1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Resubmissions

30-06-2024 10:18

240630-mb6fbszbjk 7

30-06-2024 10:18

240630-mb16lszbjj 3

Analysis

max time kernel
1800s
max time network
1767s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
30-06-2024 10:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

7^/10

Malware Config

Signatures

Unexpected DNS network traffic destination 22 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk.exe

pid process

3708 AnyDesk.exe
3708 AnyDesk.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid process

3560 AnyDesk.exe
3560 AnyDesk.exe
3560 AnyDesk.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid process

3560 AnyDesk.exe
3560 AnyDesk.exe
3560 AnyDesk.exe

pid	process
3708	AnyDesk.exe
3708	AnyDesk.exe

pid	process
3560	AnyDesk.exe
3560	AnyDesk.exe
3560	AnyDesk.exe

pid	process
3560	AnyDesk.exe
3560	AnyDesk.exe
3560	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AnyDesk.exe

description	pid	process	target process
PID 1216 wrote to memory of 3708	1216	AnyDesk.exe	AnyDesk.exe
PID 1216 wrote to memory of 3708	1216	AnyDesk.exe	AnyDesk.exe
PID 1216 wrote to memory of 3708	1216	AnyDesk.exe	AnyDesk.exe
PID 1216 wrote to memory of 3560	1216	AnyDesk.exe	AnyDesk.exe
PID 1216 wrote to memory of 3560	1216	AnyDesk.exe	AnyDesk.exe
PID 1216 wrote to memory of 3560	1216	AnyDesk.exe	AnyDesk.exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1216

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3708

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
7KB

MD5
3d9a3a3fe14942cf3773bb982186bbec

SHA1
88cb9e5450538834dde697b606d2d49d97c256b7

SHA256
03e809e2273bf165d036f7a3df095221e485e46eb9d27d9d2d3e6c4f3430e5f6

SHA512
1c0e27c08ce347a26235dec67565dcd7c446e2fdada16fb0f5e6e0e983f6080bce3c13c5ccbd7532637376b9b48a17f09b9002412378361c13e93c84c663cdd4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
9KB

MD5
a6b6c5b8d88995b02a9f14dca1a0a433

SHA1
b3b9856cdbf3be0768c882101136ebbd2843b428

SHA256
90c30be98716f34421d4d615b64b4a9e2ad277d177e1fbe6c89cada4130d305e

SHA512
bb3956962f0099a68b5b5a0639abb8a0bdeacf6da1e762e37644c0e8a57ca951876b88382864e682c2abe604c3ff790aae816d031c078b3f3ed4713d3a8ee1a6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf
Filesize
2KB

MD5
4c036bf96deb9e0d2883e3e542abbe9e

SHA1
134232ccc701c2ff8add33fa5519793323ce90c5

SHA256
9303f003250868b2cae09c8a919096a66bb6beab857d8ff161d09dd10d641587

SHA512
ac485df2226a9e3a60c724d6bb849dbf75bd18b63e0c8231feecdc920ea43b19390591c55fe9390bb30b78ee7f55dcd3fe923e9cc7e85c821c194e947d9f7516

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
424B

MD5
9abfa98c54bfdda044c7a8438426ab17

SHA1
19cce4f63101ffe76993b9b2d5ae7e8e88c5b2c1

SHA256
23cfe9762b7c275312c8d65918960a97e90d24440205e5be278089854b5564ea

SHA512
553f6e388ca114fab24de111c5ca9e8966923a999c8e95218ea867b32e4f93588497b5b26e74ea155256281651152d3bd81d7a5b6f5b988e2132264147931459

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
424B

MD5
c9755c607f67abb352e843dbaad6744f

SHA1
25abde83fac66747743b98dd4d4e6c3579980649

SHA256
be7ea2359d2f20aa8f0d5a1ef35ed6aa38523102ebe79511a4501a7302aa8657

SHA512
bd7b17c8e85de0de742ad54af1c0738fefee7ddf2727e64de08d43c3ed8779d6132904d61959750221c080c44ef2f96f14dfc5f176b5c999d33e1d9c73e2de4d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
ccd285dcc8c3a16983d9238bbf16bbff

SHA1
cf7f6797a4b6d099f6a09f959a6c9dbe492b71e5

SHA256
b889b9d3de551161dbdc5b27e0511086aba31f2c13ea63548e93734236b0b42b

SHA512
3a905303df2b83b723e162e088e1ae6194696a5dd64d96e408a4c81493c68b7465a23caa6b40b315c1b2420b6ffa139ba59e0652d762e7515c019b6d2af9df4c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
0eca68a3db9817816b24de7ceface820

SHA1
b8b864fe068de2662a850e07c42fe7dd29a4f5bc

SHA256
d3ac7abf66d62cd4743731f8a9596ddbfd5dc4e4198502af663beaad63763236

SHA512
9ab2454161b9e90e251bb328d199c2d5dcbe47b08e85f9b237b55230dd9dd0976789437e9b50810bf38dbb520d168e3676a6b51a1bebebbfd31195bd6336432d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
432bc30e1c1b3c49d6e31d6935fb07cf

SHA1
0742e564a7fd705775f754648f93e85edb1d79ca

SHA256
cd5ccae0f13ef14d38c5bc26b4bb0f43351d16ff7e04ea4e559a9c2f1ac3b4d9

SHA512
427c262205f97d240f30d29f1c8c90625915013197efd54ceb6ba8731de4b7f8dea01ffd07b07d43fcda6392a201551cadd94f306392a0f6dacf936436e1573b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
aec885498b9eed3e82588ea0d3ed49b1

SHA1
5fae2ea8fa6f8620490d3a027e4c2feb8de4ef45

SHA256
fc32153b9fcc49aae14a1cd47f289ead3cc2d7769950b87590e8669835735fef

SHA512
6611284109a78fb246f6665341f021420d4de81985aa72553bec93c115669bcdcc23e583561c5f0c23c05604286f0b6b9c13d26b91c957d3fd2563e4be62d829

Download Submit
memory/1216-145-0x00000000006A0000-0x0000000001DE9000-memory.dmp

Filesize
23.3MB

Download
memory/1216-7-0x00000000006A0000-0x0000000001DE9000-memory.dmp

Filesize
23.3MB

Download
memory/1216-78-0x00000000006A0000-0x0000000001DE9000-memory.dmp

Filesize
23.3MB

Download
memory/1216-0-0x00000000006A0000-0x0000000001DE9000-memory.dmp

Filesize
23.3MB

Download
memory/1216-2-0x00000000006A4000-0x00000000018DA000-memory.dmp

Filesize
18.2MB

Download
memory/1216-90-0x00000000006A4000-0x00000000018DA000-memory.dmp

Filesize
18.2MB

Download
memory/3560-198-0x00000000006A0000-0x0000000001DE9000-memory.dmp

Filesize
23.3MB

Download
memory/3560-80-0x00000000006A0000-0x0000000001DE9000-memory.dmp

Filesize
23.3MB

Download
memory/3560-327-0x00000000006A0000-0x0000000001DE9000-memory.dmp

Filesize
23.3MB

Download
memory/3560-11-0x00000000006A0000-0x0000000001DE9000-memory.dmp

Filesize
23.3MB

Download
memory/3708-333-0x00000000006A0000-0x0000000001DE9000-memory.dmp

Filesize
23.3MB

Download
memory/3708-211-0x00000000006A0000-0x0000000001DE9000-memory.dmp

Filesize
23.3MB

Download
memory/3708-359-0x00000000006A0000-0x0000000001DE9000-memory.dmp

Filesize
23.3MB

Download
memory/3708-146-0x00000000006A0000-0x0000000001DE9000-memory.dmp

Filesize
23.3MB

Download
memory/3708-92-0x00000000006A0000-0x0000000001DE9000-memory.dmp

Filesize
23.3MB

Download
memory/3708-197-0x00000000006A0000-0x0000000001DE9000-memory.dmp

Filesize
23.3MB

Download
memory/3708-204-0x00000000006A0000-0x0000000001DE9000-memory.dmp

Filesize
23.3MB

Download
memory/3708-12-0x00000000006A0000-0x0000000001DE9000-memory.dmp

Filesize
23.3MB

Download
memory/3708-236-0x00000000006A0000-0x0000000001DE9000-memory.dmp

Filesize
23.3MB

Download
memory/3708-326-0x00000000006A0000-0x0000000001DE9000-memory.dmp

Filesize
23.3MB

Download
memory/3708-88-0x00000000006A0000-0x0000000001DE9000-memory.dmp

Filesize
23.3MB

Download
memory/3708-127-0x00000000006A0000-0x0000000001DE9000-memory.dmp

Filesize
23.3MB

Download
memory/3708-340-0x00000000006A0000-0x0000000001DE9000-memory.dmp

Filesize
23.3MB

Download
memory/3708-79-0x00000000006A0000-0x0000000001DE9000-memory.dmp

Filesize
23.3MB

Download