1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Resubmissions

30-06-2024 12:15

240630-pey7ja1cjk 1

30-06-2024 12:14

240630-peb21a1brn 1

30-06-2024 12:13

240630-pdwd9axfjf 7

Analysis

max time kernel
2699s
max time network
2689s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
30-06-2024 12:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

7^/10

Malware Config

Signatures

Unexpected DNS network traffic destination 32 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk.exe

pid process

3940 AnyDesk.exe
3940 AnyDesk.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid process

1696 AnyDesk.exe
1696 AnyDesk.exe
1696 AnyDesk.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid process

1696 AnyDesk.exe
1696 AnyDesk.exe
1696 AnyDesk.exe

pid	process
3940	AnyDesk.exe
3940	AnyDesk.exe

pid	process
1696	AnyDesk.exe
1696	AnyDesk.exe
1696	AnyDesk.exe

pid	process
1696	AnyDesk.exe
1696	AnyDesk.exe
1696	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AnyDesk.exe

description	pid	process	target process
PID 2492 wrote to memory of 3940	2492	AnyDesk.exe	AnyDesk.exe
PID 2492 wrote to memory of 3940	2492	AnyDesk.exe	AnyDesk.exe
PID 2492 wrote to memory of 3940	2492	AnyDesk.exe	AnyDesk.exe
PID 2492 wrote to memory of 1696	2492	AnyDesk.exe	AnyDesk.exe
PID 2492 wrote to memory of 1696	2492	AnyDesk.exe	AnyDesk.exe
PID 2492 wrote to memory of 1696	2492	AnyDesk.exe	AnyDesk.exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3940
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
338c43403ae93dcbdbc341657fffde29

SHA1
0362d839666698d2953d8fab3d3eaeae84f5e04f

SHA256
e920a447840f784b468b1d7c514f8f6860538138d5f6211ac3c551c5eb18c48c

SHA512
5c97d22892d2a12dccdd83aa468fda714e9aea6ffdd04d44e838f1ffcc6f9a01ba59f2ac30e19fb7ee533caa1d66361766984055c9ad3c5818a12e564225db4f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
ac9a20e003190fc03dac7171ce63ec07

SHA1
6f338b15c7d493e5cdf4b695df23b7f53ecf6b7b

SHA256
58c18f214ed4fe7e7a440d2f5f67d1f8ce5f2d3cb661cce0c95ce06d163009de

SHA512
7957c7c9015d2fdfbffa50c3ab95026b371f8df55875d18f0928d4e8fefb981ca5f39825ed595e01a5d77676d1f4472ffa26892f7c97cd43f1a906677bd51a2a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
e2928de8f3a4930ef78544f0783b4bec

SHA1
1e1f7b469534cc9a9af42b9425daec65fdbd5547

SHA256
2d353471bd13f5b3b7d6e78295451d8c0490c4045c2bf812d0390a64ded53992

SHA512
76cb87cd17982e28be9bd35670e611ca698dc93ecb6204c4d92514736467793be95775b5cef6ea78d68332caba0be89d28509e0063d9622f6aea36a41255ce63

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
89d634c9e9e9d7a04cefc49aa5429c19

SHA1
54de1b3b87d6857823e9b9d007d4385a86c98e27

SHA256
8d9551e8581bf84357c5f2a56cda176b1b8c0afeed5b4bfb47e948490ba1eed3

SHA512
f505fead8e51af057caf7d804105791713f4c584f3e51b92fca13be7eebc42c093ac899a0e1130e28cbd5c46c0c917c5f6fa8cea663cb3dc26a6c2bc73e5f158

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
603b82249bb2d72950ec25597ceef3c7

SHA1
15afbad052bf9b0fcb4474f00720df6e6108b210

SHA256
bbcbf48905531df80ea677f683015aded64239d9d4fb178cfdce5b8275d931af

SHA512
6c8e4e522cd312e9cc7fa8b0fd88f9aa7ecfa26b59bdda1e17adfaa28ca99476f1044b9ccf449483b7203f38db4c69a80436a235b781ff241a8dbe98ed3b7f0d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a141efcbec7980fa363e11ce3bee1271

SHA1
13f14682a047b0c83fffb90f9d5c4848a3c9e5b6

SHA256
9d53ff4351ff270d5cf42ec8ed2d5067a84a9fdd4e23bc7fa3388b1fcd6b2a8f

SHA512
4a53d2f0d6a290453766d7727f812d320c79bc0326dcff683e0314e7f14969eaff7fa121d6210966afa15c7ca44fa9af0622ffe96bd0647a26f1d9f25f785037

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
36bf545a13d13f0e633f58c3f5f23e4e

SHA1
08cbfae722bb4af05934eefbf73bb8a63bb12ad0

SHA256
50e6a0fcc8d6dc4aeb835e3a5edc687c02eba38eb5094a87612603699cc06849

SHA512
841b4a48f5ac152e485d19a6668fc07e9c3dbb5c1397552d9a29e685d434060ddc4462421563c617f9b5ee746384112fda6e2b32f265e796a89a218a2df9eb21

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
25ee7dacae7133b8e343caaa870b1ecc

SHA1
c6f6080242ff5600a2bbd6c22259bfe9ad36067e

SHA256
a50af91eed2be964ec0265e279b6f1fedabf0a40528b03087a0fdf4f1c4376ad

SHA512
146aed7693544938391e61895da34b8caf14678010378b900999553906e870236be44674e6ed2d231476cf7389103e212398dc91f39c4a531c7def8c0f0583e4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
4caa1f0bc5979c544fced6c5f8b325b0

SHA1
50784aee2a6a2aad771a49fc6b2891ca8dcdb46a

SHA256
55334a0396b133a0ad95d7cf6857efec22368c5d3ae57ce03d8df7cd2b416846

SHA512
4f47cc5fecda967395d386da5cf95c930b094ee989aa6e9af5d80d1175d23d39346cb35242f023088d2e44cf0adf352e1cee7b61059094497d85fc5e23be7230

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
83ce1c0bdd14fdd3075a9010c0128cb6

SHA1
ae6d4656c6ed115b2495c4545ae47b92e08e4212

SHA256
088aeebb5a2f6aa7587aa1495d117ab340f5fb732851818adf50a9e494c470c9

SHA512
c635a5445d9a32fd316c39d25df5be79df0ae34895022b26480e1b051b7d1b950dc33c5c087a027cb0b8a11be082b548ff86d0916aa4600cf64ceb567ec69403

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a4d38e7f7f949aff0effb98db9e742e9

SHA1
07af4d93ed1f285b805857481a57cd42b64805c1

SHA256
22726327355882e8654591a1d7fa889f86f392ab39e0ac43b3ab718a93e34acf

SHA512
dd7f4a80bd6b7637c4e0fede17c100abe93d1d903c44ea2012054700e5983c20273442f0ab510aba3cfbec892938b33a47953f2dc5e225d68ba0a676a34d8bd2

Download Submit
memory/1696-12-0x0000000000040000-0x0000000001789000-memory.dmp

Filesize
23.3MB

Download
memory/1696-78-0x0000000000040000-0x0000000001789000-memory.dmp

Filesize
23.3MB

Download
memory/1696-342-0x0000000000040000-0x0000000001789000-memory.dmp

Filesize
23.3MB

Download
memory/2492-76-0x0000000000040000-0x0000000001789000-memory.dmp

Filesize
23.3MB

Download
memory/2492-2-0x0000000000044000-0x000000000127A000-memory.dmp

Filesize
18.2MB

Download
memory/2492-0-0x0000000000040000-0x0000000001789000-memory.dmp

Filesize
23.3MB

Download
memory/2492-142-0x0000000000040000-0x0000000001789000-memory.dmp

Filesize
23.3MB

Download
memory/2492-7-0x0000000000040000-0x0000000001789000-memory.dmp

Filesize
23.3MB

Download
memory/2492-88-0x0000000000044000-0x000000000127A000-memory.dmp

Filesize
18.2MB

Download
memory/3940-143-0x0000000000040000-0x0000000001789000-memory.dmp

Filesize
23.3MB

Download
memory/3940-90-0x0000000000040000-0x0000000001789000-memory.dmp

Filesize
23.3MB

Download
memory/3940-124-0x0000000000040000-0x0000000001789000-memory.dmp

Filesize
23.3MB

Download
memory/3940-86-0x0000000000040000-0x0000000001789000-memory.dmp

Filesize
23.3MB

Download
memory/3940-10-0x0000000000040000-0x0000000001789000-memory.dmp

Filesize
23.3MB

Download
memory/3940-185-0x0000000000040000-0x0000000001789000-memory.dmp

Filesize
23.3MB

Download
memory/3940-192-0x0000000000040000-0x0000000001789000-memory.dmp

Filesize
23.3MB

Download
memory/3940-209-0x0000000000040000-0x0000000001789000-memory.dmp

Filesize
23.3MB

Download
memory/3940-341-0x0000000000040000-0x0000000001789000-memory.dmp

Filesize
23.3MB

Download
memory/3940-77-0x0000000000040000-0x0000000001789000-memory.dmp

Filesize
23.3MB

Download
memory/3940-352-0x0000000000040000-0x0000000001789000-memory.dmp

Filesize
23.3MB

Download
memory/3940-355-0x0000000000040000-0x0000000001789000-memory.dmp

Filesize
23.3MB

Download
memory/3940-373-0x0000000000040000-0x0000000001789000-memory.dmp

Filesize
23.3MB

Download