fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
13-02-2023 00:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

AnyDesk.exe

pid	Process
1500	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid	Process
644	AnyDesk.exe
644	AnyDesk.exe
644	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid	Process
644	AnyDesk.exe
644	AnyDesk.exe
644	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AnyDesk.exe

description	pid	Process	procid_target
PID 840 wrote to memory of 1500	840	AnyDesk.exe	28
PID 840 wrote to memory of 1500	840	AnyDesk.exe	28
PID 840 wrote to memory of 1500	840	AnyDesk.exe	28
PID 840 wrote to memory of 1500	840	AnyDesk.exe	28
PID 840 wrote to memory of 644	840	AnyDesk.exe	29
PID 840 wrote to memory of 644	840	AnyDesk.exe	29
PID 840 wrote to memory of 644	840	AnyDesk.exe	29
PID 840 wrote to memory of 644	840	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:840
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1500
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
279846c4d0ab25d409690f81b9502971

SHA1
20a2b79c956a20847e44d7cde3797a15efc2f272

SHA256
6806cd5d4789dbab2947c32c87222fff8024f4bb8250a5ef75774b2575de6807

SHA512
0e541e3201558100ceba7f0ecc3e16b1d1658a98120e3ca127f540c4e249560aef4d99c4bf9d77ff17e464e59a9d3723099886bf1e9d372c5442de7e2d60a183

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
e94d26a995660c00834ed1cce8511860

SHA1
93c10db0b500aae50d33762dd000cacff7d90687

SHA256
ad38042963aeaa74ec7bad581de404e6355f6e7f43953e1ef3310f48929a4945

SHA512
8149d4e45f6fab2b77b65839ac1ef9cee0c76ce2e4a0bdb13348a64e376d63bb5466b7ffa333b7920ccb9d02f9d29a7bfd8f2ce78b0eed2326f2ade65c95d02d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
ec52afcb4645127d1b4f8654a9e0acb1

SHA1
a82105f1317b50f56a1c73c5cf75989176b91157

SHA256
7ac42ece9c07b3bfd0c8b41180cdb6e4ee54720d83dd61505ff37d16348cddf3

SHA512
74373af57e990c0d5ef89e6004a6bac55383d9df510159c5f8273a05f946a2c72dcd00a5a476b720803b6ddae0314da6b0bd64fa8eb7401059d5f6bb63dd8262

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
cab1682b693e2c021c71d75121da1e79

SHA1
462f8992ee9b534c746c2c2e5af40c8d5b60b920

SHA256
050bfd881afd7d82252e6bce9fd6e3b07b29b321f18ddbbbf1b32dcb2783f024

SHA512
cb25e68e2ee0c72f9da58e7b27f3d809196c07aafe81a3c641870c678c5677e5cc3cb69881a8b5f223e98567c7ee013c953313a66130f35c995d7c8fcc29a814

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
df19e5be1b35731c6b0b63cb5bf7cb12

SHA1
20c74d13953d0b17d5575df8a55bf206ef2d0f78

SHA256
9195700ac61091cf6f9c7c9300dcd0b3c16a2d251fbbb1707614c6e681aaaed5

SHA512
38e4c8c09ce05de82a69a0fe01da30b194d15eb6af646a4c8f26171c702c558a70aafcf29fe8a2ec40b92291dd5725b9cf9edb39f5b2916df4851cbffceda6e4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
df19e5be1b35731c6b0b63cb5bf7cb12

SHA1
20c74d13953d0b17d5575df8a55bf206ef2d0f78

SHA256
9195700ac61091cf6f9c7c9300dcd0b3c16a2d251fbbb1707614c6e681aaaed5

SHA512
38e4c8c09ce05de82a69a0fe01da30b194d15eb6af646a4c8f26171c702c558a70aafcf29fe8a2ec40b92291dd5725b9cf9edb39f5b2916df4851cbffceda6e4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
cab1682b693e2c021c71d75121da1e79

SHA1
462f8992ee9b534c746c2c2e5af40c8d5b60b920

SHA256
050bfd881afd7d82252e6bce9fd6e3b07b29b321f18ddbbbf1b32dcb2783f024

SHA512
cb25e68e2ee0c72f9da58e7b27f3d809196c07aafe81a3c641870c678c5677e5cc3cb69881a8b5f223e98567c7ee013c953313a66130f35c995d7c8fcc29a814

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
df19e5be1b35731c6b0b63cb5bf7cb12

SHA1
20c74d13953d0b17d5575df8a55bf206ef2d0f78

SHA256
9195700ac61091cf6f9c7c9300dcd0b3c16a2d251fbbb1707614c6e681aaaed5

SHA512
38e4c8c09ce05de82a69a0fe01da30b194d15eb6af646a4c8f26171c702c558a70aafcf29fe8a2ec40b92291dd5725b9cf9edb39f5b2916df4851cbffceda6e4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
df19e5be1b35731c6b0b63cb5bf7cb12

SHA1
20c74d13953d0b17d5575df8a55bf206ef2d0f78

SHA256
9195700ac61091cf6f9c7c9300dcd0b3c16a2d251fbbb1707614c6e681aaaed5

SHA512
38e4c8c09ce05de82a69a0fe01da30b194d15eb6af646a4c8f26171c702c558a70aafcf29fe8a2ec40b92291dd5725b9cf9edb39f5b2916df4851cbffceda6e4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
cab1682b693e2c021c71d75121da1e79

SHA1
462f8992ee9b534c746c2c2e5af40c8d5b60b920

SHA256
050bfd881afd7d82252e6bce9fd6e3b07b29b321f18ddbbbf1b32dcb2783f024

SHA512
cb25e68e2ee0c72f9da58e7b27f3d809196c07aafe81a3c641870c678c5677e5cc3cb69881a8b5f223e98567c7ee013c953313a66130f35c995d7c8fcc29a814

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
df19e5be1b35731c6b0b63cb5bf7cb12

SHA1
20c74d13953d0b17d5575df8a55bf206ef2d0f78

SHA256
9195700ac61091cf6f9c7c9300dcd0b3c16a2d251fbbb1707614c6e681aaaed5

SHA512
38e4c8c09ce05de82a69a0fe01da30b194d15eb6af646a4c8f26171c702c558a70aafcf29fe8a2ec40b92291dd5725b9cf9edb39f5b2916df4851cbffceda6e4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
cab1682b693e2c021c71d75121da1e79

SHA1
462f8992ee9b534c746c2c2e5af40c8d5b60b920

SHA256
050bfd881afd7d82252e6bce9fd6e3b07b29b321f18ddbbbf1b32dcb2783f024

SHA512
cb25e68e2ee0c72f9da58e7b27f3d809196c07aafe81a3c641870c678c5677e5cc3cb69881a8b5f223e98567c7ee013c953313a66130f35c995d7c8fcc29a814

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
cab1682b693e2c021c71d75121da1e79

SHA1
462f8992ee9b534c746c2c2e5af40c8d5b60b920

SHA256
050bfd881afd7d82252e6bce9fd6e3b07b29b321f18ddbbbf1b32dcb2783f024

SHA512
cb25e68e2ee0c72f9da58e7b27f3d809196c07aafe81a3c641870c678c5677e5cc3cb69881a8b5f223e98567c7ee013c953313a66130f35c995d7c8fcc29a814

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
df19e5be1b35731c6b0b63cb5bf7cb12

SHA1
20c74d13953d0b17d5575df8a55bf206ef2d0f78

SHA256
9195700ac61091cf6f9c7c9300dcd0b3c16a2d251fbbb1707614c6e681aaaed5

SHA512
38e4c8c09ce05de82a69a0fe01da30b194d15eb6af646a4c8f26171c702c558a70aafcf29fe8a2ec40b92291dd5725b9cf9edb39f5b2916df4851cbffceda6e4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
df19e5be1b35731c6b0b63cb5bf7cb12

SHA1
20c74d13953d0b17d5575df8a55bf206ef2d0f78

SHA256
9195700ac61091cf6f9c7c9300dcd0b3c16a2d251fbbb1707614c6e681aaaed5

SHA512
38e4c8c09ce05de82a69a0fe01da30b194d15eb6af646a4c8f26171c702c558a70aafcf29fe8a2ec40b92291dd5725b9cf9edb39f5b2916df4851cbffceda6e4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
cab1682b693e2c021c71d75121da1e79

SHA1
462f8992ee9b534c746c2c2e5af40c8d5b60b920

SHA256
050bfd881afd7d82252e6bce9fd6e3b07b29b321f18ddbbbf1b32dcb2783f024

SHA512
cb25e68e2ee0c72f9da58e7b27f3d809196c07aafe81a3c641870c678c5677e5cc3cb69881a8b5f223e98567c7ee013c953313a66130f35c995d7c8fcc29a814

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
df19e5be1b35731c6b0b63cb5bf7cb12

SHA1
20c74d13953d0b17d5575df8a55bf206ef2d0f78

SHA256
9195700ac61091cf6f9c7c9300dcd0b3c16a2d251fbbb1707614c6e681aaaed5

SHA512
38e4c8c09ce05de82a69a0fe01da30b194d15eb6af646a4c8f26171c702c558a70aafcf29fe8a2ec40b92291dd5725b9cf9edb39f5b2916df4851cbffceda6e4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
df19e5be1b35731c6b0b63cb5bf7cb12

SHA1
20c74d13953d0b17d5575df8a55bf206ef2d0f78

SHA256
9195700ac61091cf6f9c7c9300dcd0b3c16a2d251fbbb1707614c6e681aaaed5

SHA512
38e4c8c09ce05de82a69a0fe01da30b194d15eb6af646a4c8f26171c702c558a70aafcf29fe8a2ec40b92291dd5725b9cf9edb39f5b2916df4851cbffceda6e4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
14160ea35b01789f3db200288fb4898d

SHA1
8b925217578506cd7d2b5def6cc863c3cf4dd1ad

SHA256
a18ff3c2b74f450811e9c9084d00692ad2871e8ada8480518d5422792f04d7a0

SHA512
e63bdc1b754d5592023130fd5dc206db5c612518a035dad91b5e105b8d534b8e45d3cbae6b87fbf171c31320fa730b43d5c0f04e30ccdde2e2c269b73742b9f0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
14160ea35b01789f3db200288fb4898d

SHA1
8b925217578506cd7d2b5def6cc863c3cf4dd1ad

SHA256
a18ff3c2b74f450811e9c9084d00692ad2871e8ada8480518d5422792f04d7a0

SHA512
e63bdc1b754d5592023130fd5dc206db5c612518a035dad91b5e105b8d534b8e45d3cbae6b87fbf171c31320fa730b43d5c0f04e30ccdde2e2c269b73742b9f0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
9330540d5d327a081bf6871a0ed4dd02

SHA1
4bae6fd97b3961a9711c90a814365941ec3b0039

SHA256
d91bf1b850841bf8d0b14a9a733a7de50c047e8fcb6f9687466ee316791dabee

SHA512
5b8d9178b07d061ed5009555792b3743e039e4096d27f3a3cfd320b24f1a2d9450ba53d12b57a632ec1858daacbb63c234b531ddaed62ee339e724043466f0ba

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
98791d2be3b5e1d80a05970c817dd25b

SHA1
3d8276e413adf7f8be85d7d1d06fb4f2836b276e

SHA256
5276628110179f0be96c4a58d49a7833c7eaa2161d19c3b6eaf1b173372591b4

SHA512
fb439830993a66fcb47d3d8e1abecbdc4378360c0faf2bd011b42d47ff7bed39f264208f89368e0db3950628c34b2454562554f382a73f8883918faec95130f1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e6ed9244f38dffb526dc73f4ae8cee26

SHA1
f44378ef8cd23c95982cb4730c8581acfc688dff

SHA256
4e49bdbc406fa1d76b716167a79fa5fe7ff0a65079c23450c1aef694d2adadc9

SHA512
05fd27b05a065d1c24edbcbc116b6608a76e0514f1c88d2c0626454c1b22e83a2ed3ed77a0ce0f549a33ac6927c7ea2196af55286bb9fc0066ef2e27c01cd3b0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5cd3ef381329f3083d5ee0fc895faad1

SHA1
06cdf4f36f7b9ba08b8dc53982189dc5950fc784

SHA256
f100b18d648bdd49cb493e3ef889aed689b87abeeea47f2a44319dd75ac78af6

SHA512
0a560112a835decd0d2ac5519b17571260db4d7f7ec04581955d45adcc5152cd618c11f758a0b423ddc4c6362722557b13cb81bf2f909d6dc1e68f1b6ff83c17

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5cd3ef381329f3083d5ee0fc895faad1

SHA1
06cdf4f36f7b9ba08b8dc53982189dc5950fc784

SHA256
f100b18d648bdd49cb493e3ef889aed689b87abeeea47f2a44319dd75ac78af6

SHA512
0a560112a835decd0d2ac5519b17571260db4d7f7ec04581955d45adcc5152cd618c11f758a0b423ddc4c6362722557b13cb81bf2f909d6dc1e68f1b6ff83c17

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5cd3ef381329f3083d5ee0fc895faad1

SHA1
06cdf4f36f7b9ba08b8dc53982189dc5950fc784

SHA256
f100b18d648bdd49cb493e3ef889aed689b87abeeea47f2a44319dd75ac78af6

SHA512
0a560112a835decd0d2ac5519b17571260db4d7f7ec04581955d45adcc5152cd618c11f758a0b423ddc4c6362722557b13cb81bf2f909d6dc1e68f1b6ff83c17

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5cd3ef381329f3083d5ee0fc895faad1

SHA1
06cdf4f36f7b9ba08b8dc53982189dc5950fc784

SHA256
f100b18d648bdd49cb493e3ef889aed689b87abeeea47f2a44319dd75ac78af6

SHA512
0a560112a835decd0d2ac5519b17571260db4d7f7ec04581955d45adcc5152cd618c11f758a0b423ddc4c6362722557b13cb81bf2f909d6dc1e68f1b6ff83c17

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5cd3ef381329f3083d5ee0fc895faad1

SHA1
06cdf4f36f7b9ba08b8dc53982189dc5950fc784

SHA256
f100b18d648bdd49cb493e3ef889aed689b87abeeea47f2a44319dd75ac78af6

SHA512
0a560112a835decd0d2ac5519b17571260db4d7f7ec04581955d45adcc5152cd618c11f758a0b423ddc4c6362722557b13cb81bf2f909d6dc1e68f1b6ff83c17

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5cd3ef381329f3083d5ee0fc895faad1

SHA1
06cdf4f36f7b9ba08b8dc53982189dc5950fc784

SHA256
f100b18d648bdd49cb493e3ef889aed689b87abeeea47f2a44319dd75ac78af6

SHA512
0a560112a835decd0d2ac5519b17571260db4d7f7ec04581955d45adcc5152cd618c11f758a0b423ddc4c6362722557b13cb81bf2f909d6dc1e68f1b6ff83c17

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5cd3ef381329f3083d5ee0fc895faad1

SHA1
06cdf4f36f7b9ba08b8dc53982189dc5950fc784

SHA256
f100b18d648bdd49cb493e3ef889aed689b87abeeea47f2a44319dd75ac78af6

SHA512
0a560112a835decd0d2ac5519b17571260db4d7f7ec04581955d45adcc5152cd618c11f758a0b423ddc4c6362722557b13cb81bf2f909d6dc1e68f1b6ff83c17

Download Submit
memory/644-113-0x0000000000F10000-0x0000000001F8E000-memory.dmp

Filesize
16.5MB

Download
memory/644-63-0x0000000000F10000-0x0000000001F8E000-memory.dmp

Filesize
16.5MB

Download
memory/644-59-0x0000000000000000-mapping.dmp

Download
memory/840-54-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/840-112-0x0000000000F10000-0x0000000001F8E000-memory.dmp

Filesize
16.5MB

Download
memory/840-55-0x0000000000F10000-0x0000000001F8E000-memory.dmp

Filesize
16.5MB

Download
memory/840-57-0x0000000000F10000-0x0000000001F8E000-memory.dmp

Filesize
16.5MB

Download
memory/840-64-0x0000000074821000-0x0000000074823000-memory.dmp

Filesize
8KB

Download
memory/1500-114-0x0000000000F10000-0x0000000001F8E000-memory.dmp

Filesize
16.5MB

Download
memory/1500-58-0x0000000000000000-mapping.dmp

Download
memory/1500-62-0x0000000000F10000-0x0000000001F8E000-memory.dmp

Filesize
16.5MB

Download