1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Analysis

max time kernel
1800s
max time network
1770s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 18:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

7^/10

Malware Config

Signatures

Unexpected DNS network traffic destination 21 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk.exe

pid process

3832 AnyDesk.exe
3832 AnyDesk.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid process

3948 AnyDesk.exe
3948 AnyDesk.exe
3948 AnyDesk.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid process

3948 AnyDesk.exe
3948 AnyDesk.exe
3948 AnyDesk.exe

pid	process
3832	AnyDesk.exe
3832	AnyDesk.exe

pid	process
3948	AnyDesk.exe
3948	AnyDesk.exe
3948	AnyDesk.exe

pid	process
3948	AnyDesk.exe
3948	AnyDesk.exe
3948	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AnyDesk.exe

description	pid	process	target process
PID 1192 wrote to memory of 3832	1192	AnyDesk.exe	AnyDesk.exe
PID 1192 wrote to memory of 3832	1192	AnyDesk.exe	AnyDesk.exe
PID 1192 wrote to memory of 3832	1192	AnyDesk.exe	AnyDesk.exe
PID 1192 wrote to memory of 3948	1192	AnyDesk.exe	AnyDesk.exe
PID 1192 wrote to memory of 3948	1192	AnyDesk.exe	AnyDesk.exe
PID 1192 wrote to memory of 3948	1192	AnyDesk.exe	AnyDesk.exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3832
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
9fa3ef25927a1ab89c55a1dce4a4154b

SHA1
be13ecac7b8f1252627ff9c6a198127ebc4c7a0b

SHA256
5f55c653e7be39c97c817d3f0584658dd1fc7a1c78d3a677415afb53f6bf8f85

SHA512
958e83ca833f2cc818d87711b96399d97209257cb8600817c238068ddab0b1313fbd50398a5505a258813da828cc7896d28bd3a8d9779113bc6d15664da9c216

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
458e8f2d376365df086695c094dadad1

SHA1
aaf71180c81174162df1f795de8461a60372c410

SHA256
4ed749850372d6a16f4dce532d165844d9f0ede3c3cc3935e11d9119df97976f

SHA512
3e974c9c3976c86d08d1e28079e06f90806a0bb68467f78e90c29ccb9877ff665db21ecba22e4c9c9a054a47e1cd8264b149cc7a2472f80437d8fa7e540274cc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
120c771ec017b7940768c23368739c7e

SHA1
c5d0629ad0fcdc5700508dd884c2ee00bea5c37e

SHA256
459ebbed6e84e684198fc604b9e016ad2a19b5476fe1af54941b33209ea467dd

SHA512
c8487c9273195c55ce07df138f94dc9be77e6ed4faf44e00de887d09ff25f5260b75121abb155451c4c733214a3241627678352af8479d053b0f4b707dbe81ce

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
acee00c7d262b1d0cfc6b122f1a5832d

SHA1
8d90bd04962843c948a2924d3fc43913fd361790

SHA256
340f79c97304ee8b6e2de254f0b6c53166eba72c859bcba0b662981246fe0011

SHA512
e92b481a2fcddf503820864304cf0fcd1cb8cc8ccfdc50c18f7dc3846a796221842eba4f57eedc9edb739607326e17696d5e3f1fb8f1dc94943910a731f0df70

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ec1ee57c76b8004021161f36aeaf8010

SHA1
c9241f6e0e3756f4a43940c6612920ab00157e75

SHA256
caa9e8dff3865414f9091cbdbd424c94b1041e6f52033b49c6f031e0fe35e186

SHA512
72f53e1962e412e13aaf291c4572d47c494dd10a2fd05f1e9cdf9b8cdeab6a102fd0cdd4415ad8951fdb06ccb7f11b3ca88507d495980b7b69d1e9b6e1b723d4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
3870dc2c97a52e6a8e105daf8fbe9ff9

SHA1
cd1d8f5468161da518cf2818469c5cea7b969ee9

SHA256
c88caab40821954885b1e98d79bd1869c71a535154002110622c14f546125a50

SHA512
9a786e61ff4fd56953ba24d1a85768399b86096bf47c696565537899c4c99513b0caf5b5fe914c4e0e2e8ce999f44e8008f1109f78a313d052f4ec926ae1b8c3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6766d6f03be4c16bc986f2f133cfbe9c

SHA1
6ba0e588fc299f4549d130e547729576e478100f

SHA256
01bf99d091d1deb8e8f1d84ed5b96d2c8a33b5926ec04ce8609e2f5f9f51f5b1

SHA512
397ca3d2e7e00bf0b5ca4ec0f1140895269cbb753e7f0d0448858c3421fa9cfb982e9de0f34953f1fe792c8e102060486c8332cc62f5386fea4aee730b24c133

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
959d2782b9337a024da95c01a64f35f1

SHA1
696ff257595294fd8be3dd40e8275e484af7c251

SHA256
442b3bd7be65993d3d73e0f94925493067c1a18d99921d9031a5f405297b0f35

SHA512
e9efc386c6ebb5338e36397da7852f221ec98c1b463759e599ca6fca0f7148f34304beff2cf4e009708bb317ca1a8970da6454b25ba8eca75f742ddaee4f8ffd

Download Submit
memory/1192-9-0x0000000000790000-0x0000000001ED9000-memory.dmp

Filesize
23.3MB

Download
memory/1192-84-0x0000000000794000-0x00000000019CA000-memory.dmp

Filesize
18.2MB

Download
memory/1192-108-0x0000000000790000-0x0000000001ED9000-memory.dmp

Filesize
23.3MB

Download
memory/1192-2-0x0000000000794000-0x00000000019CA000-memory.dmp

Filesize
18.2MB

Download
memory/1192-75-0x0000000000790000-0x0000000001ED9000-memory.dmp

Filesize
23.3MB

Download
memory/1192-76-0x0000000000790000-0x0000000001ED9000-memory.dmp

Filesize
23.3MB

Download
memory/1192-0-0x0000000000790000-0x0000000001ED9000-memory.dmp

Filesize
23.3MB

Download
memory/1192-16-0x0000000000790000-0x0000000001ED9000-memory.dmp

Filesize
23.3MB

Download
memory/3832-137-0x0000000000790000-0x0000000001ED9000-memory.dmp

Filesize
23.3MB

Download
memory/3832-203-0x0000000000790000-0x0000000001ED9000-memory.dmp

Filesize
23.3MB

Download
memory/3832-85-0x0000000000790000-0x0000000001ED9000-memory.dmp

Filesize
23.3MB

Download
memory/3832-90-0x0000000000790000-0x0000000001ED9000-memory.dmp

Filesize
23.3MB

Download
memory/3832-77-0x0000000000790000-0x0000000001ED9000-memory.dmp

Filesize
23.3MB

Download
memory/3832-19-0x0000000000790000-0x0000000001ED9000-memory.dmp

Filesize
23.3MB

Download
memory/3832-126-0x0000000000790000-0x0000000001ED9000-memory.dmp

Filesize
23.3MB

Download
memory/3832-395-0x0000000000790000-0x0000000001ED9000-memory.dmp

Filesize
23.3MB

Download
memory/3832-155-0x0000000000790000-0x0000000001ED9000-memory.dmp

Filesize
23.3MB

Download
memory/3832-370-0x0000000000790000-0x0000000001ED9000-memory.dmp

Filesize
23.3MB

Download
memory/3832-359-0x0000000000790000-0x0000000001ED9000-memory.dmp

Filesize
23.3MB

Download
memory/3832-206-0x0000000000790000-0x0000000001ED9000-memory.dmp

Filesize
23.3MB

Download
memory/3832-217-0x0000000000790000-0x0000000001ED9000-memory.dmp

Filesize
23.3MB

Download
memory/3832-234-0x0000000000790000-0x0000000001ED9000-memory.dmp

Filesize
23.3MB

Download
memory/3948-204-0x0000000000790000-0x0000000001ED9000-memory.dmp

Filesize
23.3MB

Download
memory/3948-360-0x0000000000790000-0x0000000001ED9000-memory.dmp

Filesize
23.3MB

Download
memory/3948-78-0x0000000000790000-0x0000000001ED9000-memory.dmp

Filesize
23.3MB

Download
memory/3948-18-0x0000000000790000-0x0000000001ED9000-memory.dmp

Filesize
23.3MB

Download