1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Analysis

max time kernel
599s
max time network
552s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
30-06-2024 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

7^/10

Malware Config

Signatures

Unexpected DNS network traffic destination 8 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk.exe

pid process

1796 AnyDesk.exe
1796 AnyDesk.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid process

832 AnyDesk.exe
832 AnyDesk.exe
832 AnyDesk.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid process

832 AnyDesk.exe
832 AnyDesk.exe
832 AnyDesk.exe

pid	process
1796	AnyDesk.exe
1796	AnyDesk.exe

pid	process
832	AnyDesk.exe
832	AnyDesk.exe
832	AnyDesk.exe

pid	process
832	AnyDesk.exe
832	AnyDesk.exe
832	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AnyDesk.exe

description	pid	process	target process
PID 1412 wrote to memory of 1796	1412	AnyDesk.exe	AnyDesk.exe
PID 1412 wrote to memory of 1796	1412	AnyDesk.exe	AnyDesk.exe
PID 1412 wrote to memory of 1796	1412	AnyDesk.exe	AnyDesk.exe
PID 1412 wrote to memory of 832	1412	AnyDesk.exe	AnyDesk.exe
PID 1412 wrote to memory of 832	1412	AnyDesk.exe	AnyDesk.exe
PID 1412 wrote to memory of 832	1412	AnyDesk.exe	AnyDesk.exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1796
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
576c89d18852f4f47606e52c96d540f9

SHA1
a4cb0b87593e04b3303be21bcf58ba398f02b5b7

SHA256
e453097c97cbf5ec3145311619b71d372748a3f5f72ee42f4b469a71fdb9e25c

SHA512
f2aca6308d4a4b32860364864a5aaf5e56fe928c8384b45b4463d3c5240f07d69cfb12d49c2b899ed40b529bd3cb5a4c8e04720678e3f2e15b7a4bd20083f965

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
63c11971ca91fdf0ead418a7a99b9337

SHA1
e2815cc3e7030f1d21e69a0b9cbb808cb403787b

SHA256
0aace585eed77af7e1b42e0e1ef78819ad1c985d4d73513aeb0d18f0cb69704a

SHA512
2557935828bbb93aae8a71c7ec953b179d1d613468b4dd84878ec616e81d44a3e1d5d1606c6c5a861e8c89ed6df157946118d06a9b6b2c9b3ad8492961afead7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
2684150ec03e92b22de6506c1a69c947

SHA1
2510b02758d969ba8c169b877c6613314d483502

SHA256
9d32e617b96ae487c8ffbc6bebc9a7db6d64dea6c60da8edbf028f686a97bb18

SHA512
5200839ca06799ecab159288e4ccb0b353c7b759b6980b9564a913395caec43823842d16c0caeee5684aa42c08d7f86f471dd5ef1d182125ba7493a805510bee

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
b1d899e5db31ca83fedc49e7783882b9

SHA1
bc9a288e439d8042ba968c3f361559d06d31c866

SHA256
d32a509f54586309b67f76a13a7c8195f5ec23e0e38527e3341d6356c8b53391

SHA512
4d33821e898d40cd879e971c6d96f532959d85037e680a5f91a9420495241be822b068f47a84fcfdd8ca5ca28de31c716a98ee997f55fc637848f95b0a7331d1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
c9cdbbbbe184f2f0a56e18541fddde5f

SHA1
6137074d3c368ef524954b75eb253663bc96df36

SHA256
6dcc53cb7097669b0146d558f6ea1c34ac0f0fdbb4cda2beb6787e4e5065c5a3

SHA512
fe1ecd18e93d165828e7595846fbd9f279c4930afb878fac6a5fbfc23f66a08773f77da4f332f1b548970cf389927bdfbdba312b8038babf682af18a1c3147f0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f43d40a2fa82e1f77bf19b4da255ef9c

SHA1
c1715dc898bbaf9a54a1a93b59e0738d52303241

SHA256
c97d5554af66a5aff6c683ea5afb35a3a73f278c6466b9962634f942b4237ca3

SHA512
930a4078b534af898653dce039951a090ad64ce4eda4ec78f33afb8a19d499953bdb848d24464a33f6f8c84e67afccbf43a33aeefff1fb8a952cefca87e8d77f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
db7aa7dc0e19fe4f81434215a730ae67

SHA1
fa96543cd8d9bea4f06409eef8dc3c8f51fc0ba5

SHA256
745f81945a05b76795bd74ba0c393d29e16f040c50603143f7e73ddc09872e96

SHA512
474d9df4a83a33b5b10f3d66b6fc1fa7f88353d4100c20ad11a874a32d33bb3684977c72af766a671f7b1f7f9d92c56d7ec154b4a6f29236bebba95c685f91dd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
7d1b66f6ed5649ac1149915c2fb3d2cf

SHA1
e2ea29b4e66981e89630a26365ad2d28b2f13ea4

SHA256
49eee6e12e9c952e4e47e186535d62184cad60a117eb776e56c66f9ce3d589c5

SHA512
f49c2a827942a1bd744e892b319f026d00d935abda1899151de6a0fcd6a69c65aecb4c641ba8b561d51210b08ff03780128d57e8772e969803fb83570763c881

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
28dc818c06f1814bb8a60b07213b8b5b

SHA1
c16fb99d6907ade31ad8a8665c55a1db0751c459

SHA256
d90574e1ce8549b71a665f20d89ceacbc0843be99a94bdbab67beaac2c79e213

SHA512
1bc83f1ab7fd3b01e9b685bc943ab241db0cd041439cd9218a11ccdcadf22ef08da837b504f2dc5c31016883c8d57f7bb60da49dc809e921b6ab56aa7d0740f1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1bd2f7cbf3c702399f351c505c5d67f0

SHA1
0532d13b4e4e538d0d7a7fee14d8c18218bebad0

SHA256
f1669d23ed3cd47032ad4b44525d0faaccd5b8707298d45ce49503733deebac1

SHA512
62101d54c6ccb8757d860753620e52ea6ec80ccffbab40b0dd3ba0b3803494bf59492e7608a4275b18a49cb2239108c0ddec7623144c0dfe4bf8fa5804cca98f

Download Submit
memory/832-80-0x0000000000460000-0x0000000001BA9000-memory.dmp

Filesize
23.3MB

Download
memory/832-10-0x0000000000460000-0x0000000001BA9000-memory.dmp

Filesize
23.3MB

Download
memory/832-356-0x0000000000460000-0x0000000001BA9000-memory.dmp

Filesize
23.3MB

Download
memory/832-202-0x0000000000460000-0x0000000001BA9000-memory.dmp

Filesize
23.3MB

Download
memory/1412-0-0x0000000000460000-0x0000000001BA9000-memory.dmp

Filesize
23.3MB

Download
memory/1412-78-0x0000000000460000-0x0000000001BA9000-memory.dmp

Filesize
23.3MB

Download
memory/1412-2-0x0000000000464000-0x000000000169A000-memory.dmp

Filesize
18.2MB

Download
memory/1412-7-0x0000000000460000-0x0000000001BA9000-memory.dmp

Filesize
23.3MB

Download
memory/1412-90-0x0000000000464000-0x000000000169A000-memory.dmp

Filesize
18.2MB

Download
memory/1412-147-0x0000000000460000-0x0000000001BA9000-memory.dmp

Filesize
23.3MB

Download
memory/1796-127-0x0000000000460000-0x0000000001BA9000-memory.dmp

Filesize
23.3MB

Download
memory/1796-215-0x0000000000460000-0x0000000001BA9000-memory.dmp

Filesize
23.3MB

Download
memory/1796-96-0x0000000000460000-0x0000000001BA9000-memory.dmp

Filesize
23.3MB

Download
memory/1796-148-0x0000000000460000-0x0000000001BA9000-memory.dmp

Filesize
23.3MB

Download
memory/1796-201-0x0000000000460000-0x0000000001BA9000-memory.dmp

Filesize
23.3MB

Download
memory/1796-88-0x0000000000460000-0x0000000001BA9000-memory.dmp

Filesize
23.3MB

Download
memory/1796-208-0x0000000000460000-0x0000000001BA9000-memory.dmp

Filesize
23.3MB

Download
memory/1796-12-0x0000000000460000-0x0000000001BA9000-memory.dmp

Filesize
23.3MB

Download
memory/1796-236-0x0000000000460000-0x0000000001BA9000-memory.dmp

Filesize
23.3MB

Download
memory/1796-79-0x0000000000460000-0x0000000001BA9000-memory.dmp

Filesize
23.3MB

Download
memory/1796-355-0x0000000000460000-0x0000000001BA9000-memory.dmp

Filesize
23.3MB

Download
memory/1796-358-0x0000000000460000-0x0000000001BA9000-memory.dmp

Filesize
23.3MB

Download
memory/1796-369-0x0000000000460000-0x0000000001BA9000-memory.dmp

Filesize
23.3MB

Download
memory/1796-382-0x0000000000460000-0x0000000001BA9000-memory.dmp

Filesize
23.3MB

Download