55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

7^/10

Malware Config

Signatures

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1656	AnyDesk.exe
1656	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1348	AnyDesk.exe
1348	AnyDesk.exe
1348	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1348	AnyDesk.exe
1348	AnyDesk.exe
1348	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 1656	4724	AnyDesk.exe	84
PID 4724 wrote to memory of 1656	4724	AnyDesk.exe	84
PID 4724 wrote to memory of 1656	4724	AnyDesk.exe	84
PID 4724 wrote to memory of 1348	4724	AnyDesk.exe	85
PID 4724 wrote to memory of 1348	4724	AnyDesk.exe	85
PID 4724 wrote to memory of 1348	4724	AnyDesk.exe	85

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1656
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
4b52f1c441f7dcfd0421e06afd9423ca

SHA1
b46043ff970ddf61d53165dd305e9dbbdc8b7932

SHA256
d07bfbb3afd85ceec08262b12013477196ce6e1afe3da89cf034425cb4b7096f

SHA512
ce37e509d13eec5c999234f9318a89b233e4aa684d21184efe8f1241d34fd039702da84d6f0f605421515f39c6024ebaf378733bb314694e32853b9efd0eb492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
b225b3ef04e453471b528f488908f805

SHA1
277b4df1cefb18c85061372c09c15ba9b870d980

SHA256
0c47b70e064f8cbdc454fcc8230cdd7b7b5c2d1b447bd17d69ea01717242c561

SHA512
eb0eef1b354e60dfa0866d1c0dbdfc1cffb1f7d39a2f44128e6c9c5f06dad1583ba4bab35dc0941a9e807e26534d9875b4f2e2d83147d8f8d87200b771dff4d5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
73db3dd6d35b3b80cf54d7f5cbff6c5c

SHA1
00daa90aa9f148ed18318683fb2197a9b43ae386

SHA256
a6892ff8e745fffe256719cb91ac7006d40f0bb7f41807f054bbb85b1e57d62a

SHA512
d9feade8a923f7921f5ca42846c528868bce0603a498b5941f6ed2d5d546884dec9fbceb6b14bebf3e306b92dfd19f70aee49f29883654e9f597b16d741fb746

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
f7871e476cbb891bf0f946c6706b9127

SHA1
bd7b64bac0c6f334f585cc17581a657adc42bbcf

SHA256
ad0ce78227d8e6934265e05815b2e67dce9f71e97547bd04324d60a953355219

SHA512
16d3ffae0db59f2b8259f9a5c90262135712d914299c8e9e3419dd8ee52a9b75039a58a425bc8f3ca46f032dd85b06db10e84a2d67cc5cbfc9aa37847822c028

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
03a20c126d98581a04001b813ce80353

SHA1
8fd57911fa71e1b725961efa61a4e422f50c2d5a

SHA256
69be28b0343c792de32bfac3ad9ff328a322ed2fce347de1ea10c0dd296f4fc5

SHA512
182bf6da1e71383ad4714e6aae49e16f1cc3a703b15f07edf58d33151f643be9bc22eb87b09d2b8d94fdc42912f8e1715e71f6831ce8390c828a34d0ce8abb2d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a9d4445d36d94eea77df53f8c7556762

SHA1
ec2741d3d84416f1629b285ca7325c87b231932a

SHA256
f3f47461cbe6818e2c1f39b95999ae9b4db90a1c851e9204b0c520edd4d46c0f

SHA512
77da7ed8ab7a50fca63a3b99473c1da739ab55d1e17ca591d44b20c6e410d58717191510eba25a0d9c55932fe7a4d9cf3b364f0dc5257a3dfa80ebc99cf3d671

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f0c642e0c2afcc56b238eeed42db9b7c

SHA1
85e51347a4d2c2ac56ef1e1c9d8645ae72ff94c1

SHA256
6c09bfbc70bb5734063ea3a77a6b4d68c785dfa84ff417e9020ae5c74f14aa49

SHA512
39ed4256a4b784555f92556e0fd05d0ea3b0fc161553a5c58733bd7113cd217881bbb0e8074233fc936a2c4408ec3a1245f34340b19f26bb4d7b5885a74977e2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
75b59ae61b867f26b550c3978097c922

SHA1
ee742272979b7e157c5a6995dac01901ba8c1f42

SHA256
136ec16a0b8c71b85c2bc98bee186d690c93317ef061b10ebb630f3cad9b6ef4

SHA512
30b4e89c4b1b4f9b45976f16ca2a215466e2544ee7c35381a4782f59fe7afe9c40234a15ce8ea3a3388e4f2799d048d14d638ee0e7c8201d473be327eac024cb

Download Submit
memory/1348-15-0x0000000000F30000-0x0000000002667000-memory.dmp

Filesize
23.2MB

Download
memory/1348-11-0x0000000000F30000-0x0000000002667000-memory.dmp

Filesize
23.2MB

Download
memory/1348-81-0x0000000000F30000-0x0000000002667000-memory.dmp

Filesize
23.2MB

Download
memory/1348-197-0x0000000000F30000-0x0000000002667000-memory.dmp

Filesize
23.2MB

Download
memory/1656-219-0x0000000000F30000-0x0000000002667000-memory.dmp

Filesize
23.2MB

Download
memory/1656-210-0x0000000000F30000-0x0000000002667000-memory.dmp

Filesize
23.2MB

Download
memory/1656-137-0x0000000000F30000-0x0000000002667000-memory.dmp

Filesize
23.2MB

Download
memory/1656-80-0x0000000000F30000-0x0000000002667000-memory.dmp

Filesize
23.2MB

Download
memory/1656-12-0x0000000000F30000-0x0000000002667000-memory.dmp

Filesize
23.2MB

Download
memory/1656-87-0x0000000000F30000-0x0000000002667000-memory.dmp

Filesize
23.2MB

Download
memory/1656-196-0x0000000000F30000-0x0000000002667000-memory.dmp

Filesize
23.2MB

Download
memory/1656-91-0x0000000000F30000-0x0000000002667000-memory.dmp

Filesize
23.2MB

Download
memory/1656-159-0x0000000000F30000-0x0000000002667000-memory.dmp

Filesize
23.2MB

Download
memory/1656-126-0x0000000000F30000-0x0000000002667000-memory.dmp

Filesize
23.2MB

Download
memory/4724-0-0x0000000000F30000-0x0000000002667000-memory.dmp

Filesize
23.2MB

Download
memory/4724-105-0x0000000000F30000-0x0000000002667000-memory.dmp

Filesize
23.2MB

Download
memory/4724-89-0x0000000000F34000-0x0000000002173000-memory.dmp

Filesize
18.2MB

Download
memory/4724-79-0x0000000000F30000-0x0000000002667000-memory.dmp

Filesize
23.2MB

Download
memory/4724-2-0x0000000000F34000-0x0000000002173000-memory.dmp

Filesize
18.2MB

Download
memory/4724-8-0x0000000000F30000-0x0000000002667000-memory.dmp

Filesize
23.2MB

Download