Resubmissions
28-06-2024 19:19
240628-x1xvlazbrc 528-06-2024 19:11
240628-xv3hwssell 528-06-2024 19:10
240628-xvvs2szand 7Analysis
-
max time kernel
1860s -
max time network
1847s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system -
submitted
28-06-2024 19:10
Static task
static1
Behavioral task
behavioral1
Sample
AnyDesk.exe
Resource
win11-20240508-en
General
-
Target
AnyDesk.exe
-
Size
5.1MB
-
MD5
aee6801792d67607f228be8cec8291f9
-
SHA1
bf6ba727ff14ca2fddf619f292d56db9d9088066
-
SHA256
1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
-
SHA512
09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
-
SSDEEP
98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR
Malware Config
Signatures
-
Unexpected DNS network traffic destination 23 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 9.9.9.9 Destination IP 9.9.9.9 Destination IP 9.9.9.9 Destination IP 9.9.9.9 Destination IP 9.9.9.9 Destination IP 9.9.9.9 Destination IP 9.9.9.9 Destination IP 9.9.9.9 Destination IP 9.9.9.9 Destination IP 9.9.9.9 Destination IP 9.9.9.9 Destination IP 9.9.9.9 Destination IP 9.9.9.9 Destination IP 9.9.9.9 Destination IP 9.9.9.9 Destination IP 9.9.9.9 Destination IP 9.9.9.9 Destination IP 9.9.9.9 Destination IP 9.9.9.9 Destination IP 9.9.9.9 Destination IP 9.9.9.9 Destination IP 9.9.9.9 Destination IP 9.9.9.9 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AnyDesk.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString AnyDesk.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3008 AnyDesk.exe 3008 AnyDesk.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 2496 AnyDesk.exe 2496 AnyDesk.exe 2496 AnyDesk.exe -
Suspicious use of SendNotifyMessage 3 IoCs
pid Process 2496 AnyDesk.exe 2496 AnyDesk.exe 2496 AnyDesk.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3016 wrote to memory of 3008 3016 AnyDesk.exe 78 PID 3016 wrote to memory of 3008 3016 AnyDesk.exe 78 PID 3016 wrote to memory of 3008 3016 AnyDesk.exe 78 PID 3016 wrote to memory of 2496 3016 AnyDesk.exe 79 PID 3016 wrote to memory of 2496 3016 AnyDesk.exe 79 PID 3016 wrote to memory of 2496 3016 AnyDesk.exe 79
Processes
-
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3008
-
-
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2496
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9KB
MD5459419cc4fde98fca960c7581e6ece05
SHA1cdfbdfd81f8ad3b83ed57f8922c4cf2a799583c9
SHA2568a976fba5f91feda6acf1f1e20ca02a5e80f3f2fee5711c3801b2a73743c8d84
SHA5124a0307ffea0b9ac491285d7ee2ba3877b66f1f496b796ddfa04785ba2a34100e53ac122e03a1a47912e27dbf0bc99acce4673ba992cf0cb440f4e1004ae4cb9f
-
Filesize
2KB
MD553d92e6cfec691025f4c3825b260854e
SHA15189f5a56300a80520f69365e13222383cab926a
SHA256f7d16f4386c272ba0607cd8b7744193682368ccc7ccf97b083caae631cceda86
SHA51207e5d518e2939e8baec3795eab6ed51dda8c9148f36679456adc7629e5a717d57a7c85e27ef2198a6bf907dc51ce89bfce11277bd9163d5f84881bcd30450c0c
-
Filesize
424B
MD51795c85cfe5fc5e9010c64e3c5640499
SHA1275af59f171a757d6fd0c9aacfd83e9bd6d2dce3
SHA256743e6c8e1d39ce57d6e616811d90954aa83c21a442606bb300649464731932d9
SHA512a7ed89ba072e05bede45ef1b567ff1e619130e5f093477044d07aeb558bfa8589cb33cb061d5962d972d0fd36e14e23fc50f9dec80312dc32c41b0847d35119f
-
Filesize
424B
MD5ec49cb57f976e9564048f0e2fb4ef173
SHA143d5ed59d74ec8dba9f2027f94f5566aa5e086ca
SHA256ba1272fef6b12a8246c7d66acdb981c524e1e21e2e5e51ff8780fbc0e5e3aeb5
SHA512f6c46d91c5a54b90c9c6badda706726be6fd56b6c80c269c122f5fe36c9e3f09695e0a6c724f58dd34e8b0cc4914f1fc9ffeb7b33012f34b5a7ea2d4e65dca50
-
Filesize
1KB
MD59c83431a8ee48bc7d55564d57f9b43d5
SHA12a59f1eab79a2e0dfaaf5e34a2ccc2ec69b185e5
SHA256cdb455c3de802f8e9b6ad1ff20fddd0b31bee4c30c034bc965082ca4c46b7c55
SHA512228f37fe93686cc9ee7d37fe3dbd743b3337756926c6c8b792ba119d04b04acbb8c402fadbb2004d63fd7a7f95aafc07340915868339a52ce896cc82344c9a83
-
Filesize
1KB
MD5b0338fa6024cb7b0239a5edb8ab69230
SHA139ff01650a70a149df32992c8b3bde8dca8a9adc
SHA25676fed00509cc96d479416e3ae6da509017b0abb007f63212212a44b9eb45318e
SHA5128227641b052b530baa0b74ff11495e45a1c64ba1a8860844d19a7582f8121b7a90a9156a97d83491eaa52a05ebc9aee4f574c85714577148f397269f05b4e65a
-
Filesize
1KB
MD50753d5a42bd7fef9bca21ae929b23115
SHA13448be885613802cb469222ce68d4ac699da427b
SHA25633afbc44b778e6b0c09e3d68515e94ae23a957d7f4b12a2d865f0a2c2a137f0f
SHA5120060bf4f741f96bbdc74fb55e6c3e58fac5b7365b1b608d57fa3eb333efe1194dc403a8235636ca1cf3cdc3fe40adb8515263086ffcce825c3d55314bcce0980