b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78

Analysis

max time kernel
135s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2023, 00:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

anydesk.exe
Size

3.0MB
MD5

eb80f7bddb699784baa9fbf2941eaf4a
SHA1

df6abbfd20e731689f3c7d2a55f45ac83fbbc40b
SHA256

b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78
SHA512

3a1162e9fef849cb7143dc1898d4cfcfd87eb80ced0edb321dfa096686b25ae8a9a7f3ae8f37a09724d94f96d64e08940fc23c0b931ddd8a1e70e2792cb3fe47
SSDEEP

98304:6aJXyQTrRGlSMoIuORmKBQielvZlpkiSti:3olMcR9BTY3WS

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	anydesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	anydesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5028	anydesk.exe
5028	anydesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4564	anydesk.exe
4564	anydesk.exe
4564	anydesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4564	anydesk.exe
4564	anydesk.exe
4564	anydesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 5028	2180	anydesk.exe	80
PID 2180 wrote to memory of 5028	2180	anydesk.exe	80
PID 2180 wrote to memory of 5028	2180	anydesk.exe	80
PID 2180 wrote to memory of 4564	2180	anydesk.exe	81
PID 2180 wrote to memory of 4564	2180	anydesk.exe	81
PID 2180 wrote to memory of 4564	2180	anydesk.exe	81

C:\Users\Admin\AppData\Local\Temp\anydesk.exe
"C:\Users\Admin\AppData\Local\Temp\anydesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Users\Admin\AppData\Local\Temp\anydesk.exe
  "C:\Users\Admin\AppData\Local\Temp\anydesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5028
- C:\Users\Admin\AppData\Local\Temp\anydesk.exe
  "C:\Users\Admin\AppData\Local\Temp\anydesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
ce2d73d24074f6898511da53990b6a20

SHA1
3a8c21fb5b005d58cd5f072e321fddfa722689cd

SHA256
8ec8478062678264f9aee12b1a8bca5e41e65396bde0c94f6c186c32d8f2635f

SHA512
5e7f4188e1d6c3964f72535697dc9462c36e124cec5a8eec3ac7f5bbcb5e87e02ba893cf3743d6753a7a2947d10f1b8163b6727fc9314b57e2c9f0a4b4596f64

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
ba9b3fd569d696becf7f484cf58779d0

SHA1
5ea741a31685f039a0c2ca30b55989f60d76ef85

SHA256
093d50df9dde48f6776fa5214b2834fbce6ac618f052b73e269ef757e9bdea33

SHA512
e27e74c72b58bd0e5d8e1bbdd9e47cd3f1f92e638b524e6069e64f8559a91c47744c411fefd5066f0e343610c05e820b04b33d9f2177f0ddf65c35d7f86b306c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
a73f1db79864cd8d04ebe46ed4557b89

SHA1
91c953a7a05e697228609d3e15ccbad980cd5f8f

SHA256
74387f0b5b023621f2e0c0b9618326bf8d7f394c46c86d78e105e22610112c5d

SHA512
4413cfd1deaf319bfcf33ce6607ee0718cdef7d1b8e3a59ec1639b6906750f6876f91a7ee2005b6f022521b3bc059611d9292eec44a0dd758529c3d7ce2c1dd4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
90dbef5865c3897e1adcb4a0bf5b2a71

SHA1
d4793226edffc54fe0005c5b090dfc4a20ec8c26

SHA256
f2df6674ab29e3c9a53e74adafec281af41c059ca72f040bdff005effbcea168

SHA512
aff5a26d9790337e3bac12486e35d18d4aa6787ddc806cc038b206857398a02a47a686ddaacaaedd29f603b6ba8dc2218b18e333736875763dbbae0524c9921c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
113B

MD5
9f80815a390234f336109a311e7eea47

SHA1
4b501cfc04019db224be32c76eeb8b969fce3322

SHA256
7b46e9db459b87912f033bc84f565283c2f9e63e776a3d3b38296f68d5bc4991

SHA512
c159b4fa54c6e944882bb39f533666cba00923f0f464a4163166f4fa4aa5ab6b5a6787d3d9f4dd6fc43fbea02771fed2679436822323201cbc0f2733e623a212

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
205B

MD5
59352c2b0c590c5fd96365d3168d723b

SHA1
53ab571639cc3e3a38032c1095985f7f4278d8fc

SHA256
079db0d18cb8ca55e8653f3d67608c5e445d32e368feb874ed3fa1d797c7c286

SHA512
2d21bcd26ef934095ca5b37aa1e66091547870f5e09c2d203dfd75923d2575f93f1a42f31e4fb7b2423b766984464ed65b048f49519837918de246a892c82828

Download Submit
memory/2180-133-0x0000000000340000-0x0000000000F52000-memory.dmp

Filesize
12.1MB

Download
memory/2180-149-0x0000000000340000-0x0000000000F52000-memory.dmp

Filesize
12.1MB

Download
memory/2180-132-0x0000000000340000-0x0000000000F52000-memory.dmp

Filesize
12.1MB

Download
memory/4564-147-0x0000000000340000-0x0000000000F52000-memory.dmp

Filesize
12.1MB

Download
memory/4564-138-0x0000000000340000-0x0000000000F52000-memory.dmp

Filesize
12.1MB

Download
memory/4564-151-0x0000000000340000-0x0000000000F52000-memory.dmp

Filesize
12.1MB

Download
memory/5028-144-0x0000000000340000-0x0000000000F52000-memory.dmp

Filesize
12.1MB

Download
memory/5028-137-0x0000000000340000-0x0000000000F52000-memory.dmp

Filesize
12.1MB

Download
memory/5028-150-0x0000000000340000-0x0000000000F52000-memory.dmp

Filesize
12.1MB

Download