fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-02-2023 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk (1).exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk (1).exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk (1).exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk (1).exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk (1).exe

pid	Process
1484	AnyDesk (1).exe
1484	AnyDesk (1).exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk (1).exe

pid	Process
3756	AnyDesk (1).exe
3756	AnyDesk (1).exe
3756	AnyDesk (1).exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk (1).exe

pid	Process
3756	AnyDesk (1).exe
3756	AnyDesk (1).exe
3756	AnyDesk (1).exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AnyDesk (1).exe

description	pid	Process	procid_target
PID 3144 wrote to memory of 1484	3144	AnyDesk (1).exe	84
PID 3144 wrote to memory of 1484	3144	AnyDesk (1).exe	84
PID 3144 wrote to memory of 1484	3144	AnyDesk (1).exe	84
PID 3144 wrote to memory of 3756	3144	AnyDesk (1).exe	85
PID 3144 wrote to memory of 3756	3144	AnyDesk (1).exe	85
PID 3144 wrote to memory of 3756	3144	AnyDesk (1).exe	85

C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1484
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
55231f7853f07138682a289545f70e15

SHA1
496bad7a55f2e6cdb73dab572eb2cdd4b06130f1

SHA256
7c8fc90396b34084588dc055f14576a4e5a2829c20251bd09efaeb2b213267fe

SHA512
f2e02a9c0b8f04d5faf22a7287fd9d37756b3136ca107f4c3c0cdcdd3dd365cb4bde4de996864b44b904eb9ec579903135e4400c4cfe8c002d8a49712c2f2422

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
ce5834ebe028fbbba40ee43666a52d58

SHA1
a54d079d7cfe4488c306d64e098080ba14ad43c2

SHA256
cb51fb6b80d796e5f1d7bebf21d72b947733c4a03dd68e33902e3de80eb2b2b9

SHA512
f3704d4748e2272dfc04b9a846e62b2fcb3ff48bf5eb2a378d08586f07e7ebcc5cc27efd79422b73fc8012e087a6a9c7ac046749cf79c32dfa95a2cdca106d41

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
ba82f93e4937f866a85de491d823f655

SHA1
703da67c4de598775403334313f993525fbe0c33

SHA256
b0a47d8157d9c53b3eea7eab3dd5245a715877616e05140d13b12429cb9f083e

SHA512
46d03bf7e209059b6c21ca0ec9396ae57df200d0a0f036d0a0f0565ed54e8206a95b3417dc31c91e3bbe718e29f301fe7c1bfe7267b2e7c86277cfccf85b9027

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
ba82f93e4937f866a85de491d823f655

SHA1
703da67c4de598775403334313f993525fbe0c33

SHA256
b0a47d8157d9c53b3eea7eab3dd5245a715877616e05140d13b12429cb9f083e

SHA512
46d03bf7e209059b6c21ca0ec9396ae57df200d0a0f036d0a0f0565ed54e8206a95b3417dc31c91e3bbe718e29f301fe7c1bfe7267b2e7c86277cfccf85b9027

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
0f6be97fc4c0124452a9e9eb8f3471e4

SHA1
c89ef78583d37f49c04d6495fb1b0c7753d57488

SHA256
2c0d4a425d3c9fb6160a7e8bc0d7e4d7c15e96d316d46fde413629ca0f8bff17

SHA512
4f93e4657a6951433a88f95a49a2b0c7d2f2b600b75dcff7e49904b111a13b01dc1747b9798c1eb3a662615d77c9d885e135e71976027a5a061f585d6d9a0551

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
ef590172cd41054a9c16efa9c947696b

SHA1
5280715b131ac5cf8a9e78f8598ba9be504f835b

SHA256
a57d2298b281b392eabb95faacbee629d7559d126bbe00f1b39cd9c6defd7a95

SHA512
466f82f3ac8d9144d4a6b07e35724e9fdb96af3ee3ce7d72a7f1c93e2f458cfe52e2e4ef33305ad5492dc39bc63b47ffcff49f51918ade286e73e7b6c98d8701

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
0f6be97fc4c0124452a9e9eb8f3471e4

SHA1
c89ef78583d37f49c04d6495fb1b0c7753d57488

SHA256
2c0d4a425d3c9fb6160a7e8bc0d7e4d7c15e96d316d46fde413629ca0f8bff17

SHA512
4f93e4657a6951433a88f95a49a2b0c7d2f2b600b75dcff7e49904b111a13b01dc1747b9798c1eb3a662615d77c9d885e135e71976027a5a061f585d6d9a0551

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
ef590172cd41054a9c16efa9c947696b

SHA1
5280715b131ac5cf8a9e78f8598ba9be504f835b

SHA256
a57d2298b281b392eabb95faacbee629d7559d126bbe00f1b39cd9c6defd7a95

SHA512
466f82f3ac8d9144d4a6b07e35724e9fdb96af3ee3ce7d72a7f1c93e2f458cfe52e2e4ef33305ad5492dc39bc63b47ffcff49f51918ade286e73e7b6c98d8701

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
ef590172cd41054a9c16efa9c947696b

SHA1
5280715b131ac5cf8a9e78f8598ba9be504f835b

SHA256
a57d2298b281b392eabb95faacbee629d7559d126bbe00f1b39cd9c6defd7a95

SHA512
466f82f3ac8d9144d4a6b07e35724e9fdb96af3ee3ce7d72a7f1c93e2f458cfe52e2e4ef33305ad5492dc39bc63b47ffcff49f51918ade286e73e7b6c98d8701

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
0f6be97fc4c0124452a9e9eb8f3471e4

SHA1
c89ef78583d37f49c04d6495fb1b0c7753d57488

SHA256
2c0d4a425d3c9fb6160a7e8bc0d7e4d7c15e96d316d46fde413629ca0f8bff17

SHA512
4f93e4657a6951433a88f95a49a2b0c7d2f2b600b75dcff7e49904b111a13b01dc1747b9798c1eb3a662615d77c9d885e135e71976027a5a061f585d6d9a0551

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
ef590172cd41054a9c16efa9c947696b

SHA1
5280715b131ac5cf8a9e78f8598ba9be504f835b

SHA256
a57d2298b281b392eabb95faacbee629d7559d126bbe00f1b39cd9c6defd7a95

SHA512
466f82f3ac8d9144d4a6b07e35724e9fdb96af3ee3ce7d72a7f1c93e2f458cfe52e2e4ef33305ad5492dc39bc63b47ffcff49f51918ade286e73e7b6c98d8701

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
ef590172cd41054a9c16efa9c947696b

SHA1
5280715b131ac5cf8a9e78f8598ba9be504f835b

SHA256
a57d2298b281b392eabb95faacbee629d7559d126bbe00f1b39cd9c6defd7a95

SHA512
466f82f3ac8d9144d4a6b07e35724e9fdb96af3ee3ce7d72a7f1c93e2f458cfe52e2e4ef33305ad5492dc39bc63b47ffcff49f51918ade286e73e7b6c98d8701

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
0f6be97fc4c0124452a9e9eb8f3471e4

SHA1
c89ef78583d37f49c04d6495fb1b0c7753d57488

SHA256
2c0d4a425d3c9fb6160a7e8bc0d7e4d7c15e96d316d46fde413629ca0f8bff17

SHA512
4f93e4657a6951433a88f95a49a2b0c7d2f2b600b75dcff7e49904b111a13b01dc1747b9798c1eb3a662615d77c9d885e135e71976027a5a061f585d6d9a0551

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
ef590172cd41054a9c16efa9c947696b

SHA1
5280715b131ac5cf8a9e78f8598ba9be504f835b

SHA256
a57d2298b281b392eabb95faacbee629d7559d126bbe00f1b39cd9c6defd7a95

SHA512
466f82f3ac8d9144d4a6b07e35724e9fdb96af3ee3ce7d72a7f1c93e2f458cfe52e2e4ef33305ad5492dc39bc63b47ffcff49f51918ade286e73e7b6c98d8701

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
0f6be97fc4c0124452a9e9eb8f3471e4

SHA1
c89ef78583d37f49c04d6495fb1b0c7753d57488

SHA256
2c0d4a425d3c9fb6160a7e8bc0d7e4d7c15e96d316d46fde413629ca0f8bff17

SHA512
4f93e4657a6951433a88f95a49a2b0c7d2f2b600b75dcff7e49904b111a13b01dc1747b9798c1eb3a662615d77c9d885e135e71976027a5a061f585d6d9a0551

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
ef590172cd41054a9c16efa9c947696b

SHA1
5280715b131ac5cf8a9e78f8598ba9be504f835b

SHA256
a57d2298b281b392eabb95faacbee629d7559d126bbe00f1b39cd9c6defd7a95

SHA512
466f82f3ac8d9144d4a6b07e35724e9fdb96af3ee3ce7d72a7f1c93e2f458cfe52e2e4ef33305ad5492dc39bc63b47ffcff49f51918ade286e73e7b6c98d8701

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
0f6be97fc4c0124452a9e9eb8f3471e4

SHA1
c89ef78583d37f49c04d6495fb1b0c7753d57488

SHA256
2c0d4a425d3c9fb6160a7e8bc0d7e4d7c15e96d316d46fde413629ca0f8bff17

SHA512
4f93e4657a6951433a88f95a49a2b0c7d2f2b600b75dcff7e49904b111a13b01dc1747b9798c1eb3a662615d77c9d885e135e71976027a5a061f585d6d9a0551

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
cf8ae878b9d7e37f41b4eb721beb3bfe

SHA1
660804884e44eeacdbf585bfea09e9e53ede1e4d

SHA256
f0dd75acba271d20e3ff357f1be575ada4e11d8884745b3117a42bb9532f1e9b

SHA512
0529ef032d23a7bb83036679cfdb681613b717390b9be64b12d0dbb8d875b217aaa27fc42766b983391a12b1dd684c2c047284e605ade37b4f709b0e543a4ca9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
cf8ae878b9d7e37f41b4eb721beb3bfe

SHA1
660804884e44eeacdbf585bfea09e9e53ede1e4d

SHA256
f0dd75acba271d20e3ff357f1be575ada4e11d8884745b3117a42bb9532f1e9b

SHA512
0529ef032d23a7bb83036679cfdb681613b717390b9be64b12d0dbb8d875b217aaa27fc42766b983391a12b1dd684c2c047284e605ade37b4f709b0e543a4ca9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f16636dc7a3dd1257826c3c469c9bbfc

SHA1
65282b293020e5b7ec857240aa17a94bb5c297cf

SHA256
e43c67054c410b22e39f6d9353ecaa1514de46974194a1c2eb8838e7ff18ca4f

SHA512
bb17a0a7821bd71333525d3470bbb05c3f330ed1554d3b290731198bc1cfc575ac585ce19c452d4807f86c122f3861f448d029309aae8ebc3223f70ea3c95a23

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f16636dc7a3dd1257826c3c469c9bbfc

SHA1
65282b293020e5b7ec857240aa17a94bb5c297cf

SHA256
e43c67054c410b22e39f6d9353ecaa1514de46974194a1c2eb8838e7ff18ca4f

SHA512
bb17a0a7821bd71333525d3470bbb05c3f330ed1554d3b290731198bc1cfc575ac585ce19c452d4807f86c122f3861f448d029309aae8ebc3223f70ea3c95a23

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f16636dc7a3dd1257826c3c469c9bbfc

SHA1
65282b293020e5b7ec857240aa17a94bb5c297cf

SHA256
e43c67054c410b22e39f6d9353ecaa1514de46974194a1c2eb8838e7ff18ca4f

SHA512
bb17a0a7821bd71333525d3470bbb05c3f330ed1554d3b290731198bc1cfc575ac585ce19c452d4807f86c122f3861f448d029309aae8ebc3223f70ea3c95a23

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f16636dc7a3dd1257826c3c469c9bbfc

SHA1
65282b293020e5b7ec857240aa17a94bb5c297cf

SHA256
e43c67054c410b22e39f6d9353ecaa1514de46974194a1c2eb8838e7ff18ca4f

SHA512
bb17a0a7821bd71333525d3470bbb05c3f330ed1554d3b290731198bc1cfc575ac585ce19c452d4807f86c122f3861f448d029309aae8ebc3223f70ea3c95a23

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f16636dc7a3dd1257826c3c469c9bbfc

SHA1
65282b293020e5b7ec857240aa17a94bb5c297cf

SHA256
e43c67054c410b22e39f6d9353ecaa1514de46974194a1c2eb8838e7ff18ca4f

SHA512
bb17a0a7821bd71333525d3470bbb05c3f330ed1554d3b290731198bc1cfc575ac585ce19c452d4807f86c122f3861f448d029309aae8ebc3223f70ea3c95a23

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f16636dc7a3dd1257826c3c469c9bbfc

SHA1
65282b293020e5b7ec857240aa17a94bb5c297cf

SHA256
e43c67054c410b22e39f6d9353ecaa1514de46974194a1c2eb8838e7ff18ca4f

SHA512
bb17a0a7821bd71333525d3470bbb05c3f330ed1554d3b290731198bc1cfc575ac585ce19c452d4807f86c122f3861f448d029309aae8ebc3223f70ea3c95a23

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
d2d80da76dfd19327434e38e97ca76a8

SHA1
ce14290f156238637e58debfc12396f9cbaa1204

SHA256
fffed7ccae14e1fbcc6a8f95aa4ea95a63edd1c552156956e32d32cc175736e1

SHA512
64341bf6b5cda87ddfa36a1c5de3ad04fead4f78bb7c8426dc36991c4f0df6b3b626d9bb5773de9b108898568354ac267d8f065d93be9c0adb30bf8e706c54b0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
d2d80da76dfd19327434e38e97ca76a8

SHA1
ce14290f156238637e58debfc12396f9cbaa1204

SHA256
fffed7ccae14e1fbcc6a8f95aa4ea95a63edd1c552156956e32d32cc175736e1

SHA512
64341bf6b5cda87ddfa36a1c5de3ad04fead4f78bb7c8426dc36991c4f0df6b3b626d9bb5773de9b108898568354ac267d8f065d93be9c0adb30bf8e706c54b0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f24456fc018cb96550d519efc6a76a89

SHA1
0f57f77c8dba15ca8c9b9235b9a1b4aea4cef1f0

SHA256
ed9d2da78f9b006f67ea18bf837302a8b938298d191538d53848fc1bee0b46e8

SHA512
1c63a274da7dfb35fec14d301a5e0b0015b150b93c3064db89b78c46ac80b1a6907cba598f7563cc4eb462ffd253ace7586cdde238cdcdc991e2eb8e229f0b48

Download Submit
memory/1484-311-0x00000000000E0000-0x000000000115E000-memory.dmp

Filesize
16.5MB

Download
memory/1484-526-0x00000000000E0000-0x000000000115E000-memory.dmp

Filesize
16.5MB

Download
memory/1484-270-0x00000000000E0000-0x000000000115E000-memory.dmp

Filesize
16.5MB

Download
memory/1484-149-0x00000000000E0000-0x000000000115E000-memory.dmp

Filesize
16.5MB

Download
memory/1484-371-0x00000000000E0000-0x000000000115E000-memory.dmp

Filesize
16.5MB

Download
memory/3144-153-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/3144-245-0x00000000000E0000-0x000000000115E000-memory.dmp

Filesize
16.5MB

Download
memory/3144-152-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/3144-133-0x00000000000E0000-0x000000000115E000-memory.dmp

Filesize
16.5MB

Download
memory/3144-136-0x00000000019F0000-0x00000000019F1000-memory.dmp

Filesize
4KB

Download
memory/3756-162-0x00000000017F0000-0x00000000017F1000-memory.dmp

Filesize
4KB

Download
memory/3756-148-0x00000000000E0000-0x000000000115E000-memory.dmp

Filesize
16.5MB

Download
memory/3756-279-0x00000000000E0000-0x000000000115E000-memory.dmp

Filesize
16.5MB

Download
memory/3756-527-0x00000000000E0000-0x000000000115E000-memory.dmp

Filesize
16.5MB

Download