0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

Analysis

max time kernel
84s
max time network
65s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
21/11/2022, 16:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

3.8MB
MD5

9a1d9fe9b1223273c314632d04008384
SHA1

665cad3ed21f6443d1adacf18ca45dfaa8f52c99
SHA256

0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359
SHA512

3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5
SSDEEP

98304:6+NmU7afvNN5+N6F8c5AvtfXmJ+PigmgG:6+NmcaNNH8UotnmL

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4224	AnyDesk.exe
4224	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4040	AnyDesk.exe
4040	AnyDesk.exe
4040	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4040	AnyDesk.exe
4040	AnyDesk.exe
4040	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 4224	2700	AnyDesk.exe	66
PID 2700 wrote to memory of 4224	2700	AnyDesk.exe	66
PID 2700 wrote to memory of 4224	2700	AnyDesk.exe	66
PID 2700 wrote to memory of 4040	2700	AnyDesk.exe	67
PID 2700 wrote to memory of 4040	2700	AnyDesk.exe	67
PID 2700 wrote to memory of 4040	2700	AnyDesk.exe	67

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4224
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
bbd037e2a25a6f623ab9b2bb2b759efb

SHA1
10f7f85181d5b82bf9bc459e296003e4d6d3a909

SHA256
be1ad433ef4026c4774d1b81a176bb1d8f366f8cda7082d277929dbbc0f7414b

SHA512
26223c0c957a3bee83759544a6856dfd174233c935a3818250c8dd457f6607368e193f15a11a858062e6e5ea31515c603212e033d57169491ec6925c4a9adf7f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
bbd037e2a25a6f623ab9b2bb2b759efb

SHA1
10f7f85181d5b82bf9bc459e296003e4d6d3a909

SHA256
be1ad433ef4026c4774d1b81a176bb1d8f366f8cda7082d277929dbbc0f7414b

SHA512
26223c0c957a3bee83759544a6856dfd174233c935a3818250c8dd457f6607368e193f15a11a858062e6e5ea31515c603212e033d57169491ec6925c4a9adf7f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
9f0a4358881bb1de2e9601f2ec4b2946

SHA1
3e95f392c7f902d73d1566f5b447e2df5f21da20

SHA256
410f62d7d2d69e74816f682fec62278aee155a88122442022617db254b71e84b

SHA512
ea3e13e82af1475d3e8f48f4447529106218c29261983953139d727a091f708e36110d53c7f710b70bb45f6b1fd4f01a32421f055fb66ee8faee7a0f4b852739

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
6dee5580c4281a4907d8c982f0a31222

SHA1
ee3cbe6d8d3be041299f5d5bc8c22729805f51d8

SHA256
820223450482f41020aa23ee39c12812943964b26731184cf232394b43a6f9f8

SHA512
01952ac51081331370a7154997983eed0d3b0beb7d8d82c7759476f903e9ea06a0c2a8de32450b68cc1d5f1144e09a9fcf8bb824f074e1b45572958f30d7afe8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
3cbfa1d3820f1f0f1e315ec3b38df8f8

SHA1
9d10c2432bfc2090c546eee4876415b600fa6c46

SHA256
a444a348d7a60fbebff7b96243b1efb128a6b5c3b26f4c780e29652210477d80

SHA512
7be4b546caaf35331787122093620d507bb0eca48e9fc7078fa2f39f42041ec6451a8d4ac33a02cbb16234e648400fd792892cc30df0151a307b9d422f74d0b6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
6dee5580c4281a4907d8c982f0a31222

SHA1
ee3cbe6d8d3be041299f5d5bc8c22729805f51d8

SHA256
820223450482f41020aa23ee39c12812943964b26731184cf232394b43a6f9f8

SHA512
01952ac51081331370a7154997983eed0d3b0beb7d8d82c7759476f903e9ea06a0c2a8de32450b68cc1d5f1144e09a9fcf8bb824f074e1b45572958f30d7afe8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
6dee5580c4281a4907d8c982f0a31222

SHA1
ee3cbe6d8d3be041299f5d5bc8c22729805f51d8

SHA256
820223450482f41020aa23ee39c12812943964b26731184cf232394b43a6f9f8

SHA512
01952ac51081331370a7154997983eed0d3b0beb7d8d82c7759476f903e9ea06a0c2a8de32450b68cc1d5f1144e09a9fcf8bb824f074e1b45572958f30d7afe8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
3cbfa1d3820f1f0f1e315ec3b38df8f8

SHA1
9d10c2432bfc2090c546eee4876415b600fa6c46

SHA256
a444a348d7a60fbebff7b96243b1efb128a6b5c3b26f4c780e29652210477d80

SHA512
7be4b546caaf35331787122093620d507bb0eca48e9fc7078fa2f39f42041ec6451a8d4ac33a02cbb16234e648400fd792892cc30df0151a307b9d422f74d0b6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
6dee5580c4281a4907d8c982f0a31222

SHA1
ee3cbe6d8d3be041299f5d5bc8c22729805f51d8

SHA256
820223450482f41020aa23ee39c12812943964b26731184cf232394b43a6f9f8

SHA512
01952ac51081331370a7154997983eed0d3b0beb7d8d82c7759476f903e9ea06a0c2a8de32450b68cc1d5f1144e09a9fcf8bb824f074e1b45572958f30d7afe8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
6dee5580c4281a4907d8c982f0a31222

SHA1
ee3cbe6d8d3be041299f5d5bc8c22729805f51d8

SHA256
820223450482f41020aa23ee39c12812943964b26731184cf232394b43a6f9f8

SHA512
01952ac51081331370a7154997983eed0d3b0beb7d8d82c7759476f903e9ea06a0c2a8de32450b68cc1d5f1144e09a9fcf8bb824f074e1b45572958f30d7afe8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
3cbfa1d3820f1f0f1e315ec3b38df8f8

SHA1
9d10c2432bfc2090c546eee4876415b600fa6c46

SHA256
a444a348d7a60fbebff7b96243b1efb128a6b5c3b26f4c780e29652210477d80

SHA512
7be4b546caaf35331787122093620d507bb0eca48e9fc7078fa2f39f42041ec6451a8d4ac33a02cbb16234e648400fd792892cc30df0151a307b9d422f74d0b6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
52813f1f30f7305283b659e44733b295

SHA1
c5b36fef5522d8e1324a12e27f6492329a3bc6c2

SHA256
d42b6c9c65e5cf6b74a84bc5ace8c40fc1dd3e6ea75012f301fa167862097efd

SHA512
922ef0f1dc15ab0bfc6001bcf7290ef74fdb4d3e480aab3765edc212a31a8ba7a21d4ff6278ad32990ccaf91a2d00a46f22386af0e34b5c61e2bea29dc814fef

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b9307880229cb05f33549e3393b50e8f

SHA1
892d4c6c9be7028569c75cfb2aad9d933400696c

SHA256
445402b1cb1cded5784799a2f6e9aff99e576eb396e24bc8fa9e3769e177f810

SHA512
201dd54b5c7cc9d032183095547a9103a42f3fd2b7686524c093f64678c98457d47ffce1fe236a05e8ad71af544ba1b71cffc93888445a420ac3bf354741fc1e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b9307880229cb05f33549e3393b50e8f

SHA1
892d4c6c9be7028569c75cfb2aad9d933400696c

SHA256
445402b1cb1cded5784799a2f6e9aff99e576eb396e24bc8fa9e3769e177f810

SHA512
201dd54b5c7cc9d032183095547a9103a42f3fd2b7686524c093f64678c98457d47ffce1fe236a05e8ad71af544ba1b71cffc93888445a420ac3bf354741fc1e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c015b0861ae3fdaa7cce23fdf2f61c44

SHA1
2b6e5cc94a21e65ff8ec9a858589ef59a1bcff8d

SHA256
53976d4b6717504623cbd853965c2895641724e8726b6bea0b1b428f2af91fe9

SHA512
418f2edfac5ea1cd2b7f45f0c0287623c79656a448949d6cb1fd741a467c8e60be1af9d48e700f9b76eb7df4cbce3221a6387983406e065458d06e9a83749aba

Download Submit
memory/2700-155-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-165-0x00000000001B0000-0x0000000001209000-memory.dmp

Filesize
16.3MB

Download
memory/2700-131-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-132-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-133-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-134-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-135-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-136-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-137-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-138-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-139-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-140-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-141-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-142-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-143-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-144-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-145-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-146-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-147-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-148-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-149-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-151-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-150-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-152-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-153-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-154-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-129-0x00000000001B0000-0x0000000001209000-memory.dmp

Filesize
16.3MB

Download
memory/2700-156-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-157-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-158-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-159-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-160-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-161-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-162-0x00000000001B0000-0x0000000001209000-memory.dmp

Filesize
16.3MB

Download
memory/2700-164-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-130-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-166-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-167-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-168-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-169-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-170-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-171-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-172-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-173-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-174-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-175-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-176-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-177-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-178-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-179-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-180-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-181-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-128-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-127-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-126-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-125-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-124-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-122-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-123-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-121-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-120-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-116-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-117-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-118-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/2700-119-0x0000000077A60000-0x0000000077BEE000-memory.dmp

Filesize
1.6MB

Download
memory/4040-352-0x00000000001B0000-0x0000000001209000-memory.dmp

Filesize
16.3MB

Download
memory/4040-227-0x00000000001B0000-0x0000000001209000-memory.dmp

Filesize
16.3MB

Download
memory/4224-350-0x00000000001B0000-0x0000000001209000-memory.dmp

Filesize
16.3MB

Download
memory/4224-217-0x00000000001B0000-0x0000000001209000-memory.dmp

Filesize
16.3MB

Download