fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Analysis

max time kernel
210s
max time network
208s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
28-02-2023 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk (1).exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk (1).exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk (1).exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

AnyDesk (1).exe

pid	Process
1192	AnyDesk (1).exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk (1).exe

pid	Process
1684	AnyDesk (1).exe
1684	AnyDesk (1).exe
1684	AnyDesk (1).exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk (1).exe

pid	Process
1684	AnyDesk (1).exe
1684	AnyDesk (1).exe
1684	AnyDesk (1).exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AnyDesk (1).exe

description	pid	Process	procid_target
PID 1696 wrote to memory of 1192	1696	AnyDesk (1).exe	28
PID 1696 wrote to memory of 1192	1696	AnyDesk (1).exe	28
PID 1696 wrote to memory of 1192	1696	AnyDesk (1).exe	28
PID 1696 wrote to memory of 1192	1696	AnyDesk (1).exe	28
PID 1696 wrote to memory of 1684	1696	AnyDesk (1).exe	29
PID 1696 wrote to memory of 1684	1696	AnyDesk (1).exe	29
PID 1696 wrote to memory of 1684	1696	AnyDesk (1).exe	29
PID 1696 wrote to memory of 1684	1696	AnyDesk (1).exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1192
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
d33cfcae27806a5055476f3e4b6e4782

SHA1
65a2a3db40d18ffc96e4bed9ed80377a55ee1b2f

SHA256
bff566848e81bd92df64994eb8a2ef6b50508c2fa8b0749fbe204ae999d64413

SHA512
746c96288aebb830dc600ba1861b6749d0ee357e9e848a0384377830e8b7a90de91c7200981aea79f474b2fd9731028635585ad071275b965080c10dd099ebc7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
d33cfcae27806a5055476f3e4b6e4782

SHA1
65a2a3db40d18ffc96e4bed9ed80377a55ee1b2f

SHA256
bff566848e81bd92df64994eb8a2ef6b50508c2fa8b0749fbe204ae999d64413

SHA512
746c96288aebb830dc600ba1861b6749d0ee357e9e848a0384377830e8b7a90de91c7200981aea79f474b2fd9731028635585ad071275b965080c10dd099ebc7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
d66ef9ce08c053e075f9cc259b0caad4

SHA1
f26dc41561066ea882faf399db6457d803f04771

SHA256
3e89b958d5ec8d974c23a9c93a2459ed6a273f8e752ae0a703561147bc6ded3b

SHA512
c56ebe775cd9682a23d4310c5a6c4be6f79e58df95797a7f480a5af8e2a93ddfbe72bc9e8830764dc533340ade16ead1c088762719d890db0fd556df4d0052c8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
3fefcb73fe44e35afe637d43acdc4dea

SHA1
bf4d07c3e2fa0ca327c3b75cdb43be5236ff70c3

SHA256
02ab8e844b0b84d654c514f041485833d7e941d72a0dec901634e0230da30dc3

SHA512
51fed15f6b40a0b4a428a0230b0cbb2742267f1b596bf521743abba2f4fb36737946ef72065163b5fb2b9527f9cf76fc5eb45e96052e5d3293b1d81c20027a5c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
3fefcb73fe44e35afe637d43acdc4dea

SHA1
bf4d07c3e2fa0ca327c3b75cdb43be5236ff70c3

SHA256
02ab8e844b0b84d654c514f041485833d7e941d72a0dec901634e0230da30dc3

SHA512
51fed15f6b40a0b4a428a0230b0cbb2742267f1b596bf521743abba2f4fb36737946ef72065163b5fb2b9527f9cf76fc5eb45e96052e5d3293b1d81c20027a5c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
fa5862db16c9211554aa000e73fc96b8

SHA1
5dbae4b0dcfb758a4bd36682c25fca35647ae31a

SHA256
1203bb3ca9b915c8470b89b2cfbb8d6464a1a80e75ff2015c1cd4d58edbadffb

SHA512
9ec0dff03621cedcf8f912e394926c70f9b7a4254e85aaaa09973dc1ddaccaeea83c8c546aa6fe2812d2e2dc30dde0d08e634456d35c6aaa73de5c79f385d30a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
3fefcb73fe44e35afe637d43acdc4dea

SHA1
bf4d07c3e2fa0ca327c3b75cdb43be5236ff70c3

SHA256
02ab8e844b0b84d654c514f041485833d7e941d72a0dec901634e0230da30dc3

SHA512
51fed15f6b40a0b4a428a0230b0cbb2742267f1b596bf521743abba2f4fb36737946ef72065163b5fb2b9527f9cf76fc5eb45e96052e5d3293b1d81c20027a5c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
fa5862db16c9211554aa000e73fc96b8

SHA1
5dbae4b0dcfb758a4bd36682c25fca35647ae31a

SHA256
1203bb3ca9b915c8470b89b2cfbb8d6464a1a80e75ff2015c1cd4d58edbadffb

SHA512
9ec0dff03621cedcf8f912e394926c70f9b7a4254e85aaaa09973dc1ddaccaeea83c8c546aa6fe2812d2e2dc30dde0d08e634456d35c6aaa73de5c79f385d30a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
3fefcb73fe44e35afe637d43acdc4dea

SHA1
bf4d07c3e2fa0ca327c3b75cdb43be5236ff70c3

SHA256
02ab8e844b0b84d654c514f041485833d7e941d72a0dec901634e0230da30dc3

SHA512
51fed15f6b40a0b4a428a0230b0cbb2742267f1b596bf521743abba2f4fb36737946ef72065163b5fb2b9527f9cf76fc5eb45e96052e5d3293b1d81c20027a5c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
fa5862db16c9211554aa000e73fc96b8

SHA1
5dbae4b0dcfb758a4bd36682c25fca35647ae31a

SHA256
1203bb3ca9b915c8470b89b2cfbb8d6464a1a80e75ff2015c1cd4d58edbadffb

SHA512
9ec0dff03621cedcf8f912e394926c70f9b7a4254e85aaaa09973dc1ddaccaeea83c8c546aa6fe2812d2e2dc30dde0d08e634456d35c6aaa73de5c79f385d30a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
3fefcb73fe44e35afe637d43acdc4dea

SHA1
bf4d07c3e2fa0ca327c3b75cdb43be5236ff70c3

SHA256
02ab8e844b0b84d654c514f041485833d7e941d72a0dec901634e0230da30dc3

SHA512
51fed15f6b40a0b4a428a0230b0cbb2742267f1b596bf521743abba2f4fb36737946ef72065163b5fb2b9527f9cf76fc5eb45e96052e5d3293b1d81c20027a5c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
fa5862db16c9211554aa000e73fc96b8

SHA1
5dbae4b0dcfb758a4bd36682c25fca35647ae31a

SHA256
1203bb3ca9b915c8470b89b2cfbb8d6464a1a80e75ff2015c1cd4d58edbadffb

SHA512
9ec0dff03621cedcf8f912e394926c70f9b7a4254e85aaaa09973dc1ddaccaeea83c8c546aa6fe2812d2e2dc30dde0d08e634456d35c6aaa73de5c79f385d30a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
fa5862db16c9211554aa000e73fc96b8

SHA1
5dbae4b0dcfb758a4bd36682c25fca35647ae31a

SHA256
1203bb3ca9b915c8470b89b2cfbb8d6464a1a80e75ff2015c1cd4d58edbadffb

SHA512
9ec0dff03621cedcf8f912e394926c70f9b7a4254e85aaaa09973dc1ddaccaeea83c8c546aa6fe2812d2e2dc30dde0d08e634456d35c6aaa73de5c79f385d30a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
3fefcb73fe44e35afe637d43acdc4dea

SHA1
bf4d07c3e2fa0ca327c3b75cdb43be5236ff70c3

SHA256
02ab8e844b0b84d654c514f041485833d7e941d72a0dec901634e0230da30dc3

SHA512
51fed15f6b40a0b4a428a0230b0cbb2742267f1b596bf521743abba2f4fb36737946ef72065163b5fb2b9527f9cf76fc5eb45e96052e5d3293b1d81c20027a5c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
3fefcb73fe44e35afe637d43acdc4dea

SHA1
bf4d07c3e2fa0ca327c3b75cdb43be5236ff70c3

SHA256
02ab8e844b0b84d654c514f041485833d7e941d72a0dec901634e0230da30dc3

SHA512
51fed15f6b40a0b4a428a0230b0cbb2742267f1b596bf521743abba2f4fb36737946ef72065163b5fb2b9527f9cf76fc5eb45e96052e5d3293b1d81c20027a5c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1d5dc7fe1103a64c179bfea6dfaac75a

SHA1
a8a8b756384426e8be33aaeebf6dc029f1a6156d

SHA256
0df47ecdb9517a25785d4d93f9d5d9a06512c772175216782541339d8d4ebf01

SHA512
fd4134d10ec07225ae508f7e39380b796c63ab10f3163ed8787709b57d1b23cb345aaa6ae083d00c7fe127a753162a7c3923c2c3584fdd00ee58aacb9e7305c4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1d5dc7fe1103a64c179bfea6dfaac75a

SHA1
a8a8b756384426e8be33aaeebf6dc029f1a6156d

SHA256
0df47ecdb9517a25785d4d93f9d5d9a06512c772175216782541339d8d4ebf01

SHA512
fd4134d10ec07225ae508f7e39380b796c63ab10f3163ed8787709b57d1b23cb345aaa6ae083d00c7fe127a753162a7c3923c2c3584fdd00ee58aacb9e7305c4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1d5dc7fe1103a64c179bfea6dfaac75a

SHA1
a8a8b756384426e8be33aaeebf6dc029f1a6156d

SHA256
0df47ecdb9517a25785d4d93f9d5d9a06512c772175216782541339d8d4ebf01

SHA512
fd4134d10ec07225ae508f7e39380b796c63ab10f3163ed8787709b57d1b23cb345aaa6ae083d00c7fe127a753162a7c3923c2c3584fdd00ee58aacb9e7305c4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f318d6114b4a23c13e6dc035ea9c219f

SHA1
ba20b381623b23bd7d82fd88290b6b45b8ebb803

SHA256
8f14518c9d7b594360ca747fc7610a138a7a0d5e2dd2be32a45bf49df1a07af3

SHA512
20a243ec63d41f9a8a7d1ce670380d693065686ae86e72e2d196d7dc5127bf371f8dd37140b78a2d8579a216005d86186e9e1706506458e17aef3a8431484599

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
41e1e20533750b758c66631d1e97ba31

SHA1
e73a8ef7adb1a3aa0dc88d109b2e69219529db7f

SHA256
38a71818510d1c9f9b7cfb887369989a878024c947c15b16227d66f582e4b14c

SHA512
07aca8ca4f9e33182b5bd36616f99e827fd323738138ca95dcfb24e9eb18371268c35b1559f4451f1147d5fb1951ec9542fcf566fa969fb66424496682e66d4c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
54f95b8e856f4ac18ffe7fc65dffad1a

SHA1
dee0e078bbe3d336abe9bf782c90d71a8f517d85

SHA256
9e6f84ef20c3113a928b138a67815be6bd6a0138616de558a0cf1cbf8a6892e7

SHA512
b7b5245dd07a088f7b8f6548f9c7eb14f4004eae4a6fbe51a490761435e4ea8ad7cb734c1647ee048fd939f57f21256b55ca0e1cb06670053e294b9530b764db

Download Submit
memory/1192-483-0x0000000000D00000-0x0000000001D7E000-memory.dmp

Filesize
16.5MB

Download
memory/1192-187-0x0000000000D00000-0x0000000001D7E000-memory.dmp

Filesize
16.5MB

Download
memory/1192-63-0x0000000000D00000-0x0000000001D7E000-memory.dmp

Filesize
16.5MB

Download
memory/1192-245-0x0000000000D00000-0x0000000001D7E000-memory.dmp

Filesize
16.5MB

Download
memory/1192-317-0x0000000000D00000-0x0000000001D7E000-memory.dmp

Filesize
16.5MB

Download
memory/1684-246-0x0000000000D00000-0x0000000001D7E000-memory.dmp

Filesize
16.5MB

Download
memory/1684-85-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/1684-188-0x0000000000D00000-0x0000000001D7E000-memory.dmp

Filesize
16.5MB

Download
memory/1684-62-0x0000000000D00000-0x0000000001D7E000-memory.dmp

Filesize
16.5MB

Download
memory/1684-484-0x0000000000D00000-0x0000000001D7E000-memory.dmp

Filesize
16.5MB

Download
memory/1696-54-0x0000000000D00000-0x0000000001D7E000-memory.dmp

Filesize
16.5MB

Download
memory/1696-73-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/1696-76-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/1696-182-0x0000000000D00000-0x0000000001D7E000-memory.dmp

Filesize
16.5MB

Download
memory/1696-56-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download