1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Resubmissions

29-06-2024 22:13

240629-146tfs1dpk 5

29-06-2024 22:12

240629-14metaxerd 3

Analysis

max time kernel
24s
max time network
25s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 22:12

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "237"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

AnyDesk.exemsedge.exe

pid process

4212 AnyDesk.exe
4212 AnyDesk.exe
4360 msedge.exe
4360 msedge.exe
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

AnyDesk.exe

pid process

4868 AnyDesk.exe
4868 AnyDesk.exe
4868 AnyDesk.exe
4868 AnyDesk.exe
4868 AnyDesk.exe
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

AnyDesk.exe

pid process

4868 AnyDesk.exe
4868 AnyDesk.exe
4868 AnyDesk.exe
4868 AnyDesk.exe
4868 AnyDesk.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

876 LogonUI.exe

pid	process
4212	AnyDesk.exe
4212	AnyDesk.exe
4360	msedge.exe
4360	msedge.exe

pid	process
4868	AnyDesk.exe
4868	AnyDesk.exe
4868	AnyDesk.exe
4868	AnyDesk.exe
4868	AnyDesk.exe

pid	process
4868	AnyDesk.exe
4868	AnyDesk.exe
4868	AnyDesk.exe
4868	AnyDesk.exe
4868	AnyDesk.exe

pid	process
876	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AnyDesk.exemsedge.exe

description	pid	process	target process
PID 4604 wrote to memory of 4212	4604	AnyDesk.exe	AnyDesk.exe
PID 4604 wrote to memory of 4212	4604	AnyDesk.exe	AnyDesk.exe
PID 4604 wrote to memory of 4212	4604	AnyDesk.exe	AnyDesk.exe
PID 4604 wrote to memory of 4868	4604	AnyDesk.exe	AnyDesk.exe
PID 4604 wrote to memory of 4868	4604	AnyDesk.exe	AnyDesk.exe
PID 4604 wrote to memory of 4868	4604	AnyDesk.exe	AnyDesk.exe
PID 116 wrote to memory of 2320	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 2320	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 412	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 412	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 412	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 412	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 412	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 412	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 412	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 412	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 412	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 412	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 412	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 412	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 412	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 412	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 412	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 412	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 412	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 412	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 412	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 412	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 412	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 412	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 412	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 412	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 412	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 412	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 412	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 412	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 412	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 412	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 412	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 412	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 412	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 412	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 412	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 412	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 412	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 412	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 412	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 412	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 4360	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 4360	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 4976	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 4976	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 4976	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 4976	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 4976	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 4976	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 4976	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 4976	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 4976	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 4976	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 4976	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 4976	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 4976	116	msedge.exe	msedge.exe
PID 116 wrote to memory of 4976	116	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4212
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultcc0e2877ha2edh4b3ch8365h86ae0b7343ec
1⤵
- Suspicious use of WriteProcessMemory
PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9f81346f8,0x7ff9f8134708,0x7ff9f8134718
  2⤵
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,1325929386194948988,17833837726163245716,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,1325929386194948988,17833837726163245716,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,1325929386194948988,17833837726163245716,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
  2⤵
  PID:4976

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4340

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39e2055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
612a6c4247ef652299b376221c984213

SHA1
d306f3b16bde39708aa862aee372345feb559750

SHA256
9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a

SHA512
34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5af20913bc2b314c96e7e44a859bdfe7

SHA1
3cf429c0ec48d4da558ce0e1581463f6b5acaacf

SHA256
93315825edae36eb6b13b90c42e5f946ba51a08e8203a61ebb219e51e5e7ec25

SHA512
34ca03c177d1320fd9eb8394ff3b9aea49fd3d5e970cc804864d1c506a01c79f0acef53954e880192495a7f81ad1fbcc714c4487e68aa29ea46123e08faca2b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
5fbf66de536497691c50e114d4a951f9

SHA1
a03c4b15e219e00028fd7d98f6b254cab4f7e86d

SHA256
323f0ce35093165e5c63b2fd98fa6931c92e466a472d4fb54b4c86821fa11495

SHA512
3dc4bbc59e1abcda1b510dbb58637c959fc9e43663aa2f03db7a4004b323af699c13adc53847bfd05e0a6adbe85b283eabbcbc01a8cb1b86682a5f3858161637

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
0ccf4c456f2cf74bdbf402937fff385a

SHA1
276dd66dd70f7f69e8cc2449d809b827aa5d4146

SHA256
d979b0a49002ca9eec4ba3d34f01dc847981fe7cb3a2c12b5f719772052b788f

SHA512
f8e91e591ef2e7889c7eaaf2c602adc38679358ba9e5ef327df879cd75e92a2fdb40f6f4efbc0d5d5c0911a29e466185b89c9a338a9dff396b043dc16f34a516

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
9c36e23b25953bab79a138ad45b93633

SHA1
2d1c1030103c6663892f4ba251261a3609675bff

SHA256
50477d363b3f67d7b25582fd4ac6f57b50428d12faa697ab9a187fa4ce2556a7

SHA512
50d58c3d210d3187ebf3ed18038d15a0b7c2478ddb5ec2b3139b15378233e310bd9d3e194fa8389beeb74891880441069776e959d018e89d5d5f5f3f3da8ece6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
003d4135395378f3253c32b120955ff4

SHA1
62db3ef9733577850a71ff4542851ac161db3849

SHA256
05720c66168306cc4f5b2103720143ad1fbcc928b3cb7610933f16d5ad1ad9f6

SHA512
753698ea659a625a5d795a6c9cc6584ff0ba46af2688b3187c2b93484ce4bc54a9cbb61bf11ffbc9beec8a770d14cb32620195f11c74cff56f955b70df4d6422

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
b88d217e4a29ec1476f2eb19e74a9e47

SHA1
c46e99a6a2ef39883d55eac038471893e931fcac

SHA256
981bc8166bb12409a5fdacf0e1ab0ecd66d6dc2260d12a38c7aad2fa0a505647

SHA512
27986df26bd91c9d33289a55c68671a76a72fc7866881ade817cc61d5fc3076e64bb3974d08ab92fc6801987d22684947d4e84e865632947cfabed743de9b1d3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c3afd4681b9773a8baa6e1475a66aa7f

SHA1
1a554ac8114e092f604d52dcb1505a964159ece7

SHA256
2b08354e97252f1e0df4135acba62cbcee5c2feeb785a76c5af72f15ecfe82a0

SHA512
9b5f2456e1ade9811612cc5d5bb914c88e2960dcc4775555ff0787605ad4deb9ec268f437192b4e081d8843d4c3d37209d8c2bc00f3e392564ff5f401a8f7314

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
511cabd15cc633532f9f53f7998f17a6

SHA1
6368bf36d170899e626ef1105a8940464d7526ae

SHA256
361aab3f28b7d9f393d033092d3cf3ae34529d0d2880d9b91ba2f8215927cec7

SHA512
1820960206fa29ae88c25743c3d29bb42042811a78e1b608250aabf5f405883ff7c08be74234e519589c3126b16332de1e3ddbcf215fa14fa682ceb3266dc17c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
76fc98f642c8abb701011e4fa3bf2a89

SHA1
73b68911bd87af8a434fb2e73bae100aa8b041ae

SHA256
56bb3b1e3cf3c9bd99da6364727da888ad9ef08919654ebc474c09be3e96c0cd

SHA512
80abf36deadc67e9e7dcdacc1310076951f80abf0606d345a6b0182c43e637092dbc64e65bf0f08ba726abdcba5481f0645587bfe054f393cd0caaa5739564ec

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0fe9333a4a96182df1f1c98671b39e38

SHA1
f0714ff081c86be618a846e5fc3043ddd2a4f8dd

SHA256
4492bb37e89d775978c70ab08d3c8369127cd9d4e9df9d2c6052f74c4e97285d

SHA512
1f26f3a5451ddb02e7c02a8efe6c217a8e829a575f1e0ad11c51fbea91b634dc356a84d9eeecbe0142e5128f326523eb4f72bb0532da35aab26c9bcb2a4158d7

Download Submit
\??\pipe\LOCAL\crashpad_116_TRFFTRFTPSGRNAZS

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4212-12-0x0000000000740000-0x0000000001E89000-memory.dmp

Filesize
23.3MB

Download
memory/4212-76-0x0000000000740000-0x0000000001E89000-memory.dmp

Filesize
23.3MB

Download
memory/4212-132-0x0000000000740000-0x0000000001E89000-memory.dmp

Filesize
23.3MB

Download
memory/4604-75-0x0000000000740000-0x0000000001E89000-memory.dmp

Filesize
23.3MB

Download
memory/4604-2-0x0000000000744000-0x000000000197A000-memory.dmp

Filesize
18.2MB

Download
memory/4604-5-0x0000000000740000-0x0000000001E89000-memory.dmp

Filesize
23.3MB

Download
memory/4604-0-0x0000000000740000-0x0000000001E89000-memory.dmp

Filesize
23.3MB

Download
memory/4604-134-0x0000000000744000-0x000000000197A000-memory.dmp

Filesize
18.2MB

Download
memory/4868-77-0x0000000000740000-0x0000000001E89000-memory.dmp

Filesize
23.3MB

Download
memory/4868-10-0x0000000000740000-0x0000000001E89000-memory.dmp

Filesize
23.3MB

Download
memory/4868-141-0x0000000000740000-0x0000000001E89000-memory.dmp

Filesize
23.3MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads