1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Analysis

max time kernel
1799s
max time network
1749s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
24-06-2024 20:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

7^/10

Malware Config

Signatures

Unexpected DNS network traffic destination 22 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk.exe

pid process

1284 AnyDesk.exe
1284 AnyDesk.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid process

3288 AnyDesk.exe
3288 AnyDesk.exe
3288 AnyDesk.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid process

3288 AnyDesk.exe
3288 AnyDesk.exe
3288 AnyDesk.exe

pid	process
1284	AnyDesk.exe
1284	AnyDesk.exe

pid	process
3288	AnyDesk.exe
3288	AnyDesk.exe
3288	AnyDesk.exe

pid	process
3288	AnyDesk.exe
3288	AnyDesk.exe
3288	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AnyDesk.exe

description	pid	process	target process
PID 2684 wrote to memory of 1284	2684	AnyDesk.exe	AnyDesk.exe
PID 2684 wrote to memory of 1284	2684	AnyDesk.exe	AnyDesk.exe
PID 2684 wrote to memory of 1284	2684	AnyDesk.exe	AnyDesk.exe
PID 2684 wrote to memory of 3288	2684	AnyDesk.exe	AnyDesk.exe
PID 2684 wrote to memory of 3288	2684	AnyDesk.exe	AnyDesk.exe
PID 2684 wrote to memory of 3288	2684	AnyDesk.exe	AnyDesk.exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1284
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
505c3e60010c3f0c0223e8fae65e70a2

SHA1
4c5b39ee46649dd397af83b8411e424705c1740b

SHA256
59647646fad393283c636b755e86b52d420a129f4ec79fb1e23f11c35648a10c

SHA512
017eff89aa3b413510b1b709bffe5eda19901a2ccd9c13d5c025ad3b08389a9561decd46082dc2bb179970d1449333a3b1fde24d69befeb346534c95a2a6b2cc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
1eb94e328fe227cc4f7f9ac887a456b3

SHA1
1b6c400b0251e550c963da5f0b020f25d4d1ed23

SHA256
d94bb3391322ae56b77fb753b12cd69e1276b89c29300958bfc219c6f2bea03a

SHA512
dab5a3cbb1145242b05ae2cd1da9df136285d04cdb6ed85fefead4b68e58e3f48e6581941f6faef91abfafcf2dc7eb939624d253166f6293808836ca08cfea72

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
1f15f19849043c1a74c446eab47a74bb

SHA1
f0d694d68f08b08aada29289c2718ef5482ef046

SHA256
a0d7c9db0c2bc1c98c5fc276b77272422991045a2482b81f728b1fddc4906710

SHA512
0d30b11533d9e15f3402bb6df835a22b867412b13f7a69fb57d3bf6c70478fbf0742e873dfce60d11351a78d0f650cba4b9779e19775021d69853fa19f5af0e6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
95789c90b9f521217412faaebf3d82ad

SHA1
bbcdc827df7bd4ba26415ecc2301ec0cd664c028

SHA256
dfc99f8450a655171221005143191aaf1f31cf687a2bd35d9b7f1f65c795661e

SHA512
6e1508b72e7faf29eb4ef269a5d85ae771568035a6c7f1111d0b44294452b27288f30cf1b134c8cd895ecced0cecaf9351f334cf6b5095379697102445909eda

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
63f1fa113deb87a0c9f1e144d886096f

SHA1
9b8b28201be1f13edef4719925093313faa88097

SHA256
841c708d2c7567204ee7cb88539050424730688440aeed1a98c84df7920d194f

SHA512
7c2d3b9ba896f9c64284c9f0a834538dc40b4518a6e87afa8f6601c6716d5cef9e108c61277619fe75c538e7d92516d7fa59af198e4790ea2fffe649d8f20e96

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b257c0ffdf0a068ccfa81f0a55733b2c

SHA1
aa457fd170f009b87e7f20377365090cf339ad35

SHA256
701b8da81deeb69ff9567779d5de6b9125d8d38834e11ad5a2c5118f2d52351b

SHA512
52424e13ff6e9cbe9fb56a3afda6ca9e9225006ae0cbec60a81c2638ec37d2fbc654d31f4f9c0958603be8c611747db0f7af0dc0c08c746b612cdab13f035911

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
bbfd5f9b6e52659d4a3e01f54591be25

SHA1
c5e4bf544c3dc2bd2d1fb3050a6065768a6a1de6

SHA256
3f94e7d2e5d125ad5c8bc2bbc449bb5cae36b4f174fa154fc8633c083a54a63c

SHA512
999a31c6495478e8f681f6f1f331cc303c741b9f742df532a00a73a992ed6dd7767ade260f0aa8626ccf5e7bc9f77857baecdf9b66cbced7510ea3b16f2bcbfc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
10f1876b651fb6033d8fffd7685dff79

SHA1
72bdaa9661fd252d56c90e5b8c73088b97702c00

SHA256
2169633507c112a9115751b1527a70ae803143ee0d0ce5ae1ac693c029f3320d

SHA512
692d6a0423ed50b6f3191d62f775d04954ffc1bfb78ac1474804d1f65116e220ece20bbe8822a887db0c86b87ebe5f2452ebdbc41e396d644f23bdbefb853d03

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
7ebe3e3df3e2c9a789f41725fb0bff6b

SHA1
33d3ac796f865da5ee36c699dc2f3671c5671e91

SHA256
c19bb13ccd7c625541938df3226a7be5d4f460056547a98759a6a95cb6316e9a

SHA512
fb2e2f8f22fabdf8cc72e2e63d330aa8289acd9fc045708a45adf8d8786f9fd09e3a12334e386fc1b218e652af61a1eda8f9a58e0595377ed78b4747b734b15d

Download Submit
memory/1284-125-0x0000000000050000-0x0000000001799000-memory.dmp

Filesize
23.3MB

Download
memory/1284-144-0x0000000000050000-0x0000000001799000-memory.dmp

Filesize
23.3MB

Download
memory/1284-358-0x0000000000050000-0x0000000001799000-memory.dmp

Filesize
23.3MB

Download
memory/1284-333-0x0000000000050000-0x0000000001799000-memory.dmp

Filesize
23.3MB

Download
memory/1284-330-0x0000000000050000-0x0000000001799000-memory.dmp

Filesize
23.3MB

Download
memory/1284-77-0x0000000000050000-0x0000000001799000-memory.dmp

Filesize
23.3MB

Download
memory/1284-12-0x0000000000050000-0x0000000001799000-memory.dmp

Filesize
23.3MB

Download
memory/1284-86-0x0000000000050000-0x0000000001799000-memory.dmp

Filesize
23.3MB

Download
memory/1284-319-0x0000000000050000-0x0000000001799000-memory.dmp

Filesize
23.3MB

Download
memory/1284-90-0x0000000000050000-0x0000000001799000-memory.dmp

Filesize
23.3MB

Download
memory/1284-206-0x0000000000050000-0x0000000001799000-memory.dmp

Filesize
23.3MB

Download
memory/1284-195-0x0000000000050000-0x0000000001799000-memory.dmp

Filesize
23.3MB

Download
memory/2684-7-0x0000000000050000-0x0000000001799000-memory.dmp

Filesize
23.3MB

Download
memory/2684-143-0x0000000000050000-0x0000000001799000-memory.dmp

Filesize
23.3MB

Download
memory/2684-2-0x0000000000054000-0x000000000128A000-memory.dmp

Filesize
18.2MB

Download
memory/2684-1-0x0000000000050000-0x0000000001799000-memory.dmp

Filesize
23.3MB

Download
memory/2684-88-0x0000000000054000-0x000000000128A000-memory.dmp

Filesize
18.2MB

Download
memory/2684-76-0x0000000000050000-0x0000000001799000-memory.dmp

Filesize
23.3MB

Download
memory/3288-196-0x0000000000050000-0x0000000001799000-memory.dmp

Filesize
23.3MB

Download
memory/3288-78-0x0000000000050000-0x0000000001799000-memory.dmp

Filesize
23.3MB

Download
memory/3288-10-0x0000000000050000-0x0000000001799000-memory.dmp

Filesize
23.3MB

Download