1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Resubmissions

29-06-2024 16:56

240629-vfpbls1frh 8

29-06-2024 16:55

240629-vfbqhsvbpl 3

29-06-2024 16:54

240629-ve2wbavbnr 3

29-06-2024 16:54

240629-vesmmsvbnn 3

Analysis

max time kernel
1791s
max time network
1798s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
29-06-2024 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk.exe

pid process

4804 AnyDesk.exe
4804 AnyDesk.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid process

4512 AnyDesk.exe
4512 AnyDesk.exe
4512 AnyDesk.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid process

4512 AnyDesk.exe
4512 AnyDesk.exe
4512 AnyDesk.exe

pid	process
4804	AnyDesk.exe
4804	AnyDesk.exe

pid	process
4512	AnyDesk.exe
4512	AnyDesk.exe
4512	AnyDesk.exe

pid	process
4512	AnyDesk.exe
4512	AnyDesk.exe
4512	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AnyDesk.exe

description	pid	process	target process
PID 3756 wrote to memory of 4804	3756	AnyDesk.exe	AnyDesk.exe
PID 3756 wrote to memory of 4804	3756	AnyDesk.exe	AnyDesk.exe
PID 3756 wrote to memory of 4804	3756	AnyDesk.exe	AnyDesk.exe
PID 3756 wrote to memory of 4512	3756	AnyDesk.exe	AnyDesk.exe
PID 3756 wrote to memory of 4512	3756	AnyDesk.exe	AnyDesk.exe
PID 3756 wrote to memory of 4512	3756	AnyDesk.exe	AnyDesk.exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4804
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
4KB

MD5
d756ff8b21c61f379a41477b67935841

SHA1
966e2c249a8e521fc37cdaac2b2a00cb61025a74

SHA256
aee982360a2ca2081c29787b5300219d831892f7d2c6bad50d161b072bb1300d

SHA512
50a6c7891ef3ab7c730a9d6d93f5c3fcbdc56f7500e8da584fe90e0343876831e81ed5e7d91d46e33dd2a541f7e10e85f35c62446f2c1f60f18ae23cb7799c38

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
e27c277c02eeae31798b5f3f540d8c98

SHA1
d02c6b50a843307d352e4b4dc9d7765a4dbbce88

SHA256
5b1d5d91bc5f1f395eab0ca701073b37d67dad2acee97d8c74c7630dea126113

SHA512
fb3d1232f010faa8e2ac82a04005351e266eeb5df54834b8271c15099e680cd1970c31ff6c03311a8a6b34372a4c655c00825db12f8118c51c3ac2d5c96527de

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
ffa18b8b2f400dbd445085847574d317

SHA1
d32bada03aa36e975d6f4b6ec13c35b9205eb62e

SHA256
80fde6b93922a396109301d2fc5873a709949c10bab9a163855d13442e278344

SHA512
985141e2f5d9161c414188e6f9b6ff39f9f274767dfcce0b2319d64a3c04608ae5baa1752d429dcc59993559fc3ee79979eed66c2d6d64cd4e8d31928e1d19d3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
9c0aa95ba6fe2f9a3065662ac5630bca

SHA1
420bfbd7a8f41e9e29b802bfed42b3ac9ac35348

SHA256
87483ed6518e53ff6f005298f402442a81a43201d16841351a556c95e13d3e94

SHA512
f48932c7fa68ad20eebaaacc6183a184a6ccab5ca8d6620546d99ce1bc9515ec4f9dd5d1597dcb40344312c866423b01ca29748f23dab46759abf5d10a326a17

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
700B

MD5
c3f7d9987f56f9f95322644c60ad0e33

SHA1
ba544c493fa472a4ad109e7c9ceefb18d6bf651e

SHA256
024c8e25a440af83585ff6cf1ff326856752375d1c6b14043e46e509881a7408

SHA512
65e2ec03393f97a39f8532007588796e1a37805a2ec9fcfe0969e17eee5040d2ff691396db3a9badb4937660269ab253469fecf28cf397844d9a241824282d56

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
c3ef854261ff611029bbea99f49677f8

SHA1
327b1c7c0d9a7c34463c04799f6fec03f5474049

SHA256
27f3813b0393bff476a45e4560d489eb62252d26caff02d4c7791a080a59f08b

SHA512
d69fb1473f2e69d4391df627b01454e341362cb21e514b743da78edcf641e1a2af2122fb6a00f9180e882ef45cadc8a655daff8a26e96109291baeebe05264e5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
612eaddd7a81e248074e276095535da5

SHA1
dd60723e652c15824ace4e3c40496721776c7a0e

SHA256
d354fd9ffa9bebcca3c021cdf561c1736c3d6fd42245434a3664f5050f51657c

SHA512
5c5b30270635c018b6d1748c131ba401748c168ef3fc2c595e392ab89f6fcb58e47d1dd85243a66d1b343ca9a8eb4c63b649a4f9bad08399f381f95889b0a258

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
ec0b9ea2b993f5eef4dc9ad9c8ca275e

SHA1
bc203209bc0cb0e11416c684626302d78b2e9e71

SHA256
195d77cbd538cd7eef3eebdc4a40d51ca332749ca2ff471ea994ab6593f938ea

SHA512
9bef57d6fadf1342e8d2b419495fff45c4e013edc8dce888f10efeaee35d16d307f64902007d1a68c96568d6efb0bae7bb4d31fb35509c899b5c76a50d136b73

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
9bd448e7ef0891683a9e3e90d8bb67e1

SHA1
b8233e5f109ba42c22094174b7b074615c2ee6ec

SHA256
a7fde54a6538fd5deee11915f66f9097b5c1cfa7ec14e9823301f25e7467e77f

SHA512
b9c5f625dd9f28b727893b590543ced48527dc5903cb2d74f8b5f95eebcf7674a43813710c5f2595e81ec9c7a379ecfec05c7d99d0be432c72f31fedea70a022

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
72d0710d7b9779f2de427aeafa2d179d

SHA1
0a413e403e8acf0729062e76b43af4a9d98b4873

SHA256
ae1162262159f01e41f9db29543e8768dfcd2d02c4a692f4f6f83fa505f0e0d2

SHA512
1bd90b3ef6c9e1e6f348e67cbf432cb785aeb4b7425fd8cbd52ba0c47f8bbac429d37b77b2a3347a0e656edb1a661a72e80d2e14c36c7fdf034a89830a2c24dd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
af673871bc3517dd5f1ea421e9d42b57

SHA1
3173a3e5650e397e991cf234a3322e55e4cb60b4

SHA256
0cb98a726343604f500bebdcdead0c4f2882949865274d1a762cce329505e3a8

SHA512
2fd0520b00855fbba53d85756849432342cdfcf556a03eb86cea1d1ffe9fba799b6dbde5cd016120dd8993dcc7bce9be415329d495da22c3341bfc8fc6e6baba

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
73506a4fc17c56b17f76a4d3c2fb8679

SHA1
beeb98e88d1926036124369a1d965665e45cb332

SHA256
2b6009bc53f1f699b8c8ed7c89e5931911241f150a80eb4a80df6011b72785cc

SHA512
6fb42f122143d4243b6f807b9524ef72a8f0ecb124f82f4959896d5c039c4244721122fa732e9a6b86ff5b76231ece8e573420d5342bec858405088d2550ae28

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
7eeeeed0597bf554d110483068d8d3aa

SHA1
190d6e77b7a0454c265d9468ee547b8eacdefee2

SHA256
53ebcf95e2a13464cee18b109524a5693d9eb9f57706634024de8fdaf2bf8c09

SHA512
38f299f80ddbaf175ba6e3515a28315e1c2ade23b3ccb79428e6ba59db23ad1ea96249144b7199bbad0d27303f089cf300eda8798eb2415c64ad2cd3ed5dec85

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
52329b646194359ba0eb921fc9f2b2f2

SHA1
acb6c1d68d3a4c8db6875ae73c3e4c6c53d91be7

SHA256
cf54a51db73e64d45e7e183f6596e5caa1a7e11755b9615e73096adf0f5f46ec

SHA512
820750e55f5b48eca49ca2c126c3f08145b331ccf345b7129cb38952411025e7be0b10da60138f07b0802b3d97d8df282e2ea8e5d7fafdbf65ae91e68e3e9491

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
adfe4b24bf8de9a47f9833b42af261cf

SHA1
63c934172d0740dfa8f53d2b27026852014069d7

SHA256
e18b80dddb5e5588a06cc777f3478be1a3b7965f70ab27de21a141628436789c

SHA512
46581401c1fd79c126e69fd20b5a6bb9e58226ecc5b16b1a0bfa96554ba852d63a5d7be04689e1b81095b66e1c29f6332975bbac2bdc319e3d82710baef31698

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
de68b189c8cdfafa494b5cd3e299e3e2

SHA1
4e24ab984f2805318cd6373df63b3a07d1258d47

SHA256
33076d7e321c511d457604cdb445844ff32cecb4b0b8f526b6b01aaca92b4548

SHA512
58e0eac343d7c3b68c60587fff3aa2d229f3a8be2ddae30578692402dcd0b0ce01094bac7d7fce4bd176b00800def0f9b0fd3002574d4100aa9e21decd48820c

Download Submit
memory/3756-7-0x0000000000380000-0x0000000001AC9000-memory.dmp

Filesize
23.3MB

Download
memory/3756-214-0x0000000000384000-0x00000000015BA000-memory.dmp

Filesize
18.2MB

Download
memory/3756-211-0x0000000000380000-0x0000000001AC9000-memory.dmp

Filesize
23.3MB

Download
memory/3756-2-0x0000000000384000-0x00000000015BA000-memory.dmp

Filesize
18.2MB

Download
memory/3756-107-0x0000000000380000-0x0000000001AC9000-memory.dmp

Filesize
23.3MB

Download
memory/3756-0-0x0000000000380000-0x0000000001AC9000-memory.dmp

Filesize
23.3MB

Download
memory/4512-109-0x0000000000380000-0x0000000001AC9000-memory.dmp

Filesize
23.3MB

Download
memory/4512-12-0x0000000000380000-0x0000000001AC9000-memory.dmp

Filesize
23.3MB

Download
memory/4512-213-0x0000000000380000-0x0000000001AC9000-memory.dmp

Filesize
23.3MB

Download
memory/4804-10-0x0000000000380000-0x0000000001AC9000-memory.dmp

Filesize
23.3MB

Download
memory/4804-108-0x0000000000380000-0x0000000001AC9000-memory.dmp

Filesize
23.3MB

Download
memory/4804-212-0x0000000000380000-0x0000000001AC9000-memory.dmp

Filesize
23.3MB

Download
memory/4804-249-0x0000000000380000-0x0000000001AC9000-memory.dmp

Filesize
23.3MB

Download
memory/4804-258-0x0000000000380000-0x0000000001AC9000-memory.dmp

Filesize
23.3MB

Download