fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
27-02-2023 23:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk (1).exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk (1).exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk (1).exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk (1).exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk (1).exe

pid	Process
4220	AnyDesk (1).exe
4220	AnyDesk (1).exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk (1).exe

pid	Process
3400	AnyDesk (1).exe
3400	AnyDesk (1).exe
3400	AnyDesk (1).exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk (1).exe

pid	Process
3400	AnyDesk (1).exe
3400	AnyDesk (1).exe
3400	AnyDesk (1).exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AnyDesk (1).exe

description	pid	Process	procid_target
PID 3620 wrote to memory of 4220	3620	AnyDesk (1).exe	82
PID 3620 wrote to memory of 4220	3620	AnyDesk (1).exe	82
PID 3620 wrote to memory of 4220	3620	AnyDesk (1).exe	82
PID 3620 wrote to memory of 3400	3620	AnyDesk (1).exe	83
PID 3620 wrote to memory of 3400	3620	AnyDesk (1).exe	83
PID 3620 wrote to memory of 3400	3620	AnyDesk (1).exe	83

C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4220
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
e78bb1aeb7f46f29931619d4dde726c7

SHA1
b2f9cd2328567ef4558a9f2fc2a79ed4d077e503

SHA256
0c29fed6cab83a0d5a2efaf1bda78b9387bcaf99fe25e0affd609bc62e9f548b

SHA512
db0f9301bb88d5dca40fe703d33e0dd369579bebe0f1eb5916d09cf537c392acf8eae7b429aaa44b4971db0c6481946107bfe392d03509867ce7a0f40e8e14a9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
142ad1425aa3c1a35303e52e4eb56d48

SHA1
4ff9e701df851c34309c8defd6614cb33778c0ff

SHA256
6dc39c36101735b5f2b73a724019fbcc23447b08fee8bb9ed2beec941f9ba328

SHA512
af66cc07d094519a5b21a5efde237bc053f0a3060295af7889978072be5a797ec1d47f6cc534ddb0dcd3f20d2ac7d6f23009d89c29ba070b426e96e278332e5f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
221c0693d14d8b1f4f44a7f71eb0db57

SHA1
d517070873f009f770ddec8e35171223f20ab224

SHA256
6d7f42273fca9ae44095f777b0f8015f2ad73e3dbeefd6ea69f72bc4645d9cd0

SHA512
74408daa9b2a2688cfa2fa2f9fa1e2efe19c4aef301404f68885c759b660af142c348b40ad51998cbe66876ed6773afa4b403e6552565fe28d982e9b096e1702

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
221c0693d14d8b1f4f44a7f71eb0db57

SHA1
d517070873f009f770ddec8e35171223f20ab224

SHA256
6d7f42273fca9ae44095f777b0f8015f2ad73e3dbeefd6ea69f72bc4645d9cd0

SHA512
74408daa9b2a2688cfa2fa2f9fa1e2efe19c4aef301404f68885c759b660af142c348b40ad51998cbe66876ed6773afa4b403e6552565fe28d982e9b096e1702

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
f6d6e50f7e094569e62e2a2feadb6581

SHA1
671bfeba4ba7d6a96e54eca07dd543907386bd6e

SHA256
4ceb923eb59cfc6d547a7de63d959543bf392030b0c1e5f8af6a288c6781843d

SHA512
fef1182ff6a2b1319cd3e016b4d615bc49b0baaf8ed7b4f13301476facdefdec500b0e5396c16b131132ce50b2d0c845001c02ee28a69be43dacead9d486be4a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
f6d6e50f7e094569e62e2a2feadb6581

SHA1
671bfeba4ba7d6a96e54eca07dd543907386bd6e

SHA256
4ceb923eb59cfc6d547a7de63d959543bf392030b0c1e5f8af6a288c6781843d

SHA512
fef1182ff6a2b1319cd3e016b4d615bc49b0baaf8ed7b4f13301476facdefdec500b0e5396c16b131132ce50b2d0c845001c02ee28a69be43dacead9d486be4a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
f6d6e50f7e094569e62e2a2feadb6581

SHA1
671bfeba4ba7d6a96e54eca07dd543907386bd6e

SHA256
4ceb923eb59cfc6d547a7de63d959543bf392030b0c1e5f8af6a288c6781843d

SHA512
fef1182ff6a2b1319cd3e016b4d615bc49b0baaf8ed7b4f13301476facdefdec500b0e5396c16b131132ce50b2d0c845001c02ee28a69be43dacead9d486be4a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
143e2afb68526f4db9adec423024482d

SHA1
3e38c12e0644e8d51e60762a8628bbe341a530d0

SHA256
b81b7bbe343790217e9dbe75a7d61fe95078d3d8d15dbdf4f78fb2a043e4c30b

SHA512
7d880419b7226371671963beaf92359ab1583420dceabb293a8725362e789f14e6e0a189007bcf627dce65c4c6ebc231718d109159fbced72e10d2791064a1f9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
143e2afb68526f4db9adec423024482d

SHA1
3e38c12e0644e8d51e60762a8628bbe341a530d0

SHA256
b81b7bbe343790217e9dbe75a7d61fe95078d3d8d15dbdf4f78fb2a043e4c30b

SHA512
7d880419b7226371671963beaf92359ab1583420dceabb293a8725362e789f14e6e0a189007bcf627dce65c4c6ebc231718d109159fbced72e10d2791064a1f9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
f6d6e50f7e094569e62e2a2feadb6581

SHA1
671bfeba4ba7d6a96e54eca07dd543907386bd6e

SHA256
4ceb923eb59cfc6d547a7de63d959543bf392030b0c1e5f8af6a288c6781843d

SHA512
fef1182ff6a2b1319cd3e016b4d615bc49b0baaf8ed7b4f13301476facdefdec500b0e5396c16b131132ce50b2d0c845001c02ee28a69be43dacead9d486be4a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
f6d6e50f7e094569e62e2a2feadb6581

SHA1
671bfeba4ba7d6a96e54eca07dd543907386bd6e

SHA256
4ceb923eb59cfc6d547a7de63d959543bf392030b0c1e5f8af6a288c6781843d

SHA512
fef1182ff6a2b1319cd3e016b4d615bc49b0baaf8ed7b4f13301476facdefdec500b0e5396c16b131132ce50b2d0c845001c02ee28a69be43dacead9d486be4a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
143e2afb68526f4db9adec423024482d

SHA1
3e38c12e0644e8d51e60762a8628bbe341a530d0

SHA256
b81b7bbe343790217e9dbe75a7d61fe95078d3d8d15dbdf4f78fb2a043e4c30b

SHA512
7d880419b7226371671963beaf92359ab1583420dceabb293a8725362e789f14e6e0a189007bcf627dce65c4c6ebc231718d109159fbced72e10d2791064a1f9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
f6d6e50f7e094569e62e2a2feadb6581

SHA1
671bfeba4ba7d6a96e54eca07dd543907386bd6e

SHA256
4ceb923eb59cfc6d547a7de63d959543bf392030b0c1e5f8af6a288c6781843d

SHA512
fef1182ff6a2b1319cd3e016b4d615bc49b0baaf8ed7b4f13301476facdefdec500b0e5396c16b131132ce50b2d0c845001c02ee28a69be43dacead9d486be4a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
f6d6e50f7e094569e62e2a2feadb6581

SHA1
671bfeba4ba7d6a96e54eca07dd543907386bd6e

SHA256
4ceb923eb59cfc6d547a7de63d959543bf392030b0c1e5f8af6a288c6781843d

SHA512
fef1182ff6a2b1319cd3e016b4d615bc49b0baaf8ed7b4f13301476facdefdec500b0e5396c16b131132ce50b2d0c845001c02ee28a69be43dacead9d486be4a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
143e2afb68526f4db9adec423024482d

SHA1
3e38c12e0644e8d51e60762a8628bbe341a530d0

SHA256
b81b7bbe343790217e9dbe75a7d61fe95078d3d8d15dbdf4f78fb2a043e4c30b

SHA512
7d880419b7226371671963beaf92359ab1583420dceabb293a8725362e789f14e6e0a189007bcf627dce65c4c6ebc231718d109159fbced72e10d2791064a1f9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
f6d6e50f7e094569e62e2a2feadb6581

SHA1
671bfeba4ba7d6a96e54eca07dd543907386bd6e

SHA256
4ceb923eb59cfc6d547a7de63d959543bf392030b0c1e5f8af6a288c6781843d

SHA512
fef1182ff6a2b1319cd3e016b4d615bc49b0baaf8ed7b4f13301476facdefdec500b0e5396c16b131132ce50b2d0c845001c02ee28a69be43dacead9d486be4a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
143e2afb68526f4db9adec423024482d

SHA1
3e38c12e0644e8d51e60762a8628bbe341a530d0

SHA256
b81b7bbe343790217e9dbe75a7d61fe95078d3d8d15dbdf4f78fb2a043e4c30b

SHA512
7d880419b7226371671963beaf92359ab1583420dceabb293a8725362e789f14e6e0a189007bcf627dce65c4c6ebc231718d109159fbced72e10d2791064a1f9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
f6d6e50f7e094569e62e2a2feadb6581

SHA1
671bfeba4ba7d6a96e54eca07dd543907386bd6e

SHA256
4ceb923eb59cfc6d547a7de63d959543bf392030b0c1e5f8af6a288c6781843d

SHA512
fef1182ff6a2b1319cd3e016b4d615bc49b0baaf8ed7b4f13301476facdefdec500b0e5396c16b131132ce50b2d0c845001c02ee28a69be43dacead9d486be4a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
143e2afb68526f4db9adec423024482d

SHA1
3e38c12e0644e8d51e60762a8628bbe341a530d0

SHA256
b81b7bbe343790217e9dbe75a7d61fe95078d3d8d15dbdf4f78fb2a043e4c30b

SHA512
7d880419b7226371671963beaf92359ab1583420dceabb293a8725362e789f14e6e0a189007bcf627dce65c4c6ebc231718d109159fbced72e10d2791064a1f9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
09400ca18471005e76c7372466b49213

SHA1
fcdb4cba227e3bf4de9c918e0b0f85669a9fad58

SHA256
168d5e0d2bee0aa9778c526d7d4d571460a166037daf2d72172364df6ef78e1f

SHA512
961d734138882b8b085eea0c72e5ab8a78181efa8faf8e5d518993d903cbdc2a2a6cca8876ce239f5b1b8645e79737b39a78f25aa3d496ccc385e6f9652c1412

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
53b5695a32b967051d6138142fba4546

SHA1
6b12ef07cb9563518bc205dae42094c0b044d228

SHA256
8bc0246b4b2da6c49c1c4ac3bf16738848780d0e97299eb21c067857fe10253b

SHA512
5a565dc26c3b420381c9287e501619c6b27edf0363a1e3bb386d57cce3081d47be8b850992cb64f8edb1a0d6f99bd4651457bdc4e8486f61377636a5faaad46a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6f0fcdfb538c0aa6248ed6af4cb9b8e2

SHA1
bd5142076f675b61a1d52d79d1a101569f50a3f5

SHA256
0b6d7957a1a8e6a91e9b4d1be4e0cb5b6a44283701dd9a811b8f6ce8b3e4a8fd

SHA512
9805bb23632ab88d208f175a6299e22b9f951692350893302a92d0761a9e2f87b26fd420871c16ed7f527cc6b1d8a6269daa22f7fbabdb26cd1a369aeba65948

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6f0fcdfb538c0aa6248ed6af4cb9b8e2

SHA1
bd5142076f675b61a1d52d79d1a101569f50a3f5

SHA256
0b6d7957a1a8e6a91e9b4d1be4e0cb5b6a44283701dd9a811b8f6ce8b3e4a8fd

SHA512
9805bb23632ab88d208f175a6299e22b9f951692350893302a92d0761a9e2f87b26fd420871c16ed7f527cc6b1d8a6269daa22f7fbabdb26cd1a369aeba65948

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c082ffe338f0c0f6c85ac91948a58b53

SHA1
d9722f9645dd70e37c7a023b5227ed97d4aeefa0

SHA256
8f7fc40e32789daab61dec71a445b7a74a725438a12983ec7f075be01a1f2107

SHA512
bee03a3d1aca11cd559f50e60890a3bbd266f63c1b6eb4d547ad83858d2b4e63832843363272cc536a2174c9baad5bd124b0e4c6e775983521635f6c4c605815

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6f0fcdfb538c0aa6248ed6af4cb9b8e2

SHA1
bd5142076f675b61a1d52d79d1a101569f50a3f5

SHA256
0b6d7957a1a8e6a91e9b4d1be4e0cb5b6a44283701dd9a811b8f6ce8b3e4a8fd

SHA512
9805bb23632ab88d208f175a6299e22b9f951692350893302a92d0761a9e2f87b26fd420871c16ed7f527cc6b1d8a6269daa22f7fbabdb26cd1a369aeba65948

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
3078bf07932b15afa8060cb8f7379c9e

SHA1
e7434d684ea4efbd23c53781c54d9e155ece697b

SHA256
8096e00cb48af57b91e264399db42ba2a7bd1799d029fc3927986173c8895fa6

SHA512
81681931f034b431cce735fddd4d2d52dc422130dea2707ed2e4fb50ec04aa2997f2bef72884fa97d1fab2d9ebe1646c067aca78ed91d301dd5d888d5151acb5

Download Submit
memory/3400-707-0x0000000000CB0000-0x0000000001D2E000-memory.dmp

Filesize
16.5MB

Download
memory/3400-143-0x0000000000CB0000-0x0000000001D2E000-memory.dmp

Filesize
16.5MB

Download
memory/3400-292-0x0000000000CB0000-0x0000000001D2E000-memory.dmp

Filesize
16.5MB

Download
memory/3400-508-0x0000000000CB0000-0x0000000001D2E000-memory.dmp

Filesize
16.5MB

Download
memory/3400-161-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/3620-135-0x0000000001E60000-0x0000000001E61000-memory.dmp

Filesize
4KB

Download
memory/3620-159-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/3620-160-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/3620-133-0x0000000000CB0000-0x0000000001D2E000-memory.dmp

Filesize
16.5MB

Download
memory/3620-245-0x0000000000CB0000-0x0000000001D2E000-memory.dmp

Filesize
16.5MB

Download
memory/4220-374-0x0000000000CB0000-0x0000000001D2E000-memory.dmp

Filesize
16.5MB

Download
memory/4220-507-0x0000000000CB0000-0x0000000001D2E000-memory.dmp

Filesize
16.5MB

Download
memory/4220-312-0x0000000000CB0000-0x0000000001D2E000-memory.dmp

Filesize
16.5MB

Download
memory/4220-291-0x0000000000CB0000-0x0000000001D2E000-memory.dmp

Filesize
16.5MB

Download
memory/4220-142-0x0000000000CB0000-0x0000000001D2E000-memory.dmp

Filesize
16.5MB

Download
memory/4220-706-0x0000000000CB0000-0x0000000001D2E000-memory.dmp

Filesize
16.5MB

Download