fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Analysis

max time kernel
150s
max time network
49s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
27-02-2023 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk (1).exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

AnyDesk (1).exe

pid	Process
1764	AnyDesk (1).exe
1764	AnyDesk (1).exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

AnyDesk (1).exe

pid	Process
1764	AnyDesk (1).exe
1764	AnyDesk (1).exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AnyDesk (1).exe

description	pid	Process	procid_target
PID 1052 wrote to memory of 272	1052	AnyDesk (1).exe	28
PID 1052 wrote to memory of 272	1052	AnyDesk (1).exe	28
PID 1052 wrote to memory of 272	1052	AnyDesk (1).exe	28
PID 1052 wrote to memory of 272	1052	AnyDesk (1).exe	28
PID 1052 wrote to memory of 1764	1052	AnyDesk (1).exe	29
PID 1052 wrote to memory of 1764	1052	AnyDesk (1).exe	29
PID 1052 wrote to memory of 1764	1052	AnyDesk (1).exe	29
PID 1052 wrote to memory of 1764	1052	AnyDesk (1).exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-service
  2⤵
  PID:272
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
0fa6f2220eb90f0ac33a1501811f6624

SHA1
57fcf406ed6dc9481f8514155354e8caeae8d90f

SHA256
ae71b514a955df018ff8b42b501d45d08e406c1c790eb1901ada4bb41cb781e1

SHA512
7a9468de2b66015f97e8f9d72e10e874c3a5258c5ceaf0b8e733ed17d817726ef5ffdfc0834a3bf13be117c62ea5bd7394f39aa231d910642c6e63366b5562fc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
1d7c5656f48ce07ae28d61958e9abca4

SHA1
fc07b2f4372bd9cd5aa0c217f5309b10fd3db804

SHA256
11cca4317c36c2dab2e32ae0d19c8adaa537bf67386d6d787b3b7edb63a3b88f

SHA512
90135a00b4990b364ceaa2c0592d930a658536c9a341b06be9cfbc82c91388da83efab3521ddcd6c93d16ed9d398b87414a4b02f785758703d37a5925e3b6fbd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
618ed3b3641e805481d8ef076c92bcc4

SHA1
272131e349f21626742477f4cf403e3caacbfc48

SHA256
bd1b97fcce2f2ebcd753c0cdae071fed756392a5f8fdb02a99c19e094f2ad813

SHA512
eda5e56660f848b4d9113956dcfc181b94f46b2612d7eeedfe43bbb825193350fd334d95c5a1c9c194d0e0b3b638daeccb5c3fb0e4379b34be33d17fe02401fe

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
618ed3b3641e805481d8ef076c92bcc4

SHA1
272131e349f21626742477f4cf403e3caacbfc48

SHA256
bd1b97fcce2f2ebcd753c0cdae071fed756392a5f8fdb02a99c19e094f2ad813

SHA512
eda5e56660f848b4d9113956dcfc181b94f46b2612d7eeedfe43bbb825193350fd334d95c5a1c9c194d0e0b3b638daeccb5c3fb0e4379b34be33d17fe02401fe

Download Submit
memory/272-70-0x00000000013C0000-0x000000000243E000-memory.dmp

Filesize
16.5MB

Download
memory/272-86-0x00000000013C0000-0x000000000243E000-memory.dmp

Filesize
16.5MB

Download
memory/1052-85-0x00000000013C0000-0x000000000243E000-memory.dmp

Filesize
16.5MB

Download
memory/1052-56-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/1052-54-0x00000000013C0000-0x000000000243E000-memory.dmp

Filesize
16.5MB

Download
memory/1052-71-0x0000000001260000-0x0000000001261000-memory.dmp

Filesize
4KB

Download
memory/1052-73-0x0000000001270000-0x0000000001271000-memory.dmp

Filesize
4KB

Download
memory/1764-69-0x00000000013C0000-0x000000000243E000-memory.dmp

Filesize
16.5MB

Download
memory/1764-87-0x00000000013C0000-0x000000000243E000-memory.dmp

Filesize
16.5MB

Download
memory/1764-77-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download