b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78

General

Target

anydesk.exe
Size

3.0MB
MD5

eb80f7bddb699784baa9fbf2941eaf4a
SHA1

df6abbfd20e731689f3c7d2a55f45ac83fbbc40b
SHA256

b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78
SHA512

3a1162e9fef849cb7143dc1898d4cfcfd87eb80ced0edb321dfa096686b25ae8a9a7f3ae8f37a09724d94f96d64e08940fc23c0b931ddd8a1e70e2792cb3fe47
SSDEEP

98304:6aJXyQTrRGlSMoIuORmKBQielvZlpkiSti:3olMcR9BTY3WS

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	anydesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	anydesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1812	anydesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1436	anydesk.exe
1436	anydesk.exe
1436	anydesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1436	anydesk.exe
1436	anydesk.exe
1436	anydesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1812	1960	anydesk.exe	28
PID 1960 wrote to memory of 1812	1960	anydesk.exe	28
PID 1960 wrote to memory of 1812	1960	anydesk.exe	28
PID 1960 wrote to memory of 1812	1960	anydesk.exe	28
PID 1960 wrote to memory of 1436	1960	anydesk.exe	29
PID 1960 wrote to memory of 1436	1960	anydesk.exe	29
PID 1960 wrote to memory of 1436	1960	anydesk.exe	29
PID 1960 wrote to memory of 1436	1960	anydesk.exe	29

C:\Users\Admin\AppData\Local\Temp\anydesk.exe
"C:\Users\Admin\AppData\Local\Temp\anydesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Users\Admin\AppData\Local\Temp\anydesk.exe
  "C:\Users\Admin\AppData\Local\Temp\anydesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1812
- C:\Users\Admin\AppData\Local\Temp\anydesk.exe
  "C:\Users\Admin\AppData\Local\Temp\anydesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
b882778bb30567be84c72e7996e4ec47

SHA1
476781d727d9ca7e9c8c6ebe123562c6e46c2c85

SHA256
da3293d85626b21aeb149fc7f9e287b03d32383ba6e9ff1bd247ceb0b40c24c9

SHA512
74dfa6cda64687ea8d179790e35428e94d8ff16f1365309edcb70763765c05341e32eb74c6df959a6466e6836a4312d691f774280a8f6d105bbb70cddd811b7c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
b882778bb30567be84c72e7996e4ec47

SHA1
476781d727d9ca7e9c8c6ebe123562c6e46c2c85

SHA256
da3293d85626b21aeb149fc7f9e287b03d32383ba6e9ff1bd247ceb0b40c24c9

SHA512
74dfa6cda64687ea8d179790e35428e94d8ff16f1365309edcb70763765c05341e32eb74c6df959a6466e6836a4312d691f774280a8f6d105bbb70cddd811b7c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
6acd7b0e158c6b17999b42d278590823

SHA1
497a5def19f54a33f25cd8b98e9d00b148db5251

SHA256
53d22a57b4ecb284fb9da33c963f7b169ff7d5ea6fbc0051f3c7e0afce65a0ac

SHA512
0037727c2de4a841e2137265a2031ed1f6c8bb241772a9e2b12f465424af02c58b0aa335889bc2131369b1adf60ccd7c103e213a1eff0b951a9d6515a0b99011

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
113B

MD5
4d85511aa9b6d0456257f4c5d86964ff

SHA1
2c0b19f4f6a846f23142151c38b0eeb6c4886bbf

SHA256
f3c4229b1db93c9e65cfbad0dd66db4c75236df7dc5b028f7774e6664eaf8071

SHA512
34df440f1672f91ff37bb535b9d2c411e47fb64783f4474036c49b70ad477ca00763efbef5c93fc3ecde6eecdd06cc5dc8662b1a092b4be021c793c95f556506

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
2e91e799d4f95fa161daf1df2af60728

SHA1
fb43c1047f871fc1c5e2f8dc733dbf627b460340

SHA256
ad142180245b89da0f9f4dc8fce0d34bfa3e271a317caf07cc1803ae1e49d22e

SHA512
50a7e770eaa248a93b7b2ddc4c920188244ee0e61bfaf20d5182a55f8ee285081c85af1a951a46cdab3d5bb10ab3cfc4d1f16132bb7d7b44cd22306ffa32cec1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
205B

MD5
59352c2b0c590c5fd96365d3168d723b

SHA1
53ab571639cc3e3a38032c1095985f7f4278d8fc

SHA256
079db0d18cb8ca55e8653f3d67608c5e445d32e368feb874ed3fa1d797c7c286

SHA512
2d21bcd26ef934095ca5b37aa1e66091547870f5e09c2d203dfd75923d2575f93f1a42f31e4fb7b2423b766984464ed65b048f49519837918de246a892c82828

Download Submit
memory/1436-73-0x0000000000800000-0x0000000001412000-memory.dmp

Filesize
12.1MB

Download
memory/1436-64-0x0000000000800000-0x0000000001412000-memory.dmp

Filesize
12.1MB

Download
memory/1436-169-0x0000000000800000-0x0000000001412000-memory.dmp

Filesize
12.1MB

Download
memory/1812-62-0x0000000000800000-0x0000000001412000-memory.dmp

Filesize
12.1MB

Download
memory/1812-71-0x0000000000800000-0x0000000001412000-memory.dmp

Filesize
12.1MB

Download
memory/1812-168-0x0000000000800000-0x0000000001412000-memory.dmp

Filesize
12.1MB

Download
memory/1960-54-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1960-58-0x0000000073D21000-0x0000000073D23000-memory.dmp

Filesize
8KB

Download
memory/1960-57-0x0000000000800000-0x0000000001412000-memory.dmp

Filesize
12.1MB

Download
memory/1960-55-0x0000000000800000-0x0000000001412000-memory.dmp

Filesize
12.1MB

Download
memory/1960-167-0x0000000000800000-0x0000000001412000-memory.dmp

Filesize
12.1MB

Download

Analysis

Sharing