fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Analysis

max time kernel
149s
max time network
125s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
27-02-2023 23:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk (1).exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk (1).exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk (1).exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

AnyDesk (1).exe

pid	Process
1580	AnyDesk (1).exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk (1).exe

pid	Process
560	AnyDesk (1).exe
560	AnyDesk (1).exe
560	AnyDesk (1).exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk (1).exe

pid	Process
560	AnyDesk (1).exe
560	AnyDesk (1).exe
560	AnyDesk (1).exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AnyDesk (1).exe

description	pid	Process	procid_target
PID 1996 wrote to memory of 1580	1996	AnyDesk (1).exe	28
PID 1996 wrote to memory of 1580	1996	AnyDesk (1).exe	28
PID 1996 wrote to memory of 1580	1996	AnyDesk (1).exe	28
PID 1996 wrote to memory of 1580	1996	AnyDesk (1).exe	28
PID 1996 wrote to memory of 560	1996	AnyDesk (1).exe	29
PID 1996 wrote to memory of 560	1996	AnyDesk (1).exe	29
PID 1996 wrote to memory of 560	1996	AnyDesk (1).exe	29
PID 1996 wrote to memory of 560	1996	AnyDesk (1).exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1580
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
f106a814c3a38d40e7028804274dd24c

SHA1
5559aa80ad3a60b302ebf1618dc8f2ca6ae1f01d

SHA256
af85d03ce8332e4ced33d020b37a242fa9772d775d32424e7c3b321bd646f5b7

SHA512
c76a07471db37310c66da49f00efd90762afb046c4d8014c1e390c067dd44c01575f776df52920f2a338606f07688ccb7fb49a80b73bcfaae8c2618942bd1710

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
d79926afa22aa3f3664e65dad7f03207

SHA1
d3a29db023c32c33b986108c9b85c6773fcb1082

SHA256
270891efe84defdd48659ae1e4709771081950e3df87a4fbec5154d4c537bf2c

SHA512
af0b89a23181b8e245f01b759867eaaaf1db522853306f4c09fed96fe1bcac9ea04ddce4842af97c4213ef462756dd9d0125623b815e35677ac09fb839b77616

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
1f7e851af77db614881722f62f87334e

SHA1
82a958d78de4765d7ad4f55cbf6e0cba93837c8a

SHA256
3b9d3a1c4b567c56b73be85e9a90887215085946bbade5abce7e64c919e784f6

SHA512
01a2415a8f7b887275cd026327d8d054ff03b41bad39361650b6292e42dbc52d5b3752f3901327078a3513f9fba5da9d538bc0e2c8df4458d9a5cfd8a81f01f5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
1f7e851af77db614881722f62f87334e

SHA1
82a958d78de4765d7ad4f55cbf6e0cba93837c8a

SHA256
3b9d3a1c4b567c56b73be85e9a90887215085946bbade5abce7e64c919e784f6

SHA512
01a2415a8f7b887275cd026327d8d054ff03b41bad39361650b6292e42dbc52d5b3752f3901327078a3513f9fba5da9d538bc0e2c8df4458d9a5cfd8a81f01f5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
ebd8a634860e10f71fcf096af5c21689

SHA1
b5b262f8324b46ed596fc4e7bf12545a8e6a73ca

SHA256
4542dae8118d041638969b691aa9f066900b70857094a1d341dc5d993104f03a

SHA512
b33fff098ca82d4062a5cf1ea9b2b1b3b0d8e0e4b67577dff23d1789a98da47c92871315349a07f62d5b22c9defd62660d0663d7088d13920bd4878278679c51

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
ebd8a634860e10f71fcf096af5c21689

SHA1
b5b262f8324b46ed596fc4e7bf12545a8e6a73ca

SHA256
4542dae8118d041638969b691aa9f066900b70857094a1d341dc5d993104f03a

SHA512
b33fff098ca82d4062a5cf1ea9b2b1b3b0d8e0e4b67577dff23d1789a98da47c92871315349a07f62d5b22c9defd62660d0663d7088d13920bd4878278679c51

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
ebd8a634860e10f71fcf096af5c21689

SHA1
b5b262f8324b46ed596fc4e7bf12545a8e6a73ca

SHA256
4542dae8118d041638969b691aa9f066900b70857094a1d341dc5d993104f03a

SHA512
b33fff098ca82d4062a5cf1ea9b2b1b3b0d8e0e4b67577dff23d1789a98da47c92871315349a07f62d5b22c9defd62660d0663d7088d13920bd4878278679c51

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
ebd8a634860e10f71fcf096af5c21689

SHA1
b5b262f8324b46ed596fc4e7bf12545a8e6a73ca

SHA256
4542dae8118d041638969b691aa9f066900b70857094a1d341dc5d993104f03a

SHA512
b33fff098ca82d4062a5cf1ea9b2b1b3b0d8e0e4b67577dff23d1789a98da47c92871315349a07f62d5b22c9defd62660d0663d7088d13920bd4878278679c51

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
a4ad3a810153262d60a8010e2b838c0a

SHA1
a8c713f5c3976b04eaa64ebaa749fa986172a4e9

SHA256
770b38d193f3b109903e6bae9660fa81458d2f91ab21a114dc54d054007af342

SHA512
9b2f0d96f328584ba0488b22bb598eadf12ae831ca10bd382caa4c1089b2d798088b3c0ff03f4b8bf47172c87b29101a0faa5ae6483b8a523350e9cc7d8dbc70

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
a4ad3a810153262d60a8010e2b838c0a

SHA1
a8c713f5c3976b04eaa64ebaa749fa986172a4e9

SHA256
770b38d193f3b109903e6bae9660fa81458d2f91ab21a114dc54d054007af342

SHA512
9b2f0d96f328584ba0488b22bb598eadf12ae831ca10bd382caa4c1089b2d798088b3c0ff03f4b8bf47172c87b29101a0faa5ae6483b8a523350e9cc7d8dbc70

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
ebd8a634860e10f71fcf096af5c21689

SHA1
b5b262f8324b46ed596fc4e7bf12545a8e6a73ca

SHA256
4542dae8118d041638969b691aa9f066900b70857094a1d341dc5d993104f03a

SHA512
b33fff098ca82d4062a5cf1ea9b2b1b3b0d8e0e4b67577dff23d1789a98da47c92871315349a07f62d5b22c9defd62660d0663d7088d13920bd4878278679c51

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
a4ad3a810153262d60a8010e2b838c0a

SHA1
a8c713f5c3976b04eaa64ebaa749fa986172a4e9

SHA256
770b38d193f3b109903e6bae9660fa81458d2f91ab21a114dc54d054007af342

SHA512
9b2f0d96f328584ba0488b22bb598eadf12ae831ca10bd382caa4c1089b2d798088b3c0ff03f4b8bf47172c87b29101a0faa5ae6483b8a523350e9cc7d8dbc70

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
ebd8a634860e10f71fcf096af5c21689

SHA1
b5b262f8324b46ed596fc4e7bf12545a8e6a73ca

SHA256
4542dae8118d041638969b691aa9f066900b70857094a1d341dc5d993104f03a

SHA512
b33fff098ca82d4062a5cf1ea9b2b1b3b0d8e0e4b67577dff23d1789a98da47c92871315349a07f62d5b22c9defd62660d0663d7088d13920bd4878278679c51

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
a4ad3a810153262d60a8010e2b838c0a

SHA1
a8c713f5c3976b04eaa64ebaa749fa986172a4e9

SHA256
770b38d193f3b109903e6bae9660fa81458d2f91ab21a114dc54d054007af342

SHA512
9b2f0d96f328584ba0488b22bb598eadf12ae831ca10bd382caa4c1089b2d798088b3c0ff03f4b8bf47172c87b29101a0faa5ae6483b8a523350e9cc7d8dbc70

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
ebd8a634860e10f71fcf096af5c21689

SHA1
b5b262f8324b46ed596fc4e7bf12545a8e6a73ca

SHA256
4542dae8118d041638969b691aa9f066900b70857094a1d341dc5d993104f03a

SHA512
b33fff098ca82d4062a5cf1ea9b2b1b3b0d8e0e4b67577dff23d1789a98da47c92871315349a07f62d5b22c9defd62660d0663d7088d13920bd4878278679c51

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
a4ad3a810153262d60a8010e2b838c0a

SHA1
a8c713f5c3976b04eaa64ebaa749fa986172a4e9

SHA256
770b38d193f3b109903e6bae9660fa81458d2f91ab21a114dc54d054007af342

SHA512
9b2f0d96f328584ba0488b22bb598eadf12ae831ca10bd382caa4c1089b2d798088b3c0ff03f4b8bf47172c87b29101a0faa5ae6483b8a523350e9cc7d8dbc70

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
a4ad3a810153262d60a8010e2b838c0a

SHA1
a8c713f5c3976b04eaa64ebaa749fa986172a4e9

SHA256
770b38d193f3b109903e6bae9660fa81458d2f91ab21a114dc54d054007af342

SHA512
9b2f0d96f328584ba0488b22bb598eadf12ae831ca10bd382caa4c1089b2d798088b3c0ff03f4b8bf47172c87b29101a0faa5ae6483b8a523350e9cc7d8dbc70

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ae3cb1adf4b51cacc983fb31c5292ce1

SHA1
b5086f5d439a3dbe5bd526fe6eebdd253ce88179

SHA256
d5c2c53a5d9d8035971e45d83139dcb7bd7cf40d6c681bd6c463ffa43ed21923

SHA512
effc8143e735c830e5631d6ff53ef95e8660d1f51adcfc1dc2ea0ea728e4b18f1be8addcd0ccd5cb6838e8a29511c035b42934f9ce6eb8312879e2132b30eaa2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b545c9f17e7c12d01524d1380e70f9f0

SHA1
42df6ed6ea2a186a73b8ed659534ac561c21bbae

SHA256
787f65d84d783a96684cb1bf63418fdd773f4ecb05622dc600b3375eef038473

SHA512
c15dd370191241105db5e4007870e0f243a6b14fb9d6162962951715012d28dfa62d82bc1046a5a2b23c7c1a2d0faf7d828f6cb3f9546e626c850e0b0bc690b1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b545c9f17e7c12d01524d1380e70f9f0

SHA1
42df6ed6ea2a186a73b8ed659534ac561c21bbae

SHA256
787f65d84d783a96684cb1bf63418fdd773f4ecb05622dc600b3375eef038473

SHA512
c15dd370191241105db5e4007870e0f243a6b14fb9d6162962951715012d28dfa62d82bc1046a5a2b23c7c1a2d0faf7d828f6cb3f9546e626c850e0b0bc690b1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b545c9f17e7c12d01524d1380e70f9f0

SHA1
42df6ed6ea2a186a73b8ed659534ac561c21bbae

SHA256
787f65d84d783a96684cb1bf63418fdd773f4ecb05622dc600b3375eef038473

SHA512
c15dd370191241105db5e4007870e0f243a6b14fb9d6162962951715012d28dfa62d82bc1046a5a2b23c7c1a2d0faf7d828f6cb3f9546e626c850e0b0bc690b1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b545c9f17e7c12d01524d1380e70f9f0

SHA1
42df6ed6ea2a186a73b8ed659534ac561c21bbae

SHA256
787f65d84d783a96684cb1bf63418fdd773f4ecb05622dc600b3375eef038473

SHA512
c15dd370191241105db5e4007870e0f243a6b14fb9d6162962951715012d28dfa62d82bc1046a5a2b23c7c1a2d0faf7d828f6cb3f9546e626c850e0b0bc690b1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b545c9f17e7c12d01524d1380e70f9f0

SHA1
42df6ed6ea2a186a73b8ed659534ac561c21bbae

SHA256
787f65d84d783a96684cb1bf63418fdd773f4ecb05622dc600b3375eef038473

SHA512
c15dd370191241105db5e4007870e0f243a6b14fb9d6162962951715012d28dfa62d82bc1046a5a2b23c7c1a2d0faf7d828f6cb3f9546e626c850e0b0bc690b1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b545c9f17e7c12d01524d1380e70f9f0

SHA1
42df6ed6ea2a186a73b8ed659534ac561c21bbae

SHA256
787f65d84d783a96684cb1bf63418fdd773f4ecb05622dc600b3375eef038473

SHA512
c15dd370191241105db5e4007870e0f243a6b14fb9d6162962951715012d28dfa62d82bc1046a5a2b23c7c1a2d0faf7d828f6cb3f9546e626c850e0b0bc690b1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
80467d2d39828946c36e537526807fd5

SHA1
52dc3620c66dc89b555226a8dc77dcb8727d46b8

SHA256
80083c0de32aad028010bbfdad37395e158e678b7e1cd6d4bff1cecb7b28b83a

SHA512
99134539a7952eb2de563ed0f9bd9cf38802ad80b46d6bc18f40215b2035c8608d2b1574043d4a6388631c4bb9e0b09f09872da7f5afd5035a066cf65ea5e1e9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a49d07ddaeb04c86c5497b539c1460e4

SHA1
6a3767dd1690fcc163857612c7d1f144f792d00a

SHA256
c5b93ca81927fcf50d97657205f51a6c45ba8f800f82e4b364b047c4c6b783e6

SHA512
f65f88892ecb3cee4d7d372da60c466be51b4343419faa340f4ff1249863184a47938259d58b57384ce3edab1686edc9761807bd7f3e694ca4f526f3a0da648e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a49d07ddaeb04c86c5497b539c1460e4

SHA1
6a3767dd1690fcc163857612c7d1f144f792d00a

SHA256
c5b93ca81927fcf50d97657205f51a6c45ba8f800f82e4b364b047c4c6b783e6

SHA512
f65f88892ecb3cee4d7d372da60c466be51b4343419faa340f4ff1249863184a47938259d58b57384ce3edab1686edc9761807bd7f3e694ca4f526f3a0da648e

Download Submit
memory/560-168-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/560-491-0x00000000010D0000-0x000000000214E000-memory.dmp

Filesize
16.5MB

Download
memory/560-193-0x00000000010D0000-0x000000000214E000-memory.dmp

Filesize
16.5MB

Download
memory/560-69-0x00000000010D0000-0x000000000214E000-memory.dmp

Filesize
16.5MB

Download
memory/1580-248-0x00000000010D0000-0x000000000214E000-memory.dmp

Filesize
16.5MB

Download
memory/1580-320-0x00000000010D0000-0x000000000214E000-memory.dmp

Filesize
16.5MB

Download
memory/1580-70-0x00000000010D0000-0x000000000214E000-memory.dmp

Filesize
16.5MB

Download
memory/1580-490-0x00000000010D0000-0x000000000214E000-memory.dmp

Filesize
16.5MB

Download
memory/1580-192-0x00000000010D0000-0x000000000214E000-memory.dmp

Filesize
16.5MB

Download
memory/1996-56-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1996-181-0x00000000010D0000-0x000000000214E000-memory.dmp

Filesize
16.5MB

Download
memory/1996-54-0x00000000010D0000-0x000000000214E000-memory.dmp

Filesize
16.5MB

Download
memory/1996-75-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/1996-78-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download