fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Analysis

max time kernel
142s
max time network
149s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
27-02-2023 23:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk (1).exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk (1).exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk (1).exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

AnyDesk (1).exe

pid	Process
588	AnyDesk (1).exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk (1).exe

pid	Process
1324	AnyDesk (1).exe
1324	AnyDesk (1).exe
1324	AnyDesk (1).exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk (1).exe

pid	Process
1324	AnyDesk (1).exe
1324	AnyDesk (1).exe
1324	AnyDesk (1).exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AnyDesk (1).exe

description	pid	Process	procid_target
PID 2044 wrote to memory of 588	2044	AnyDesk (1).exe	28
PID 2044 wrote to memory of 588	2044	AnyDesk (1).exe	28
PID 2044 wrote to memory of 588	2044	AnyDesk (1).exe	28
PID 2044 wrote to memory of 588	2044	AnyDesk (1).exe	28
PID 2044 wrote to memory of 1324	2044	AnyDesk (1).exe	27
PID 2044 wrote to memory of 1324	2044	AnyDesk (1).exe	27
PID 2044 wrote to memory of 1324	2044	AnyDesk (1).exe	27
PID 2044 wrote to memory of 1324	2044	AnyDesk (1).exe	27

C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1324
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
f9dffbf5a5a6306ee177b8e3a7427cad

SHA1
80e6f8e49d18dfe008044a02d8ecb36ac9ee224c

SHA256
af8295a04eefc985f24b85d012bbd6f7ca6f3b5c2ac66eee6515d1d736c170f3

SHA512
532f3b07fe55fdb6f69430dc04e5102b1af0c6e90cad762cac40a296cc342ca700a9828f7e914070e3f6cff86426e5cf08453e5627333272eb4faac8ec426f52

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
f50d397aae1de0a810e8141ed4ec0f8b

SHA1
cc4bc086cb2b33d0002f6e22e8be2d16737e5870

SHA256
dd8fee3afaa8d1031d59cc872623d8f64b5f440d82112b7cfe1d20570ac9ea52

SHA512
6fa6f8fecdc7089a544f334f39c9ba088f47863c7c36400ebf076e382280918826043f70975f1c82c512d111bd18fe11cbbc57bd8135a6fa3ca3386f741baacf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
ffc2d29585d9aa25fac769a0c05662f4

SHA1
2daf13e3416ed22b379233f5c904aa34ed8b68e0

SHA256
c1cc31c7b39846b90e79e424db2ee7c9478d29f41cbe85a30073a165c5d4af02

SHA512
09a7cc88a2d0924f89cad404b041b9d948d1ed5ee81b66b1628ccacbbfd92a89f60d97c92e70353563b37098fd33d2ccd6f5a913b7d5a8caeefb5344ec0b99a9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
4d1d753a3132b3e79af60f01b37d0650

SHA1
f3070bc54675ecd9aeb3d1c3ed8fc9942a933ff0

SHA256
203b4e227910bcc8b3f57a3eed0e871020a8e5ea6e6fdb94aaba93cfd8ee8232

SHA512
6625fe4eb3674817a2871b4fd7b583ced09b29d9f3685e38f3d78903579e51daebc3b664fcd0f3b18324ef0bd13494552fb9c0194a1c1d2538a69ae639f8c9fc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
20c4f9c1b0b064ee733469936e29a683

SHA1
37fb3d8cf2c2e2c59e1849fd5dae9c98425dc9ac

SHA256
2cccb379346d216a73a3c552c95ac336a15493fb95cb8ccffa14a043a1e406df

SHA512
0bb1612b270a2692f8f46efeacacae2980f05fe1f3f859b544ec016dc3ff4d103eef78619a93f1d0ac0163f67a1ab4f7f218012056cafcbafeabfed86e3974ba

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
20c4f9c1b0b064ee733469936e29a683

SHA1
37fb3d8cf2c2e2c59e1849fd5dae9c98425dc9ac

SHA256
2cccb379346d216a73a3c552c95ac336a15493fb95cb8ccffa14a043a1e406df

SHA512
0bb1612b270a2692f8f46efeacacae2980f05fe1f3f859b544ec016dc3ff4d103eef78619a93f1d0ac0163f67a1ab4f7f218012056cafcbafeabfed86e3974ba

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
611B

MD5
a63c3b8dd715aa1588255e1f36afae53

SHA1
9b5fa5ad133fc05fd6a021c75c3451570c864b55

SHA256
e88e12b5999d9103a25fe928a3b006c03067190c71563967cce1461a3a197c2b

SHA512
824396401c59f6f7646e360304e124cc992bf2b16e941e9395fad9809ef6169d755a74c1ae15664a0c5104a33fb0b22f8afd0491a21831edefc6b8d7fbd89840

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
611B

MD5
a63c3b8dd715aa1588255e1f36afae53

SHA1
9b5fa5ad133fc05fd6a021c75c3451570c864b55

SHA256
e88e12b5999d9103a25fe928a3b006c03067190c71563967cce1461a3a197c2b

SHA512
824396401c59f6f7646e360304e124cc992bf2b16e941e9395fad9809ef6169d755a74c1ae15664a0c5104a33fb0b22f8afd0491a21831edefc6b8d7fbd89840

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
680B

MD5
1be7896a2be39e0c04a5b9fc827af466

SHA1
10e5d9cbec6119e08189ca43d50373a1f3ce4dfa

SHA256
89da40e48add1d55245fe7cb4603cb297b2b52ffc3b8cf67a1de910eaeaf47b0

SHA512
b34c1478bb91fc055cdc1ff2dee5a54ac42f1fbb1376d1956ccab7950f177067bf877dc14da6bea5a69f5d88811e0958a92727b6629e91a166a76066493bcd8c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
801B

MD5
9851fbe56e54348189a8680ec29c5667

SHA1
af37aecd62e7672f9059bedbadfc731d87253a32

SHA256
44a40c3df47a09d0d8648cd3a8a45409d8a1d2dc2f86750b629ad9606845d1c6

SHA512
92f5265e8a7a8d255b9c95d5eb0ae90f8cd66fdf7b8b4b320a5f56b6488fcd09741461f4c5a9a4d4f7e1cd5feda1f575d85eba467908b60458d026b573bff8cb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
848B

MD5
2658e6d50d73f336568e95dada7c3c92

SHA1
c0bb35f4a3905a0b2fb3e4f56df9d75e9ac9ef10

SHA256
f81ddd29eb92146f29a7dd19c319f511d7e8e70ced08d2443e78d928a0933c21

SHA512
4204f09547569c5e51966c810a3d447d1754e234a089794e267612a39208dfa4f603c1929c1d1f5348f2c513eb179893a12df2a5dc019cad5590813fd5e11510

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
848B

MD5
2658e6d50d73f336568e95dada7c3c92

SHA1
c0bb35f4a3905a0b2fb3e4f56df9d75e9ac9ef10

SHA256
f81ddd29eb92146f29a7dd19c319f511d7e8e70ced08d2443e78d928a0933c21

SHA512
4204f09547569c5e51966c810a3d447d1754e234a089794e267612a39208dfa4f603c1929c1d1f5348f2c513eb179893a12df2a5dc019cad5590813fd5e11510

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
68664baa6cf01fe257e6862fe0ea384d

SHA1
adcd68d1c44030d893b9dae44ca67e2d8d24dc45

SHA256
225d0a2a0e7e0c09789632ed3528769938f1eaf17c2f54640d6373a274272f5b

SHA512
a388f79d35542274498678cdd1192d56219d5f9546468e5824afd5ea81d7fc9cb4d688eaa4f60ad15bca8fc42386b33740a3d3fcea6ee5d40baf404f5d5d4306

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a57f54d1aa741b7553c20832d4667259

SHA1
639ec62c2783cede91b921abff10d02581b9cc2c

SHA256
e5c6c7001c7be9927469e7642a0096c9761d49b643de74b3ac5f5d534d820f0b

SHA512
335439a6f1e96b93be00a3eeea10206ea5fc218c346d6ee7094a046cb5865acb1b847ef64ed5c6eb4413f4c06632db42626ff34c185850d08a9097c4365a61c2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a57f54d1aa741b7553c20832d4667259

SHA1
639ec62c2783cede91b921abff10d02581b9cc2c

SHA256
e5c6c7001c7be9927469e7642a0096c9761d49b643de74b3ac5f5d534d820f0b

SHA512
335439a6f1e96b93be00a3eeea10206ea5fc218c346d6ee7094a046cb5865acb1b847ef64ed5c6eb4413f4c06632db42626ff34c185850d08a9097c4365a61c2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
b57e6284fda568ff0e04d8d2dbc27a38

SHA1
b1cbcec3b3e3a7c696de2104c575fc2d6ea0eb88

SHA256
7345c030ef4925b2a3493ee294b585c4a23438e226d01169e01bd78567ea9782

SHA512
e2631dc73871ee1e9ed29458c9ab83cf755d143af26e7cd0aea6bc7e2eac487cf9d39e1d223f5ad4b97a6eb8dd8031f4c6e4996c8f575775bcd935cd1d3b8cc8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
b57e6284fda568ff0e04d8d2dbc27a38

SHA1
b1cbcec3b3e3a7c696de2104c575fc2d6ea0eb88

SHA256
7345c030ef4925b2a3493ee294b585c4a23438e226d01169e01bd78567ea9782

SHA512
e2631dc73871ee1e9ed29458c9ab83cf755d143af26e7cd0aea6bc7e2eac487cf9d39e1d223f5ad4b97a6eb8dd8031f4c6e4996c8f575775bcd935cd1d3b8cc8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
b57e6284fda568ff0e04d8d2dbc27a38

SHA1
b1cbcec3b3e3a7c696de2104c575fc2d6ea0eb88

SHA256
7345c030ef4925b2a3493ee294b585c4a23438e226d01169e01bd78567ea9782

SHA512
e2631dc73871ee1e9ed29458c9ab83cf755d143af26e7cd0aea6bc7e2eac487cf9d39e1d223f5ad4b97a6eb8dd8031f4c6e4996c8f575775bcd935cd1d3b8cc8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
b57e6284fda568ff0e04d8d2dbc27a38

SHA1
b1cbcec3b3e3a7c696de2104c575fc2d6ea0eb88

SHA256
7345c030ef4925b2a3493ee294b585c4a23438e226d01169e01bd78567ea9782

SHA512
e2631dc73871ee1e9ed29458c9ab83cf755d143af26e7cd0aea6bc7e2eac487cf9d39e1d223f5ad4b97a6eb8dd8031f4c6e4996c8f575775bcd935cd1d3b8cc8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
b57e6284fda568ff0e04d8d2dbc27a38

SHA1
b1cbcec3b3e3a7c696de2104c575fc2d6ea0eb88

SHA256
7345c030ef4925b2a3493ee294b585c4a23438e226d01169e01bd78567ea9782

SHA512
e2631dc73871ee1e9ed29458c9ab83cf755d143af26e7cd0aea6bc7e2eac487cf9d39e1d223f5ad4b97a6eb8dd8031f4c6e4996c8f575775bcd935cd1d3b8cc8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
b57e6284fda568ff0e04d8d2dbc27a38

SHA1
b1cbcec3b3e3a7c696de2104c575fc2d6ea0eb88

SHA256
7345c030ef4925b2a3493ee294b585c4a23438e226d01169e01bd78567ea9782

SHA512
e2631dc73871ee1e9ed29458c9ab83cf755d143af26e7cd0aea6bc7e2eac487cf9d39e1d223f5ad4b97a6eb8dd8031f4c6e4996c8f575775bcd935cd1d3b8cc8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
b57e6284fda568ff0e04d8d2dbc27a38

SHA1
b1cbcec3b3e3a7c696de2104c575fc2d6ea0eb88

SHA256
7345c030ef4925b2a3493ee294b585c4a23438e226d01169e01bd78567ea9782

SHA512
e2631dc73871ee1e9ed29458c9ab83cf755d143af26e7cd0aea6bc7e2eac487cf9d39e1d223f5ad4b97a6eb8dd8031f4c6e4996c8f575775bcd935cd1d3b8cc8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
b57e6284fda568ff0e04d8d2dbc27a38

SHA1
b1cbcec3b3e3a7c696de2104c575fc2d6ea0eb88

SHA256
7345c030ef4925b2a3493ee294b585c4a23438e226d01169e01bd78567ea9782

SHA512
e2631dc73871ee1e9ed29458c9ab83cf755d143af26e7cd0aea6bc7e2eac487cf9d39e1d223f5ad4b97a6eb8dd8031f4c6e4996c8f575775bcd935cd1d3b8cc8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
4a1fa3dab83b5dc0006bb0f12d4aaee2

SHA1
49911ba362c524f4e3e2945de5e849ae85d45b7b

SHA256
3b0aff0779fc4b40dffdea49711a5f6560defb62b50dc249fd34937eef8fe193

SHA512
5e6ac78e16268e9e42585122644221aece3a0dae838b33b145576477e95a72055d4f8e3f57705b447573546363d413d7d3e15eb098c0bd77cab93ddc83477212

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
4a1fa3dab83b5dc0006bb0f12d4aaee2

SHA1
49911ba362c524f4e3e2945de5e849ae85d45b7b

SHA256
3b0aff0779fc4b40dffdea49711a5f6560defb62b50dc249fd34937eef8fe193

SHA512
5e6ac78e16268e9e42585122644221aece3a0dae838b33b145576477e95a72055d4f8e3f57705b447573546363d413d7d3e15eb098c0bd77cab93ddc83477212

Download Submit
memory/588-278-0x0000000000D80000-0x0000000001DFE000-memory.dmp

Filesize
16.5MB

Download
memory/588-70-0x0000000000D80000-0x0000000001DFE000-memory.dmp

Filesize
16.5MB

Download
memory/1324-175-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1324-69-0x0000000000D80000-0x0000000001DFE000-memory.dmp

Filesize
16.5MB

Download
memory/1324-279-0x0000000000D80000-0x0000000001DFE000-memory.dmp

Filesize
16.5MB

Download
memory/2044-54-0x0000000000D80000-0x0000000001DFE000-memory.dmp

Filesize
16.5MB

Download
memory/2044-78-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/2044-75-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/2044-57-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2044-277-0x0000000000D80000-0x0000000001DFE000-memory.dmp

Filesize
16.5MB

Download