fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Analysis

max time kernel
210s
max time network
207s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
31-01-2023 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

AnyDesk.exe

pid	Process
1280	AnyDesk.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

AnyDesk.exe

pid	Process
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

AnyDesk.exe

pid	Process
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe
728	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AnyDesk.exe

description	pid	Process	procid_target
PID 1992 wrote to memory of 1280	1992	AnyDesk.exe	28
PID 1992 wrote to memory of 1280	1992	AnyDesk.exe	28
PID 1992 wrote to memory of 1280	1992	AnyDesk.exe	28
PID 1992 wrote to memory of 1280	1992	AnyDesk.exe	28
PID 1992 wrote to memory of 728	1992	AnyDesk.exe	29
PID 1992 wrote to memory of 728	1992	AnyDesk.exe	29
PID 1992 wrote to memory of 728	1992	AnyDesk.exe	29
PID 1992 wrote to memory of 728	1992	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1280
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
8517d3b1cc7496d288a79857b50f89e8

SHA1
a3b74e56e240590cea2adb7a07c6cd0a244a0339

SHA256
bd5638f73429333802502ea31ba840accf981d77631620749c671f5cfc05560a

SHA512
b828b7a7ed19245bae4e50a6b22a76406a50883d45e13c88b7a925c6da8018c60aff17b71ba06d472b11d9528e20730a550c813309edee613f7c2d5c2b4eb7e4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
8517d3b1cc7496d288a79857b50f89e8

SHA1
a3b74e56e240590cea2adb7a07c6cd0a244a0339

SHA256
bd5638f73429333802502ea31ba840accf981d77631620749c671f5cfc05560a

SHA512
b828b7a7ed19245bae4e50a6b22a76406a50883d45e13c88b7a925c6da8018c60aff17b71ba06d472b11d9528e20730a550c813309edee613f7c2d5c2b4eb7e4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
5167785c07263a0f2574c85bc0e31e43

SHA1
89cfdfac68c42b4158d2c2e2c2ccc125da31de57

SHA256
5589680dd6b7d1ec0d9663094efb647f2412c56ce893b9c2ccd9c6e3244993a4

SHA512
5598c646b8324dfd7aca3d65153d39235e7f6e90d72155b65d1207e29c2fb013f63fe5997eaa834aea3041a287e45d2e91c2ca398f0b0a10fbbf8cd26fd64e1c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
2ba6a517c40c53a63e91c3fa6691dd9c

SHA1
8d170cb922543dd38647969d5c7c233e8d08630c

SHA256
0560f603fcbe8083fca6f573d62cb5c1a6f2628d68c939f35c036ae6deb027fb

SHA512
a216ce1bf77b4fa9853167415539ff31dc4665a17a8238b44748d4f296b78aa17c64bd37629117781ecde8f7ecaec405294f789dfd8e7bb956cc64ed0469e132

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
8946452a7fb3852aadcf7035eee609a1

SHA1
7d6a40f430a00653bb6e1b5e89fab476fb0a1e0e

SHA256
f253d5a1f929f3a54a1b98fa134572c5777436b06122f8e18fd988e7d7576d90

SHA512
e41842b2ece986fbf47e06747f45ad0fe50d84b266b41e40f8a9f7db9cec9bd36e330a77a249f4f990e4729395674023f2989fc18b45e11c9187de1fb6b1462f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
8946452a7fb3852aadcf7035eee609a1

SHA1
7d6a40f430a00653bb6e1b5e89fab476fb0a1e0e

SHA256
f253d5a1f929f3a54a1b98fa134572c5777436b06122f8e18fd988e7d7576d90

SHA512
e41842b2ece986fbf47e06747f45ad0fe50d84b266b41e40f8a9f7db9cec9bd36e330a77a249f4f990e4729395674023f2989fc18b45e11c9187de1fb6b1462f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
2ba6a517c40c53a63e91c3fa6691dd9c

SHA1
8d170cb922543dd38647969d5c7c233e8d08630c

SHA256
0560f603fcbe8083fca6f573d62cb5c1a6f2628d68c939f35c036ae6deb027fb

SHA512
a216ce1bf77b4fa9853167415539ff31dc4665a17a8238b44748d4f296b78aa17c64bd37629117781ecde8f7ecaec405294f789dfd8e7bb956cc64ed0469e132

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
8946452a7fb3852aadcf7035eee609a1

SHA1
7d6a40f430a00653bb6e1b5e89fab476fb0a1e0e

SHA256
f253d5a1f929f3a54a1b98fa134572c5777436b06122f8e18fd988e7d7576d90

SHA512
e41842b2ece986fbf47e06747f45ad0fe50d84b266b41e40f8a9f7db9cec9bd36e330a77a249f4f990e4729395674023f2989fc18b45e11c9187de1fb6b1462f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
2ba6a517c40c53a63e91c3fa6691dd9c

SHA1
8d170cb922543dd38647969d5c7c233e8d08630c

SHA256
0560f603fcbe8083fca6f573d62cb5c1a6f2628d68c939f35c036ae6deb027fb

SHA512
a216ce1bf77b4fa9853167415539ff31dc4665a17a8238b44748d4f296b78aa17c64bd37629117781ecde8f7ecaec405294f789dfd8e7bb956cc64ed0469e132

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
2ba6a517c40c53a63e91c3fa6691dd9c

SHA1
8d170cb922543dd38647969d5c7c233e8d08630c

SHA256
0560f603fcbe8083fca6f573d62cb5c1a6f2628d68c939f35c036ae6deb027fb

SHA512
a216ce1bf77b4fa9853167415539ff31dc4665a17a8238b44748d4f296b78aa17c64bd37629117781ecde8f7ecaec405294f789dfd8e7bb956cc64ed0469e132

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
8946452a7fb3852aadcf7035eee609a1

SHA1
7d6a40f430a00653bb6e1b5e89fab476fb0a1e0e

SHA256
f253d5a1f929f3a54a1b98fa134572c5777436b06122f8e18fd988e7d7576d90

SHA512
e41842b2ece986fbf47e06747f45ad0fe50d84b266b41e40f8a9f7db9cec9bd36e330a77a249f4f990e4729395674023f2989fc18b45e11c9187de1fb6b1462f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
2ba6a517c40c53a63e91c3fa6691dd9c

SHA1
8d170cb922543dd38647969d5c7c233e8d08630c

SHA256
0560f603fcbe8083fca6f573d62cb5c1a6f2628d68c939f35c036ae6deb027fb

SHA512
a216ce1bf77b4fa9853167415539ff31dc4665a17a8238b44748d4f296b78aa17c64bd37629117781ecde8f7ecaec405294f789dfd8e7bb956cc64ed0469e132

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
2ba6a517c40c53a63e91c3fa6691dd9c

SHA1
8d170cb922543dd38647969d5c7c233e8d08630c

SHA256
0560f603fcbe8083fca6f573d62cb5c1a6f2628d68c939f35c036ae6deb027fb

SHA512
a216ce1bf77b4fa9853167415539ff31dc4665a17a8238b44748d4f296b78aa17c64bd37629117781ecde8f7ecaec405294f789dfd8e7bb956cc64ed0469e132

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
8946452a7fb3852aadcf7035eee609a1

SHA1
7d6a40f430a00653bb6e1b5e89fab476fb0a1e0e

SHA256
f253d5a1f929f3a54a1b98fa134572c5777436b06122f8e18fd988e7d7576d90

SHA512
e41842b2ece986fbf47e06747f45ad0fe50d84b266b41e40f8a9f7db9cec9bd36e330a77a249f4f990e4729395674023f2989fc18b45e11c9187de1fb6b1462f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
8946452a7fb3852aadcf7035eee609a1

SHA1
7d6a40f430a00653bb6e1b5e89fab476fb0a1e0e

SHA256
f253d5a1f929f3a54a1b98fa134572c5777436b06122f8e18fd988e7d7576d90

SHA512
e41842b2ece986fbf47e06747f45ad0fe50d84b266b41e40f8a9f7db9cec9bd36e330a77a249f4f990e4729395674023f2989fc18b45e11c9187de1fb6b1462f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
2ba6a517c40c53a63e91c3fa6691dd9c

SHA1
8d170cb922543dd38647969d5c7c233e8d08630c

SHA256
0560f603fcbe8083fca6f573d62cb5c1a6f2628d68c939f35c036ae6deb027fb

SHA512
a216ce1bf77b4fa9853167415539ff31dc4665a17a8238b44748d4f296b78aa17c64bd37629117781ecde8f7ecaec405294f789dfd8e7bb956cc64ed0469e132

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
8946452a7fb3852aadcf7035eee609a1

SHA1
7d6a40f430a00653bb6e1b5e89fab476fb0a1e0e

SHA256
f253d5a1f929f3a54a1b98fa134572c5777436b06122f8e18fd988e7d7576d90

SHA512
e41842b2ece986fbf47e06747f45ad0fe50d84b266b41e40f8a9f7db9cec9bd36e330a77a249f4f990e4729395674023f2989fc18b45e11c9187de1fb6b1462f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
8946452a7fb3852aadcf7035eee609a1

SHA1
7d6a40f430a00653bb6e1b5e89fab476fb0a1e0e

SHA256
f253d5a1f929f3a54a1b98fa134572c5777436b06122f8e18fd988e7d7576d90

SHA512
e41842b2ece986fbf47e06747f45ad0fe50d84b266b41e40f8a9f7db9cec9bd36e330a77a249f4f990e4729395674023f2989fc18b45e11c9187de1fb6b1462f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
66273a8df77e89a9ee08e4b7111d281f

SHA1
93ee96bfaf537bc59ad34dd257d54b8bb8fa973f

SHA256
ca314be9404131ba4253d205775ea399634e0c77a8f53aa0fd95043fce312deb

SHA512
08fcbe7f0b1c6e3a1ec0ef1d6322cb6c2792c324d1d38d9620efad58f7737d6a99e799e55d222bd482e0eb111a60e3addb5631f4f66e6b37697c0ae14a7a6de7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
7c4ff847084658f70089860129cfb1d0

SHA1
18b831379098a9657fd8c9d3f48963b5eb3032de

SHA256
837c3a952a1b7a65a61a0640721dbf8ecd1aae00aab4da1c19ab47404f4f7b3e

SHA512
f50152b4a2beb76a89a3e577ebda009b6a8e0d21c6a5fbf8e9952f30d346148d7ee4680b2d9a7eb8a9fb9cf4c77ff0e504601ad5170bce297be698452a4a2eba

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
7c4ff847084658f70089860129cfb1d0

SHA1
18b831379098a9657fd8c9d3f48963b5eb3032de

SHA256
837c3a952a1b7a65a61a0640721dbf8ecd1aae00aab4da1c19ab47404f4f7b3e

SHA512
f50152b4a2beb76a89a3e577ebda009b6a8e0d21c6a5fbf8e9952f30d346148d7ee4680b2d9a7eb8a9fb9cf4c77ff0e504601ad5170bce297be698452a4a2eba

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
9559cbe786f6e9c33b6d779d3042ab2a

SHA1
0fc18dfb0f98ea5f7e637637f8bcfd5f89d8cee3

SHA256
dc227ade446ae51a9488be0b3439febf61753cd62f58fa6b2c455590a02f924f

SHA512
4a816bbc17db8ebf0c357356c2ec03468f42259fedc64782446d6006d3655b2baa9e643b4249ac7868141b17df4b1a7bf53d6da5d4841ea8d113ca55f1ffbfad

Download Submit
memory/728-62-0x0000000000340000-0x00000000013BE000-memory.dmp

Filesize
16.5MB

Download
memory/728-73-0x0000000000340000-0x00000000013BE000-memory.dmp

Filesize
16.5MB

Download
memory/728-103-0x0000000000340000-0x00000000013BE000-memory.dmp

Filesize
16.5MB

Download
memory/728-59-0x0000000000000000-mapping.dmp

Download
memory/1280-102-0x0000000000340000-0x00000000013BE000-memory.dmp

Filesize
16.5MB

Download
memory/1280-71-0x0000000000340000-0x00000000013BE000-memory.dmp

Filesize
16.5MB

Download
memory/1280-58-0x0000000000000000-mapping.dmp

Download
memory/1280-63-0x0000000000340000-0x00000000013BE000-memory.dmp

Filesize
16.5MB

Download
memory/1992-101-0x0000000000340000-0x00000000013BE000-memory.dmp

Filesize
16.5MB

Download
memory/1992-54-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/1992-70-0x00000000749F1000-0x00000000749F3000-memory.dmp

Filesize
8KB

Download
memory/1992-57-0x0000000000340000-0x00000000013BE000-memory.dmp

Filesize
16.5MB

Download
memory/1992-55-0x0000000000340000-0x00000000013BE000-memory.dmp

Filesize
16.5MB

Download