fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Analysis

max time kernel
1793s
max time network
1606s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
27-02-2023 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk (1).exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

AnyDesk (1).exe

pid	Process
1528	AnyDesk (1).exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

AnyDesk (1).exe

pid	Process
1864	AnyDesk (1).exe
1864	AnyDesk (1).exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

AnyDesk (1).exe

pid	Process
1864	AnyDesk (1).exe
1864	AnyDesk (1).exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AnyDesk (1).exe

description	pid	Process	procid_target
PID 1408 wrote to memory of 1528	1408	AnyDesk (1).exe	28
PID 1408 wrote to memory of 1528	1408	AnyDesk (1).exe	28
PID 1408 wrote to memory of 1528	1408	AnyDesk (1).exe	28
PID 1408 wrote to memory of 1528	1408	AnyDesk (1).exe	28
PID 1408 wrote to memory of 1864	1408	AnyDesk (1).exe	29
PID 1408 wrote to memory of 1864	1408	AnyDesk (1).exe	29
PID 1408 wrote to memory of 1864	1408	AnyDesk (1).exe	29
PID 1408 wrote to memory of 1864	1408	AnyDesk (1).exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1528
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
fafc51f694dd48d6028c0de584e6e3d3

SHA1
5f0e29ec99bea09267fbae350de79727a494d345

SHA256
b68796f008ef9d58135df2b0e160ce2d4d9f92721af897997c7c935ad48fcb68

SHA512
94201fc6722e3a71b879ffdbfd239e865f66c9e936d4a90bc3ca67d593f6a48f8c29c2886bc02dc9ba36b3c4abeb8ab5757abd0d061515a096b81d1a0f0737b0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
fafc51f694dd48d6028c0de584e6e3d3

SHA1
5f0e29ec99bea09267fbae350de79727a494d345

SHA256
b68796f008ef9d58135df2b0e160ce2d4d9f92721af897997c7c935ad48fcb68

SHA512
94201fc6722e3a71b879ffdbfd239e865f66c9e936d4a90bc3ca67d593f6a48f8c29c2886bc02dc9ba36b3c4abeb8ab5757abd0d061515a096b81d1a0f0737b0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b3b2bf5894c138af7a1607bb3f31ea8c

SHA1
9e6c1da71e95cffd892a574b53bf45bb13bfa98f

SHA256
ca17b15752f0c039eb1994309e61385b6ce5923b2e3d4a3b8e4f375760c638c0

SHA512
742ef943a96c42ffc62813f2c8f5fde963c42f841fa4a179b28530031220247ba4896522bfc09ab53ef0bd29bbc356580c2b023e48cb679f1eaf1be186481d61

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ed12ff8a7c730033ddb8eba3d49ecf90

SHA1
447fa138ce2adda4d8fbd8cd1854122675a0fa53

SHA256
3b1820dbd724c6f2862ec83db22bb9314538816221e5af130ba1cfa90c6b8b71

SHA512
3fc41be1060c4b524321ec80d22e236975740465268faa186ec0e56c5e716b0d181e8ceeeaddfc36c5793a5a3dcc822b1f6486eb6ccf4ffdf715d0bc5de19421

Download Submit
memory/1408-74-0x0000000000850000-0x0000000000851000-memory.dmp

Filesize
4KB

Download
memory/1408-54-0x0000000000DE0000-0x0000000001E5E000-memory.dmp

Filesize
16.5MB

Download
memory/1408-73-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/1408-56-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/1408-95-0x0000000000DE0000-0x0000000001E5E000-memory.dmp

Filesize
16.5MB

Download
memory/1528-70-0x0000000000DE0000-0x0000000001E5E000-memory.dmp

Filesize
16.5MB

Download
memory/1528-96-0x0000000000DE0000-0x0000000001E5E000-memory.dmp

Filesize
16.5MB

Download
memory/1864-69-0x0000000000DE0000-0x0000000001E5E000-memory.dmp

Filesize
16.5MB

Download
memory/1864-85-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1864-98-0x0000000000DE0000-0x0000000001E5E000-memory.dmp

Filesize
16.5MB

Download