fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
13-02-2023 00:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk.exe

pid	Process
2532	AnyDesk.exe
2532	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid	Process
1600	AnyDesk.exe
1600	AnyDesk.exe
1600	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid	Process
1600	AnyDesk.exe
1600	AnyDesk.exe
1600	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AnyDesk.exe

description	pid	Process	procid_target
PID 4776 wrote to memory of 2532	4776	AnyDesk.exe	80
PID 4776 wrote to memory of 2532	4776	AnyDesk.exe	80
PID 4776 wrote to memory of 2532	4776	AnyDesk.exe	80
PID 4776 wrote to memory of 1600	4776	AnyDesk.exe	81
PID 4776 wrote to memory of 1600	4776	AnyDesk.exe	81
PID 4776 wrote to memory of 1600	4776	AnyDesk.exe	81

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2532
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
d32b8cf9e5a35e9ff3ab1e13a447f42d

SHA1
d1d636bdde7593373152200ceb4ae0136d90b85c

SHA256
1bc79945b8c17f6fe9c300cca800f70f0c1437643e2b2803a5c82863a1a6f05d

SHA512
95386275b96cf82031a28a19ce2719a6c35d1864f288f922cad621924317dd3af76522da2106514c56ad334e92bdff8534c2b7e5049f34869a779b6c457f3046

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
d32b8cf9e5a35e9ff3ab1e13a447f42d

SHA1
d1d636bdde7593373152200ceb4ae0136d90b85c

SHA256
1bc79945b8c17f6fe9c300cca800f70f0c1437643e2b2803a5c82863a1a6f05d

SHA512
95386275b96cf82031a28a19ce2719a6c35d1864f288f922cad621924317dd3af76522da2106514c56ad334e92bdff8534c2b7e5049f34869a779b6c457f3046

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
b7192a7bd202860b2ea585f82638290f

SHA1
2d6d560453e7b184add04c5469d697027f7323c1

SHA256
0f0e0644a96c003fd62a135c573866d293a1bb629f184f003b8921ca277e72b7

SHA512
61e76becf578e9629f459d7f2298d89e98e6581469be3d70865fcba162dc44543c946a2582487df691d604d3ac493bba9d80f53d803f4b0bb82baa1f6fb33736

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
e6790b0af6fca7b3ce45116aa3038941

SHA1
ff516b8f8676a87237b84ac22f4cb38d7a977320

SHA256
41cfaeef6f329fa425cecb4df6000f33bc30950f1cf83990ccc04dbfe5f42852

SHA512
176d7e2394ee5d7735b6d457974777c8a5817525018da0943d548970366e29404ac3e83483e53743f7fd5ad7d44539f9810cfaf6e55aa79b24dc987bd554fd46

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
3d6efbeed3f2d7979e7e1e783f521bdf

SHA1
b3b994a50952f2fe45b80956ead929d967d9b52e

SHA256
128cc1743ca0f6bbae5890e29a7136e4f3851aeea3601e5e0f6f5cfcfa9d0d4a

SHA512
44a23051841f349d9bd9638b60bc367c66659c2bb3fb3b595d3bdc079e69a688c962dee2605a89a7cfcb6e47f937f5722246cc86b6bc7b2809a798f07dedf13a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
e6790b0af6fca7b3ce45116aa3038941

SHA1
ff516b8f8676a87237b84ac22f4cb38d7a977320

SHA256
41cfaeef6f329fa425cecb4df6000f33bc30950f1cf83990ccc04dbfe5f42852

SHA512
176d7e2394ee5d7735b6d457974777c8a5817525018da0943d548970366e29404ac3e83483e53743f7fd5ad7d44539f9810cfaf6e55aa79b24dc987bd554fd46

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
e6790b0af6fca7b3ce45116aa3038941

SHA1
ff516b8f8676a87237b84ac22f4cb38d7a977320

SHA256
41cfaeef6f329fa425cecb4df6000f33bc30950f1cf83990ccc04dbfe5f42852

SHA512
176d7e2394ee5d7735b6d457974777c8a5817525018da0943d548970366e29404ac3e83483e53743f7fd5ad7d44539f9810cfaf6e55aa79b24dc987bd554fd46

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
3d6efbeed3f2d7979e7e1e783f521bdf

SHA1
b3b994a50952f2fe45b80956ead929d967d9b52e

SHA256
128cc1743ca0f6bbae5890e29a7136e4f3851aeea3601e5e0f6f5cfcfa9d0d4a

SHA512
44a23051841f349d9bd9638b60bc367c66659c2bb3fb3b595d3bdc079e69a688c962dee2605a89a7cfcb6e47f937f5722246cc86b6bc7b2809a798f07dedf13a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
e6790b0af6fca7b3ce45116aa3038941

SHA1
ff516b8f8676a87237b84ac22f4cb38d7a977320

SHA256
41cfaeef6f329fa425cecb4df6000f33bc30950f1cf83990ccc04dbfe5f42852

SHA512
176d7e2394ee5d7735b6d457974777c8a5817525018da0943d548970366e29404ac3e83483e53743f7fd5ad7d44539f9810cfaf6e55aa79b24dc987bd554fd46

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
e6790b0af6fca7b3ce45116aa3038941

SHA1
ff516b8f8676a87237b84ac22f4cb38d7a977320

SHA256
41cfaeef6f329fa425cecb4df6000f33bc30950f1cf83990ccc04dbfe5f42852

SHA512
176d7e2394ee5d7735b6d457974777c8a5817525018da0943d548970366e29404ac3e83483e53743f7fd5ad7d44539f9810cfaf6e55aa79b24dc987bd554fd46

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
3d6efbeed3f2d7979e7e1e783f521bdf

SHA1
b3b994a50952f2fe45b80956ead929d967d9b52e

SHA256
128cc1743ca0f6bbae5890e29a7136e4f3851aeea3601e5e0f6f5cfcfa9d0d4a

SHA512
44a23051841f349d9bd9638b60bc367c66659c2bb3fb3b595d3bdc079e69a688c962dee2605a89a7cfcb6e47f937f5722246cc86b6bc7b2809a798f07dedf13a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
e6790b0af6fca7b3ce45116aa3038941

SHA1
ff516b8f8676a87237b84ac22f4cb38d7a977320

SHA256
41cfaeef6f329fa425cecb4df6000f33bc30950f1cf83990ccc04dbfe5f42852

SHA512
176d7e2394ee5d7735b6d457974777c8a5817525018da0943d548970366e29404ac3e83483e53743f7fd5ad7d44539f9810cfaf6e55aa79b24dc987bd554fd46

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
3d6efbeed3f2d7979e7e1e783f521bdf

SHA1
b3b994a50952f2fe45b80956ead929d967d9b52e

SHA256
128cc1743ca0f6bbae5890e29a7136e4f3851aeea3601e5e0f6f5cfcfa9d0d4a

SHA512
44a23051841f349d9bd9638b60bc367c66659c2bb3fb3b595d3bdc079e69a688c962dee2605a89a7cfcb6e47f937f5722246cc86b6bc7b2809a798f07dedf13a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
e6790b0af6fca7b3ce45116aa3038941

SHA1
ff516b8f8676a87237b84ac22f4cb38d7a977320

SHA256
41cfaeef6f329fa425cecb4df6000f33bc30950f1cf83990ccc04dbfe5f42852

SHA512
176d7e2394ee5d7735b6d457974777c8a5817525018da0943d548970366e29404ac3e83483e53743f7fd5ad7d44539f9810cfaf6e55aa79b24dc987bd554fd46

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
3d6efbeed3f2d7979e7e1e783f521bdf

SHA1
b3b994a50952f2fe45b80956ead929d967d9b52e

SHA256
128cc1743ca0f6bbae5890e29a7136e4f3851aeea3601e5e0f6f5cfcfa9d0d4a

SHA512
44a23051841f349d9bd9638b60bc367c66659c2bb3fb3b595d3bdc079e69a688c962dee2605a89a7cfcb6e47f937f5722246cc86b6bc7b2809a798f07dedf13a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
afb454e42265a3aae44ba6d4bd077109

SHA1
0215499012ef3cab5a76ffb742bf93a6a5d324e8

SHA256
126f76ff6caa309c94880cc16aa448a420341e14766f0d08eb38c5c08297cdc5

SHA512
e0cc410718665749133be6fe21a30b7d5ff1ada4c503aec9ec00191b8a9067c013b9b573d82fb2d80f3896ab4e2373e87598f69e628059eb58e0c25eb3fddbc4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1ea1920f87c06d8ae1060aa7beb973c3

SHA1
d4488bca201fb13116417b3da859068c477fee75

SHA256
60bbb7cdff7528deab83892f41247a6b2c91c8742c1cf927b078cc3647a0e95f

SHA512
2493911d345c9c91d41dab86dfe2ebeef0aedaffedc340b27296cd8276cf0c985c5e8813ef1fcfc5b2687abc6c5393d6a84cb0a988bbbb73be125230dd360fca

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
10bddfeade2cb0e1770b19bd947789d2

SHA1
2a6743bf397497fe2158988d0ef01df0fe0466d6

SHA256
177d7fb89c81b7903b02259268c368ff41dbe1c7f2a429f1885e16eb11fe2e6c

SHA512
f519452b2bb362132d80e30dd05fd0c3ad879466a1fb4fa1aec4ca3cbb3a10f4416257fd4738956c39112a4e538c7b5e7a73df9391221b4de0f99879eda67eeb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
10bddfeade2cb0e1770b19bd947789d2

SHA1
2a6743bf397497fe2158988d0ef01df0fe0466d6

SHA256
177d7fb89c81b7903b02259268c368ff41dbe1c7f2a429f1885e16eb11fe2e6c

SHA512
f519452b2bb362132d80e30dd05fd0c3ad879466a1fb4fa1aec4ca3cbb3a10f4416257fd4738956c39112a4e538c7b5e7a73df9391221b4de0f99879eda67eeb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
10bddfeade2cb0e1770b19bd947789d2

SHA1
2a6743bf397497fe2158988d0ef01df0fe0466d6

SHA256
177d7fb89c81b7903b02259268c368ff41dbe1c7f2a429f1885e16eb11fe2e6c

SHA512
f519452b2bb362132d80e30dd05fd0c3ad879466a1fb4fa1aec4ca3cbb3a10f4416257fd4738956c39112a4e538c7b5e7a73df9391221b4de0f99879eda67eeb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1ea1920f87c06d8ae1060aa7beb973c3

SHA1
d4488bca201fb13116417b3da859068c477fee75

SHA256
60bbb7cdff7528deab83892f41247a6b2c91c8742c1cf927b078cc3647a0e95f

SHA512
2493911d345c9c91d41dab86dfe2ebeef0aedaffedc340b27296cd8276cf0c985c5e8813ef1fcfc5b2687abc6c5393d6a84cb0a988bbbb73be125230dd360fca

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1ea1920f87c06d8ae1060aa7beb973c3

SHA1
d4488bca201fb13116417b3da859068c477fee75

SHA256
60bbb7cdff7528deab83892f41247a6b2c91c8742c1cf927b078cc3647a0e95f

SHA512
2493911d345c9c91d41dab86dfe2ebeef0aedaffedc340b27296cd8276cf0c985c5e8813ef1fcfc5b2687abc6c5393d6a84cb0a988bbbb73be125230dd360fca

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1ea1920f87c06d8ae1060aa7beb973c3

SHA1
d4488bca201fb13116417b3da859068c477fee75

SHA256
60bbb7cdff7528deab83892f41247a6b2c91c8742c1cf927b078cc3647a0e95f

SHA512
2493911d345c9c91d41dab86dfe2ebeef0aedaffedc340b27296cd8276cf0c985c5e8813ef1fcfc5b2687abc6c5393d6a84cb0a988bbbb73be125230dd360fca

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1ea1920f87c06d8ae1060aa7beb973c3

SHA1
d4488bca201fb13116417b3da859068c477fee75

SHA256
60bbb7cdff7528deab83892f41247a6b2c91c8742c1cf927b078cc3647a0e95f

SHA512
2493911d345c9c91d41dab86dfe2ebeef0aedaffedc340b27296cd8276cf0c985c5e8813ef1fcfc5b2687abc6c5393d6a84cb0a988bbbb73be125230dd360fca

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
08651437829b345c99d1ef8ac9742a79

SHA1
a5f5555e62eb9d8c1ff8fae50111a35c7a833fa8

SHA256
8a81587db10ef21705d5ff4374df006834d70a08cf680a943eaacf629d88e924

SHA512
905753d13f891de54ae01218c286f6ed646ffac92f0e219cc406bd4cbd86eddaa3f8dc2b0394c21aaea4a41a397b4991e76ff8c17658e4210c1eaabead982da9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c89266963ed49fbcb5f23943df54d3ee

SHA1
26dfce91fbb6098a4dc761196c8dbb584f5515f8

SHA256
33d9749b511f319fe06c456382725f5878d2304c92a3d5e9755e4364d3af3c49

SHA512
9ad08c3ddd44938441be2e7102cdcb6cda5e0444ea63a94caf71ce9df8c1e16183ff4d0f646dd08d577a149ad53fe008a3d397483b68791c7eea274fb264c2b6

Download Submit
memory/1600-163-0x0000000000400000-0x000000000147E000-memory.dmp

Filesize
16.5MB

Download
memory/1600-145-0x0000000000400000-0x000000000147E000-memory.dmp

Filesize
16.5MB

Download
memory/1600-137-0x0000000000400000-0x000000000147E000-memory.dmp

Filesize
16.5MB

Download
memory/1600-136-0x0000000000000000-mapping.dmp

Download
memory/2532-164-0x0000000000400000-0x000000000147E000-memory.dmp

Filesize
16.5MB

Download
memory/2532-138-0x0000000000400000-0x000000000147E000-memory.dmp

Filesize
16.5MB

Download
memory/2532-156-0x0000000000400000-0x000000000147E000-memory.dmp

Filesize
16.5MB

Download
memory/2532-135-0x0000000000000000-mapping.dmp

Download
memory/4776-132-0x0000000000400000-0x000000000147E000-memory.dmp

Filesize
16.5MB

Download
memory/4776-162-0x0000000000400000-0x000000000147E000-memory.dmp

Filesize
16.5MB

Download
memory/4776-134-0x0000000000400000-0x000000000147E000-memory.dmp

Filesize
16.5MB

Download