fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Analysis

max time kernel
210s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2023 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
2284	3716	WerFault.exe	82

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk.exe

pid	Process
4512	AnyDesk.exe
4512	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid	Process
4240	AnyDesk.exe
4240	AnyDesk.exe
4240	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid	Process
4240	AnyDesk.exe
4240	AnyDesk.exe
4240	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AnyDesk.exe

description	pid	Process	procid_target
PID 4968 wrote to memory of 4512	4968	AnyDesk.exe	80
PID 4968 wrote to memory of 4512	4968	AnyDesk.exe	80
PID 4968 wrote to memory of 4512	4968	AnyDesk.exe	80
PID 4968 wrote to memory of 4240	4968	AnyDesk.exe	81
PID 4968 wrote to memory of 4240	4968	AnyDesk.exe	81
PID 4968 wrote to memory of 4240	4968	AnyDesk.exe	81

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4968
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4512
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4240

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 444 -p 3716 -ip 3716
1⤵
PID:4052

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3716 -s 1748
1⤵
- Program crash
PID:2284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
f936688fe437d857daf13f0c3006a561

SHA1
9cbbb11a7c2e4d35e04a05d5d8b1a89c8e338231

SHA256
deba550723a1cf539407d84a5afe1c1c854896f375ff78aadaec07acb4bc30df

SHA512
c1473fdda5f267fc89bb63e39616080b841763f390fc057dc89dca632c06cac344ff67c09a454a92e75b9caacd092b0e98f673a8c38b6ec7a8c8d3d38573ab33

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
271aa6f7f94bbb5baf9c58b6c77474f6

SHA1
02eabf33ab107aeafc9f86a3a4b72ada114665f0

SHA256
4f3556ebc2ee660756c772313672789eb82c407917b6f96a71b87ff480625a5f

SHA512
a3d09409219d36013827f641fbe15e50f448a11082cf9340fc408545b44bde489ff376a860aebf03b491c9bb2df1a5d1eb2c6c362959e7fd41d49acee92f0846

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
04038d08cf9f43c07dbde80c38a91b7e

SHA1
279945591f8bd0e6a91c83a563283111492e444d

SHA256
9a9dbe52abe2768d9211915ff5ff47755fdbd40fc232b5691482ced349d881a8

SHA512
9717be0b5ad01f99ea1d5ad89f64cab675012c0c4c91ac2ac77d7d4da13427f3f8de14c95312f997791fc98a81a6b6e8a7717be4f06a0f17ff293eb856fc4f60

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
9ba80c08163ddcba6c6296923b9f3fe5

SHA1
e255e1d4956efaef8a836f118c84ecd95a18b1b1

SHA256
9bca66e01d4bfa7d34e51f48cf803eb512dbbc26f7574d3a1f0a008e1c67b23a

SHA512
eaa1b553c4dc87542198560cb7639f7db6a681e3bb482d283b1ec004e24d41c23a9590475d3c187c38245f0a8fe25859ea334878960119b5c439f5bdfb6a4222

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
9ba80c08163ddcba6c6296923b9f3fe5

SHA1
e255e1d4956efaef8a836f118c84ecd95a18b1b1

SHA256
9bca66e01d4bfa7d34e51f48cf803eb512dbbc26f7574d3a1f0a008e1c67b23a

SHA512
eaa1b553c4dc87542198560cb7639f7db6a681e3bb482d283b1ec004e24d41c23a9590475d3c187c38245f0a8fe25859ea334878960119b5c439f5bdfb6a4222

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
bd7996fb911183dbc9a86e3ae8e8d420

SHA1
47bac9b3f98768f5bc38c13af6e1fb013524f0a0

SHA256
801d81c246f9df27fac1655e30e09d693c4570ede8fdfaaa7206698b41a40d8e

SHA512
718d971656a12c20201eaab73b4c2f8bb86bf5831e3d04b0701ca3e172bcafce162ba1d2db9978206551ca5d0f25be036a77ef179fed32c2586ff89c1aa35921

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
9ba80c08163ddcba6c6296923b9f3fe5

SHA1
e255e1d4956efaef8a836f118c84ecd95a18b1b1

SHA256
9bca66e01d4bfa7d34e51f48cf803eb512dbbc26f7574d3a1f0a008e1c67b23a

SHA512
eaa1b553c4dc87542198560cb7639f7db6a681e3bb482d283b1ec004e24d41c23a9590475d3c187c38245f0a8fe25859ea334878960119b5c439f5bdfb6a4222

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
bd7996fb911183dbc9a86e3ae8e8d420

SHA1
47bac9b3f98768f5bc38c13af6e1fb013524f0a0

SHA256
801d81c246f9df27fac1655e30e09d693c4570ede8fdfaaa7206698b41a40d8e

SHA512
718d971656a12c20201eaab73b4c2f8bb86bf5831e3d04b0701ca3e172bcafce162ba1d2db9978206551ca5d0f25be036a77ef179fed32c2586ff89c1aa35921

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
9ba80c08163ddcba6c6296923b9f3fe5

SHA1
e255e1d4956efaef8a836f118c84ecd95a18b1b1

SHA256
9bca66e01d4bfa7d34e51f48cf803eb512dbbc26f7574d3a1f0a008e1c67b23a

SHA512
eaa1b553c4dc87542198560cb7639f7db6a681e3bb482d283b1ec004e24d41c23a9590475d3c187c38245f0a8fe25859ea334878960119b5c439f5bdfb6a4222

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
bd7996fb911183dbc9a86e3ae8e8d420

SHA1
47bac9b3f98768f5bc38c13af6e1fb013524f0a0

SHA256
801d81c246f9df27fac1655e30e09d693c4570ede8fdfaaa7206698b41a40d8e

SHA512
718d971656a12c20201eaab73b4c2f8bb86bf5831e3d04b0701ca3e172bcafce162ba1d2db9978206551ca5d0f25be036a77ef179fed32c2586ff89c1aa35921

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
9ba80c08163ddcba6c6296923b9f3fe5

SHA1
e255e1d4956efaef8a836f118c84ecd95a18b1b1

SHA256
9bca66e01d4bfa7d34e51f48cf803eb512dbbc26f7574d3a1f0a008e1c67b23a

SHA512
eaa1b553c4dc87542198560cb7639f7db6a681e3bb482d283b1ec004e24d41c23a9590475d3c187c38245f0a8fe25859ea334878960119b5c439f5bdfb6a4222

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
bd7996fb911183dbc9a86e3ae8e8d420

SHA1
47bac9b3f98768f5bc38c13af6e1fb013524f0a0

SHA256
801d81c246f9df27fac1655e30e09d693c4570ede8fdfaaa7206698b41a40d8e

SHA512
718d971656a12c20201eaab73b4c2f8bb86bf5831e3d04b0701ca3e172bcafce162ba1d2db9978206551ca5d0f25be036a77ef179fed32c2586ff89c1aa35921

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
9ba80c08163ddcba6c6296923b9f3fe5

SHA1
e255e1d4956efaef8a836f118c84ecd95a18b1b1

SHA256
9bca66e01d4bfa7d34e51f48cf803eb512dbbc26f7574d3a1f0a008e1c67b23a

SHA512
eaa1b553c4dc87542198560cb7639f7db6a681e3bb482d283b1ec004e24d41c23a9590475d3c187c38245f0a8fe25859ea334878960119b5c439f5bdfb6a4222

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
bd7996fb911183dbc9a86e3ae8e8d420

SHA1
47bac9b3f98768f5bc38c13af6e1fb013524f0a0

SHA256
801d81c246f9df27fac1655e30e09d693c4570ede8fdfaaa7206698b41a40d8e

SHA512
718d971656a12c20201eaab73b4c2f8bb86bf5831e3d04b0701ca3e172bcafce162ba1d2db9978206551ca5d0f25be036a77ef179fed32c2586ff89c1aa35921

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6de411171d849aaa17fb91ef7da2e106

SHA1
215dcebd0cac5f005fe38783a78128a0dddce8f0

SHA256
db9902ee573dd2dde94d28bb084fadca4a290cca0b228c6370f7ac7b8d8537b7

SHA512
ad53e7bf5f3492bd54afe6ef5dd5247f0aaf2309f684a036ea6472cd5cb7f3260df3ac22919ef6faf6338585ef297bff6172429cb6a0a2a344fc435da505efc3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
365dc3a861348f69a3cedbffe707fc52

SHA1
35de0a5539ac5c1bb0cb0d0e68e7c58dc02d9749

SHA256
5ffb3bc79a8bd492bbb0528c0eae86e422fdf9b8e5496e89b7a247afc135dd7e

SHA512
4a6ec37260b4ca81164a15c22999ec45a2218b5f5602b0b69411ff97c70d1b1c992eb204420a8a51ebe2d95efd6a458d15f9654f2eb1e3d0d724abb9fa722f4d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
365dc3a861348f69a3cedbffe707fc52

SHA1
35de0a5539ac5c1bb0cb0d0e68e7c58dc02d9749

SHA256
5ffb3bc79a8bd492bbb0528c0eae86e422fdf9b8e5496e89b7a247afc135dd7e

SHA512
4a6ec37260b4ca81164a15c22999ec45a2218b5f5602b0b69411ff97c70d1b1c992eb204420a8a51ebe2d95efd6a458d15f9654f2eb1e3d0d724abb9fa722f4d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a6c8a757021ceae6de15bf5d8655beac

SHA1
a70f880e132224a308cc486b6dee663b880a29d1

SHA256
cf54256db67bf77a73247c6482c4a0ec8705f41985596cd5e4188bd617afa12e

SHA512
fc028f018bf719144f8153f32dda517df80e47953fe2bada37e961f738a5bab934a3b2832b18c33e59e45b4979349c2fb3f10654b13460db8352d3eb01bef1c1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
342d405ba0a60587a6ec4cac8004e088

SHA1
7acf3ecb1dacc614894adb67d812227b32f38bd3

SHA256
da451d718c7a84ac221c9c5b575c551257f7deed08e86ab417528e18d9be4508

SHA512
4183d4e9d182a12336eb9c9f2bb783b51c4958d4f9bfed17c7da05046660f6a6ee4078cd45deef9550224e2a202b4baaaadad865e6a0cc1050d5d72208a62e7e

Download Submit
memory/4240-158-0x0000000000190000-0x000000000120E000-memory.dmp

Filesize
16.5MB

Download
memory/4240-136-0x0000000000000000-mapping.dmp

Download
memory/4240-138-0x0000000000190000-0x000000000120E000-memory.dmp

Filesize
16.5MB

Download
memory/4240-145-0x0000000000190000-0x000000000120E000-memory.dmp

Filesize
16.5MB

Download
memory/4512-157-0x0000000000190000-0x000000000120E000-memory.dmp

Filesize
16.5MB

Download
memory/4512-142-0x0000000000190000-0x000000000120E000-memory.dmp

Filesize
16.5MB

Download
memory/4512-137-0x0000000000190000-0x000000000120E000-memory.dmp

Filesize
16.5MB

Download
memory/4512-135-0x0000000000000000-mapping.dmp

Download
memory/4968-154-0x0000000000190000-0x000000000120E000-memory.dmp

Filesize
16.5MB

Download
memory/4968-132-0x0000000000190000-0x000000000120E000-memory.dmp

Filesize
16.5MB

Download
memory/4968-134-0x0000000000190000-0x000000000120E000-memory.dmp

Filesize
16.5MB

Download