1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Resubmissions

04-07-2024 20:46

240704-zkp6xszgme 6

04-07-2024 20:45

240704-zjqfaszfqc 7

04-07-2024 20:44

240704-zjenssxgpp 3

Analysis

max time kernel
2693s
max time network
2697s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

7^/10

Malware Config

Signatures

Unexpected DNS network traffic destination 26 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9
Destination IP	9.9.9.9

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

AnyDesk.exe

pid process

1656 AnyDesk.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid process

2108 AnyDesk.exe
2108 AnyDesk.exe
2108 AnyDesk.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid process

2108 AnyDesk.exe
2108 AnyDesk.exe
2108 AnyDesk.exe

pid	process
1656	AnyDesk.exe

pid	process
2108	AnyDesk.exe
2108	AnyDesk.exe
2108	AnyDesk.exe

pid	process
2108	AnyDesk.exe
2108	AnyDesk.exe
2108	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AnyDesk.exe

description	pid	process	target process
PID 2436 wrote to memory of 1656	2436	AnyDesk.exe	AnyDesk.exe
PID 2436 wrote to memory of 1656	2436	AnyDesk.exe	AnyDesk.exe
PID 2436 wrote to memory of 1656	2436	AnyDesk.exe	AnyDesk.exe
PID 2436 wrote to memory of 1656	2436	AnyDesk.exe	AnyDesk.exe
PID 2436 wrote to memory of 2108	2436	AnyDesk.exe	AnyDesk.exe
PID 2436 wrote to memory of 2108	2436	AnyDesk.exe	AnyDesk.exe
PID 2436 wrote to memory of 2108	2436	AnyDesk.exe	AnyDesk.exe
PID 2436 wrote to memory of 2108	2436	AnyDesk.exe	AnyDesk.exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1656
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
c3fd35b553374c12e9bd24d2650c97f3

SHA1
9050eaece6e87c6d0f95f01a2732bc6ed6780af4

SHA256
0b987aa3890588518faaf07ca3e9520550a7ad060f6874ccd82d61f281dd504f

SHA512
f7f1e21eeeb0ce78b6d111b79b481cf902b14fe2ee4c4996b191eb8824690f9adbca93016781b75d34e8857167b5eacc4062b80d0b0e6ed5f0844660f162f154

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
18cb212f9cf5109246c649a56be71544

SHA1
030ab7708fb9451c6196aba5a29057af558d20a2

SHA256
f12bafc7c01d0edd8cbff015eb88c809336dea5414faea33d41e1375b8da5faf

SHA512
f576715978e9a558305b73f8b0dbaf1c7d4fc2eeda08e65b252769979fb5b7348ef1af658dbb328d58b3ec8a81c066c8b7efb32a137bf3643c91fa8eab86ee43

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
323a087f5357c6b2c667c42a2c6d9b1b

SHA1
f8d8c619e0bda182dbd23bac6a5cbe45bdf74ec5

SHA256
6d974a79544210a2775635ae8b5205230518157e8f0148f7e5d7c3c5fcf7bcd3

SHA512
2bd0ef809502193c3987225c90fdf1b548f84845511949f4b9d0184f26102bf515e13be499d1698fa9f13743c81a723653acf68422c151d74430f1ffd7ec4ce8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
ae20c232a1e475690c50eb1acfa9bb65

SHA1
144aa7f88beac586f0838f864c92802d6af6ec11

SHA256
b2d67a69b9c56389fc19a2e439748168eaa59a2cde4f0d1e28e7712d395eff38

SHA512
d1eea38248f11f9712d2f78aac595493d545a9d3dbd744ebe267a9679bd1d9a51e77bff6ef1efe805008148cec366ac77c93674d095fbf033d02a93f1c7ca681

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6df1baf639428b044b4e02c8b82156e1

SHA1
adb0a39ad6e214f94d9865cd0f332748b883d6da

SHA256
91fa51b4f7de110e53cc700129ebc739f70ee36359b535ae62fb842350bb7604

SHA512
57b46f56d8ea7155777469397c8cccd558e516bd492b017a831ca40a7ef9219480166cee049f49254dc97d6121b863051260757a7a5a8f032ae48fbce15c2d9b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e9d7f90135f53eb98876be8adc7c155d

SHA1
0656091101da79adae113d5f2529e75beb02aab0

SHA256
7b6d365075bacc80121e991d817aaeed4457b7fbc294591f72f4ff223b0dedd2

SHA512
ad7c39824a0e9cb8e3bbc9c3ff4460efea12d2c4af52a2a94aab9871cb2744b8e71dc5be27f4051bda5b3a2a7358db8ef9939a935cb3252e0791021be88a08f6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ff4c366580fba71c37de9ba8662cd21d

SHA1
4b2a5074991fa822f027642335f182c7d6fcc190

SHA256
a5e6d39f6d203bfa09a3c22bba30559728c6989f5ebf9920a7b63ae3f53b1c88

SHA512
33e240431ce74ae4248198d87c97eb33a1f9deaefcf908741114f048ceb5742741a922cb2c4c95d644e2744bee02538f8075a4e82afb04f8c8f9b7167df7b69f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
88e848925b7ab685f1ea478e6ec53f60

SHA1
f842673912c999a063836d0b13570058d002dc8d

SHA256
f74afb7461ab4cb38317b31e7820caa7fbc4854fb40fb693a4f50c876f54375c

SHA512
4cbcf2ade6fec75752ab5de1e6424836a68146567c55eda690cf72e2646dac3c70d93881c37350d1b78bf9eb478b07cee7ff4116cc65a683dbfd76bb68862264

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e097f2f9c5ed94ed5aa8f16960a74afe

SHA1
ad740e12d316c3a22ce0d449cf46815c4baaaabf

SHA256
a0e8d546cb879ee4b837f2b6822ed91fb6f2afd8cbdc3f8cb13cffad2ad9cab4

SHA512
eb8df058dae897bc3c8d1309a014920204dfc03d06f1b86c2bc87c0a3fbd422efa5186031577529140712251513a03c3365615e7de3cb7137dd3ccf0974395d0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b04146efe0cf8e6303c84a168c20c1e7

SHA1
accbaeefee1e985bda7563724c4cea7a9f72172f

SHA256
370035f822c1adad06dc95372eec96e30e592b98f9c32b2fd6d3f8c9407a3fff

SHA512
50d4b42c76857b1104f18a42692ebe5143ec16f69260b103b0b72d6dcb2e06cd11cc2f0e2ec1bf35e80461d68a2714ddffc821a8e295d53113f1423b01cd3c01

Download Submit
memory/1656-106-0x00000000003B0000-0x0000000001AF9000-memory.dmp

Filesize
23.3MB

Download
memory/1656-228-0x00000000003B0000-0x0000000001AF9000-memory.dmp

Filesize
23.3MB

Download
memory/1656-11-0x00000000003B0000-0x0000000001AF9000-memory.dmp

Filesize
23.3MB

Download
memory/1656-257-0x00000000003B0000-0x0000000001AF9000-memory.dmp

Filesize
23.3MB

Download
memory/1656-99-0x00000000003B0000-0x0000000001AF9000-memory.dmp

Filesize
23.3MB

Download
memory/1656-245-0x00000000003B0000-0x0000000001AF9000-memory.dmp

Filesize
23.3MB

Download
memory/1656-238-0x00000000003B0000-0x0000000001AF9000-memory.dmp

Filesize
23.3MB

Download
memory/1656-235-0x00000000003B0000-0x0000000001AF9000-memory.dmp

Filesize
23.3MB

Download
memory/1656-188-0x00000000003B0000-0x0000000001AF9000-memory.dmp

Filesize
23.3MB

Download
memory/1656-112-0x00000000003B0000-0x0000000001AF9000-memory.dmp

Filesize
23.3MB

Download
memory/1656-119-0x00000000003B0000-0x0000000001AF9000-memory.dmp

Filesize
23.3MB

Download
memory/1656-172-0x00000000003B0000-0x0000000001AF9000-memory.dmp

Filesize
23.3MB

Download
memory/1656-165-0x00000000003B0000-0x0000000001AF9000-memory.dmp

Filesize
23.3MB

Download
memory/1656-133-0x00000000003B0000-0x0000000001AF9000-memory.dmp

Filesize
23.3MB

Download
memory/1656-155-0x00000000003B0000-0x0000000001AF9000-memory.dmp

Filesize
23.3MB

Download
memory/1656-162-0x00000000003B0000-0x0000000001AF9000-memory.dmp

Filesize
23.3MB

Download
memory/2108-13-0x00000000003B0000-0x0000000001AF9000-memory.dmp

Filesize
23.3MB

Download
memory/2108-229-0x00000000003B0000-0x0000000001AF9000-memory.dmp

Filesize
23.3MB

Download
memory/2108-100-0x00000000003B0000-0x0000000001AF9000-memory.dmp

Filesize
23.3MB

Download
memory/2436-128-0x00000000003B0000-0x0000000001AF9000-memory.dmp

Filesize
23.3MB

Download
memory/2436-2-0x00000000003B4000-0x00000000015EA000-memory.dmp

Filesize
18.2MB

Download
memory/2436-4-0x00000000003B0000-0x0000000001AF9000-memory.dmp

Filesize
23.3MB

Download
memory/2436-1-0x00000000003B0000-0x0000000001AF9000-memory.dmp

Filesize
23.3MB

Download
memory/2436-108-0x00000000003B4000-0x00000000015EA000-memory.dmp

Filesize
18.2MB

Download
memory/2436-98-0x00000000003B0000-0x0000000001AF9000-memory.dmp

Filesize
23.3MB

Download