Analysis
max time kernel: 1795s
max time network: 1799s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system
submitted: 20-06-2024 18:43
Static task: static1
Behavioral task: behavioral1
Sample: AnyDesk.exe
Resource: win10v2004-20240611-en
General
Target: AnyDesk.exe
Size: 5.1MB
MD5: aee6801792d67607f228be8cec8291f9
SHA1: bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256: 1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512: 09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP: 98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    AnyDesk.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
    AnyDesk.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    AnyDesk.exe (PID 1232), 2 IoCs
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes:
    AnyDesk.exe (PID 4860), 3 IoCs
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes:
    AnyDesk.exe (PID 4860), 3 IoCs
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    AnyDesk.exe (PID 3332) wrote to memory of AnyDesk.exe (PID 1232), 3 IoCs
    AnyDesk.exe (PID 3332) wrote to memory of AnyDesk.exe (PID 4860), 3 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe (PID 3332)
  Command line: "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe (PID 1232, child of 3332)
    Command line: "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
    - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe (PID 4860, child of 3332)
    Command line: "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2236)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4088,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=4412 /prefetch:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2868)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4208,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=4412 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads