Analysis
-
max time kernel
747s -
max time network
750s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
27-02-2023 23:49
Static task
static1
Behavioral task
behavioral1
Sample
AnyDesk (1).exe
Resource
win7-20230220-en
windows7-x64
6 signatures
1800 seconds
Behavioral task
behavioral2
Sample
AnyDesk (1).exe
Resource
win10v2004-20230220-en
windows10-2004-x64
14 signatures
1800 seconds
General
-
Target
AnyDesk (1).exe
-
Size
3.8MB
-
MD5
e546506082b374a0869bdd97b313fe5d
-
SHA1
082dc6b336b41788391bad20b26f4b9a1ad724fc
-
SHA256
fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
-
SHA512
15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
-
SSDEEP
98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM
Score
5/10
Malware Config
Signatures
-
Drops file in System32 directory 15 IoCs
Processes:
AnyDesk (1).exedescription ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db AnyDesk (1).exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db AnyDesk (1).exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db AnyDesk (1).exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db AnyDesk (1).exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db AnyDesk (1).exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db AnyDesk (1).exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db AnyDesk (1).exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db AnyDesk (1).exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db AnyDesk (1).exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db AnyDesk (1).exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db AnyDesk (1).exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db AnyDesk (1).exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db AnyDesk (1).exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db AnyDesk (1).exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db AnyDesk (1).exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
AnyDesk (1).exefirefox.exefirefox.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AnyDesk (1).exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString AnyDesk (1).exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe -
Modifies registry class 1 IoCs
Processes:
firefox.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings firefox.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
AnyDesk (1).exepid Process 4784 AnyDesk (1).exe -
Suspicious behavior: EnumeratesProcesses 63 IoCs
Processes:
AnyDesk (1).exetaskmgr.exepid Process 2200 AnyDesk (1).exe 2200 AnyDesk (1).exe 2200 AnyDesk (1).exe 2200 AnyDesk (1).exe 2200 AnyDesk (1).exe 2200 AnyDesk (1).exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe 4224 taskmgr.exe -
Suspicious behavior: LoadsDriver 6 IoCs
Processes:
pid Process 4