83151c35ed6c8

SHA512
3340ecc622329bce9ce7b912447c10d7fe69cc126142b0e78224e81beb8c6239e512df73b3d17244dee193991b7ac4601947d979273453117f444f3ac2fd14e1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
328B

MD5
0031a85e1eea81aa8375967ba78edf4e

SHA1
3adcf3dd71aae0fa8c1c7ce5d2903ca2f1e7499f

SHA256
18746e12d6142a5cb5cefccca5e5b56ab8ae95f74c1498a4d008d8d7a7dc75f6

SHA512
164ddd849584c4c8cc4a68e7ae4938f7c34816d78a038c4f8fed65731efc6d6e71e79e118bf70410716b15e63bc25769f0237fd2c3d417bfb28a60eb2c20e227

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
107B

MD5
4e2c450f8608a6c5c588263cac6c77f8

SHA1
c59aebcc558653ee9af8312fb15fa8fd8a8251ca

SHA256
7a050c423d52bd434e450dfdc9d68f859dc5594f60cb77e9e56064a1e4b3fd4b

SHA512
f7fd266041d7bab9f6b8c437eceebf7a486f0058ea60001de3b49a7c8e07fec838703e1c89269f1032d4f982e4a5400c7aa7153596196aaa37067c580181419f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
205B

MD5
8de8fc89da2be4215e5dfa0c997e77f0

SHA1
3557df07a7d459c6506763eb69130a7e7049d6c1

SHA256
dabab62439eb2686b581086c360eebd27a4d30d65b61983b37c48eac92a9e32f

SHA512
55c5405a668808004841a416ee88ed9f83950d648fc5a2cbd82fa131e28ac7f15ef26878f732db5d940de6988cade4799aca0de25f49e857a0a74270317784a8

Download Submit
memory/112-41-0x0000000000740000-0x0000000001352000-memory.dmp

Filesize
12.1MB

Download
memory/112-19-0x0000000000740000-0x0000000001352000-memory.dmp

Filesize
12.1MB

Download
memory/232-18-0x0000000000740000-0x0000000001352000-memory.dmp

Filesize
12.1MB

Download
memory/232-62-0x0000000000744000-0x0000000001053000-memory.dmp

Filesize
9.1MB

Download
memory/232-0-0x0000000000740000-0x0000000001352000-memory.dmp

Filesize
12.1MB

Download
memory/232-2-0x0000000000744000-0x0000000001053000-memory.dmp

Filesize
9.1MB

Download
memory/232-17-0x0000000000740000-0x0000000001352000-memory.dmp

Filesize
12.1MB

Download
memory/232-16-0x0000000000740000-0x0000000001352000-memory.dmp

Filesize
12.1MB

Download
memory/232-59-0x0000000000740000-0x0000000001352000-memory.dmp

Filesize
12.1MB

Download
memory/232-4-0x0000000000740000-0x0000000001352000-memory.dmp

Filesize
12.1MB

Download
memory/2764-60-0x0000000000740000-0x0000000001352000-memory.dmp

Filesize
12.1MB

Download
memory/2764-67-0x0000000000740000-0x0000000001352000-memory.dmp

Filesize
12.1MB

Download
memory/2764-70-0x0000000000740000-0x0000000001352000-memory.dmp

Filesize
12.1MB

Download
memory/2764-40-0x0000000000740000-0x0000000001352000-memory.dmp

Filesize
12.1MB

Download
memory/2764-21-0x0000000000740000-0x0000000001352000-memory.dmp

Filesize
12.1MB

Download
memory/2764-87-0x0000000000740000-0x0000000001352000-memory.dmp

Filesize
12.1MB

Download
memory/2764-99-0x0000000000740000-0x0000000001352000-memory.dmp

Filesize
12.1MB

Download