1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Analysis

max time kernel
1800s
max time network
1800s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
28-06-2024 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

7^/10

Malware Config

Signatures

Unexpected DNS network traffic destination 21 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk.exe

pid process

3020 AnyDesk.exe
3020 AnyDesk.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid process

2896 AnyDesk.exe
2896 AnyDesk.exe
2896 AnyDesk.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid process

2896 AnyDesk.exe
2896 AnyDesk.exe
2896 AnyDesk.exe

pid	process
3020	AnyDesk.exe
3020	AnyDesk.exe

pid	process
2896	AnyDesk.exe
2896	AnyDesk.exe
2896	AnyDesk.exe

pid	process
2896	AnyDesk.exe
2896	AnyDesk.exe
2896	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AnyDesk.exe

description	pid	process	target process
PID 3000 wrote to memory of 3020	3000	AnyDesk.exe	AnyDesk.exe
PID 3000 wrote to memory of 3020	3000	AnyDesk.exe	AnyDesk.exe
PID 3000 wrote to memory of 3020	3000	AnyDesk.exe	AnyDesk.exe
PID 3000 wrote to memory of 2896	3000	AnyDesk.exe	AnyDesk.exe
PID 3000 wrote to memory of 2896	3000	AnyDesk.exe	AnyDesk.exe
PID 3000 wrote to memory of 2896	3000	AnyDesk.exe	AnyDesk.exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3000

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3020

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
6KB

MD5
0202feaf2ae140c08ea2775f3fbfd199

SHA1
a03a8a2c488b45b0037959d24dd0846d35e6bb66

SHA256
4ef6b5adfd0c160e99283e8314b0c9fc13857ced9b5c490b80473be578166917

SHA512
c2f89a2108172a4e1826e490f8471263483fafb2ca0c2a92045edd478d3b17d48109d01fc79e8830217587b9e76525ca062b022f9c359d10d829c3fd4a7d2282

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
10KB

MD5
a2d12056c9096c14d4d6b22d6448023d

SHA1
e97cebd999a7e12c62f06d0a4e5e628d8170dd3a

SHA256
2cb43e194dddd3e7f7d8b2c485f9529f461e20b14e80599a9aa043295a1cb702

SHA512
e2f45e5ded8ca86e6c3f0595a27f7077c3281940de37f01acd51bb955dbf79784fe7e1f1cc5d8ea8bca99b717d98ac0761574490561a89d0578dbc0fb92493b9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf
Filesize
2KB

MD5
420de94e59188a4044de85568e2e386c

SHA1
03677e4eb16103c01751245a3e6d1822b4a9ffc2

SHA256
428544588dda5527201e901171872d8df241a08a1d03803f93c102d83624c36a

SHA512
ef04785a67689532c05d7453076dc7cd9f40bd8aad8688f0b5c6225350bfe54874c45ef95071c99000c68b0debfcd0fcbffcc6f4388cc9cd7825fb2e46fc5329

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
424B

MD5
314e07788affd62d99771ec2a3c0f1ef

SHA1
ae2d15d5e2e6ee20ebfa794b5941cd8ad390cc63

SHA256
170fd566c8a795f3c7467d5e815fe8d55d7c1d60c3a9d900ed5ecdaedf7c71b6

SHA512
29cb0e4a03fb9c2a4fbc26f4a1b9b6b64fa0539998d6b91c59ba313319dc4c789d3adc526b09397614ba6dae54916d923dbe82b58b2bb891cb0325e6832f9d01

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
424B

MD5
f3efef7ecf7c2cff1eeca8195c3b4ee5

SHA1
7b871a2a79291f54c1d2de407fd97fc68964e27e

SHA256
3954cdb182b509bb450125d94c53f69cda017953bcdd8f1581f0414c8b27a931

SHA512
9049635bec8001f523d491d06c2d01ba073703b0f824db59c7da6d6de6f0e766c9cf9bfeb11c3a03afc7027d74c461f0df6721e0c0d77587da7ef0c815f3222f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
68cf9e39c14cbaa81bfac4bbf5b0879f

SHA1
45ed5709eec5e95f6eea54a6dffd2bcee6d649a8

SHA256
5a0ea89d41fc1abe542c7651a7f8ebfbc10352c709067369b195603a1157c185

SHA512
8d0ff27576d30c4a592b0d2f14c5cb81683a0f12616fbe924d844c114425ac6af6aff51be9d8e9cb52032cd42e014717d13c1ad8a7fb15633536501be9e85cbc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
6c891a0b93c8d015eb01b9cb37e5bd93

SHA1
421e2a4c64e75260f447ec19b35b5d7922fec13f

SHA256
256877056c09b58417c31d7a57a3c40cb867da22322275d907f9f6bf6b9ff2f8

SHA512
efe86329c4172bc9acf65b6b3f5e4fd363bc874ee3e679b3a5565d8699bc7323e718f86f5d3ae59f6132ccd72ab6ac9b7e35d14e35a72d99181fcd937a9ab11f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
3660fa1dbdff493ad9f2f5cae7d27865

SHA1
2151d1c6e78fc94c3032ed4be77a5d7dfd7e9cd8

SHA256
58fe02d096d93b7cc0f9cb794d5c2e18df357152cb11ffe7292c89c63ba196e0

SHA512
2954d3682ca1debb07e7e56e5da65eec37122a04c361178ee9508c336dc40bf0ef2c0154e3fcedc5b5cc29f67423907515ef065ff57612a968ec88716f8ba9ce

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
6efcc8e6764969879c94a1cdcdb0495d

SHA1
00614d582b88f94bcd363eccc3c9d021ea0996c5

SHA256
f6908a8826bee98bcb1ea8fc3dbe5380ec2fffd6614e23509f8065e4289c88a8

SHA512
ac6c3332ec680c60520be98baa6801ad2ae38a669171f2bf50fd8d69a6b1eba2d518db4bc20818603c9547079ec74143d839bde83dde7049f6ef47c4c2854d2b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
ad10306007022503fdf963df07fef6be

SHA1
5f1bd40f000f8642873fd9a26a812b3176adc8ac

SHA256
fb03f807779e533aa812e3076219cebc5e4aee65530ca0d967e278409fbebeca

SHA512
4df50d0254ed51643934d14d702beb6561471ff9d125384cf5c4dd1e92cb8eb06631e5f57a0be60df7aed42be9f7d972131f1f1b5b6abb905ed94b9591bdfaa2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
e3d0506cd75be452902cb4490d781df3

SHA1
dccd1c3489734aade72975b45259f5c9688338db

SHA256
f73dd34ed3beb6eb6d5f1f7c44dd115487fa25fe4ffae58d7985ef7ed9a89ec8

SHA512
226ac4b48401bae06c462dd5e05469f595aed9f10a61e19fa565e0aaadc4d68a5f2f728ce0fae997df7c37a9f379512c773e94c43fa054e30bad83060843d7e5

Download Submit
memory/2896-79-0x0000000000FD0000-0x0000000002719000-memory.dmp

Filesize
23.3MB

Download
memory/2896-197-0x0000000000FD0000-0x0000000002719000-memory.dmp

Filesize
23.3MB

Download
memory/2896-12-0x0000000000FD0000-0x0000000002719000-memory.dmp

Filesize
23.3MB

Download
memory/2896-333-0x0000000000FD0000-0x0000000002719000-memory.dmp

Filesize
23.3MB

Download
memory/3000-144-0x0000000000FD0000-0x0000000002719000-memory.dmp

Filesize
23.3MB

Download
memory/3000-0-0x0000000000FD0000-0x0000000002719000-memory.dmp

Filesize
23.3MB

Download
memory/3000-84-0x0000000000FD0000-0x0000000002719000-memory.dmp

Filesize
23.3MB

Download
memory/3000-7-0x0000000000FD0000-0x0000000002719000-memory.dmp

Filesize
23.3MB

Download
memory/3000-77-0x0000000000FD0000-0x0000000002719000-memory.dmp

Filesize
23.3MB

Download
memory/3000-89-0x0000000000FD4000-0x000000000220A000-memory.dmp

Filesize
18.2MB

Download
memory/3000-2-0x0000000000FD4000-0x000000000220A000-memory.dmp

Filesize
18.2MB

Download
memory/3020-78-0x0000000000FD0000-0x0000000002719000-memory.dmp

Filesize
23.3MB

Download
memory/3020-210-0x0000000000FD0000-0x0000000002719000-memory.dmp

Filesize
23.3MB

Download
memory/3020-11-0x0000000000FD0000-0x0000000002719000-memory.dmp

Filesize
23.3MB

Download
memory/3020-149-0x0000000000FD0000-0x0000000002719000-memory.dmp

Filesize
23.3MB

Download
memory/3020-91-0x0000000000FD0000-0x0000000002719000-memory.dmp

Filesize
23.3MB

Download
memory/3020-196-0x0000000000FD0000-0x0000000002719000-memory.dmp

Filesize
23.3MB

Download
memory/3020-203-0x0000000000FD0000-0x0000000002719000-memory.dmp

Filesize
23.3MB

Download
memory/3020-126-0x0000000000FD0000-0x0000000002719000-memory.dmp

Filesize
23.3MB

Download
memory/3020-232-0x0000000000FD0000-0x0000000002719000-memory.dmp

Filesize
23.3MB

Download
memory/3020-332-0x0000000000FD0000-0x0000000002719000-memory.dmp

Filesize
23.3MB

Download
memory/3020-87-0x0000000000FD0000-0x0000000002719000-memory.dmp

Filesize
23.3MB

Download
memory/3020-335-0x0000000000FD0000-0x0000000002719000-memory.dmp

Filesize
23.3MB

Download
memory/3020-346-0x0000000000FD0000-0x0000000002719000-memory.dmp

Filesize
23.3MB

Download
memory/3020-360-0x0000000000FD0000-0x0000000002719000-memory.dmp

Filesize
23.3MB

Download