1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Analysis

max time kernel
6s
max time network
8s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-06-2024 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1212	AnyDesk.exe
1212	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1232	AnyDesk.exe
1232	AnyDesk.exe
1232	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1232	AnyDesk.exe
1232	AnyDesk.exe
1232	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 1212	220	AnyDesk.exe	86
PID 220 wrote to memory of 1212	220	AnyDesk.exe	86
PID 220 wrote to memory of 1212	220	AnyDesk.exe	86
PID 220 wrote to memory of 1232	220	AnyDesk.exe	87
PID 220 wrote to memory of 1232	220	AnyDesk.exe	87
PID 220 wrote to memory of 1232	220	AnyDesk.exe	87

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:220
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1212
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
1769e270e8bbd16ccf1d9dfce237c3af

SHA1
63f10bdb85051a1564096cb4fd114010c4935a75

SHA256
a098961446c664ae0f4188429ec2ae044253e447cea71379967a01994f9ed1d1

SHA512
fd52d5eb8f45b05eb131585c6c41ee1ee5bb3e94f94628ce5a19f8df20183c7ab92d23f8bebacce0e19ca6af89af37d88ffe88892c42a0a110d79f3f7b374d58

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
4718d32f580274fb1720d91a26ecb50f

SHA1
b75d2a466c336bc07a141919be2c1d65afd8e31f

SHA256
3a89e60efdad2260905ffe135f1cf529d0248b0bf2f50a8802241b0ccff10d18

SHA512
25b10289be6f9b1cf6456f33a58d350cc3f84b218e9639f3aae452f21d8d9e43ebf3f7f4cf939c7cbcf4c259f1260f574e19b2ed0d22b8654a18948e321a8cb1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
9ca727ac42ec6002512cae83eee9d460

SHA1
a1735e116a2ebd8e81c9ccb38cf1e06d9eaead00

SHA256
3ab688fba230e49e181e45e8f93be8ed0ba627bc808aecf850e3383b8795bfef

SHA512
a4d23f0bb6573c97cf07573f06c10bd2e7b50603d535b2f6a766b21e8a59e60d3162b0087e1b65e6903a380e617b7dc2c42b3b25851e35da9ac07c4568a76289

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
30de18d0d2e2304f011f88144b97f41f

SHA1
7f14364433c9499d1a3cc34325ff3cf0288335e0

SHA256
edbbffac742bfca32b029be4aff218910f474b85160f15d10b820653fd15d588

SHA512
6eecb04119a3a2cfeeeceec98cc60a6d0e74d9aa8d25cac1c3371410d3a028caead17888d27a2c23106206bc6923f434029539618d7932e44107506357da89d4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1df1dfcff57493009dfaecda932e2400

SHA1
9a7ef4ecd2a3491393b56a6293f7ab5dc82383f5

SHA256
0021be990a5fe5dfb2e328e734f6e0a8e59284fdd8d75d849f78c2294ef2dadb

SHA512
0a6b0391da30a9680c3ad20d31bf33fc5200759a5c7dfe878d4c5647b96a062480937c61105bd6407cc8bc2971987fc581cc04907ded9bd288e4a58daaab9a43

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
edced94766232a81e904bf631b13f8d9

SHA1
24c6c2668cb4fbea8e68dddd613f0f9cc0d3f155

SHA256
da22528aaf19caa2ba8db5717a97d6daaabb76858453d13b262e4d1d9d86d51d

SHA512
75ce37e15441541be5275150b2b961d18813ed6be34f16bbfcdd941a868785312953bd9698d0acd1cf6257147aa7f84c6e39d2ae597f21606c66c6b96cf6b532

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b2ef4eb2fd4c1c54474c570422b1e292

SHA1
df94965c8a05852361c162338db71ee84c1a4e8a

SHA256
344897430cfa03876cf2370d1bc0f3ac0dae36d58d2687fd7fe5da1238781a7c

SHA512
8e24bf4c5fb76182330d039869ca42039085c9b174feba3f00fd22dbbc08711143847d18eb95a85d0c7ce1986a9a726aac39ec4cf8a1ffe450c8e49435e9bc4d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
54415a5532d79c643deda91d11b51b4d

SHA1
3f16e3ec187665a34c61210b03b8ef82ac90a548

SHA256
73eb712a7bb6ccb576bf3bd3fccb9eaf29e74ac5d306b79148a044590a280758

SHA512
f87268f33bfbb97342ee42e41956c38d500f89853840a80960291681494eaaa8e8b289fb8070c21738e8116c75119b722aac15f030aa8106be7ccdaaddcc3dd9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
d41acb1768c086853d42988a251b8161

SHA1
31cb44cb810d6f58d9b6693941e5bf58560843f2

SHA256
e8fa8638fd8163b3227e45a93c74918ef7c09e4b4b5d8ae2dbb0a87eca5fe8d2

SHA512
23895cb5d7eb1875623f11cf9c87083d6ce3e8b008a7c62f6dbfd1436dedd7a4cb888b721b88e0995d9a1b6eaba596efc81e3e57173bff461502fcad6dd7ae3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
d7d0a9ef8b6d36ae3adeff16670fa63b

SHA1
0e383f9cecf4a576cf59ab7e1fd4e7e8c5b5bb03

SHA256
1ac453b4e82547753e32c13d907d91815f9267137988fd29d418903032c51103

SHA512
c43b23fd15e45bdd1d797a4b0c8eab581b703182ef3cf2cb4b351f453ead94a50ef53374656d48575c4057bcbe6cf7a239dfb040b0e4cc4375fff36962859694

Download Submit
memory/220-2-0x0000000000284000-0x00000000014BA000-memory.dmp

Filesize
18.2MB

Download
memory/220-7-0x0000000000280000-0x00000000019C9000-memory.dmp

Filesize
23.3MB

Download
memory/220-0-0x0000000000280000-0x00000000019C9000-memory.dmp

Filesize
23.3MB

Download
memory/1212-12-0x0000000000280000-0x00000000019C9000-memory.dmp

Filesize
23.3MB

Download
memory/1232-10-0x0000000000280000-0x00000000019C9000-memory.dmp

Filesize
23.3MB

Download