0947f026798cb0e0bcba786d525ace5dddb6d256cd55f0e5fe8612ef68338ccb

Analysis

max time kernel
300s
max time network
294s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24-02-2023 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk.exe

pid	Process
3528	AnyDesk.exe
3528	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid	Process
3668	AnyDesk.exe
3668	AnyDesk.exe
3668	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid	Process
3668	AnyDesk.exe
3668	AnyDesk.exe
3668	AnyDesk.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AnyDesk.exe

description	pid	Process	procid_target
PID 4260 wrote to memory of 3528	4260	AnyDesk.exe	84
PID 4260 wrote to memory of 3528	4260	AnyDesk.exe	84
PID 4260 wrote to memory of 3528	4260	AnyDesk.exe	84
PID 4260 wrote to memory of 3668	4260	AnyDesk.exe	85
PID 4260 wrote to memory of 3668	4260	AnyDesk.exe	85
PID 4260 wrote to memory of 3668	4260	AnyDesk.exe	85

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3528
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
d7597a08982512764f4a729bb1f5b907

SHA1
f962c00a4203426513d443b2d0a2121184d0e971

SHA256
565e92de66ddb3d90cac6af4235348a5c832ec625c8b8c7dd5a23d7d523347b5

SHA512
c79909f462a0fbe858ab77ded4036e39e0fc9cc5177119c66fb215d7dd975846c1aa34c46ca18ca9956614107a370fc1c38aa9cfc1b14c0a652f28ebb70fec42

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
fef1a537a4d7fcf18371a78e12cc6e6d

SHA1
49d9f7b4a8b732396a3d081d7308d2bf65270ee0

SHA256
78cb0eb5e22a2322d41b20dd54f46d016dcee435c92b8b0a79305a3d17ff3274

SHA512
f119e1344282b1fa566b79a7fc884b306b72d652b745a5cbbfe2302776baa1267b464ba8fc6cb07017c00ba31f96c8e5aceac88ca66a6e7f2253103822e2c558

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
ce2479e7a9b9d27abf1e13a5f4321072

SHA1
02e463118d3591d2b56aed089f24bf3f16d7d431

SHA256
8d52e07286b4bc3a281c0ff4dd4b50d2620caf334be2fa2dd007c3bd5e7775b3

SHA512
279766a484f5ac286c7924c5c122bffe80c258a2e06a8c4cb31f036c369e29e60d9f6e0e794f0a8e7c6982e394410a0d127cbac34bdf0a3dbaf7b54ffae157ee

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
ce2479e7a9b9d27abf1e13a5f4321072

SHA1
02e463118d3591d2b56aed089f24bf3f16d7d431

SHA256
8d52e07286b4bc3a281c0ff4dd4b50d2620caf334be2fa2dd007c3bd5e7775b3

SHA512
279766a484f5ac286c7924c5c122bffe80c258a2e06a8c4cb31f036c369e29e60d9f6e0e794f0a8e7c6982e394410a0d127cbac34bdf0a3dbaf7b54ffae157ee

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
0560e3db3bbee6be39548ab4174afff1

SHA1
4a3556e17b6d3789e90f091660fd62e8590b104b

SHA256
d6ef332b23314cdf22ab26f6e65d02ca8cd36e3e830bb3a7a631eccf68b4b075

SHA512
1a7d258735207592eca3d778f11f98aec55cf4a846dd98fe1919b30b9ff73aaf2d3d7a14fa3a97a28fe6b943386c88d726626222e0df7122eedb7640b37ce695

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
4beda511695a1f6f386f4f6a55133983

SHA1
b092b1c17b5151c23db4487a0f593a662a48667f

SHA256
d47b82f533cd9f12f9e9df9932c1776d30fea1fa8b58913289fb4034384c1a90

SHA512
cffe34264a120ebf912e815b5c1c99a6bd85e70b33e553ec97bbff2093a2e77f61f280925dd37f27b516cf58669cd8f27767d28ac3e23bf88ca4b2460372cd61

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
0560e3db3bbee6be39548ab4174afff1

SHA1
4a3556e17b6d3789e90f091660fd62e8590b104b

SHA256
d6ef332b23314cdf22ab26f6e65d02ca8cd36e3e830bb3a7a631eccf68b4b075

SHA512
1a7d258735207592eca3d778f11f98aec55cf4a846dd98fe1919b30b9ff73aaf2d3d7a14fa3a97a28fe6b943386c88d726626222e0df7122eedb7640b37ce695

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
0560e3db3bbee6be39548ab4174afff1

SHA1
4a3556e17b6d3789e90f091660fd62e8590b104b

SHA256
d6ef332b23314cdf22ab26f6e65d02ca8cd36e3e830bb3a7a631eccf68b4b075

SHA512
1a7d258735207592eca3d778f11f98aec55cf4a846dd98fe1919b30b9ff73aaf2d3d7a14fa3a97a28fe6b943386c88d726626222e0df7122eedb7640b37ce695

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
4beda511695a1f6f386f4f6a55133983

SHA1
b092b1c17b5151c23db4487a0f593a662a48667f

SHA256
d47b82f533cd9f12f9e9df9932c1776d30fea1fa8b58913289fb4034384c1a90

SHA512
cffe34264a120ebf912e815b5c1c99a6bd85e70b33e553ec97bbff2093a2e77f61f280925dd37f27b516cf58669cd8f27767d28ac3e23bf88ca4b2460372cd61

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
4beda511695a1f6f386f4f6a55133983

SHA1
b092b1c17b5151c23db4487a0f593a662a48667f

SHA256
d47b82f533cd9f12f9e9df9932c1776d30fea1fa8b58913289fb4034384c1a90

SHA512
cffe34264a120ebf912e815b5c1c99a6bd85e70b33e553ec97bbff2093a2e77f61f280925dd37f27b516cf58669cd8f27767d28ac3e23bf88ca4b2460372cd61

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
0560e3db3bbee6be39548ab4174afff1

SHA1
4a3556e17b6d3789e90f091660fd62e8590b104b

SHA256
d6ef332b23314cdf22ab26f6e65d02ca8cd36e3e830bb3a7a631eccf68b4b075

SHA512
1a7d258735207592eca3d778f11f98aec55cf4a846dd98fe1919b30b9ff73aaf2d3d7a14fa3a97a28fe6b943386c88d726626222e0df7122eedb7640b37ce695

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
0560e3db3bbee6be39548ab4174afff1

SHA1
4a3556e17b6d3789e90f091660fd62e8590b104b

SHA256
d6ef332b23314cdf22ab26f6e65d02ca8cd36e3e830bb3a7a631eccf68b4b075

SHA512
1a7d258735207592eca3d778f11f98aec55cf4a846dd98fe1919b30b9ff73aaf2d3d7a14fa3a97a28fe6b943386c88d726626222e0df7122eedb7640b37ce695

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
4beda511695a1f6f386f4f6a55133983

SHA1
b092b1c17b5151c23db4487a0f593a662a48667f

SHA256
d47b82f533cd9f12f9e9df9932c1776d30fea1fa8b58913289fb4034384c1a90

SHA512
cffe34264a120ebf912e815b5c1c99a6bd85e70b33e553ec97bbff2093a2e77f61f280925dd37f27b516cf58669cd8f27767d28ac3e23bf88ca4b2460372cd61

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
0560e3db3bbee6be39548ab4174afff1

SHA1
4a3556e17b6d3789e90f091660fd62e8590b104b

SHA256
d6ef332b23314cdf22ab26f6e65d02ca8cd36e3e830bb3a7a631eccf68b4b075

SHA512
1a7d258735207592eca3d778f11f98aec55cf4a846dd98fe1919b30b9ff73aaf2d3d7a14fa3a97a28fe6b943386c88d726626222e0df7122eedb7640b37ce695

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
0560e3db3bbee6be39548ab4174afff1

SHA1
4a3556e17b6d3789e90f091660fd62e8590b104b

SHA256
d6ef332b23314cdf22ab26f6e65d02ca8cd36e3e830bb3a7a631eccf68b4b075

SHA512
1a7d258735207592eca3d778f11f98aec55cf4a846dd98fe1919b30b9ff73aaf2d3d7a14fa3a97a28fe6b943386c88d726626222e0df7122eedb7640b37ce695

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
4beda511695a1f6f386f4f6a55133983

SHA1
b092b1c17b5151c23db4487a0f593a662a48667f

SHA256
d47b82f533cd9f12f9e9df9932c1776d30fea1fa8b58913289fb4034384c1a90

SHA512
cffe34264a120ebf912e815b5c1c99a6bd85e70b33e553ec97bbff2093a2e77f61f280925dd37f27b516cf58669cd8f27767d28ac3e23bf88ca4b2460372cd61

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
0560e3db3bbee6be39548ab4174afff1

SHA1
4a3556e17b6d3789e90f091660fd62e8590b104b

SHA256
d6ef332b23314cdf22ab26f6e65d02ca8cd36e3e830bb3a7a631eccf68b4b075

SHA512
1a7d258735207592eca3d778f11f98aec55cf4a846dd98fe1919b30b9ff73aaf2d3d7a14fa3a97a28fe6b943386c88d726626222e0df7122eedb7640b37ce695

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
4beda511695a1f6f386f4f6a55133983

SHA1
b092b1c17b5151c23db4487a0f593a662a48667f

SHA256
d47b82f533cd9f12f9e9df9932c1776d30fea1fa8b58913289fb4034384c1a90

SHA512
cffe34264a120ebf912e815b5c1c99a6bd85e70b33e553ec97bbff2093a2e77f61f280925dd37f27b516cf58669cd8f27767d28ac3e23bf88ca4b2460372cd61

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
0560e3db3bbee6be39548ab4174afff1

SHA1
4a3556e17b6d3789e90f091660fd62e8590b104b

SHA256
d6ef332b23314cdf22ab26f6e65d02ca8cd36e3e830bb3a7a631eccf68b4b075

SHA512
1a7d258735207592eca3d778f11f98aec55cf4a846dd98fe1919b30b9ff73aaf2d3d7a14fa3a97a28fe6b943386c88d726626222e0df7122eedb7640b37ce695

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
4beda511695a1f6f386f4f6a55133983

SHA1
b092b1c17b5151c23db4487a0f593a662a48667f

SHA256
d47b82f533cd9f12f9e9df9932c1776d30fea1fa8b58913289fb4034384c1a90

SHA512
cffe34264a120ebf912e815b5c1c99a6bd85e70b33e553ec97bbff2093a2e77f61f280925dd37f27b516cf58669cd8f27767d28ac3e23bf88ca4b2460372cd61

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
0560e3db3bbee6be39548ab4174afff1

SHA1
4a3556e17b6d3789e90f091660fd62e8590b104b

SHA256
d6ef332b23314cdf22ab26f6e65d02ca8cd36e3e830bb3a7a631eccf68b4b075

SHA512
1a7d258735207592eca3d778f11f98aec55cf4a846dd98fe1919b30b9ff73aaf2d3d7a14fa3a97a28fe6b943386c88d726626222e0df7122eedb7640b37ce695

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
4beda511695a1f6f386f4f6a55133983

SHA1
b092b1c17b5151c23db4487a0f593a662a48667f

SHA256
d47b82f533cd9f12f9e9df9932c1776d30fea1fa8b58913289fb4034384c1a90

SHA512
cffe34264a120ebf912e815b5c1c99a6bd85e70b33e553ec97bbff2093a2e77f61f280925dd37f27b516cf58669cd8f27767d28ac3e23bf88ca4b2460372cd61

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
8d03a625d306e44174dc42935c24c6eb

SHA1
f52f5c38f0dd451cba46d5e971efdc6be88983bf

SHA256
679b15fd526f0e8b16d2ce12acd9b7c8e60f42e0b89e37f06c3c75d38335f2a3

SHA512
71cd0f08bcff7b785beab1b2ecf3aa5693951b6650f871f3f02a43dd50532b8e51019f800b1b16877cc63ad3e0b4aa49721ca6e1034b667010279a12e0b52f4b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
850e77c28d1d7dffbb92564df5d58c76

SHA1
f0d4f27e16f16ce75dcde36caf19e647f67e0e18

SHA256
369ee29cd43196730d3ed90dc7424a9b4b5970aea9e66ac7fc0bad73689c05be

SHA512
ec5e5132c9114114a77c0d5d7f1d51ee3a7fc55c2e587715d50e818090895e8e9160c155e7df313dac89b86dafb1ca0d07eec36b7f5b82935868d2ead35f4d28

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
db891f70abe90169e2a00b29ab154304

SHA1
5fe13faf900278b9af79d21ac0d498b74fff0137

SHA256
8ebe965aeee192743fc11df9d4aa7734f1f2f6ea32632e60da172420a7f51ded

SHA512
10e289b44162347f4ea999d6b7f88c79d620417a53b03309e23f3cdd88aa7a48c5b2583564321f7e20f787ee795468bb645e178106c4bc5cee7a0e51b6433b09

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
db891f70abe90169e2a00b29ab154304

SHA1
5fe13faf900278b9af79d21ac0d498b74fff0137

SHA256
8ebe965aeee192743fc11df9d4aa7734f1f2f6ea32632e60da172420a7f51ded

SHA512
10e289b44162347f4ea999d6b7f88c79d620417a53b03309e23f3cdd88aa7a48c5b2583564321f7e20f787ee795468bb645e178106c4bc5cee7a0e51b6433b09

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
db891f70abe90169e2a00b29ab154304

SHA1
5fe13faf900278b9af79d21ac0d498b74fff0137

SHA256
8ebe965aeee192743fc11df9d4aa7734f1f2f6ea32632e60da172420a7f51ded

SHA512
10e289b44162347f4ea999d6b7f88c79d620417a53b03309e23f3cdd88aa7a48c5b2583564321f7e20f787ee795468bb645e178106c4bc5cee7a0e51b6433b09

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
175afc47cd009b2514466d4412636dc7

SHA1
090fc8ef9dfcb9685b02a2dac3f953f0b5257bd8

SHA256
9c557cb1a23a0d689b38f783f522fb483add93d649228825ddad642ae0dfc24f

SHA512
d3735a7725d778567a287865c8b8372bb1bef2ec851a1c352fc87dc4fd0a877197db1818ac97e17350eebcdcea61a3fd8eab1460343a65ae4f33dcf9742f7259

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
2c0bfd60cec3b8ad0fe7e7b75cc3385b

SHA1
a0f480836aadea081ecd49e54a28f856a08100e8

SHA256
6904d787481328cf62c7f29fb0d658f1da54a2e733850682c4df5271b58fdb0c

SHA512
89eded2ef1764ca4f44b0feaa544cd4f691c128a50f9ff8d4ee5d1c91d1d4c8102210e465a75c37fc4d124654313a4535cdf7ecb72969c89ae7968e51ee3e53c

Download Submit
memory/3528-223-0x0000000000390000-0x000000000140E000-memory.dmp

Filesize
16.5MB

Download
memory/3528-723-0x0000000000390000-0x000000000140E000-memory.dmp

Filesize
16.5MB

Download
memory/3528-289-0x0000000000390000-0x000000000140E000-memory.dmp

Filesize
16.5MB

Download
memory/3528-370-0x0000000000390000-0x000000000140E000-memory.dmp

Filesize
16.5MB

Download
memory/3528-142-0x0000000000390000-0x000000000140E000-memory.dmp

Filesize
16.5MB

Download
memory/3528-501-0x0000000000390000-0x000000000140E000-memory.dmp

Filesize
16.5MB

Download
memory/3668-224-0x0000000000390000-0x000000000140E000-memory.dmp

Filesize
16.5MB

Download
memory/3668-143-0x0000000000390000-0x000000000140E000-memory.dmp

Filesize
16.5MB

Download
memory/3668-504-0x0000000000390000-0x000000000140E000-memory.dmp

Filesize
16.5MB

Download
memory/3668-162-0x00000000019C0000-0x00000000019C1000-memory.dmp

Filesize
4KB

Download
memory/3668-724-0x0000000000390000-0x000000000140E000-memory.dmp

Filesize
16.5MB

Download
memory/4260-133-0x0000000000390000-0x000000000140E000-memory.dmp

Filesize
16.5MB

Download
memory/4260-153-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/4260-152-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/4260-220-0x0000000000390000-0x000000000140E000-memory.dmp

Filesize
16.5MB

Download
memory/4260-305-0x0000000000390000-0x000000000140E000-memory.dmp

Filesize
16.5MB

Download
memory/4260-138-0x00000000019B0000-0x00000000019B1000-memory.dmp

Filesize
4KB

Download