1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Analysis

max time kernel
1800s
max time network
1798s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
22-06-2024 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

7^/10

Malware Config

Signatures

Unexpected DNS network traffic destination 22 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk.exe

pid process

4208 AnyDesk.exe
4208 AnyDesk.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid process

4204 AnyDesk.exe
4204 AnyDesk.exe
4204 AnyDesk.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid process

4204 AnyDesk.exe
4204 AnyDesk.exe
4204 AnyDesk.exe

pid	process
4208	AnyDesk.exe
4208	AnyDesk.exe

pid	process
4204	AnyDesk.exe
4204	AnyDesk.exe
4204	AnyDesk.exe

pid	process
4204	AnyDesk.exe
4204	AnyDesk.exe
4204	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AnyDesk.exe

description	pid	process	target process
PID 2428 wrote to memory of 4208	2428	AnyDesk.exe	AnyDesk.exe
PID 2428 wrote to memory of 4208	2428	AnyDesk.exe	AnyDesk.exe
PID 2428 wrote to memory of 4208	2428	AnyDesk.exe	AnyDesk.exe
PID 2428 wrote to memory of 4204	2428	AnyDesk.exe	AnyDesk.exe
PID 2428 wrote to memory of 4204	2428	AnyDesk.exe	AnyDesk.exe
PID 2428 wrote to memory of 4204	2428	AnyDesk.exe	AnyDesk.exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4208
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
ed301c431b9b3e17d99222a44bf9d05f

SHA1
26f0e0063c8dc59edda63df32684eb659c8ff6e0

SHA256
19474061f5b7572bbeac630d08192777abc8abb05ff1cfb613bf3037966db2b3

SHA512
f26f640b436037d617302c45b756ebe51b5aaab29d606b84f0065f53831ec9c090e7ef57938d9e5fd47e0c63fe4b8bfdf89f6fe3a811a67238dd81983e659558

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
eeb97824a305b38a6bb164862659b461

SHA1
ca8f3576724fe055321dc90ab38dd21bb1d83443

SHA256
54d57c4e53bb016aa219772caf82a47812a6cdf9e646ff0f571be4f7aa3592ae

SHA512
1b31427599aa131da75f916fd245f6f23a9ae4d61accae9ca70291f758e934e1486eb8ad389cf0b0cd787bce14c00ec6ac0e41bf69db079a66fd3a6a667448dd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
53b54430be3c55f51f458db1b57df0c9

SHA1
239eb839be40eb3490e66c075b64b7aa641dbf9f

SHA256
c5d233a48b2d8fda894681c8ce02514b7ce2d37e5efe1ffe2ca5355235f366d5

SHA512
a3e6b258b9b23c01b1259c194b7745647d22e64162bbce21ce3e1842b25048cb514caa118a225971850c5981fea2d3a272a9312498b7c58ccebf3cbe52430f06

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
67bffef67caeaf66dbe86703226d705f

SHA1
5a6037667bd08fa07405812da3e0f89708989570

SHA256
72eb0973d25b2748aa65790061cf3da9f49ca70b7ef71023dea8ba4e6ea16a24

SHA512
5077fcfcd6b0c6fe1b1612a3d96aaf10e10768a571eaa45890baefcfe94eef61e5711c29795a202112d7505b87f8c8f88aac52ca316c04c806457aa2c3ed5dcf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
efc17663d3fdea422e359da7be89da09

SHA1
575ce30032423130287443a3e844d30e9f907644

SHA256
a9bfdd6343174e57a5950ce31908ade422413045813379cad4274e1b6bb12af0

SHA512
db17010861bdffa0aa4e16c1922c78735b874248755a9f5b1f8a8c9394a8712e025cbeb0476bcf8ffddabe62221113928f66b607251ac0f5d21bd813c09c5dbe

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
19f5eb873022f7a96eee6e7d6c8aefc7

SHA1
4dbe1b0bffee4fb28e47628a9642a4f26e1ac80d

SHA256
1188dbb954d4896f0203a1652494485f862ce06f2c3dd37045ffaf1f61ba0028

SHA512
032ddff41e2d7c54d5d0c8bbe22a6df1ab1431a0f55d1df447ccf542415a536b8da0c3f3a864de848b73150e994e01f69cbf76fb6750e73ba92dffd321a4faac

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c17a4a4299c5aa16f60166e295b9a22c

SHA1
1a6a1ac0e7be7d4bb11025c7b24ca8b3201fafd7

SHA256
15f1add3d174f54f432458180b5c3ecb541d1580a43ccd445883e13b0213299a

SHA512
e8e2ba4b8adcb24f136f71b6a6fc4eae1a76484e6873894d1180df016c0a5b532be81eec88fdef4f5134b08a3a818fa63ff3dce0830de4ff8f072f070765ec60

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b5594f1ec4e2c0a11377fd2689401335

SHA1
c3f5ab4fc5bd360051867d7bfe277b2712f68334

SHA256
5e39713a57da6761bd9ddf670392ba32ce699d19bccad5a96ed0e0f9730f1b00

SHA512
d9a770ded034d2215c5e5ab0abbde343f1d694d762e8fa6d6de62e4da860f0f51ea9f6721640d60eb6e0854c98caf0195405a81415a77d4b5441b20d028a6732

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f1e9dde6a8abbf79e30bf239dcc386a3

SHA1
522d0bc76c8c818eec3f64fd9d241c5246d0dbbb

SHA256
41b29ae3d00858b9a29d0ff50661cd703419bd66bb72b1dcf25fe1bac8916489

SHA512
94dd46473e80f8597817cedd05fcc7d18fb3cf6ba7ba9b2aec5890712958665b46271b047c2f5d1b1557470e30821e01ed47d3a574e103b80df96d268e343016

Download Submit
memory/2428-2-0x0000000000734000-0x000000000196A000-memory.dmp

Filesize
18.2MB

Download
memory/2428-144-0x0000000000730000-0x0000000001E79000-memory.dmp

Filesize
23.3MB

Download
memory/2428-9-0x0000000000730000-0x0000000001E79000-memory.dmp

Filesize
23.3MB

Download
memory/2428-75-0x0000000000730000-0x0000000001E79000-memory.dmp

Filesize
23.3MB

Download
memory/2428-0-0x0000000000730000-0x0000000001E79000-memory.dmp

Filesize
23.3MB

Download
memory/2428-87-0x0000000000734000-0x000000000196A000-memory.dmp

Filesize
18.2MB

Download
memory/4204-77-0x0000000000730000-0x0000000001E79000-memory.dmp

Filesize
23.3MB

Download
memory/4204-311-0x0000000000730000-0x0000000001E79000-memory.dmp

Filesize
23.3MB

Download
memory/4204-12-0x0000000000730000-0x0000000001E79000-memory.dmp

Filesize
23.3MB

Download
memory/4204-193-0x0000000000730000-0x0000000001E79000-memory.dmp

Filesize
23.3MB

Download
memory/4208-203-0x0000000000730000-0x0000000001E79000-memory.dmp

Filesize
23.3MB

Download
memory/4208-124-0x0000000000730000-0x0000000001E79000-memory.dmp

Filesize
23.3MB

Download
memory/4208-10-0x0000000000730000-0x0000000001E79000-memory.dmp

Filesize
23.3MB

Download
memory/4208-145-0x0000000000730000-0x0000000001E79000-memory.dmp

Filesize
23.3MB

Download
memory/4208-192-0x0000000000730000-0x0000000001E79000-memory.dmp

Filesize
23.3MB

Download
memory/4208-89-0x0000000000730000-0x0000000001E79000-memory.dmp

Filesize
23.3MB

Download
memory/4208-76-0x0000000000730000-0x0000000001E79000-memory.dmp

Filesize
23.3MB

Download
memory/4208-206-0x0000000000730000-0x0000000001E79000-memory.dmp

Filesize
23.3MB

Download
memory/4208-229-0x0000000000730000-0x0000000001E79000-memory.dmp

Filesize
23.3MB

Download
memory/4208-85-0x0000000000730000-0x0000000001E79000-memory.dmp

Filesize
23.3MB

Download
memory/4208-310-0x0000000000730000-0x0000000001E79000-memory.dmp

Filesize
23.3MB

Download
memory/4208-324-0x0000000000730000-0x0000000001E79000-memory.dmp

Filesize
23.3MB

Download
memory/4208-337-0x0000000000730000-0x0000000001E79000-memory.dmp

Filesize
23.3MB

Download