fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Analysis

max time kernel
209s
max time network
201s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
28-02-2023 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk (1).exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk (1).exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk (1).exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk (1).exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AnyDesk (1).exe

pid	Process
4868	AnyDesk (1).exe
4868	AnyDesk (1).exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk (1).exe

pid	Process
4856	AnyDesk (1).exe
4856	AnyDesk (1).exe
4856	AnyDesk (1).exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk (1).exe

pid	Process
4856	AnyDesk (1).exe
4856	AnyDesk (1).exe
4856	AnyDesk (1).exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

AnyDesk (1).exe

description	pid	Process	procid_target
PID 2244 wrote to memory of 4868	2244	AnyDesk (1).exe	86
PID 2244 wrote to memory of 4868	2244	AnyDesk (1).exe	86
PID 2244 wrote to memory of 4868	2244	AnyDesk (1).exe	86
PID 2244 wrote to memory of 4856	2244	AnyDesk (1).exe	87
PID 2244 wrote to memory of 4856	2244	AnyDesk (1).exe	87
PID 2244 wrote to memory of 4856	2244	AnyDesk (1).exe	87

C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4868
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
edd706e0f604654ad25485588225554f

SHA1
24a57bacf5acc73c0e0d844f4ffc05e0fd8a0cae

SHA256
582447c27181333a676ba8776a68ce10394f8a67116ae1e4e1def56dbff6d447

SHA512
219941fcd728293e99378d30873a740eeaa6462160a89905a3b78045a960c221f9c298c4badf2c5971fd69f9527f90e6ba753de4eb32befea3f305eaba9e5df0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
12d42b550d0881a2b4f5fa6ae812b190

SHA1
3ea2accc2547363ddfb532c50a81033549c0d6a2

SHA256
8ff53e6b2f676ea30588ef55b5f8a533d97727bb3c73ce8f0c4d0cf27e444f86

SHA512
ebe4f7ec71b0b78021fc8919df80ab3ab1a42516ef7c769c67e1dcda4207e1fba6d0b313fa2bd59e430108ac55b7f29c25248a76b63f16b77110bba2ba985e17

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
e2676d731f1fe5c88ebf9a609f1117f5

SHA1
119350308767bbf43a257e2be57fa361bd16f250

SHA256
63dc91b7298b2c620d9a607a4ab57b227d71996218f4c0b5402a1d63488865d9

SHA512
ff164c8bdd17a591fab44e5afb13bb01feed7fa254f072cf4423ce6bbbb7bc380a12a8ad6b45c981671b0ac60a2bf1a3fa08c7f4dea99c8b0ca603a9719e0aff

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
e2676d731f1fe5c88ebf9a609f1117f5

SHA1
119350308767bbf43a257e2be57fa361bd16f250

SHA256
63dc91b7298b2c620d9a607a4ab57b227d71996218f4c0b5402a1d63488865d9

SHA512
ff164c8bdd17a591fab44e5afb13bb01feed7fa254f072cf4423ce6bbbb7bc380a12a8ad6b45c981671b0ac60a2bf1a3fa08c7f4dea99c8b0ca603a9719e0aff

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
6ca0ecb706a0e37f57bf4ff52da4a57d

SHA1
2102e6045e6a2ec1796ec5d418c2fc56e61954ed

SHA256
7ed12f2b32a9721691d8f617e3d8dac7f96066da5b9950c715a8278dd4c225ef

SHA512
e2fef14a6e31fc2af389aeb398fe021caab32c62f3950d3cf2ce54a4fcb141f34a78c83c50c9f85c1d2554d7f907ed3d67bd0f4bae0077ec7bebcc4d2bedb9e8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
6ca0ecb706a0e37f57bf4ff52da4a57d

SHA1
2102e6045e6a2ec1796ec5d418c2fc56e61954ed

SHA256
7ed12f2b32a9721691d8f617e3d8dac7f96066da5b9950c715a8278dd4c225ef

SHA512
e2fef14a6e31fc2af389aeb398fe021caab32c62f3950d3cf2ce54a4fcb141f34a78c83c50c9f85c1d2554d7f907ed3d67bd0f4bae0077ec7bebcc4d2bedb9e8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
6ca0ecb706a0e37f57bf4ff52da4a57d

SHA1
2102e6045e6a2ec1796ec5d418c2fc56e61954ed

SHA256
7ed12f2b32a9721691d8f617e3d8dac7f96066da5b9950c715a8278dd4c225ef

SHA512
e2fef14a6e31fc2af389aeb398fe021caab32c62f3950d3cf2ce54a4fcb141f34a78c83c50c9f85c1d2554d7f907ed3d67bd0f4bae0077ec7bebcc4d2bedb9e8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
993c16a0a812758278a5fc46d1f0563c

SHA1
e687cb19a7339e196595a23f087dc87645a8edd0

SHA256
3d7b721b8fdbbcbb8340681735538546667595af0ec69b1e3d65c1a839921fb5

SHA512
708ae63f7294fad52e8d08199d746e94487a13386307a8e9dc8e9168f4e4fde2d4cffb2e3ce75d798ef376ef247cd3e8f08a1242567cec7b3e36708d43777fec

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
6ca0ecb706a0e37f57bf4ff52da4a57d

SHA1
2102e6045e6a2ec1796ec5d418c2fc56e61954ed

SHA256
7ed12f2b32a9721691d8f617e3d8dac7f96066da5b9950c715a8278dd4c225ef

SHA512
e2fef14a6e31fc2af389aeb398fe021caab32c62f3950d3cf2ce54a4fcb141f34a78c83c50c9f85c1d2554d7f907ed3d67bd0f4bae0077ec7bebcc4d2bedb9e8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
6ca0ecb706a0e37f57bf4ff52da4a57d

SHA1
2102e6045e6a2ec1796ec5d418c2fc56e61954ed

SHA256
7ed12f2b32a9721691d8f617e3d8dac7f96066da5b9950c715a8278dd4c225ef

SHA512
e2fef14a6e31fc2af389aeb398fe021caab32c62f3950d3cf2ce54a4fcb141f34a78c83c50c9f85c1d2554d7f907ed3d67bd0f4bae0077ec7bebcc4d2bedb9e8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
993c16a0a812758278a5fc46d1f0563c

SHA1
e687cb19a7339e196595a23f087dc87645a8edd0

SHA256
3d7b721b8fdbbcbb8340681735538546667595af0ec69b1e3d65c1a839921fb5

SHA512
708ae63f7294fad52e8d08199d746e94487a13386307a8e9dc8e9168f4e4fde2d4cffb2e3ce75d798ef376ef247cd3e8f08a1242567cec7b3e36708d43777fec

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
6ca0ecb706a0e37f57bf4ff52da4a57d

SHA1
2102e6045e6a2ec1796ec5d418c2fc56e61954ed

SHA256
7ed12f2b32a9721691d8f617e3d8dac7f96066da5b9950c715a8278dd4c225ef

SHA512
e2fef14a6e31fc2af389aeb398fe021caab32c62f3950d3cf2ce54a4fcb141f34a78c83c50c9f85c1d2554d7f907ed3d67bd0f4bae0077ec7bebcc4d2bedb9e8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
6ca0ecb706a0e37f57bf4ff52da4a57d

SHA1
2102e6045e6a2ec1796ec5d418c2fc56e61954ed

SHA256
7ed12f2b32a9721691d8f617e3d8dac7f96066da5b9950c715a8278dd4c225ef

SHA512
e2fef14a6e31fc2af389aeb398fe021caab32c62f3950d3cf2ce54a4fcb141f34a78c83c50c9f85c1d2554d7f907ed3d67bd0f4bae0077ec7bebcc4d2bedb9e8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
993c16a0a812758278a5fc46d1f0563c

SHA1
e687cb19a7339e196595a23f087dc87645a8edd0

SHA256
3d7b721b8fdbbcbb8340681735538546667595af0ec69b1e3d65c1a839921fb5

SHA512
708ae63f7294fad52e8d08199d746e94487a13386307a8e9dc8e9168f4e4fde2d4cffb2e3ce75d798ef376ef247cd3e8f08a1242567cec7b3e36708d43777fec

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
6ca0ecb706a0e37f57bf4ff52da4a57d

SHA1
2102e6045e6a2ec1796ec5d418c2fc56e61954ed

SHA256
7ed12f2b32a9721691d8f617e3d8dac7f96066da5b9950c715a8278dd4c225ef

SHA512
e2fef14a6e31fc2af389aeb398fe021caab32c62f3950d3cf2ce54a4fcb141f34a78c83c50c9f85c1d2554d7f907ed3d67bd0f4bae0077ec7bebcc4d2bedb9e8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
993c16a0a812758278a5fc46d1f0563c

SHA1
e687cb19a7339e196595a23f087dc87645a8edd0

SHA256
3d7b721b8fdbbcbb8340681735538546667595af0ec69b1e3d65c1a839921fb5

SHA512
708ae63f7294fad52e8d08199d746e94487a13386307a8e9dc8e9168f4e4fde2d4cffb2e3ce75d798ef376ef247cd3e8f08a1242567cec7b3e36708d43777fec

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
6ca0ecb706a0e37f57bf4ff52da4a57d

SHA1
2102e6045e6a2ec1796ec5d418c2fc56e61954ed

SHA256
7ed12f2b32a9721691d8f617e3d8dac7f96066da5b9950c715a8278dd4c225ef

SHA512
e2fef14a6e31fc2af389aeb398fe021caab32c62f3950d3cf2ce54a4fcb141f34a78c83c50c9f85c1d2554d7f907ed3d67bd0f4bae0077ec7bebcc4d2bedb9e8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
993c16a0a812758278a5fc46d1f0563c

SHA1
e687cb19a7339e196595a23f087dc87645a8edd0

SHA256
3d7b721b8fdbbcbb8340681735538546667595af0ec69b1e3d65c1a839921fb5

SHA512
708ae63f7294fad52e8d08199d746e94487a13386307a8e9dc8e9168f4e4fde2d4cffb2e3ce75d798ef376ef247cd3e8f08a1242567cec7b3e36708d43777fec

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
6ca0ecb706a0e37f57bf4ff52da4a57d

SHA1
2102e6045e6a2ec1796ec5d418c2fc56e61954ed

SHA256
7ed12f2b32a9721691d8f617e3d8dac7f96066da5b9950c715a8278dd4c225ef

SHA512
e2fef14a6e31fc2af389aeb398fe021caab32c62f3950d3cf2ce54a4fcb141f34a78c83c50c9f85c1d2554d7f907ed3d67bd0f4bae0077ec7bebcc4d2bedb9e8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
993c16a0a812758278a5fc46d1f0563c

SHA1
e687cb19a7339e196595a23f087dc87645a8edd0

SHA256
3d7b721b8fdbbcbb8340681735538546667595af0ec69b1e3d65c1a839921fb5

SHA512
708ae63f7294fad52e8d08199d746e94487a13386307a8e9dc8e9168f4e4fde2d4cffb2e3ce75d798ef376ef247cd3e8f08a1242567cec7b3e36708d43777fec

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0792cf91c87e2dc3296f922658004b89

SHA1
084f31892be8b657480810b89d07cd1005deac2e

SHA256
1ebb76509592bfd55cd4e21b53fc92794934b641a115016641f57ab7b054bacb

SHA512
b2dc25b738e29f263e4bd8bc172fc1b173ea0e028a57ee44eeb6069f276fe26d6d9d179a929d22f3b441bea487f2cb40598fbdec70120a38084b4d9c9d025eab

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0792cf91c87e2dc3296f922658004b89

SHA1
084f31892be8b657480810b89d07cd1005deac2e

SHA256
1ebb76509592bfd55cd4e21b53fc92794934b641a115016641f57ab7b054bacb

SHA512
b2dc25b738e29f263e4bd8bc172fc1b173ea0e028a57ee44eeb6069f276fe26d6d9d179a929d22f3b441bea487f2cb40598fbdec70120a38084b4d9c9d025eab

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
3e83cc2ed330fab293100a85b043894d

SHA1
1009b2faa84e68c84c219411856c1cdd417bc11a

SHA256
4f4e9d7a9fc48a78b71d2555b92d0702c97f96d2a9d744e4d82cc68a93dafb12

SHA512
97e7ee55557e46b522b9351e81fb5cf8796c6ca0f0919e530da063cb26d14a28703d5403e4e4fccdca191beea89c69ccff7252955055d4dbdd60113a754dab40

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
3e83cc2ed330fab293100a85b043894d

SHA1
1009b2faa84e68c84c219411856c1cdd417bc11a

SHA256
4f4e9d7a9fc48a78b71d2555b92d0702c97f96d2a9d744e4d82cc68a93dafb12

SHA512
97e7ee55557e46b522b9351e81fb5cf8796c6ca0f0919e530da063cb26d14a28703d5403e4e4fccdca191beea89c69ccff7252955055d4dbdd60113a754dab40

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
3e83cc2ed330fab293100a85b043894d

SHA1
1009b2faa84e68c84c219411856c1cdd417bc11a

SHA256
4f4e9d7a9fc48a78b71d2555b92d0702c97f96d2a9d744e4d82cc68a93dafb12

SHA512
97e7ee55557e46b522b9351e81fb5cf8796c6ca0f0919e530da063cb26d14a28703d5403e4e4fccdca191beea89c69ccff7252955055d4dbdd60113a754dab40

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
efc68df2cee3dc2e2fc2b0f2744bfce1

SHA1
e6fd5c573bdf2ceb9d3a5fd0f8f3750e2d60b72e

SHA256
69365b096979f03b17c3cf767c8f5582cc533d6f6763a3e95be3f0001dbc7531

SHA512
8a130a8dffa4d64a3e7b5eb3c8969f40b1c4f71dd714a7f0f27859d3caed6ef9eee2763b6f01ef8ec5608f9727eb971916ffb7376b2a890348835c31f7685298

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
efc68df2cee3dc2e2fc2b0f2744bfce1

SHA1
e6fd5c573bdf2ceb9d3a5fd0f8f3750e2d60b72e

SHA256
69365b096979f03b17c3cf767c8f5582cc533d6f6763a3e95be3f0001dbc7531

SHA512
8a130a8dffa4d64a3e7b5eb3c8969f40b1c4f71dd714a7f0f27859d3caed6ef9eee2763b6f01ef8ec5608f9727eb971916ffb7376b2a890348835c31f7685298

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
efc68df2cee3dc2e2fc2b0f2744bfce1

SHA1
e6fd5c573bdf2ceb9d3a5fd0f8f3750e2d60b72e

SHA256
69365b096979f03b17c3cf767c8f5582cc533d6f6763a3e95be3f0001dbc7531

SHA512
8a130a8dffa4d64a3e7b5eb3c8969f40b1c4f71dd714a7f0f27859d3caed6ef9eee2763b6f01ef8ec5608f9727eb971916ffb7376b2a890348835c31f7685298

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
7036480dd2827eba240dba6568149c45

SHA1
45a91eafe5e60d072f9538842d9daa40351103d5

SHA256
bad7f70765562a3450ab04a5ecfdeb7e2c8ca1c1e1e4cf0e928e6d2d3c5cbeeb

SHA512
ff72ef895897bfcb9c4c9f60bb4407f00b79357a6c8bb4e550421b6554c80c225820ae9b6bce0ee73126e4a15cd0b62ca47eae48237ce837ff55f8eb99116a84

Download Submit
memory/2244-154-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/2244-251-0x0000000000920000-0x000000000199E000-memory.dmp

Filesize
16.5MB

Download
memory/2244-153-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/2244-133-0x0000000000920000-0x000000000199E000-memory.dmp

Filesize
16.5MB

Download
memory/2244-140-0x00000000039E0000-0x00000000039E1000-memory.dmp

Filesize
4KB

Download
memory/4856-303-0x0000000000920000-0x000000000199E000-memory.dmp

Filesize
16.5MB

Download
memory/4856-149-0x0000000000920000-0x000000000199E000-memory.dmp

Filesize
16.5MB

Download
memory/4856-517-0x0000000000920000-0x000000000199E000-memory.dmp

Filesize
16.5MB

Download
memory/4856-713-0x0000000000920000-0x000000000199E000-memory.dmp

Filesize
16.5MB

Download
memory/4856-156-0x00000000039E0000-0x00000000039E1000-memory.dmp

Filesize
4KB

Download
memory/4868-385-0x0000000000920000-0x000000000199E000-memory.dmp

Filesize
16.5MB

Download
memory/4868-516-0x0000000000920000-0x000000000199E000-memory.dmp

Filesize
16.5MB

Download
memory/4868-321-0x0000000000920000-0x000000000199E000-memory.dmp

Filesize
16.5MB

Download
memory/4868-302-0x0000000000920000-0x000000000199E000-memory.dmp

Filesize
16.5MB

Download
memory/4868-712-0x0000000000920000-0x000000000199E000-memory.dmp

Filesize
16.5MB

Download
memory/4868-142-0x0000000000920000-0x000000000199E000-memory.dmp

Filesize
16.5MB

Download