1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Analysis

max time kernel
1799s
max time network
1802s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

7^/10

Malware Config

Signatures

Unexpected DNS network traffic destination 21 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk.exe

pid process

5040 AnyDesk.exe
5040 AnyDesk.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid process

2460 AnyDesk.exe
2460 AnyDesk.exe
2460 AnyDesk.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid process

2460 AnyDesk.exe
2460 AnyDesk.exe
2460 AnyDesk.exe

pid	process
5040	AnyDesk.exe
5040	AnyDesk.exe

pid	process
2460	AnyDesk.exe
2460	AnyDesk.exe
2460	AnyDesk.exe

pid	process
2460	AnyDesk.exe
2460	AnyDesk.exe
2460	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AnyDesk.exe

description	pid	process	target process
PID 1164 wrote to memory of 5040	1164	AnyDesk.exe	AnyDesk.exe
PID 1164 wrote to memory of 5040	1164	AnyDesk.exe	AnyDesk.exe
PID 1164 wrote to memory of 5040	1164	AnyDesk.exe	AnyDesk.exe
PID 1164 wrote to memory of 2460	1164	AnyDesk.exe	AnyDesk.exe
PID 1164 wrote to memory of 2460	1164	AnyDesk.exe	AnyDesk.exe
PID 1164 wrote to memory of 2460	1164	AnyDesk.exe	AnyDesk.exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5040
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
72bef3ca29f498632f27302fc6ec3b26

SHA1
114adbf56b0690223144e85e4fce81cc0d8bf764

SHA256
af7d09dadee7e316b952c4e678420618d3d9079d0696953323a054c105265880

SHA512
598b46f4637cf1fa3a1f9ef80312dd44013fc526c7aa0018031af99cde9013190417185ea42d5e5bc86e55cc06c22bed5f8da703869c93a59d0978e16dad2f79

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
b2f1fdbec8611e319454f1242d6fe5b7

SHA1
2e4cf0208a3474bc6435496f79e820bd3a3b7566

SHA256
4e7ada8229bff09ec2a4c8f3b0efd2555fd64aaa584938dd72579c3d0124f11c

SHA512
5b43b1a4bd9433772b16ac0cef25a225a4cbdcd9b0f2c125c5523aa68eb23bed65112c4324e3ffcbb55356af0bb03a342bcce85698b847f7186f71199c24e3e4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
58c5de805699fdddc98328589b275944

SHA1
955d1f07cbb6b557064d8fee028f3740a07e8941

SHA256
47e4e098f47646e0249cb25e584f6a6e54f508f774e9e61da09d36c43b6bec78

SHA512
4c5e446a506cbaaf20cce85ec232ce54fd358a9a804332564ad8aed37d0d1dc7da33516e67830b0be44b53fe61d87d165a48096eca412dddc67edfce137852f6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
0b141496406b75a23effd2ae7e54819b

SHA1
86125de91a1e681d43c152fc6ee82b3701be8115

SHA256
6600d1da11bed096e998b7af5f161cf2cbdbc4252970f6f1d953164e0c935af7

SHA512
717d4cc89c93836c2d2324c58251d2f60d7d29a4df84f2e0b5cba77160a051ead4f08423120c12bff38799e1522ba16dac891f93c57c11fde1f0c4233f26893c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
98e61fe59166933e1db0f57d813d76d5

SHA1
c0312ebcf564bb167abcd909fda7be139910f6cd

SHA256
a0b52eff7f3f783f046bf29d0c656ab6e65d6493e7c758e70a17212e0aca9b79

SHA512
0790ceed416584d848a6cfe736184483dde6100b6ce1dae779da84ccb5344fa18af09d692a159fe0d99a3ae035e5baefd5dd43b7c12a13997853cea7c5974e63

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
dffb643a02c82ce127c4fc9a7e503779

SHA1
24c9a1262a2246ba8fdf7bf969e85b0a4dcd1af0

SHA256
3f97c35d9c35bd8c8c77277ae00207e06591ac6d7dab7d232e888ea8b7505df3

SHA512
a049cf71560b2c4a94e9c342e6dd6c734d8acd60d56512bb7f17ecfe859f400d8d981117a6663a16cac409710a4ee1860e91037c1e8c8a442143fe454d4551ca

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
fb11d211d65ae5edb2a7d20815fc970c

SHA1
a244a79efdacc928c1896c47a849547266fb8a98

SHA256
030c40157b86580efcbc5bb77971690531ef80219de177348d37e3baf1920788

SHA512
dac2130bc571d6af25f1ac4f3ed517c72c1d1a3f7bcef6f48b42514259952b82486fea34679cbf30321076a7c4c27fbdb37d56266e684ba9bc3ba732dd8b7d24

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
84df0295c970105925c644809c92527b

SHA1
e6c481db98614d0760acfe166b3e5f6b10b21ce8

SHA256
18aa0e10cbbdaf748ca41bd56397485876d610942c7eb4c480a1dac88885e06f

SHA512
409f0968f10be88310a82fc4dfbe4d47b9a84d74a753d69ccb29027669880bb32174f669546f29d525891f4b72b9fd5e75e8a740293fed887ccbf9ef8d8a4bb2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0c5ae4c17d91550e02d63cee69b4040d

SHA1
96f018bced4c305f75ce2f6859c4a9123fe181d5

SHA256
bfdf67966728a203895de1f2f016da460c9597f56bcd4c92a7ec379c2f588dee

SHA512
ec1b276c45c3766ffe7ac8bcd13f02e4e15c618507ecd0a8d4c191d066c098d08396c083b3b2025d040d01f4b4fe94770d2404855be3408c43452dae97f902cd

Download Submit
memory/1164-78-0x0000000000970000-0x00000000020B9000-memory.dmp

Filesize
23.3MB

Download
memory/1164-5-0x0000000000970000-0x00000000020B9000-memory.dmp

Filesize
23.3MB

Download
memory/1164-110-0x0000000000970000-0x00000000020B9000-memory.dmp

Filesize
23.3MB

Download
memory/1164-0-0x0000000000970000-0x00000000020B9000-memory.dmp

Filesize
23.3MB

Download
memory/1164-88-0x0000000000974000-0x0000000001BAA000-memory.dmp

Filesize
18.2MB

Download
memory/1164-2-0x0000000000974000-0x0000000001BAA000-memory.dmp

Filesize
18.2MB

Download
memory/2460-12-0x0000000000970000-0x00000000020B9000-memory.dmp

Filesize
23.3MB

Download
memory/2460-324-0x0000000000970000-0x00000000020B9000-memory.dmp

Filesize
23.3MB

Download
memory/2460-11-0x0000000000970000-0x00000000020B9000-memory.dmp

Filesize
23.3MB

Download
memory/2460-201-0x0000000000970000-0x00000000020B9000-memory.dmp

Filesize
23.3MB

Download
memory/2460-80-0x0000000000970000-0x00000000020B9000-memory.dmp

Filesize
23.3MB

Download
memory/5040-86-0x0000000000970000-0x00000000020B9000-memory.dmp

Filesize
23.3MB

Download
memory/5040-92-0x0000000000970000-0x00000000020B9000-memory.dmp

Filesize
23.3MB

Download
memory/5040-111-0x0000000000970000-0x00000000020B9000-memory.dmp

Filesize
23.3MB

Download
memory/5040-129-0x0000000000970000-0x00000000020B9000-memory.dmp

Filesize
23.3MB

Download
memory/5040-143-0x0000000000970000-0x00000000020B9000-memory.dmp

Filesize
23.3MB

Download
memory/5040-150-0x0000000000970000-0x00000000020B9000-memory.dmp

Filesize
23.3MB

Download
memory/5040-200-0x0000000000970000-0x00000000020B9000-memory.dmp

Filesize
23.3MB

Download
memory/5040-79-0x0000000000970000-0x00000000020B9000-memory.dmp

Filesize
23.3MB

Download
memory/5040-207-0x0000000000970000-0x00000000020B9000-memory.dmp

Filesize
23.3MB

Download
memory/5040-214-0x0000000000970000-0x00000000020B9000-memory.dmp

Filesize
23.3MB

Download
memory/5040-231-0x0000000000970000-0x00000000020B9000-memory.dmp

Filesize
23.3MB

Download
memory/5040-323-0x0000000000970000-0x00000000020B9000-memory.dmp

Filesize
23.3MB

Download
memory/5040-13-0x0000000000970000-0x00000000020B9000-memory.dmp

Filesize
23.3MB

Download
memory/5040-334-0x0000000000970000-0x00000000020B9000-memory.dmp

Filesize
23.3MB

Download
memory/5040-337-0x0000000000970000-0x00000000020B9000-memory.dmp

Filesize
23.3MB

Download
memory/5040-360-0x0000000000970000-0x00000000020B9000-memory.dmp

Filesize
23.3MB

Download