1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

7^/10

Malware Config

Signatures

Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 9.9.9.9
Destination IP 9.9.9.9
Destination IP 9.9.9.9
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk.exe

pid process

2420 AnyDesk.exe
2420 AnyDesk.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid process

4560 AnyDesk.exe
4560 AnyDesk.exe
4560 AnyDesk.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid process

4560 AnyDesk.exe
4560 AnyDesk.exe
4560 AnyDesk.exe

pid	process
2420	AnyDesk.exe
2420	AnyDesk.exe

pid	process
4560	AnyDesk.exe
4560	AnyDesk.exe
4560	AnyDesk.exe

pid	process
4560	AnyDesk.exe
4560	AnyDesk.exe
4560	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AnyDesk.exe

description	pid	process	target process
PID 2524 wrote to memory of 2420	2524	AnyDesk.exe	AnyDesk.exe
PID 2524 wrote to memory of 2420	2524	AnyDesk.exe	AnyDesk.exe
PID 2524 wrote to memory of 2420	2524	AnyDesk.exe	AnyDesk.exe
PID 2524 wrote to memory of 4560	2524	AnyDesk.exe	AnyDesk.exe
PID 2524 wrote to memory of 4560	2524	AnyDesk.exe	AnyDesk.exe
PID 2524 wrote to memory of 4560	2524	AnyDesk.exe	AnyDesk.exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2420
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
4KB

MD5
b026fc67a20ad23fa084314e67979b57

SHA1
d6282fb53e457ac6fde7b6ee03d0102bec0c3040

SHA256
dc1b5521f67b409778fec49ae8c527e5a3cafff6d438700637e41e02ad1de836

SHA512
1f4e14443a49d83188b9240ba09ab9589695ce2b4a364f3c64912601ffe2c8d11ae23c4bfee7d630de661069c5707d77edc4e44a65f7a7320fb505365c86e5cf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
02046e96794dba8c037e23812f9a08c4

SHA1
844da5fac33ec4dba7aeb14f27cb7cf824545f2c

SHA256
a8e1afda35fadcea0a8daea9d94b9c7a6e45b820feeb52323e0dee305ed58a3e

SHA512
841e137ddc392b5bd88333776af7de669bd650b4168477dbbbdf4d44c5103da454a8b81784b3176babbd41e48b8d1ce3393e7ed7b66aa39ca392e07f941b6f5a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
9164f347418e07c675913cc1acc29358

SHA1
c329be8d4d09c368f2b522173ecf8ed8c2ff9371

SHA256
0879eced8231147024ae4c33fb57d75973f448add9f06e5b566aa16f805dd4d7

SHA512
48c0f0bb9d29dbf8474c6c3980ba9fe2b9332a8609f4f66036d5da91e5477df0de7c1182ab12154769762f8864c80370d5f103dc9fa4ea36b3466f25294aefeb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
c7b5edb1cdb904be5cb2c75700fa71db

SHA1
dcfd85e24df1345528c06543a8a9bbd50480bfa9

SHA256
1c2d79229d620ca7c3372b3e9c58a54f4995a3e9eec7d0a2bef5fd05cbbdee22

SHA512
98d0566971ae512a1688755c5d32cfe40d738e74e4413709ae7fbe6b553ed0a219f2269bef69a6780d8164477d31629e4ae46e83caed669edb4d9943990242d9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
12379fedff86c362db0243333ff449d8

SHA1
6bac5c9c92e243cd280f59f2e22f67d4c0695ad6

SHA256
d4d7bdca0bbe6597db5e413b2d16f643888ec7f7b13ee64ca5c9bcd175b2358e

SHA512
06f9734aa3cde5e02da050cda1cdbfff9c93c2de87763418959d99aed51d4639e2cd7565e0414d9465012916d4220ba8402269be0ce6786b396bdd6a014ac0b2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
d199b92b309792c895a8daeaecff72e4

SHA1
afa3a4774c289831d202e3eadd579293dc7bc3a2

SHA256
48f6cde4c036202e967780d255f8e15418574391c450cf8eb3aeb467c7f47458

SHA512
4203f6e7f24228f06d784cf94d3b6ca7029bdd7753f69f2a47e7a1418fc7263b1a5dfb53c2a2338493db77293acaa8981ca230bf0fadc7c9897895b630805b53

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
70d6061122e2ac2c5b4ad1d85f389d97

SHA1
746caff38df835eff805848508edc496b23b090f

SHA256
bf3cf6e85df2b44920e83cab8a065d25e64054f65295fff22fe7c1451f6fce48

SHA512
4f115fe4f5bdba5b072bf070f3f9208fe22c2f2f1fc558ee679c7f38127d24ca4028c642c0e9c9942ce9fabf58e5e592383cefd08bcf0d02ab403927c4af8142

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
16692e22b09b103956a023ce06a53de5

SHA1
df457e9e08b96500722df548015a7d71adfe055d

SHA256
69c9866c250b53441c8bf9ede987da6fd9c6fd2efe2bd7b10d1d635ee60566b5

SHA512
c9b3cc457af067e2f085d90cc0ea67b85737a2fe4662944abe015e4df39afa50d815d97461bc7b7d698bc05a4b96cbf2724301dc8b09da5ce0baf68e932b8781

Download Submit
memory/2420-210-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2420-243-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2420-136-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2420-10-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2420-162-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2420-59-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2420-153-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2420-87-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2420-91-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2420-96-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2420-224-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2420-105-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2420-213-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2524-89-0x0000000000E04000-0x000000000203A000-memory.dmp

Filesize
18.2MB

Download
memory/2524-117-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2524-0-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2524-58-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2524-7-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/2524-2-0x0000000000E04000-0x000000000203A000-memory.dmp

Filesize
18.2MB

Download
memory/4560-60-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/4560-211-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download
memory/4560-12-0x0000000000E00000-0x0000000002549000-memory.dmp

Filesize
23.3MB

Download

Resubmissions

Analysis

Sharing