fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27/02/2023, 23:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk (1).exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk (1).exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk (1).exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4428	AnyDesk (1).exe
4428	AnyDesk (1).exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4352	AnyDesk (1).exe
4352	AnyDesk (1).exe
4352	AnyDesk (1).exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4352	AnyDesk (1).exe
4352	AnyDesk (1).exe
4352	AnyDesk (1).exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 4428	2120	AnyDesk (1).exe	84
PID 2120 wrote to memory of 4428	2120	AnyDesk (1).exe	84
PID 2120 wrote to memory of 4428	2120	AnyDesk (1).exe	84
PID 2120 wrote to memory of 4352	2120	AnyDesk (1).exe	85
PID 2120 wrote to memory of 4352	2120	AnyDesk (1).exe	85
PID 2120 wrote to memory of 4352	2120	AnyDesk (1).exe	85

C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4428
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
964e65cb83c81b1d15964d7837d793cc

SHA1
830d2e7d0a05b9cf142b1d35a3655548fe258d85

SHA256
ff4d4d3039fc4c74ab2b42b2f935acb9652164574ee27e0f05b0ec1748be8ad0

SHA512
6be55de030ce6f76d5541795ac61b122a8eccae9e9e416f1c3d093808a8d3a8acae436062a7f10b61df1e654797063001da6a79095511c2b5a8cfc250233c6a4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
964e65cb83c81b1d15964d7837d793cc

SHA1
830d2e7d0a05b9cf142b1d35a3655548fe258d85

SHA256
ff4d4d3039fc4c74ab2b42b2f935acb9652164574ee27e0f05b0ec1748be8ad0

SHA512
6be55de030ce6f76d5541795ac61b122a8eccae9e9e416f1c3d093808a8d3a8acae436062a7f10b61df1e654797063001da6a79095511c2b5a8cfc250233c6a4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
2d47655fa38ec1d623fc2c6c5c4c142b

SHA1
7786c2b715ff1f7056679521a7a97f8ec0344533

SHA256
84b717b822c245948c336afa0f420d91c10a1ec43570b942185cc237a12c2154

SHA512
dac95b9b881e276cb176f3396f446bf688fd768fb7ddc412e5431d08c3343c79aba1df91b7075cd8b2c09a3991d1e717cd2db80db6f542ff20f2c6c77527548f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
2d47655fa38ec1d623fc2c6c5c4c142b

SHA1
7786c2b715ff1f7056679521a7a97f8ec0344533

SHA256
84b717b822c245948c336afa0f420d91c10a1ec43570b942185cc237a12c2154

SHA512
dac95b9b881e276cb176f3396f446bf688fd768fb7ddc412e5431d08c3343c79aba1df91b7075cd8b2c09a3991d1e717cd2db80db6f542ff20f2c6c77527548f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
650d41ac083a18a89e4d7cc7733fccc9

SHA1
d83c274dd6ce0df25f476e42b1551176f3200e61

SHA256
fafcf1519f770f9cf997b50d869a942529df042feb0399f01d49c40b9c776838

SHA512
6aa3d4c305a80f49b8bc73475d48556a3f37e73d14b6bb9ab0e8342e20e3f9fb8b265cb399073dcd9bd973c987ac60c273067e258517611a11a1ec1960cb5a43

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
506af7f734eb208f24c24c3407b5c575

SHA1
ea8caeb9ac1bfd009b29fd4d67d93b3e16b0d5c0

SHA256
fe159c6a92bf24d73baeb1e47d061e2e7b8a8ff73d4d061c5b76f50ed39135d0

SHA512
a466ddbb7e095afb881451c1e13a35bb56623f7ebbe8fdbf2b7aabc1a2449942215e7e5c2f9cb1ae3581e21df6b6aaee93be359ee0510a3d9384ae6ed8b5e968

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
506af7f734eb208f24c24c3407b5c575

SHA1
ea8caeb9ac1bfd009b29fd4d67d93b3e16b0d5c0

SHA256
fe159c6a92bf24d73baeb1e47d061e2e7b8a8ff73d4d061c5b76f50ed39135d0

SHA512
a466ddbb7e095afb881451c1e13a35bb56623f7ebbe8fdbf2b7aabc1a2449942215e7e5c2f9cb1ae3581e21df6b6aaee93be359ee0510a3d9384ae6ed8b5e968

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
650d41ac083a18a89e4d7cc7733fccc9

SHA1
d83c274dd6ce0df25f476e42b1551176f3200e61

SHA256
fafcf1519f770f9cf997b50d869a942529df042feb0399f01d49c40b9c776838

SHA512
6aa3d4c305a80f49b8bc73475d48556a3f37e73d14b6bb9ab0e8342e20e3f9fb8b265cb399073dcd9bd973c987ac60c273067e258517611a11a1ec1960cb5a43

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
506af7f734eb208f24c24c3407b5c575

SHA1
ea8caeb9ac1bfd009b29fd4d67d93b3e16b0d5c0

SHA256
fe159c6a92bf24d73baeb1e47d061e2e7b8a8ff73d4d061c5b76f50ed39135d0

SHA512
a466ddbb7e095afb881451c1e13a35bb56623f7ebbe8fdbf2b7aabc1a2449942215e7e5c2f9cb1ae3581e21df6b6aaee93be359ee0510a3d9384ae6ed8b5e968

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
506af7f734eb208f24c24c3407b5c575

SHA1
ea8caeb9ac1bfd009b29fd4d67d93b3e16b0d5c0

SHA256
fe159c6a92bf24d73baeb1e47d061e2e7b8a8ff73d4d061c5b76f50ed39135d0

SHA512
a466ddbb7e095afb881451c1e13a35bb56623f7ebbe8fdbf2b7aabc1a2449942215e7e5c2f9cb1ae3581e21df6b6aaee93be359ee0510a3d9384ae6ed8b5e968

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
650d41ac083a18a89e4d7cc7733fccc9

SHA1
d83c274dd6ce0df25f476e42b1551176f3200e61

SHA256
fafcf1519f770f9cf997b50d869a942529df042feb0399f01d49c40b9c776838

SHA512
6aa3d4c305a80f49b8bc73475d48556a3f37e73d14b6bb9ab0e8342e20e3f9fb8b265cb399073dcd9bd973c987ac60c273067e258517611a11a1ec1960cb5a43

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
506af7f734eb208f24c24c3407b5c575

SHA1
ea8caeb9ac1bfd009b29fd4d67d93b3e16b0d5c0

SHA256
fe159c6a92bf24d73baeb1e47d061e2e7b8a8ff73d4d061c5b76f50ed39135d0

SHA512
a466ddbb7e095afb881451c1e13a35bb56623f7ebbe8fdbf2b7aabc1a2449942215e7e5c2f9cb1ae3581e21df6b6aaee93be359ee0510a3d9384ae6ed8b5e968

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
506af7f734eb208f24c24c3407b5c575

SHA1
ea8caeb9ac1bfd009b29fd4d67d93b3e16b0d5c0

SHA256
fe159c6a92bf24d73baeb1e47d061e2e7b8a8ff73d4d061c5b76f50ed39135d0

SHA512
a466ddbb7e095afb881451c1e13a35bb56623f7ebbe8fdbf2b7aabc1a2449942215e7e5c2f9cb1ae3581e21df6b6aaee93be359ee0510a3d9384ae6ed8b5e968

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
650d41ac083a18a89e4d7cc7733fccc9

SHA1
d83c274dd6ce0df25f476e42b1551176f3200e61

SHA256
fafcf1519f770f9cf997b50d869a942529df042feb0399f01d49c40b9c776838

SHA512
6aa3d4c305a80f49b8bc73475d48556a3f37e73d14b6bb9ab0e8342e20e3f9fb8b265cb399073dcd9bd973c987ac60c273067e258517611a11a1ec1960cb5a43

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
506af7f734eb208f24c24c3407b5c575

SHA1
ea8caeb9ac1bfd009b29fd4d67d93b3e16b0d5c0

SHA256
fe159c6a92bf24d73baeb1e47d061e2e7b8a8ff73d4d061c5b76f50ed39135d0

SHA512
a466ddbb7e095afb881451c1e13a35bb56623f7ebbe8fdbf2b7aabc1a2449942215e7e5c2f9cb1ae3581e21df6b6aaee93be359ee0510a3d9384ae6ed8b5e968

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
650d41ac083a18a89e4d7cc7733fccc9

SHA1
d83c274dd6ce0df25f476e42b1551176f3200e61

SHA256
fafcf1519f770f9cf997b50d869a942529df042feb0399f01d49c40b9c776838

SHA512
6aa3d4c305a80f49b8bc73475d48556a3f37e73d14b6bb9ab0e8342e20e3f9fb8b265cb399073dcd9bd973c987ac60c273067e258517611a11a1ec1960cb5a43

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
506af7f734eb208f24c24c3407b5c575

SHA1
ea8caeb9ac1bfd009b29fd4d67d93b3e16b0d5c0

SHA256
fe159c6a92bf24d73baeb1e47d061e2e7b8a8ff73d4d061c5b76f50ed39135d0

SHA512
a466ddbb7e095afb881451c1e13a35bb56623f7ebbe8fdbf2b7aabc1a2449942215e7e5c2f9cb1ae3581e21df6b6aaee93be359ee0510a3d9384ae6ed8b5e968

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
650d41ac083a18a89e4d7cc7733fccc9

SHA1
d83c274dd6ce0df25f476e42b1551176f3200e61

SHA256
fafcf1519f770f9cf997b50d869a942529df042feb0399f01d49c40b9c776838

SHA512
6aa3d4c305a80f49b8bc73475d48556a3f37e73d14b6bb9ab0e8342e20e3f9fb8b265cb399073dcd9bd973c987ac60c273067e258517611a11a1ec1960cb5a43

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
df6c5b39a511131d0eeb3314a00ae7a9

SHA1
22ea57925e002299bc8c04cf3e6b9bea9e40d4be

SHA256
26a17d4fb739503f4122d1ec9097ca642e16ce01a7a23ab38690f7fb9ea74d28

SHA512
f069a991efd331931dbd40f9ac3597f8591d0b7296c4465e479cee988e91371026292eebdbc27f95b9798dd6b679eca90853a37a1f3504824120094f60ffab3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
9b9dc3707522751153ad6fad470de6ae

SHA1
923236218ee07e7d057228e9620766e06df708a6

SHA256
dc7cafe97b4ba1827c9462aa982421d69eb31df530ff05d447963a581e4b03a1

SHA512
14c5f6289f5ad9debaa5acedf57e25da78f928b9473781bb9b8c3c488a5efc3f3be3978708ddbb88c3d6ef4390ed4f477a03bab502ec41690ac4f85ba53964d9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
8776e73600930db6b20fca19cab9de36

SHA1
669bf22d5e209d8ab1998ddd565cf94dde9d849f

SHA256
142fe8d6f70571655ead15252cf9073a4bf4e9ae0b11290ceb94774bd37ccfdc

SHA512
e8d4f1440f52a5f59aa65fba551c3a1dc2ae0224d00737eaedeebb8d02f4d7748e04625b8dbe4a92a9455169d4546b322ae6df825ecb2515a77f48dd7ce8f8e0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
8776e73600930db6b20fca19cab9de36

SHA1
669bf22d5e209d8ab1998ddd565cf94dde9d849f

SHA256
142fe8d6f70571655ead15252cf9073a4bf4e9ae0b11290ceb94774bd37ccfdc

SHA512
e8d4f1440f52a5f59aa65fba551c3a1dc2ae0224d00737eaedeebb8d02f4d7748e04625b8dbe4a92a9455169d4546b322ae6df825ecb2515a77f48dd7ce8f8e0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
8776e73600930db6b20fca19cab9de36

SHA1
669bf22d5e209d8ab1998ddd565cf94dde9d849f

SHA256
142fe8d6f70571655ead15252cf9073a4bf4e9ae0b11290ceb94774bd37ccfdc

SHA512
e8d4f1440f52a5f59aa65fba551c3a1dc2ae0224d00737eaedeebb8d02f4d7748e04625b8dbe4a92a9455169d4546b322ae6df825ecb2515a77f48dd7ce8f8e0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
06447d7d192aa5e3b6663f578d47383c

SHA1
3bf17cf7f9b731b7b89eb363f7b11465c0194ca4

SHA256
4c178e7370fa5c9821008c9dec387ac289bbc8dce64cda02962a506b39385578

SHA512
0fda7039b535b02d1bd106bfccf625b48e41eed6c1d9e93aa02e1575ba782a08e3848c81f500f3db122ee431ee285f02c92aa399568617389f409cbbaadb9de0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
52db803cad33a08540be7f2b215cc2fe

SHA1
4d67251ba19be378df2d62f8bd2c6949fc79ae77

SHA256
1c4c93d72d704b85fce57b5f3b5f60eb09d8421f2cb9b759d02035a93982a003

SHA512
7a63280144577f500bd42433ab12be087c29960c8813e8f59fc8a0835f9776c24cef37f4e26f398539d35bb007ba9bf9a474848199bbe7f81dd88c410f9da9e2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b515ac7b00087aea81c33fbd52a7d827

SHA1
d7a3c8e243ca801ed3366710451ed3a3e02d190d

SHA256
07a20eed48d1590bdad81195b508f9b6a365c8532a2def0a5be1795eeba0b373

SHA512
904641f898047b63e41c5b52098491dc458c2fe391d0da8f0c5174b445b13caa1a31e24d3b8f8232dd7a6d3cbec961e6044d0c5b2b409e6f87da7471d69adad7

Download Submit
memory/2120-246-0x0000000000BD0000-0x0000000001C4E000-memory.dmp

Filesize
16.5MB

Download
memory/2120-133-0x0000000000BD0000-0x0000000001C4E000-memory.dmp

Filesize
16.5MB

Download
memory/2120-152-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/2120-138-0x0000000003700000-0x0000000003701000-memory.dmp

Filesize
4KB

Download
memory/2120-153-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/4352-532-0x0000000000BD0000-0x0000000001C4E000-memory.dmp

Filesize
16.5MB

Download
memory/4352-704-0x0000000000BD0000-0x0000000001C4E000-memory.dmp

Filesize
16.5MB

Download
memory/4352-293-0x0000000000BD0000-0x0000000001C4E000-memory.dmp

Filesize
16.5MB

Download
memory/4352-162-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/4352-149-0x0000000000BD0000-0x0000000001C4E000-memory.dmp

Filesize
16.5MB

Download
memory/4428-313-0x0000000000BD0000-0x0000000001C4E000-memory.dmp

Filesize
16.5MB

Download
memory/4428-531-0x0000000000BD0000-0x0000000001C4E000-memory.dmp

Filesize
16.5MB

Download
memory/4428-148-0x0000000000BD0000-0x0000000001C4E000-memory.dmp

Filesize
16.5MB

Download
memory/4428-375-0x0000000000BD0000-0x0000000001C4E000-memory.dmp

Filesize
16.5MB

Download
memory/4428-703-0x0000000000BD0000-0x0000000001C4E000-memory.dmp

Filesize
16.5MB

Download
memory/4428-292-0x0000000000BD0000-0x0000000001C4E000-memory.dmp

Filesize
16.5MB

Download