1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Resubmissions

29-06-2024 16:56

240629-vfpbls1frh 8

29-06-2024 16:55

240629-vfbqhsvbpl 3

29-06-2024 16:54

240629-ve2wbavbnr 3

29-06-2024 16:54

240629-vesmmsvbnn 3

Analysis

max time kernel
1791s
max time network
1796s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
29-06-2024 16:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk.exe

pid process

4488 AnyDesk.exe
4488 AnyDesk.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid process

3512 AnyDesk.exe
3512 AnyDesk.exe
3512 AnyDesk.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid process

3512 AnyDesk.exe
3512 AnyDesk.exe
3512 AnyDesk.exe

pid	process
4488	AnyDesk.exe
4488	AnyDesk.exe

pid	process
3512	AnyDesk.exe
3512	AnyDesk.exe
3512	AnyDesk.exe

pid	process
3512	AnyDesk.exe
3512	AnyDesk.exe
3512	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AnyDesk.exe

description	pid	process	target process
PID 4888 wrote to memory of 4488	4888	AnyDesk.exe	AnyDesk.exe
PID 4888 wrote to memory of 4488	4888	AnyDesk.exe	AnyDesk.exe
PID 4888 wrote to memory of 4488	4888	AnyDesk.exe	AnyDesk.exe
PID 4888 wrote to memory of 3512	4888	AnyDesk.exe	AnyDesk.exe
PID 4888 wrote to memory of 3512	4888	AnyDesk.exe	AnyDesk.exe
PID 4888 wrote to memory of 3512	4888	AnyDesk.exe	AnyDesk.exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4888

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4488

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
2⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3512

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
9KB

MD5
27223cda2b245941666d348296114602

SHA1
c8912fe21729ef960e623a24aa11e9bbb4205800

SHA256
f2728dabb3f351ed8e9b1394ddf32c73d90c98a6f4f0a5e87d882950bbb22446

SHA512
b5be0e25c6652b629cbb89641f540f9feec9ff7191bb910b37492751999092bbfedf3aaf7e96a6f545542ca3815ea1aeed07b9ce7393893aef7db8cca5e2ec02

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
9KB

MD5
6090a83d25d66c9802fa0fa2232230af

SHA1
e2a954f5eba4fedd3f70f71c487cf919a4f8ac4b

SHA256
a64973061729c94c0016a5508696bbc95653856ab862e4eb86f651c261633254

SHA512
e482ff3044ee44ef8412adc83409c7dc9ecaebed511be472816172c1ee538981b7740ada1f696d17d90e9b864c299c1b657e410bd91b5d5c99986afd89dc1804

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf
Filesize
2KB

MD5
798cb0c596a803fdf1b885a7a5025a44

SHA1
ac14ffc84eb9ab8b8f8ad34228215f609164fc94

SHA256
8f2e53c336ba55c89f9027adf446659a673ac13987751b4362f339a0f5814ae5

SHA512
b5a9906e1be72f9a03722963b4bec8c21b68d9d1ef70ce86a3a7e43d0159f19dd7087af8e08cf10f699d2ccd7c34f760b2bb2a1755ae4b077b9448e7d3153d3b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf
Filesize
2KB

MD5
e1321a1051010aeed542f56007f52577

SHA1
31872994a73d67bc0279425cf03e0e390b81cab2

SHA256
f29c4bb813099446219758a4e3d9cf5b813605fc8b7a79a9677a639ebba99f5c

SHA512
8579cbe57d1b423b09c1a94aa9fba1a280db98521e8433991821501eb1ed30436e9f52ab0e4c61643102fd3a62ed6fd7c6ef2ed0987bbcc0ce63328f44d90112

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
701B

MD5
9ee9d0f2faa0c11491167885c1493d00

SHA1
b98f100033db3294beb7c30c772c5873c9b9f2ce

SHA256
206440d0b0befe771ac23a363da120b58d68b5b979c8d742605977289db94d97

SHA512
d4727722c77f0311457e8657215bcc6862fa81bf00ab6046bd960f8a728cf7a3150149d14b1de9de3b386b4500f3c896beff9d5bc6e986b2cd9e7f89ee14d8e8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
424B

MD5
f55bd014fa96c04d29bc70ab84668c02

SHA1
8e13aa2cc3be0eb6667e03e52efd6525c9dcf71f

SHA256
78c0b364e538e3392cf58aff17e1cec9e772e42ec564cef0e85fe7b3594cce15

SHA512
26027cebe2a8b8e1777519a9cfa9d95a9642d48f8b2c1dccb72aac47d2b5691d5c8681f4ca04d4d5516ad7d5cc46962b1fab3b9a0f6fd6290d96aecdac7be7f0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
c562eb781966a0ce38539b183d8863c3

SHA1
7e52a4872e5f8e1130591f0fc67a2aba18ca47ba

SHA256
f2f4f833ec86939aa583074a9b3e51434bec90913b6a6b05d74b985837a598b2

SHA512
d71f0e81927a1caf2baa653bfd236e01250febb676b157cf4466e994468fe9b4fb898cc5b364c1d17f712cb19ce0147ba42660c3f11ebea3c2db7d730081e117

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
cc9119f724ce3ffb8af1581ca8ca8803

SHA1
bc90caa91a40e3e4d49649c2dd124335643d41ad

SHA256
178641b3a36878c927c951e190993632141435c0a2ade97edbe84fa30079c987

SHA512
36330b16387642296b0c5a00e095dbb80723c0751e3f32afd0e615597b0779a29c0e73e1964ebf238f03d63c8dc036712b6f785bedc9d23e1470c872cf6f003f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
2KB

MD5
0204385ee6060de085c624c995f653b3

SHA1
fc0724023ba39314b30ead26ea3efb2cdc340319

SHA256
93dcc7d4cca934fc0042dcfb8ffc2c34bfcceecd4e8281b4476c47b25ad36db2

SHA512
67ec8b2651ca0c2642c370b4ed945700c18307d33c8821e428a39d65c33003adf466a8731b10002c37db55c21a274aa6bf60a00314f1146dfc6c9cdedc45c4fd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
5KB

MD5
a2967b959b44a842a08f3291a681efef

SHA1
600016da9c50d51ee01af20782aff7390b32c3fb

SHA256
65b9142383105178c754a433998964f7c21f5b17fc22c4f6b4460a0891440f08

SHA512
c5c14e8a49d7a9287f412798044e8297f7c16076cc1adad3ee62cc416d29e8da7fc1fc43b2a5313f2e76016738267d1d9ab2273d90c813b935338161043ca27f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
5KB

MD5
b04a996bba8f03c0b5b350e867e8245e

SHA1
f0b1b2e053532825146e4748835347f22598575e

SHA256
0a32616c4f11460f217b01d0e67976d3f3cc701dd99342baa904fa6871cf5809

SHA512
51561757781f422cf7e33214006772d34287c2e903fa25629dc95a14f23739721596575eff029cd164dfc54ba72995854100a23e1e28a5344056696bc39a3851

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
6KB

MD5
78ca5380ecec2e94d65f2e50928ab458

SHA1
d2f49080f2f82f46bcde9897325d4a6d84d7108a

SHA256
4ec1f634c2d2f6a4d160c6df18a4383a080b9b1e013a5f0242b706160021c5f9

SHA512
b8aa30e7759084b69d2826fad2fee28a47761275a542d32ecfeffff78b6c8e1a59ba0cfad679a6d24155bf2251a14bb1ea7a0320bd0cd109f70287df5a528fed

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
8443ec97b983dfba73326dcadf663113

SHA1
8c6c35cd4d89706c9c9b71b0999dca5b43750265

SHA256
2add147d95995698e9acf8261939529e288789372f38f91bcf09e35d996b4fc7

SHA512
b6aa3485cdb4cf87ff19be53cacaf8e7c317f1a3247914ef450e867b9faaac2cc95f09c95e37d20132887773c6653fd26a4ccea8f1c565afde654bc92dbb8c69

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
338ba5a32ea8eccbcefa6f87a7e585a3

SHA1
8177f03464820f9a3d9606f061f662a737a17994

SHA256
4a4994903e294802423e238bd2d428bd8002b6342c679983f3bbab6b13292b8b

SHA512
c4e18732efec5bd9e726a13e6b7bea987e4f87d3a86f995383f6bef266e1a06191d99a60ce86534608c8a3b0ce35d5b67fee8e996f48387ff9cb4899c52015a0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
57915fb462e7d65a2d14d2e7d6fb46a0

SHA1
b3a4ab2b96e6f32324d8290fa478c60e7c84c34e

SHA256
cca84fd308f69050bcb1ddc06fad32108832ab2d54fc3542172a3b396ffe0340

SHA512
cd829713ae82f30164c07e1edc09179aa2bb985872601549a25f1f80324d9bf2eb061982afea15fde9b305bdbf9484d7e7e04bc0d2723e3690ca1a297e929d41

Download Submit
memory/3512-229-0x0000000000DE0000-0x0000000002529000-memory.dmp

Filesize
23.3MB

Download
memory/3512-107-0x0000000000DE0000-0x0000000002529000-memory.dmp

Filesize
23.3MB

Download
memory/3512-11-0x0000000000DE0000-0x0000000002529000-memory.dmp

Filesize
23.3MB

Download
memory/4488-125-0x0000000000DE0000-0x0000000002529000-memory.dmp

Filesize
23.3MB

Download
memory/4488-106-0x0000000000DE0000-0x0000000002529000-memory.dmp

Filesize
23.3MB

Download
memory/4488-261-0x0000000000DE0000-0x0000000002529000-memory.dmp

Filesize
23.3MB

Download
memory/4488-153-0x0000000000DE0000-0x0000000002529000-memory.dmp

Filesize
23.3MB

Download
memory/4488-258-0x0000000000DE0000-0x0000000002529000-memory.dmp

Filesize
23.3MB

Download
memory/4488-228-0x0000000000DE0000-0x0000000002529000-memory.dmp

Filesize
23.3MB

Download
memory/4488-10-0x0000000000DE0000-0x0000000002529000-memory.dmp

Filesize
23.3MB

Download
memory/4888-184-0x0000000000DE0000-0x0000000002529000-memory.dmp

Filesize
23.3MB

Download
memory/4888-0-0x0000000000DE0000-0x0000000002529000-memory.dmp

Filesize
23.3MB

Download
memory/4888-9-0x0000000000DE0000-0x0000000002529000-memory.dmp

Filesize
23.3MB

Download
memory/4888-2-0x0000000000DE4000-0x000000000201A000-memory.dmp

Filesize
18.2MB

Download
memory/4888-230-0x0000000000DE0000-0x0000000002529000-memory.dmp

Filesize
23.3MB

Download
memory/4888-105-0x0000000000DE0000-0x0000000002529000-memory.dmp

Filesize
23.3MB

Download
memory/4888-131-0x0000000000DE4000-0x000000000201A000-memory.dmp

Filesize
18.2MB

Download