1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Analysis

max time kernel
599s
max time network
567s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

7^/10

Malware Config

Signatures

Unexpected DNS network traffic destination 7 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

AnyDesk.exe

pid process

2336 AnyDesk.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid process

2616 AnyDesk.exe
2616 AnyDesk.exe
2616 AnyDesk.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid process

2616 AnyDesk.exe
2616 AnyDesk.exe
2616 AnyDesk.exe

pid	process
2336	AnyDesk.exe

pid	process
2616	AnyDesk.exe
2616	AnyDesk.exe
2616	AnyDesk.exe

pid	process
2616	AnyDesk.exe
2616	AnyDesk.exe
2616	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AnyDesk.exe

description	pid	process	target process
PID 2056 wrote to memory of 2336	2056	AnyDesk.exe	AnyDesk.exe
PID 2056 wrote to memory of 2336	2056	AnyDesk.exe	AnyDesk.exe
PID 2056 wrote to memory of 2336	2056	AnyDesk.exe	AnyDesk.exe
PID 2056 wrote to memory of 2336	2056	AnyDesk.exe	AnyDesk.exe
PID 2056 wrote to memory of 2616	2056	AnyDesk.exe	AnyDesk.exe
PID 2056 wrote to memory of 2616	2056	AnyDesk.exe	AnyDesk.exe
PID 2056 wrote to memory of 2616	2056	AnyDesk.exe	AnyDesk.exe
PID 2056 wrote to memory of 2616	2056	AnyDesk.exe	AnyDesk.exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2336
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
97abe34427d97e7359f7e625eb51a96d

SHA1
9033fb3ea7b71eaa5da5769a86bd342d59e69dc1

SHA256
c2628d90143c5a872af1d6a394f2ca5632bb67d80f8e649255ccc7203aa9e66d

SHA512
7e82389694422ef96d102c223a705ae1b19e73e40a7752487a1419fb4a482f7c09e5cedc430e19ce5fe4a2f0fef772cf5d8460f415912248b08ae619233fecd4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
0d3d7231549b24d411f6d707bc4099c3

SHA1
bce037e655db9d1a3828d094ce1d97ad82e898dd

SHA256
6fb1e5276ad4bb3e5b40d9a7d2e8206271e602ba4e31451cf2cf0f9a0fdcad68

SHA512
7cebe422b60501451da31f3a472de1e4a315ef7e33baf24e759876163f724bc0e7d313c4b82984e706f913e42a9434c381fe3fcd3b695cd0c760f09629281299

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
6bba9ef030e2e05709b381121becd3ea

SHA1
655c611ccebf5dd1a667d3cd896e4d7eb755e36d

SHA256
8123975907f5be2f400ae32e208d04675ba26e3b6c046bdaaaafe10c9409729b

SHA512
3e0ee016d84b2afb7967bb1fb5d6b8fa064953d281c4f4e6deb2d519af5989fb1cfd147eb1223e9ebed9b7f576f78f560963cdb886a50ec4f8fae4d8ea6de87a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
f31259444510591f370c6c355f3fe4ee

SHA1
f70ee308f13efe2be04aebd49fcb6c4886441e9f

SHA256
c5a9eaca196fcf4cf6122260a5b205bd22955c950ed5272125f8df34a4bc57ee

SHA512
41e8c8e049c1479f6827a253f8ec24370dca1b2f989416cea173c26db7bdd5365b48f67a8ecae3161c41c6b708534ee2838a48ee5ddf1106321d4930d983d1fa

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
f20d15cc8785600a593fc242a37b3cd9

SHA1
5952db6bc50b4ad10add4111e78a8f608381ac67

SHA256
2add385756d519926e902d797a105acb1c69e9b72556409b60e68d18ce614314

SHA512
b8ef59b775f96eca02b740cd47d98784d5c4850c310d50054fa1efbf04a1cd9c7675d203229455a598c5b50982834ddc5a535f4c63200852c5249782f0afed6b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0e4cd882208761bf510bdb676b442f11

SHA1
2405a2f21e867511620ebd923c14f3fdaf2b339c

SHA256
eeae161011cf94c5ff95ad92126969c0c63f1e1f997dcf533f16aaec72785234

SHA512
f68e4bcf0aaf09d2148823c708053abba016849a7288f13481d939130fc13d6da43ef9fe3a4a90fec22078c568ac7417a969322d64a23659b4c07d76475b815a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1879d49b705beb6d09dc4d3e9afca7fd

SHA1
0fa0a380385754c9278853e5aa44b1940e959f56

SHA256
8b6659e2d7f2b94bfd1d942ccd0bcbd659072b845cfc452131d2e3b1f5968d9d

SHA512
fb6e128c87b72f596e6d9e8b86b2ab84a56af9b5e6204f694eb413c04a8a9922d6e9847ffbb2b3dc1232604c213916ac79b6da3a4208c691656898b7834d15f1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
4a197ecfb215936f6cabbc2f6f5fb9d4

SHA1
58db64ba0f9d1cfeb61319c54987ffdedd78a265

SHA256
a53d0f110d46f4743b041b54274565c1dc3fff1e9e810ca0759d02381b870847

SHA512
ce0acb44474fc9955c27b32eb17af8bdde820ee3db848d9ab475e439d89aaaa29417d667828ba894ce19c545bc37af8d59040152b31925369e223bcfaf6b98ea

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
8112c18f148dfc96b57b7ecefb3bce76

SHA1
07583c0703237a3abe7e3c67a8ddd1935acdca6c

SHA256
1fa1f941a580be4cffd56dd5121e3e91ff28d92a641aac9484ee053425e00c9b

SHA512
99490422bb0e5e958cea6463bc5653276b655af2d82c8ac54bcd40a970c466b3838b3301c708ce46d82dfb5b60299b6e45e0da73790d3efd0a1bf63038a33e18

Download Submit
memory/2056-2-0x0000000000944000-0x0000000001B7A000-memory.dmp

Filesize
18.2MB

Download
memory/2056-127-0x0000000000940000-0x0000000002089000-memory.dmp

Filesize
23.3MB

Download
memory/2056-0-0x0000000000940000-0x0000000002089000-memory.dmp

Filesize
23.3MB

Download
memory/2056-7-0x0000000000940000-0x0000000002089000-memory.dmp

Filesize
23.3MB

Download
memory/2056-95-0x0000000000940000-0x0000000002089000-memory.dmp

Filesize
23.3MB

Download
memory/2056-107-0x0000000000944000-0x0000000001B7A000-memory.dmp

Filesize
18.2MB

Download
memory/2336-96-0x0000000000940000-0x0000000002089000-memory.dmp

Filesize
23.3MB

Download
memory/2336-162-0x0000000000940000-0x0000000002089000-memory.dmp

Filesize
23.3MB

Download
memory/2336-103-0x0000000000940000-0x0000000002089000-memory.dmp

Filesize
23.3MB

Download
memory/2336-109-0x0000000000940000-0x0000000002089000-memory.dmp

Filesize
23.3MB

Download
memory/2336-116-0x0000000000940000-0x0000000002089000-memory.dmp

Filesize
23.3MB

Download
memory/2336-10-0x0000000000940000-0x0000000002089000-memory.dmp

Filesize
23.3MB

Download
memory/2336-348-0x0000000000940000-0x0000000002089000-memory.dmp

Filesize
23.3MB

Download
memory/2336-145-0x0000000000940000-0x0000000002089000-memory.dmp

Filesize
23.3MB

Download
memory/2336-159-0x0000000000940000-0x0000000002089000-memory.dmp

Filesize
23.3MB

Download
memory/2336-258-0x0000000000940000-0x0000000002089000-memory.dmp

Filesize
23.3MB

Download
memory/2336-169-0x0000000000940000-0x0000000002089000-memory.dmp

Filesize
23.3MB

Download
memory/2336-186-0x0000000000940000-0x0000000002089000-memory.dmp

Filesize
23.3MB

Download
memory/2336-221-0x0000000000940000-0x0000000002089000-memory.dmp

Filesize
23.3MB

Download
memory/2336-239-0x0000000000940000-0x0000000002089000-memory.dmp

Filesize
23.3MB

Download
memory/2336-232-0x0000000000940000-0x0000000002089000-memory.dmp

Filesize
23.3MB

Download
memory/2616-226-0x0000000000940000-0x0000000002089000-memory.dmp

Filesize
23.3MB

Download
memory/2616-222-0x0000000000940000-0x0000000002089000-memory.dmp

Filesize
23.3MB

Download
memory/2616-97-0x0000000000940000-0x0000000002089000-memory.dmp

Filesize
23.3MB

Download
memory/2616-12-0x0000000000940000-0x0000000002089000-memory.dmp

Filesize
23.3MB

Download