1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

7^/10

Malware Config

Signatures

Unexpected DNS network traffic destination 23 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk.exe

pid process

3008 AnyDesk.exe
3008 AnyDesk.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid process

2496 AnyDesk.exe
2496 AnyDesk.exe
2496 AnyDesk.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid process

2496 AnyDesk.exe
2496 AnyDesk.exe
2496 AnyDesk.exe

pid	process
3008	AnyDesk.exe
3008	AnyDesk.exe

pid	process
2496	AnyDesk.exe
2496	AnyDesk.exe
2496	AnyDesk.exe

pid	process
2496	AnyDesk.exe
2496	AnyDesk.exe
2496	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AnyDesk.exe

description	pid	process	target process
PID 3016 wrote to memory of 3008	3016	AnyDesk.exe	AnyDesk.exe
PID 3016 wrote to memory of 3008	3016	AnyDesk.exe	AnyDesk.exe
PID 3016 wrote to memory of 3008	3016	AnyDesk.exe	AnyDesk.exe
PID 3016 wrote to memory of 2496	3016	AnyDesk.exe	AnyDesk.exe
PID 3016 wrote to memory of 2496	3016	AnyDesk.exe	AnyDesk.exe
PID 3016 wrote to memory of 2496	3016	AnyDesk.exe	AnyDesk.exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3008
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
459419cc4fde98fca960c7581e6ece05

SHA1
cdfbdfd81f8ad3b83ed57f8922c4cf2a799583c9

SHA256
8a976fba5f91feda6acf1f1e20ca02a5e80f3f2fee5711c3801b2a73743c8d84

SHA512
4a0307ffea0b9ac491285d7ee2ba3877b66f1f496b796ddfa04785ba2a34100e53ac122e03a1a47912e27dbf0bc99acce4673ba992cf0cb440f4e1004ae4cb9f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
53d92e6cfec691025f4c3825b260854e

SHA1
5189f5a56300a80520f69365e13222383cab926a

SHA256
f7d16f4386c272ba0607cd8b7744193682368ccc7ccf97b083caae631cceda86

SHA512
07e5d518e2939e8baec3795eab6ed51dda8c9148f36679456adc7629e5a717d57a7c85e27ef2198a6bf907dc51ce89bfce11277bd9163d5f84881bcd30450c0c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
1795c85cfe5fc5e9010c64e3c5640499

SHA1
275af59f171a757d6fd0c9aacfd83e9bd6d2dce3

SHA256
743e6c8e1d39ce57d6e616811d90954aa83c21a442606bb300649464731932d9

SHA512
a7ed89ba072e05bede45ef1b567ff1e619130e5f093477044d07aeb558bfa8589cb33cb061d5962d972d0fd36e14e23fc50f9dec80312dc32c41b0847d35119f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
ec49cb57f976e9564048f0e2fb4ef173

SHA1
43d5ed59d74ec8dba9f2027f94f5566aa5e086ca

SHA256
ba1272fef6b12a8246c7d66acdb981c524e1e21e2e5e51ff8780fbc0e5e3aeb5

SHA512
f6c46d91c5a54b90c9c6badda706726be6fd56b6c80c269c122f5fe36c9e3f09695e0a6c724f58dd34e8b0cc4914f1fc9ffeb7b33012f34b5a7ea2d4e65dca50

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
9c83431a8ee48bc7d55564d57f9b43d5

SHA1
2a59f1eab79a2e0dfaaf5e34a2ccc2ec69b185e5

SHA256
cdb455c3de802f8e9b6ad1ff20fddd0b31bee4c30c034bc965082ca4c46b7c55

SHA512
228f37fe93686cc9ee7d37fe3dbd743b3337756926c6c8b792ba119d04b04acbb8c402fadbb2004d63fd7a7f95aafc07340915868339a52ce896cc82344c9a83

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b0338fa6024cb7b0239a5edb8ab69230

SHA1
39ff01650a70a149df32992c8b3bde8dca8a9adc

SHA256
76fed00509cc96d479416e3ae6da509017b0abb007f63212212a44b9eb45318e

SHA512
8227641b052b530baa0b74ff11495e45a1c64ba1a8860844d19a7582f8121b7a90a9156a97d83491eaa52a05ebc9aee4f574c85714577148f397269f05b4e65a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0753d5a42bd7fef9bca21ae929b23115

SHA1
3448be885613802cb469222ce68d4ac699da427b

SHA256
33afbc44b778e6b0c09e3d68515e94ae23a957d7f4b12a2d865f0a2c2a137f0f

SHA512
0060bf4f741f96bbdc74fb55e6c3e58fac5b7365b1b608d57fa3eb333efe1194dc403a8235636ca1cf3cdc3fe40adb8515263086ffcce825c3d55314bcce0980

Download Submit
memory/2496-194-0x0000000000A00000-0x0000000002149000-memory.dmp

Filesize
23.3MB

Download
memory/2496-76-0x0000000000A00000-0x0000000002149000-memory.dmp

Filesize
23.3MB

Download
memory/2496-11-0x0000000000A00000-0x0000000002149000-memory.dmp

Filesize
23.3MB

Download
memory/2496-316-0x0000000000A00000-0x0000000002149000-memory.dmp

Filesize
23.3MB

Download
memory/3008-200-0x0000000000A00000-0x0000000002149000-memory.dmp

Filesize
23.3MB

Download
memory/3008-207-0x0000000000A00000-0x0000000002149000-memory.dmp

Filesize
23.3MB

Download
memory/3008-75-0x0000000000A00000-0x0000000002149000-memory.dmp

Filesize
23.3MB

Download
memory/3008-82-0x0000000000A00000-0x0000000002149000-memory.dmp

Filesize
23.3MB

Download
memory/3008-350-0x0000000000A00000-0x0000000002149000-memory.dmp

Filesize
23.3MB

Download
memory/3008-329-0x0000000000A00000-0x0000000002149000-memory.dmp

Filesize
23.3MB

Download
memory/3008-92-0x0000000000A00000-0x0000000002149000-memory.dmp

Filesize
23.3MB

Download
memory/3008-326-0x0000000000A00000-0x0000000002149000-memory.dmp

Filesize
23.3MB

Download
memory/3008-125-0x0000000000A00000-0x0000000002149000-memory.dmp

Filesize
23.3MB

Download
memory/3008-144-0x0000000000A00000-0x0000000002149000-memory.dmp

Filesize
23.3MB

Download
memory/3008-315-0x0000000000A00000-0x0000000002149000-memory.dmp

Filesize
23.3MB

Download
memory/3008-193-0x0000000000A00000-0x0000000002149000-memory.dmp

Filesize
23.3MB

Download
memory/3008-12-0x0000000000A00000-0x0000000002149000-memory.dmp

Filesize
23.3MB

Download
memory/3008-229-0x0000000000A00000-0x0000000002149000-memory.dmp

Filesize
23.3MB

Download
memory/3016-74-0x0000000000A00000-0x0000000002149000-memory.dmp

Filesize
23.3MB

Download
memory/3016-2-0x0000000000A04000-0x0000000001C3A000-memory.dmp

Filesize
18.2MB

Download
memory/3016-9-0x0000000000A00000-0x0000000002149000-memory.dmp

Filesize
23.3MB

Download
memory/3016-106-0x0000000000A00000-0x0000000002149000-memory.dmp

Filesize
23.3MB

Download
memory/3016-86-0x0000000000A04000-0x0000000001C3A000-memory.dmp

Filesize
18.2MB

Download
memory/3016-0-0x0000000000A00000-0x0000000002149000-memory.dmp

Filesize
23.3MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads