fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Analysis

max time kernel
150s
max time network
108s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
24-02-2023 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

AnyDesk.exe

pid	Process
1476	AnyDesk.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk.exe

pid	Process
1484	AnyDesk.exe
1484	AnyDesk.exe
1484	AnyDesk.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid	Process
1484	AnyDesk.exe
1484	AnyDesk.exe
1484	AnyDesk.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AnyDesk.exe

description	pid	Process	procid_target
PID 1376 wrote to memory of 1476	1376	AnyDesk.exe	28
PID 1376 wrote to memory of 1476	1376	AnyDesk.exe	28
PID 1376 wrote to memory of 1476	1376	AnyDesk.exe	28
PID 1376 wrote to memory of 1476	1376	AnyDesk.exe	28
PID 1376 wrote to memory of 1484	1376	AnyDesk.exe	29
PID 1376 wrote to memory of 1484	1376	AnyDesk.exe	29
PID 1376 wrote to memory of 1484	1376	AnyDesk.exe	29
PID 1376 wrote to memory of 1484	1376	AnyDesk.exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1476
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
d4e0c40a934187857a74067acb40a60a

SHA1
2ada1d80f53f08b2824e3e69df3b0de5ec46670d

SHA256
9dc9d149f622f28c7d796cead70bcc3fcc441aae640b1640de2c9251be69b06b

SHA512
241ca500fac557e88f383f779cac8c33705684e7dac1f1e2ea2557128869b1d9a327210d92c1b5cd6cb91d8e70e2f9b3717867888441b6fa9eedc0f355e1f4d2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
d4e0c40a934187857a74067acb40a60a

SHA1
2ada1d80f53f08b2824e3e69df3b0de5ec46670d

SHA256
9dc9d149f622f28c7d796cead70bcc3fcc441aae640b1640de2c9251be69b06b

SHA512
241ca500fac557e88f383f779cac8c33705684e7dac1f1e2ea2557128869b1d9a327210d92c1b5cd6cb91d8e70e2f9b3717867888441b6fa9eedc0f355e1f4d2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
0697f204e8e530c9aed8f318a7c8d877

SHA1
659cfe287285fb01cd6dd2952983f6b027e50e4c

SHA256
18535e848405783e3875682da1605559a5cf10092872ed7ffebc578c1f70d4f5

SHA512
12617d404ca0810b3d2f9142ceb83578404534fb81cd72134130638af8f0418396825c8199d61abd77526391ee79446aaad334684d1b69a211830ef7f9ee303d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
0697f204e8e530c9aed8f318a7c8d877

SHA1
659cfe287285fb01cd6dd2952983f6b027e50e4c

SHA256
18535e848405783e3875682da1605559a5cf10092872ed7ffebc578c1f70d4f5

SHA512
12617d404ca0810b3d2f9142ceb83578404534fb81cd72134130638af8f0418396825c8199d61abd77526391ee79446aaad334684d1b69a211830ef7f9ee303d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
2d6521caf15e02f7be26efc9c772b4d2

SHA1
31e5b97abdcf5e45fed94767b0b7fff382e280ad

SHA256
ddc7bc9c84c6aa59348c6cffec994fb0bfc44271a3865f84160fec618999edc7

SHA512
8734d31d0a2975d1203f8c487ab81f3651d919df0797df99ecc55b32d3b5e5d2e3e50b23aad1a1de15cb364a4450c50e824cc553d71b5ebebda730e032c6eade

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
2d6521caf15e02f7be26efc9c772b4d2

SHA1
31e5b97abdcf5e45fed94767b0b7fff382e280ad

SHA256
ddc7bc9c84c6aa59348c6cffec994fb0bfc44271a3865f84160fec618999edc7

SHA512
8734d31d0a2975d1203f8c487ab81f3651d919df0797df99ecc55b32d3b5e5d2e3e50b23aad1a1de15cb364a4450c50e824cc553d71b5ebebda730e032c6eade

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
2d6521caf15e02f7be26efc9c772b4d2

SHA1
31e5b97abdcf5e45fed94767b0b7fff382e280ad

SHA256
ddc7bc9c84c6aa59348c6cffec994fb0bfc44271a3865f84160fec618999edc7

SHA512
8734d31d0a2975d1203f8c487ab81f3651d919df0797df99ecc55b32d3b5e5d2e3e50b23aad1a1de15cb364a4450c50e824cc553d71b5ebebda730e032c6eade

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
2d6521caf15e02f7be26efc9c772b4d2

SHA1
31e5b97abdcf5e45fed94767b0b7fff382e280ad

SHA256
ddc7bc9c84c6aa59348c6cffec994fb0bfc44271a3865f84160fec618999edc7

SHA512
8734d31d0a2975d1203f8c487ab81f3651d919df0797df99ecc55b32d3b5e5d2e3e50b23aad1a1de15cb364a4450c50e824cc553d71b5ebebda730e032c6eade

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
e30ae83a13ad70545a87c045ada62f51

SHA1
8a61f2cd390bdbc1c439040e4515fe52b6dde532

SHA256
5e01cfe93a62418e7688abe98661490e0196e4f136ffa1345b587f5db9be34bb

SHA512
291b7128d360a8d638671f7b10aba30c1bb8ea6940ef5c81b34aeeff17ae10bab49f34641601508f3516451e69937c52178caeaab4919b482c3281f9b3434d49

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
e30ae83a13ad70545a87c045ada62f51

SHA1
8a61f2cd390bdbc1c439040e4515fe52b6dde532

SHA256
5e01cfe93a62418e7688abe98661490e0196e4f136ffa1345b587f5db9be34bb

SHA512
291b7128d360a8d638671f7b10aba30c1bb8ea6940ef5c81b34aeeff17ae10bab49f34641601508f3516451e69937c52178caeaab4919b482c3281f9b3434d49

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
2d6521caf15e02f7be26efc9c772b4d2

SHA1
31e5b97abdcf5e45fed94767b0b7fff382e280ad

SHA256
ddc7bc9c84c6aa59348c6cffec994fb0bfc44271a3865f84160fec618999edc7

SHA512
8734d31d0a2975d1203f8c487ab81f3651d919df0797df99ecc55b32d3b5e5d2e3e50b23aad1a1de15cb364a4450c50e824cc553d71b5ebebda730e032c6eade

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
e30ae83a13ad70545a87c045ada62f51

SHA1
8a61f2cd390bdbc1c439040e4515fe52b6dde532

SHA256
5e01cfe93a62418e7688abe98661490e0196e4f136ffa1345b587f5db9be34bb

SHA512
291b7128d360a8d638671f7b10aba30c1bb8ea6940ef5c81b34aeeff17ae10bab49f34641601508f3516451e69937c52178caeaab4919b482c3281f9b3434d49

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
2d6521caf15e02f7be26efc9c772b4d2

SHA1
31e5b97abdcf5e45fed94767b0b7fff382e280ad

SHA256
ddc7bc9c84c6aa59348c6cffec994fb0bfc44271a3865f84160fec618999edc7

SHA512
8734d31d0a2975d1203f8c487ab81f3651d919df0797df99ecc55b32d3b5e5d2e3e50b23aad1a1de15cb364a4450c50e824cc553d71b5ebebda730e032c6eade

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
2d6521caf15e02f7be26efc9c772b4d2

SHA1
31e5b97abdcf5e45fed94767b0b7fff382e280ad

SHA256
ddc7bc9c84c6aa59348c6cffec994fb0bfc44271a3865f84160fec618999edc7

SHA512
8734d31d0a2975d1203f8c487ab81f3651d919df0797df99ecc55b32d3b5e5d2e3e50b23aad1a1de15cb364a4450c50e824cc553d71b5ebebda730e032c6eade

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
e30ae83a13ad70545a87c045ada62f51

SHA1
8a61f2cd390bdbc1c439040e4515fe52b6dde532

SHA256
5e01cfe93a62418e7688abe98661490e0196e4f136ffa1345b587f5db9be34bb

SHA512
291b7128d360a8d638671f7b10aba30c1bb8ea6940ef5c81b34aeeff17ae10bab49f34641601508f3516451e69937c52178caeaab4919b482c3281f9b3434d49

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
2d6521caf15e02f7be26efc9c772b4d2

SHA1
31e5b97abdcf5e45fed94767b0b7fff382e280ad

SHA256
ddc7bc9c84c6aa59348c6cffec994fb0bfc44271a3865f84160fec618999edc7

SHA512
8734d31d0a2975d1203f8c487ab81f3651d919df0797df99ecc55b32d3b5e5d2e3e50b23aad1a1de15cb364a4450c50e824cc553d71b5ebebda730e032c6eade

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
e30ae83a13ad70545a87c045ada62f51

SHA1
8a61f2cd390bdbc1c439040e4515fe52b6dde532

SHA256
5e01cfe93a62418e7688abe98661490e0196e4f136ffa1345b587f5db9be34bb

SHA512
291b7128d360a8d638671f7b10aba30c1bb8ea6940ef5c81b34aeeff17ae10bab49f34641601508f3516451e69937c52178caeaab4919b482c3281f9b3434d49

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
e30ae83a13ad70545a87c045ada62f51

SHA1
8a61f2cd390bdbc1c439040e4515fe52b6dde532

SHA256
5e01cfe93a62418e7688abe98661490e0196e4f136ffa1345b587f5db9be34bb

SHA512
291b7128d360a8d638671f7b10aba30c1bb8ea6940ef5c81b34aeeff17ae10bab49f34641601508f3516451e69937c52178caeaab4919b482c3281f9b3434d49

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
3dccb9ac0c8f283361c6c221749f2e5a

SHA1
f8560794b7e4606ef306c9a81a4931577beb363b

SHA256
64412fbaffc1b9994a93a56b9ca54aa43556a39be7472c93a76eb255441a4d73

SHA512
35a50262aedf75077cd8f6216afaba1dcd1225eafd83a14d1c23129ceb9b63cee8edec7b4d21cdeeb31197868118fe67b12d69dff186f7f4ae575c7adf1da0f5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6a6d8fa919b3f9a273f29071fecaec67

SHA1
06b69398e11ab0c6e0bbfdfdf2d42c81803c1174

SHA256
d9d46ec7955ee8a2fe8aec3184fccedfb7a7f1aceae9fec310f421b51ba1470f

SHA512
d0f75eafff326e588c618976b76f4cffab6782c3edf182b1fe4180659d84aa2b229e2f0d2c868e49549ab6ce84a6a9d047a0830769203b211498acdaa272aca9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6a6d8fa919b3f9a273f29071fecaec67

SHA1
06b69398e11ab0c6e0bbfdfdf2d42c81803c1174

SHA256
d9d46ec7955ee8a2fe8aec3184fccedfb7a7f1aceae9fec310f421b51ba1470f

SHA512
d0f75eafff326e588c618976b76f4cffab6782c3edf182b1fe4180659d84aa2b229e2f0d2c868e49549ab6ce84a6a9d047a0830769203b211498acdaa272aca9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
2b8db2b0f566c7d80a71390352f40169

SHA1
2e0efb31898c28c3429e6b16a6a3bb1cb94b68d2

SHA256
9b6625dc54218dd06910d897ff27bcd24c953fd3fd559ef896502faa36088787

SHA512
761bc0dba6e47891eb6f78076d779e47f571f9d624d38cb008deab8f9f80b4e6490f3aeba256e62ffac18a9f7c4e49df67fc7cf626c3e32318a52e9a52285843

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
36d8df77d57ac7e92d0ede06999a62fe

SHA1
3f104685e217bad7f95c88ee1519f93dfb729819

SHA256
a86380d83297f1616be8a4adecc78edf1b2f5b7a1e906d51dac6718550d0ff18

SHA512
8fba9c00e4a2a58a27c92e69120dcf81b4f0cb97240b87a5d9f639e99d5e8a5cb53ee655206eda0961a856d078c906e82d81ea58f3d01629b2113523b85f9290

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
36d8df77d57ac7e92d0ede06999a62fe

SHA1
3f104685e217bad7f95c88ee1519f93dfb729819

SHA256
a86380d83297f1616be8a4adecc78edf1b2f5b7a1e906d51dac6718550d0ff18

SHA512
8fba9c00e4a2a58a27c92e69120dcf81b4f0cb97240b87a5d9f639e99d5e8a5cb53ee655206eda0961a856d078c906e82d81ea58f3d01629b2113523b85f9290

Download Submit
memory/1376-83-0x00000000015C0000-0x00000000015C1000-memory.dmp

Filesize
4KB

Download
memory/1376-184-0x0000000000180000-0x00000000011FE000-memory.dmp

Filesize
16.5MB

Download
memory/1376-79-0x00000000015B0000-0x00000000015B1000-memory.dmp

Filesize
4KB

Download
memory/1376-59-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1376-54-0x0000000000180000-0x00000000011FE000-memory.dmp

Filesize
16.5MB

Download
memory/1476-70-0x0000000000180000-0x00000000011FE000-memory.dmp

Filesize
16.5MB

Download
memory/1476-245-0x0000000000180000-0x00000000011FE000-memory.dmp

Filesize
16.5MB

Download
memory/1476-321-0x0000000000180000-0x00000000011FE000-memory.dmp

Filesize
16.5MB

Download
memory/1476-191-0x0000000000180000-0x00000000011FE000-memory.dmp

Filesize
16.5MB

Download
memory/1476-458-0x0000000000180000-0x00000000011FE000-memory.dmp

Filesize
16.5MB

Download
memory/1484-192-0x0000000000180000-0x00000000011FE000-memory.dmp

Filesize
16.5MB

Download
memory/1484-69-0x0000000000180000-0x00000000011FE000-memory.dmp

Filesize
16.5MB

Download
memory/1484-459-0x0000000000180000-0x00000000011FE000-memory.dmp

Filesize
16.5MB

Download
memory/1484-92-0x0000000001270000-0x0000000001271000-memory.dmp

Filesize
4KB

Download