fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
28-02-2023 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk (1).exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk (1).exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk (1).exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

AnyDesk (1).exe

pid	Process
268	AnyDesk (1).exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDesk (1).exe

pid	Process
1192	AnyDesk (1).exe
1192	AnyDesk (1).exe
1192	AnyDesk (1).exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk (1).exe

pid	Process
1192	AnyDesk (1).exe
1192	AnyDesk (1).exe
1192	AnyDesk (1).exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AnyDesk (1).exe

description	pid	Process	procid_target
PID 1568 wrote to memory of 268	1568	AnyDesk (1).exe	28
PID 1568 wrote to memory of 268	1568	AnyDesk (1).exe	28
PID 1568 wrote to memory of 268	1568	AnyDesk (1).exe	28
PID 1568 wrote to memory of 268	1568	AnyDesk (1).exe	28
PID 1568 wrote to memory of 1192	1568	AnyDesk (1).exe	29
PID 1568 wrote to memory of 1192	1568	AnyDesk (1).exe	29
PID 1568 wrote to memory of 1192	1568	AnyDesk (1).exe	29
PID 1568 wrote to memory of 1192	1568	AnyDesk (1).exe	29

C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:268
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
c169874c35cb372c814ad6ce25a7aeea

SHA1
15f19cf004d4002410f39c21215dd3fa1a6cb648

SHA256
1e4267699a88e5e05027a1e32eff53f9d86f019815eb3459c26424c0f0136e0f

SHA512
33ea0a149ce93bae57d00231909fb83ade59e10d8c8ed1ccaa9132987b1e47bab6c2426f6c21c1aebee661833f934b97aefdb51faaa14a8147812b1db981921c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
8041ab36694581f20923328bb1cb640f

SHA1
536d85fb71da8b356084d1ccc26214b77b43dc86

SHA256
aebd3f06862cb93c707eb5edc05fb8989980501034ff7e1054306e023ab95428

SHA512
af903251cb84597aaf1e8517e77a93c4a24f3de7cccb5b948f3b10d9c39f27128c8cf7e3c2357a7494638e0a075a1a15e47304abc7f92ca13de21010cbedf955

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
594c8dae7194e805741abcb15fbedca1

SHA1
f23b15d72068cf04df22614b5c2e349ae0496f73

SHA256
0da5405c348b8477718d87efa94eda0dd54952c34bdf57cf94fcd5a63729aadf

SHA512
3cf2dedf37945c342ba652a95985f69430f89884d29ad3d8a0de90bb4753f54214004848f58a5df97266c667cc5e0dce655ecabc9097210641e2a37aede11e0e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
594c8dae7194e805741abcb15fbedca1

SHA1
f23b15d72068cf04df22614b5c2e349ae0496f73

SHA256
0da5405c348b8477718d87efa94eda0dd54952c34bdf57cf94fcd5a63729aadf

SHA512
3cf2dedf37945c342ba652a95985f69430f89884d29ad3d8a0de90bb4753f54214004848f58a5df97266c667cc5e0dce655ecabc9097210641e2a37aede11e0e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
34962eaec1cd6c0da7939ae677b58489

SHA1
4014823fd4a1ff09d4a4312592e223cfa2f32122

SHA256
cfa6b5b4fa60d9e6c39ca30c791c3fb45cd20d5f6c15300282a333e6f4e5b9b8

SHA512
4a41224906824a362937683a73653aca44275685f7a52b9a7dddd894d5c8f99bc2dd35138663a0d97d3abfc916e4168fbd68a693cec6ce31fbede56f98c52083

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
34962eaec1cd6c0da7939ae677b58489

SHA1
4014823fd4a1ff09d4a4312592e223cfa2f32122

SHA256
cfa6b5b4fa60d9e6c39ca30c791c3fb45cd20d5f6c15300282a333e6f4e5b9b8

SHA512
4a41224906824a362937683a73653aca44275685f7a52b9a7dddd894d5c8f99bc2dd35138663a0d97d3abfc916e4168fbd68a693cec6ce31fbede56f98c52083

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
2cfdf389c5d5756885011dda07174f9b

SHA1
ee823fb8f442850dd21b0892247ff159ef6a9404

SHA256
7e5a5565fc9728441c409a21381919bb41eddcffcdb9b8691a418353b738f082

SHA512
b057374aed7ee8df74d73b6fb832c93b85ab19c413842155006979a8ca6eda459cb73fa4c55f8166816dbff78ff1d0aab1ebdfa1e7e18e50fa4b7c2c59b42da7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
2cfdf389c5d5756885011dda07174f9b

SHA1
ee823fb8f442850dd21b0892247ff159ef6a9404

SHA256
7e5a5565fc9728441c409a21381919bb41eddcffcdb9b8691a418353b738f082

SHA512
b057374aed7ee8df74d73b6fb832c93b85ab19c413842155006979a8ca6eda459cb73fa4c55f8166816dbff78ff1d0aab1ebdfa1e7e18e50fa4b7c2c59b42da7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
34962eaec1cd6c0da7939ae677b58489

SHA1
4014823fd4a1ff09d4a4312592e223cfa2f32122

SHA256
cfa6b5b4fa60d9e6c39ca30c791c3fb45cd20d5f6c15300282a333e6f4e5b9b8

SHA512
4a41224906824a362937683a73653aca44275685f7a52b9a7dddd894d5c8f99bc2dd35138663a0d97d3abfc916e4168fbd68a693cec6ce31fbede56f98c52083

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
34962eaec1cd6c0da7939ae677b58489

SHA1
4014823fd4a1ff09d4a4312592e223cfa2f32122

SHA256
cfa6b5b4fa60d9e6c39ca30c791c3fb45cd20d5f6c15300282a333e6f4e5b9b8

SHA512
4a41224906824a362937683a73653aca44275685f7a52b9a7dddd894d5c8f99bc2dd35138663a0d97d3abfc916e4168fbd68a693cec6ce31fbede56f98c52083

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
2cfdf389c5d5756885011dda07174f9b

SHA1
ee823fb8f442850dd21b0892247ff159ef6a9404

SHA256
7e5a5565fc9728441c409a21381919bb41eddcffcdb9b8691a418353b738f082

SHA512
b057374aed7ee8df74d73b6fb832c93b85ab19c413842155006979a8ca6eda459cb73fa4c55f8166816dbff78ff1d0aab1ebdfa1e7e18e50fa4b7c2c59b42da7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
34962eaec1cd6c0da7939ae677b58489

SHA1
4014823fd4a1ff09d4a4312592e223cfa2f32122

SHA256
cfa6b5b4fa60d9e6c39ca30c791c3fb45cd20d5f6c15300282a333e6f4e5b9b8

SHA512
4a41224906824a362937683a73653aca44275685f7a52b9a7dddd894d5c8f99bc2dd35138663a0d97d3abfc916e4168fbd68a693cec6ce31fbede56f98c52083

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
34962eaec1cd6c0da7939ae677b58489

SHA1
4014823fd4a1ff09d4a4312592e223cfa2f32122

SHA256
cfa6b5b4fa60d9e6c39ca30c791c3fb45cd20d5f6c15300282a333e6f4e5b9b8

SHA512
4a41224906824a362937683a73653aca44275685f7a52b9a7dddd894d5c8f99bc2dd35138663a0d97d3abfc916e4168fbd68a693cec6ce31fbede56f98c52083

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
2cfdf389c5d5756885011dda07174f9b

SHA1
ee823fb8f442850dd21b0892247ff159ef6a9404

SHA256
7e5a5565fc9728441c409a21381919bb41eddcffcdb9b8691a418353b738f082

SHA512
b057374aed7ee8df74d73b6fb832c93b85ab19c413842155006979a8ca6eda459cb73fa4c55f8166816dbff78ff1d0aab1ebdfa1e7e18e50fa4b7c2c59b42da7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
34962eaec1cd6c0da7939ae677b58489

SHA1
4014823fd4a1ff09d4a4312592e223cfa2f32122

SHA256
cfa6b5b4fa60d9e6c39ca30c791c3fb45cd20d5f6c15300282a333e6f4e5b9b8

SHA512
4a41224906824a362937683a73653aca44275685f7a52b9a7dddd894d5c8f99bc2dd35138663a0d97d3abfc916e4168fbd68a693cec6ce31fbede56f98c52083

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
2cfdf389c5d5756885011dda07174f9b

SHA1
ee823fb8f442850dd21b0892247ff159ef6a9404

SHA256
7e5a5565fc9728441c409a21381919bb41eddcffcdb9b8691a418353b738f082

SHA512
b057374aed7ee8df74d73b6fb832c93b85ab19c413842155006979a8ca6eda459cb73fa4c55f8166816dbff78ff1d0aab1ebdfa1e7e18e50fa4b7c2c59b42da7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
d72425cb61b68c470df7d1beefff2bde

SHA1
a8d144eae24c6c72b81a3861c31fccb6f09968c9

SHA256
17bfeccee129a5b4f3fde109e250bca631a6ffeb694fb679b67442b192605fe7

SHA512
ba724456e843f528345bc215e97d3284e7669958eacc4ec1cadb0b967a382f3d131e08e3fe1cbd40a1ebf66bd82535608f15a70bdb27066aca0fbb92ec1a734e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
d72425cb61b68c470df7d1beefff2bde

SHA1
a8d144eae24c6c72b81a3861c31fccb6f09968c9

SHA256
17bfeccee129a5b4f3fde109e250bca631a6ffeb694fb679b67442b192605fe7

SHA512
ba724456e843f528345bc215e97d3284e7669958eacc4ec1cadb0b967a382f3d131e08e3fe1cbd40a1ebf66bd82535608f15a70bdb27066aca0fbb92ec1a734e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
d72425cb61b68c470df7d1beefff2bde

SHA1
a8d144eae24c6c72b81a3861c31fccb6f09968c9

SHA256
17bfeccee129a5b4f3fde109e250bca631a6ffeb694fb679b67442b192605fe7

SHA512
ba724456e843f528345bc215e97d3284e7669958eacc4ec1cadb0b967a382f3d131e08e3fe1cbd40a1ebf66bd82535608f15a70bdb27066aca0fbb92ec1a734e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
98ec8a6398b9f96628a25a1089806304

SHA1
d371b1237fd4fd82ebe962e02651e5241be6197b

SHA256
bbce179185512c910eee387fcc165cb55ceb66d6ad0b8cb564b6f0343aebd2c3

SHA512
067b88e6a21d51ffedd9dc18312496dbf3115aa0f4522fa904d12a3e4e34f36fb61f16e29eb9488c9126dcac2e944abb3d022e3fa78f6a492d9240df1fea8e18

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
41e1e20533750b758c66631d1e97ba31

SHA1
e73a8ef7adb1a3aa0dc88d109b2e69219529db7f

SHA256
38a71818510d1c9f9b7cfb887369989a878024c947c15b16227d66f582e4b14c

SHA512
07aca8ca4f9e33182b5bd36616f99e827fd323738138ca95dcfb24e9eb18371268c35b1559f4451f1147d5fb1951ec9542fcf566fa969fb66424496682e66d4c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
41e1e20533750b758c66631d1e97ba31

SHA1
e73a8ef7adb1a3aa0dc88d109b2e69219529db7f

SHA256
38a71818510d1c9f9b7cfb887369989a878024c947c15b16227d66f582e4b14c

SHA512
07aca8ca4f9e33182b5bd36616f99e827fd323738138ca95dcfb24e9eb18371268c35b1559f4451f1147d5fb1951ec9542fcf566fa969fb66424496682e66d4c

Download Submit
memory/268-330-0x00000000013A0000-0x000000000241E000-memory.dmp

Filesize
16.5MB

Download
memory/268-69-0x00000000013A0000-0x000000000241E000-memory.dmp

Filesize
16.5MB

Download
memory/268-240-0x00000000013A0000-0x000000000241E000-memory.dmp

Filesize
16.5MB

Download
memory/268-152-0x00000000013A0000-0x000000000241E000-memory.dmp

Filesize
16.5MB

Download
memory/268-130-0x00000000013A0000-0x000000000241E000-memory.dmp

Filesize
16.5MB

Download
memory/268-95-0x00000000013A0000-0x000000000241E000-memory.dmp

Filesize
16.5MB

Download
memory/268-180-0x00000000013A0000-0x000000000241E000-memory.dmp

Filesize
16.5MB

Download
memory/1192-156-0x00000000013A0000-0x000000000241E000-memory.dmp

Filesize
16.5MB

Download
memory/1192-70-0x00000000013A0000-0x000000000241E000-memory.dmp

Filesize
16.5MB

Download
memory/1192-85-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1192-147-0x00000000013A0000-0x000000000241E000-memory.dmp

Filesize
16.5MB

Download
memory/1192-105-0x00000000013A0000-0x000000000241E000-memory.dmp

Filesize
16.5MB

Download
memory/1192-241-0x00000000013A0000-0x000000000241E000-memory.dmp

Filesize
16.5MB

Download
memory/1568-149-0x00000000013A0000-0x000000000241E000-memory.dmp

Filesize
16.5MB

Download
memory/1568-74-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/1568-215-0x00000000013A0000-0x000000000241E000-memory.dmp

Filesize
16.5MB

Download
memory/1568-71-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/1568-175-0x00000000013A0000-0x000000000241E000-memory.dmp

Filesize
16.5MB

Download
memory/1568-54-0x00000000013A0000-0x000000000241E000-memory.dmp

Filesize
16.5MB

Download
memory/1568-93-0x00000000013A0000-0x000000000241E000-memory.dmp

Filesize
16.5MB

Download
memory/1568-56-0x0000000000160000-0x0000000000161000-memory.dmp

Filesize
4KB

Download