580f6a285c6c3b7238bd16e1aeb62a077ae44b5061a2162e9fd6383af59028bb

Analysis

max time kernel
157s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2023 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk (1).exe
Size

3.8MB
MD5

fe61cd9e702ec1208c13350c00f0732c
SHA1

379520c1ad0541d5a30f214e15b7c8bff6766f9f
SHA256

580f6a285c6c3b7238bd16e1aeb62a077ae44b5061a2162e9fd6383af59028bb
SHA512

504e581026719b31555f0131bbaf9d5655c8955d9382cc53688873295d393028987032bdfccef09cf42e16ea51f8f8bf91543585b2754d5827d7b29325540cab
SSDEEP

98304:RSExf+1CnXTxQ9LDj6eblG+L9nDHPdQod:RScf+8nXdQvPtL97dPd

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4792 created 4528	4792	svchost.exe	86

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	AnyDesk (1).exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	AnyDesk (1).exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	AnyDesk (1).exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	AnyDesk (1).exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	AnyDesk (1).exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	AnyDesk (1).exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	AnyDesk (1).exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	AnyDesk (1).exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	AnyDesk (1).exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk (1).exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	AnyDesk (1).exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	AnyDesk (1).exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	AnyDesk (1).exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	AnyDesk (1).exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk (1).exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk (1).exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4600	AnyDesk (1).exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4528	AnyDesk (1).exe
4528	AnyDesk (1).exe
4528	AnyDesk (1).exe
4528	AnyDesk (1).exe
4528	AnyDesk (1).exe
4528	AnyDesk (1).exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4528	AnyDesk (1).exe
Token: SeTcbPrivilege	4792	svchost.exe
Token: SeTcbPrivilege	4792	svchost.exe
Token: 33	3680	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3680	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
4600	AnyDesk (1).exe
4600	AnyDesk (1).exe
4600	AnyDesk (1).exe
4600	AnyDesk (1).exe
4600	AnyDesk (1).exe
4600	AnyDesk (1).exe
1564	AnyDesk (1).exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
4600	AnyDesk (1).exe
4600	AnyDesk (1).exe
4600	AnyDesk (1).exe
4600	AnyDesk (1).exe
4600	AnyDesk (1).exe
4600	AnyDesk (1).exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2452	AnyDesk (1).exe
2452	AnyDesk (1).exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 4528	1564	AnyDesk (1).exe	86
PID 1564 wrote to memory of 4528	1564	AnyDesk (1).exe	86
PID 1564 wrote to memory of 4528	1564	AnyDesk (1).exe	86
PID 1564 wrote to memory of 4600	1564	AnyDesk (1).exe	87
PID 1564 wrote to memory of 4600	1564	AnyDesk (1).exe	87
PID 1564 wrote to memory of 4600	1564	AnyDesk (1).exe	87
PID 4792 wrote to memory of 2452	4792	svchost.exe	102
PID 4792 wrote to memory of 2452	4792	svchost.exe	102
PID 4792 wrote to memory of 2452	4792	svchost.exe	102

C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe"
1⤵
- Checks processor information in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4528
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --backend
    3⤵
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:2452
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-control
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4792

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x300 0x2f0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
03f3279be05045669053bd32e6a09b22

SHA1
1e72a30178bab1e80827d8e4c32128a0e3e4aec4

SHA256
e6f8112497b0eaed95e1982b3247078a69d09854b6f21d7e14a9e46368af67cb

SHA512
1f73198f2a150b9e7c2b43e64b4d93acde57dc4c3ef9b32a3af2acfe60366a1e9bf62f631b4031a596bc0a17bcc671cf6a87cb49ba8ef9c78c60ec456eb7b289

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
06049fa117ac6f11bf71235fc22b334e

SHA1
3211d828e3f1db39ce865a4e73b6fc0edebac5e4

SHA256
46b087a76badb3032fcdb50dd761376919f2934b3047a2ad3687f72387febfd2

SHA512
0c894d8d1948f640c929197408e92961d5434d034adfb17722a98fe225114df96b9d15e10e7b364fd26e688ef5ca7fb19e66c4ed7c3585b26f90ea93f5da2d75

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
37KB

MD5
6953c3a7de5b6c713b520fd181fe1ec6

SHA1
02fb0f479d9da86129f42efa5e062793286e4d66

SHA256
d20281511b2b10d5f25cbab16fb8f5b4359198d0a7eba8022f3f8c98edbd6c06

SHA512
fc2cb39fe0c864014b9ce2b018af689a50519416ee192538fa758c52c38dd8a55bc41206b4483bd401213dca91fab36ff24644c7af6c3a19814fa450a251919a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
62a207714c59c8e78f3035edef198648

SHA1
42b7b0d620f73ace55977117a955b0e6a0bfebee

SHA256
a5b9aed5ac20764847e817eaed366e1b81fcacf708a01206241f663f977b3f26

SHA512
ee83e5db069a4d5f4bf6cbbf2d2e0a6f4105ba1dae277640e0ce1e18f9d92c675b38e7e3be307a96c5b48f45dfcbd5ee42ba730ab4914cbea4d72e3e1919d337

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
748165a26c6cc301cb44964ea0692364

SHA1
b5af749638eb503760d3b5892da9023aa750ebf7

SHA256
90bd6240f4863be7f3486f6ea0325e32c896951bb0129b054caf3aa4fa01261a

SHA512
55a03272233d5f4a77ab32a245f7f1f87761e1ae05993968c30397cf1e9575d8eaad3619bc4b5560e6dfcea3de5236b3dcaf68023af0cf23692693bf9c8cb71f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
102ebe6d14a31d159015cebedbb6fd04

SHA1
3ef7ee3864a116aeecb7830cd096b80f47ad70c6

SHA256
a990bc1c06a4cdcdf00612549e0bbfe73c035a24c4b56838c827367f9ad028ab

SHA512
00524574ef65beac54fa84b653b2baa725f30ec0491ce0cb4da77e6672f979b38171163256da5332aa8983b8609c0da22aa9e7fa86a4b2a546538013b05002c3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
611B

MD5
2850730d17946ea2c4e39e0efd7fe8d8

SHA1
fd43da67506f60a8823ef1b54d3f06ed5e2bd2b8

SHA256
fce852e59595732e3b65c0c5826aa214e30937bc50840dedf36dc92587933b82

SHA512
d1deeaa25eca571b4e7d8f6243509c8c8fdcc0fd431cf67c8258956ef3db56ca5568074a9aab8aa8dc7bafc41c387ca20c819949233c5b6dce4cf65c794c7979

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
668B

MD5
eafa2d5ea847504d30dc01532a5c6364

SHA1
7a88626ccea3b7c3ef8a62edd238e41aab1226f6

SHA256
10999c5d495a2b324d78bd7bcdfea037ab93030f02115099c8b59fc4f0ea4b2c

SHA512
58b44d5a512e26f5f6991087f16678c0331251af415ece73b249ae975bc522cfdd848fa8cf31a462ded25c1f7a64015f555923a4dcc072606769c28775b55e5b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
732B

MD5
073fbc13294ba473f996d57293e426bb

SHA1
771d34cb42c3a6fa6f246fc49fd31221adcf3997

SHA256
9018bef29a64f187fffbcc172cd471b0a4fa1fe15c826baa419cfc2769295893

SHA512
e5883c84154533bc30acf6874c5bb51c9395eca43b2e38039e780f3d20bfde1afe9ec8651a82930dd6580613bde831637e1adff3e7b9edde3c3583b846d88e9b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
779B

MD5
c6bc7a45207474962443e1101959d0f5

SHA1
ef8b268e232aad3fde06f1e6fcdcd92a4791d45a

SHA256
a8bd41a7f715acf3a396ed21fbb6c2f063646e99fb0839c337b905530434c023

SHA512
e9a959a24c2553fbb8b8e9055841febe37d4871aa05718c398f4d78fdd0cc247972856d354a20444f95684d3e1c8bbd64fe85f5cf5440e7b0ba1850a3fc9590a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
848B

MD5
44aedf5ed46a27e04b5851bd25cdeaca

SHA1
f33fb57ccdf2842434f05dfadafd89cb5dbf6800

SHA256
c7410c48fb6f4d6fc39f168e82caed5c9a6ec5c10bff32b685e46f8feb84a2f6

SHA512
9b66b175ddbf1d8e987e49d52114e05500435995413d77467dfcbccc9b8a2cd92a5eb50171155def2e7687ce1724a50605a5fc5c77de383285f3a77910b669dd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
551c493dee34919aa7a781364831ba52

SHA1
c3672cf13811f582e2ebd6d359c04d5cf5d91a92

SHA256
2c94634e20f3bbf05610b4f0a1c8649c4c16f7954bae16af384af1c264d15146

SHA512
32d53891cd001006d90404a4537c3dac261167561f72cddf664d449aaf40723b9cb1874d1e9e3a2f32c545af8813592b71defe58574a556ac14b058b33306e65

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
30e7baf6b0dbfd1460a4e0001e3d893f

SHA1
5e72c74125b9432357ef0a7ef39fdf377bae6c30

SHA256
8e21366b518c2ea933fc3ce4357031f52c713b4db59f53965e6a64f1006d9b72

SHA512
acaf596b68bd2846c26a445489de4ffb6556ba6f66583d02b1672ef51eb655dcdeec54aaaf6821ee7526089d3b39481fc6a1af9127dcd90399614daeb07f5983

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
30e7baf6b0dbfd1460a4e0001e3d893f

SHA1
5e72c74125b9432357ef0a7ef39fdf377bae6c30

SHA256
8e21366b518c2ea933fc3ce4357031f52c713b4db59f53965e6a64f1006d9b72

SHA512
acaf596b68bd2846c26a445489de4ffb6556ba6f66583d02b1672ef51eb655dcdeec54aaaf6821ee7526089d3b39481fc6a1af9127dcd90399614daeb07f5983

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
aa92089a6a6567522e95ae83a74e6b6b

SHA1
c884bc93ee8fb1f17ec70bc7ccdc56797f65ac3c

SHA256
e23eac2ab6f731ef7df0690b3c957d5d8837e5a0cb8265b07ab189db35e38182

SHA512
701d21b619a9dfe2759e1563d4ab4bb094526fe06824c0718bc9f051f676d390fda49022503e7ca559ffb7a48e211b33273878c054025c83a4e38a2b68cfce7b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
04f8ce66c232a59f17a4ad5712c2ea6b

SHA1
f63266854fadc38f341e4d876d6e13dac9fa69fe

SHA256
fc95de8c6bfe6536278f6f81ae863e0a692d13692463b8c1a713d5ee24ea6b96

SHA512
8bd26691d948a3e4dfceabc351cc81dca4054f5487e77e6359d1af59cdc8a6aedb4a71da8fa970c9e94599aa8c67c09d2620caed9f2dca12a066725592f4c07d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
04f8ce66c232a59f17a4ad5712c2ea6b

SHA1
f63266854fadc38f341e4d876d6e13dac9fa69fe

SHA256
fc95de8c6bfe6536278f6f81ae863e0a692d13692463b8c1a713d5ee24ea6b96

SHA512
8bd26691d948a3e4dfceabc351cc81dca4054f5487e77e6359d1af59cdc8a6aedb4a71da8fa970c9e94599aa8c67c09d2620caed9f2dca12a066725592f4c07d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
04f8ce66c232a59f17a4ad5712c2ea6b

SHA1
f63266854fadc38f341e4d876d6e13dac9fa69fe

SHA256
fc95de8c6bfe6536278f6f81ae863e0a692d13692463b8c1a713d5ee24ea6b96

SHA512
8bd26691d948a3e4dfceabc351cc81dca4054f5487e77e6359d1af59cdc8a6aedb4a71da8fa970c9e94599aa8c67c09d2620caed9f2dca12a066725592f4c07d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
04f8ce66c232a59f17a4ad5712c2ea6b

SHA1
f63266854fadc38f341e4d876d6e13dac9fa69fe

SHA256
fc95de8c6bfe6536278f6f81ae863e0a692d13692463b8c1a713d5ee24ea6b96

SHA512
8bd26691d948a3e4dfceabc351cc81dca4054f5487e77e6359d1af59cdc8a6aedb4a71da8fa970c9e94599aa8c67c09d2620caed9f2dca12a066725592f4c07d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
04f8ce66c232a59f17a4ad5712c2ea6b

SHA1
f63266854fadc38f341e4d876d6e13dac9fa69fe

SHA256
fc95de8c6bfe6536278f6f81ae863e0a692d13692463b8c1a713d5ee24ea6b96

SHA512
8bd26691d948a3e4dfceabc351cc81dca4054f5487e77e6359d1af59cdc8a6aedb4a71da8fa970c9e94599aa8c67c09d2620caed9f2dca12a066725592f4c07d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
04f8ce66c232a59f17a4ad5712c2ea6b

SHA1
f63266854fadc38f341e4d876d6e13dac9fa69fe

SHA256
fc95de8c6bfe6536278f6f81ae863e0a692d13692463b8c1a713d5ee24ea6b96

SHA512
8bd26691d948a3e4dfceabc351cc81dca4054f5487e77e6359d1af59cdc8a6aedb4a71da8fa970c9e94599aa8c67c09d2620caed9f2dca12a066725592f4c07d

Download Submit
memory/1564-133-0x0000000000DC0000-0x0000000001E2E000-memory.dmp

Filesize
16.4MB

Download
memory/1564-135-0x0000000000DC0000-0x0000000001E2E000-memory.dmp

Filesize
16.4MB

Download
memory/1564-132-0x0000000000DC0000-0x0000000001E2E000-memory.dmp

Filesize
16.4MB

Download
memory/2452-168-0x0000000000DC0000-0x0000000001E2E000-memory.dmp

Filesize
16.4MB

Download
memory/2452-171-0x0000000000DC0000-0x0000000001E2E000-memory.dmp

Filesize
16.4MB

Download
memory/2452-172-0x0000000000DC0000-0x0000000001E2E000-memory.dmp

Filesize
16.4MB

Download
memory/4528-138-0x0000000000DC0000-0x0000000001E2E000-memory.dmp

Filesize
16.4MB

Download
memory/4528-165-0x0000000000DC0000-0x0000000001E2E000-memory.dmp

Filesize
16.4MB

Download
memory/4528-145-0x0000000000DC0000-0x0000000001E2E000-memory.dmp

Filesize
16.4MB

Download
memory/4600-139-0x0000000000DC0000-0x0000000001E2E000-memory.dmp

Filesize
16.4MB

Download
memory/4600-166-0x0000000000DC0000-0x0000000001E2E000-memory.dmp

Filesize
16.4MB

Download
memory/4600-147-0x0000000000DC0000-0x0000000001E2E000-memory.dmp

Filesize
16.4MB

Download