1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Analysis

max time kernel
1799s
max time network
1799s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
25-06-2024 12:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

7^/10

Malware Config

Signatures

Unexpected DNS network traffic destination 22 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3116	AnyDesk.exe
3116	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2476	AnyDesk.exe
2476	AnyDesk.exe
2476	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2476	AnyDesk.exe
2476	AnyDesk.exe
2476	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 3116	4952	AnyDesk.exe	77
PID 4952 wrote to memory of 3116	4952	AnyDesk.exe	77
PID 4952 wrote to memory of 3116	4952	AnyDesk.exe	77
PID 4952 wrote to memory of 2476	4952	AnyDesk.exe	78
PID 4952 wrote to memory of 2476	4952	AnyDesk.exe	78
PID 4952 wrote to memory of 2476	4952	AnyDesk.exe	78

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3116
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
982fbf2fa2f450d206c202c40bcd8c7e

SHA1
062f978dd50621b1c94407ce6b26ff9b7391e682

SHA256
c449ffbf0837808074d692ff6f716962b88c8932dc88dded4bdba06ec97e8816

SHA512
25901e32203f50f0bcf460afb3cc4a279380d545d27161fd8dc2465161557f2d64d639836a10a6781725c44ac98b134a01238abcce1d7ce91d32a77aa745dbfe

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
aa189b95fe0d9f835049d3ccca705121

SHA1
3c88c093f9fbbef8384be54fd3bbb3769f8b4958

SHA256
5de3fa2f2ca1aedaa41d81239ee28c06a74c5db836125667d87d2d4c2e874948

SHA512
715a1a72fdaecb339637a7712c10760f70d9d93bd6fa2b084b91e1ba0f58797b259c38e9cb59a034932237c8410d4fa5dc85f782d89ecb8f8c798df6ac658e45

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
74760fb58661dc400c2c6ba91c53ceb6

SHA1
80e47fc7d7934a4ef065db98fe7533f41d609a76

SHA256
89b85884cead2edc198e88c6b41e7d525c6e2a7c5f812bc3b88e769e125adc32

SHA512
77785f6b542a5e134ae6e8565c158a544c4fced38736c515aac29f6ddda171999b905e6ea6046d3ada94833a3a8d267e231b104e20adc18dc0b21f8ad78e1ce7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
14f0f13fc898fb2cc6fb9669c0c2f424

SHA1
0ad76fb3a9710c3b18ed1000609d6bd3398b9b8d

SHA256
549596a3992252d646279ae888347d0ff3407eaad764e1995f752c49e2c19d3d

SHA512
a126216c7b8c3ed8d79c709766d6d99caf28810eb9824115774b31a1f3e45a8897cd2a95512400dc48dc0543382a34911b0c4d1ed92950852553b901e7967d56

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
188f3a79a5c6a55b60a7b0055ecc5789

SHA1
77fe16ee4affe96d9eb6f8826412efb5586f0966

SHA256
05a937487914813e7c9ef90dce4b26485cd684497273bdf969fea1698cdfee38

SHA512
3eb3e237aea39ed6e0110c50115fdd273e09b68e6d11133f30e78e4f337ef5daf8c69b25a502bd1fe99f80802598cfef9f23caad4c580e92fa7e0a22575caa85

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
d6398b235accfed7733f4a940f6e951c

SHA1
5517ae8b2c5bad1f29c90e8256c27ee0c4b377d3

SHA256
87eefa3ba22dfc2e2208bb98a3e5e849f62f530d389cc1c8416af520dc1b63d4

SHA512
97aa5fb607e6fa33bd19d52fde863a5275970beff97e462bc85470a269b60485d4ea88bd5f485af06ccdaaa31091f260ac1fbcb77fd27e56417e2891662f5458

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
62a1426ecb0dff8ee686672b4e4ed53e

SHA1
e2030c8ef878db354cd717a9bfd804cf58509604

SHA256
be87b0f8f8d81dce93d50a47ed8e097bc3ca9104616be429bc033d0a6fa0788a

SHA512
96e298e025372eaee63528e30f9a4bafb7922a712aadeddaa1478ff6d1d393b1c0373345752855c1382572d12df011a5496602e783f83680d3c3a783f1874023

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
466e4a52d5d78a409685977276a4ec31

SHA1
7bc28bb32ba8f09713c5b3009f52dfc151add7b4

SHA256
cb94721afdd6778b9f89ddfcf54084c519532889ca64eb364765607921d2b930

SHA512
f39ce61d61342522686fc385683f75fa92e3d1071eeb8fa6c2dc26a34ae0856798677ec16cb320cfc71155f9bfd57575350bd0b5549787427a0da7bfbbd61d43

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f99962e3fa05ade2230682e7e04fa613

SHA1
1a0723338ee226e01342c3ee98fc4a45aa286e14

SHA256
05787af0d72f9e723d46c0aa5e1145046139fc6014eb5bdb53044cd05a3922cf

SHA512
41b7dc9e67e428ef0be1e41065391505e1ba36e56a3d79137a1e6aaecd7b660bcbc6cd199a80658e6a80ac179f99ef7b41a9172dc1cbe41f6ccd8bb4fc08ea29

Download Submit
memory/2476-76-0x00000000006D0000-0x0000000001E19000-memory.dmp

Filesize
23.3MB

Download
memory/2476-10-0x00000000006D0000-0x0000000001E19000-memory.dmp

Filesize
23.3MB

Download
memory/2476-191-0x00000000006D0000-0x0000000001E19000-memory.dmp

Filesize
23.3MB

Download
memory/2476-321-0x00000000006D0000-0x0000000001E19000-memory.dmp

Filesize
23.3MB

Download
memory/3116-82-0x00000000006D0000-0x0000000001E19000-memory.dmp

Filesize
23.3MB

Download
memory/3116-143-0x00000000006D0000-0x0000000001E19000-memory.dmp

Filesize
23.3MB

Download
memory/3116-352-0x00000000006D0000-0x0000000001E19000-memory.dmp

Filesize
23.3MB

Download
memory/3116-75-0x00000000006D0000-0x0000000001E19000-memory.dmp

Filesize
23.3MB

Download
memory/3116-334-0x00000000006D0000-0x0000000001E19000-memory.dmp

Filesize
23.3MB

Download
memory/3116-92-0x00000000006D0000-0x0000000001E19000-memory.dmp

Filesize
23.3MB

Download
memory/3116-12-0x00000000006D0000-0x0000000001E19000-memory.dmp

Filesize
23.3MB

Download
memory/3116-122-0x00000000006D0000-0x0000000001E19000-memory.dmp

Filesize
23.3MB

Download
memory/3116-327-0x00000000006D0000-0x0000000001E19000-memory.dmp

Filesize
23.3MB

Download
memory/3116-320-0x00000000006D0000-0x0000000001E19000-memory.dmp

Filesize
23.3MB

Download
memory/3116-190-0x00000000006D0000-0x0000000001E19000-memory.dmp

Filesize
23.3MB

Download
memory/3116-229-0x00000000006D0000-0x0000000001E19000-memory.dmp

Filesize
23.3MB

Download
memory/3116-201-0x00000000006D0000-0x0000000001E19000-memory.dmp

Filesize
23.3MB

Download
memory/3116-204-0x00000000006D0000-0x0000000001E19000-memory.dmp

Filesize
23.3MB

Download
memory/4952-7-0x00000000006D0000-0x0000000001E19000-memory.dmp

Filesize
23.3MB

Download
memory/4952-0-0x00000000006D0000-0x0000000001E19000-memory.dmp

Filesize
23.3MB

Download
memory/4952-74-0x00000000006D0000-0x0000000001E19000-memory.dmp

Filesize
23.3MB

Download
memory/4952-142-0x00000000006D0000-0x0000000001E19000-memory.dmp

Filesize
23.3MB

Download
memory/4952-86-0x00000000006D4000-0x000000000190A000-memory.dmp

Filesize
18.2MB

Download
memory/4952-2-0x00000000006D4000-0x000000000190A000-memory.dmp

Filesize
18.2MB

Download